lua code security overview and practical approaches to
play

Lua Code: Security Overview and Practical Approaches to Static - PowerPoint PPT Presentation

Mar 09, 2024 •138 likes •374 views

IEEE SPW: LangSec'17 (San Jose, CA) Lua Code: Security Overview and Practical Approaches to Static Analysis Andrei Costin ancostin@jyu.fi, andrei@firmware.re University of Jyvaskyla, Finland Agenda Introduction Contributions

  1. IEEE SPW: LangSec'17 (San Jose, CA) Lua Code: Security Overview and Practical Approaches to Static Analysis Andrei Costin ancostin@jyu.fi, andrei@firmware.re University of Jyvaskyla, Finland

  2. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 2

  3. Introduction Lua (Moon in Brazilian/Portuguese) ● Ierusalimschy et al., Pontifical Catholic University of Rio de Janeiro in – Brazil (PUC-Rio) [IER96] Interpreted, cross-platform, embeddable , performant and low-footprint ● language Supports “extensible semantics, anonymous functions, full lexical scoping, ● proper tail calls, and coroutines” [IER96] Many Lua resources: https://github.com/LewisJEllis/awesome-lua ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 3

  4. Introduction Lua's popularity is on the rise ● TIOBE Index ● 27th most popular (May 2017) – Par or above: T-SQL , Lisp, Ada, Fortran, Scala, LabVIEW, Prolog, Haskell, – Erlang, Bash PYPL Index ● 19th most popular (May 2017) – Par or above: Go , Delphi, Haskell – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 4

  5. Introduction Lua in numbers ● PHP is 16x-to-20x more „popular“ (PYPL Index, GitHub repository count by – „language:“) Still, around 30k Lua-based GitHub repositories – Several millions ESP8266, ready for NodeLua/NodeMCU Lua firmware – Huge number of other devices with Lua support/APIs – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 5

  6. Introduction Lua in notorious use cases ● Web-facing Projects – Wikipedia, GitHub, CloudFlare ● Tools, Projects – Nmap, Wireshark, OpenWRT ● Conventional Malware – Flamer, EvilBunny, ProjectSauron ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 6

  7. Introduction Lua in notorious use cases ● IoT-specific Malware – LuaBot ● Incredible amount of other important but less known projects – IoT ● Home Automation ● SCADA/ICS ● Automotive ● Wireless/Mobile Chipsets ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 7

  8. Introduction: Motivation Zero SAST tools for Lua code ● Many tools/services for other languages – Coverity, VeraCode, AppScan, CodeClimate, RIPS, etc. – Zero datasets with (intentionally) vulnerable Lua samples for experimentation ● Many datasets/projects for other languages – BugBox, DVWA, WebGoat, SQLol, etc. – Not much systematic research on Lua security, e.g., [DAR14] ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 8

  9. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 9

  10. Contributions Develop and open-source the first and only static analysis tool for Lua code ● Build and open-source the first public corpus of synthetic Lua code samples ● Create and release the testing setups used in our experiments in form of ● virtual and reproducible environments 25th May 2017 Andrei Costin, Lua Code, LangSec'17 10

  11. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 11

  12. Implementation www.lua.re ● ANTLR4-based Python parser [PAR13] ● Lua.g4 from ANTLR's Grammars-V4 repository [SAK13] ● Built-in unit-tests ● $MSL/tests/test_msl_defaultconfig.py – $MSL/tests/test_msl_VariousTests1.py – $MSL/tests/test_msl_LangSec17.py – Own Python-based unsophisticated taint engine ● $MSL/taint/ – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 12

  13. Implementation Flexible configurations and taint rules ● $MSL/config/defaultconfig.py – Taint sensitive sinks (e.g., io.write) – Taint unsanitizers (e.g., htmlunescape) – Taint sanitizers (e.g., htmlentities) – Taint propagation/passthru (e.g., strcat and '..' concat operator) – Some combinations of above (e.g., see fake_strcat_print_popen) – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 13

  14. Examples, Results Detects all the simple synthetic TP test-cases and Avoids all the simple ● synthetic FP test-cases $MSL/tests/test_msl_VariousTests1.py – $MSL/tests/test_msl_LangSec17.py – Works on simple real-world code ● CVE-2014-4329: „Cross-site scripting (XSS) vulnerability in – lua/host_details.lua in ntopng 1.1 allows remote attackers to inject arbitrary web script or HTML via the host parameter.“ 25th May 2017 Andrei Costin, Lua Code, LangSec'17 14

  15. Examples, Results CVE-2014-4329 with our tool: „... via the host and page parameters. “ ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 15

  16. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 16

  17. Conclusions Lua is a powerful and performant dynamic language ● Lua's popularity is on the rise within the embedded/IoT applications ● Obvious lack of both static analysis tools for Lua code and corpora of ● vulnerable Lua code samples We bridge the gap by open-sourcing: Lua SAST tool, vulnerable code samples ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 17

  18. Conclusions and Future Work Dramatically improve performance ● Improve the parser/lexer (e.g., fails on some real-world code snippets) ● Add missing features (e.g., dofile() and includes) ● Improve taint engine and rules ● Generic configurable taint engine? – Interface with Joern engine [JOER] – 25th May 2017 Andrei Costin, Lua Code, LangSec'17 18

  19. Agenda Introduction ● Contributions ● Implementation, examples, results ● Conclusions ● Acknowledgements and Q&A ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 19

  20. Acknowledgements NLnet.nl Foundation and Binary Analysis Tools (BAT) Project ● This project was supported by the NLnet.nl grant: 2014-09-017e – Michiel Leenaars from NLnet foundation ● Armijn Hemel from Tjaldur Software Governance Solutions ● LangSec'17 reviewers, shepherds and organizers! ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 20

  21. Q&A Questions, suggestions, ideas? ● www.lua.re ancostin@jyu.fi andrei@firmware.re Twitter: @costinandrei 25th May 2017 Andrei Costin, Lua Code, LangSec'17 21

  22. References [IER96] R. Ierusalimschy, L. H. De Figueiredo, and W. Celes Filho, “Lua – an ● extensible extension language”, 1996 [PAR13] T. Parr, "The definitive ANTLR 4 reference". Pragmatic Bookshelf, ● 2013 [SAK13] K. Sakamoto, A. Alexeev, ● https://github.com/antlr/grammars-v4/blob/master/lua/Lua.g4 [JOER] F. Yamaguchi, "An Intelligent and Robust Code Analysis Platform for ● C/C++" [DAR14] F. Daragon, „Lua Web Application Security Vulnerabilities“ ● 25th May 2017 Andrei Costin, Lua Code, LangSec'17 22

  23. IEEE SPW: LangSec'17 (San Jose, CA) Lua Code: Security Overview and Practical Approaches to Static Analysis Andrei Costin ancostin@jyu.fi, andrei@firmware.re University of Jyvaskyla, Finland

Recommend

Practical Approaches to Advection Difficulties in a Multi- material, Multi-physics Code Brad

Practical Approaches to Advection Difficulties in a Multi- material, Multi-physics Code Brad

UCRL-PRES-150024 Practical Approaches to Advection Difficulties in a Multi- material, Multi-physics Code Brad Wallin, Albert Nichols, Richard Sharp Lawrence Livermore National Laboratory Presented to workshop on Numerical Methods for

656 views • 21 slides
Towards a Taxonomy of Approaches Towards a Taxonomy of Approaches for for Mining of Source Code

Towards a Taxonomy of Approaches Towards a Taxonomy of Approaches for for Mining of Source Code

Towards a Taxonomy of Approaches Towards a Taxonomy of Approaches for for Mining of Source Code Repositories Mining of Source Code Repositories Huzefa H. Kagdi, Michael L. Collard, Jonathan I. Maletic Software Development Laboratory

430 views • 5 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
Approaches Based on guided code generation Based on exploring existing code Based on

Approaches Based on guided code generation Based on exploring existing code Based on

Approaches Based on guided code generation Based on exploring existing code Based on spreadsheet interaction Using R for teaching statistics to nonmajors: Comparing experiences of 2.5 different approaches Thomas Baier University of

639 views • 7 slides
Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides
Practical Methods and Approaches to Evaluating Your ADR Program Russell Saltz & Zachary Miller

Practical Methods and Approaches to Evaluating Your ADR Program Russell Saltz & Zachary Miller

How Are We Doing and Where Do We Go From Here? Practical Methods and Approaches to Evaluating Your ADR Program Russell Saltz & Zachary Miller Center for Alternative Dispute Resolution Annual Conference June 27, 2014 Presentation Overview

891 views • 16 slides
Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework)

Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework)

Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework) John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith Outline Introduction Overview of OFX Using OFX Benchmarks 2 Basic Networking:

604 views • 35 slides
Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http:/ /safestack.io caution: fast paced field ahead watch for out of date

1.06k views • 66 slides
Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for

Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for

Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for Combinatorial problems QTML Workshop Verona, Nov 6 (2017) - Davide Venturelli davide.venturelli@nasa.gov Challenges to Practical End-to-end

1.08k views • 79 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software

Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software

Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software Re-engineering - Theoretical and Practical Approaches By Daniel Kinneryd Software Developer at the company Tieto Recently done Master Thesis on the

940 views • 82 slides
Practical Security and Key Management Management University of Amsterdam Introduction SNE -

Practical Security and Key Management Management University of Amsterdam Introduction SNE -

Practical Security and Key Practical Security and Key Management Management University of Amsterdam Introduction SNE - Research Project 2 Research Question Security levels Secure elements By: Key Magiel van der Meer management PGP

778 views • 20 slides
Practical informations Practical informations Send source code to:

Practical informations Practical informations Send source code to:

Practical informations Practical informations Send source code to: christophe.leblanc@ulg.ac.be p g 2D and 3D curves: curvature 2D and 3D curves: curvature Compute the curvatures of two curves: 2D: (Semi) circle of radius r=1 ( )

237 views • 6 slides
Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

www.liberouter.org Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST Regional Symposium for Europe Security Tools as a Service Flow monitoring overview Flow monitoring extended by application layer

1.99k views • 184 slides
Practical Approaches to Atrial Fibrillation Management Answ ers to Your Everyday Questions H.

Practical Approaches to Atrial Fibrillation Management Answ ers to Your Everyday Questions H.

Practical Approaches to Atrial Fibrillation Management Answ ers to Your Everyday Questions H. Mark Guo, MD, FACC, FHRS Clinical Cardiac Electrophysiology Oregon Heart & Vascular Institute hguo@ peacehealth.org Disclosure SYSTEMS OF

1.4k views • 40 slides
Practical Approaches to the Treatment of Obesity March 11, 2012 David C.W. Lau, MD, PhD, FRCPC

Practical Approaches to the Treatment of Obesity March 11, 2012 David C.W. Lau, MD, PhD, FRCPC

Practical Approaches to the Treatment of Obesity March 11, 2012 David C.W. Lau, MD, PhD, FRCPC Depts. of Medicine, Biochemistry & Molecular Biology and Cardiac Sciences Julia McFarlane Diabetes Research Centre University of Calgary

958 views • 38 slides
Identifying DRR Measures through participatory approaches approaches Karina Barquet, Stockholm

Identifying DRR Measures through participatory approaches approaches Karina Barquet, Stockholm

Identifying DRR Measures through participatory approaches approaches Karina Barquet, Stockholm Environment Institute (SEI) ECSA 56 Bremen, 6th September 2016 Session: "A practical illustration of the human dimension in coastal systems

455 views • 13 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 6 Firewalls & VPNs Topics Firewall Fundamentals Case

881 views • 51 slides
2 nd Partners Meeting Security Outline of activities/floorplans Timeline and practical

2 nd Partners Meeting Security Outline of activities/floorplans Timeline and practical

2 nd Partners Meeting Security Outline of activities/floorplans Timeline and practical information EMAS: Waste reduction Se Security, ou our resp sponsib ibil ilit ity Specific security measures Ensuring safety of visitors,

282 views • 15 slides
Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools & Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Practical Principles for Computer Security Butler Lampson Marktoberdorf August 2006 1 Practical

Practical Principles for Computer Security Butler Lampson Marktoberdorf August 2006 1 Practical

Practical Principles for Computer Security Butler Lampson Marktoberdorf August 2006 1 Practical Principles for Computer Security B. W. Lampson 2 August 2006 Outline Introduction: what is security? Principals, the speaks for relation,

1.22k views • 94 slides
Practical approaches to undertaking research priority setting in health Anneliese Synnot,

Practical approaches to undertaking research priority setting in health Anneliese Synnot,

Practical approaches to undertaking research priority setting in health Anneliese Synnot, Allison Tong, Sophie Hill, Jonathan C Craig Australasian Cochrane Symposium | 25-26 November 2015 | State Library of Victoria, Melbourne Learning

668 views • 23 slides
Practical Approaches to Using Electronic Health Records for Research: Challenges and Mitigation

Practical Approaches to Using Electronic Health Records for Research: Challenges and Mitigation

Practical Approaches to Using Electronic Health Records for Research: Challenges and Mitigation Strategies David Mehr, MD, MS Rainu Kaushal, MD, MPH Melissa Honour, MPH Barbara Lund, MSW, MBA March 15, 2011 Agenda Welcome Barbara

637 views • 48 slides
Practical Approaches to a Mito Diagnosis Richard H. Haas M.B., B.Chir., M.R.C.P. Director UCSD

Practical Approaches to a Mito Diagnosis Richard H. Haas M.B., B.Chir., M.R.C.P. Director UCSD

Practical Approaches to a Mito Diagnosis Richard H. Haas M.B., B.Chir., M.R.C.P. Director UCSD Mitochondrial Disease Laboratory Co-Director UCSD Mitochondrial and Metabolic Disease Center Overview of Mitochondrial Diagnosis Basic Mito Facts

720 views • 57 slides

More recommend