NDSS 2026

FirmCross: Detecting Taint-style Vulnerabilities in Modern C-Lua Hybrid Web Services of Linux-based Firmware

Runhao Liu, Jiarun Dai, Haoyu Xiao, Yuan Zhang, Yeqi Mou, Lukai Xu, Bo Yu, Baosheng Wang, Min Yang

Abstract

Static taint analysis has become a fundamental technique for detecting vulnerabilities in the web services of Linux-based firmware. However, existing works commonly oversimplify the composition of firmware web services: only C binaries (i.e., those extracted from the target firmware) are considered within the scope of vulnerability detection. In this work, we observe that modern firmware extensively combines Lua scripts/bytecode with C binaries to implement hybrid web services, and C-binary-oriented vulnerability detection techniques can hardly achieve satisfactory performance on them. In light of this, we propose FirmCross, an automated taint-style vulnerability detector dedicated to C-Lua hybrid web services. Compared to existing detectors, FirmCross can automatically deobfuscate the Lua bytecode in target firmware, additionally identify distinctive taint sources in the Lua code space, and systematically capture C-Lua cross-language taint flows. In the evaluation, FirmCross detects 6.82× to 14.5× more vulnerabilities than SoTA approaches (i.e., MangoDFA and LuaTaint) on a dataset of 73 firmware images from 11 vendors. Notably, FirmCross helped identify 610 0-day vulnerabilities in the target firmware images. After we reported these vulnerabilities to vendors, 31 vulnerability IDs have been assigned so far.

Introduction

…approaches [14], [15], [16], [17] work by literally executing the target firmware services, either in emulated environments or directly on physical devices. However, these methods face inherent challenges, including labor-intensive firmware rehosting [3], [18] and limited code coverage [14], [19]. In comparison, static approaches [10], [11], [13], [2], [20], which do not require a dynamic execution environment, have been embraced as a complementary solution for detecting vulnerabilities in IoT web services. Specifically, these works mostly leverage taint analysis, which involves two key phases: ❶ Source and Sink Identification pinpoints user-controllable inputs (sources) and security-sensitive operations (sinks), and ❷ Taint Propagation verifies whether attacker-controlled data can flow from sources to sinks along execution paths, causing potentially exploitable vulnerabilities. Although these static taint analysis techniques [8], [9], [2], [13], [12], [20] have helped identify various vulnerabilities in firmware web services, they usually oversimplify the composition of firmware web services, inevitably hurting the completeness of vulnerability detection. To be more specific, existing works consider only C binaries (i.e., those extracted from the target firmware) as the scope of vulnerability detection. However, as highlighted in recent studies [21], [22], [23], Lua has emerged as one of the most popular languages for implementing web services [24], [25], [26], [27], [28], due to its high performance and flexibility. As demonstrated in our large-scale empirical study (see §II) of 4012 commercial device firmware images, 38% of the firmware samples adopt a hybrid C-Lua framework to implement modern web services. Among these firmware images, Lua scripts/bytecode are extensively leveraged to implement a wide array of functions (e.g., URI dispatching and handling).

In fact, these long-neglected Lua-involved attack surfaces [29], [30] have become one of the bottlenecks of firmware security. Due to the fundamental differences between C binaries and Lua scripts/bytecode, as well as the complex cross-language interactions in C-Lua hybrid web services, existing static taint analysis approaches [8], [9], [2], [13], [12], [20] are difficult to apply directly to this scenario. Hence, in this work, we are highly motivated to re-design the taint-style …
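As an added illustration of the two taint-analysis phases described above, and of the cross-language flow that a C-only analysis misses, the following Python script is a toy taint propagator over a hand-built mini-IR. It is example code written for this page, not FirmCross's implementation or intermediate representation. The IR statement forms, the handler and binding names (action_ping, action_sleep, sys_exec, l_sys_exec, cgi_main) and the sample service are all constructed; only the source, sink and sanitizer names (luci.http.formvalue, getenv, tonumber, popen, system, os.execute) are real API names, used here purely as labels.

```python
"""Toy taint-style analysis over a constructed mini-IR of a C-Lua hybrid web service.
Illustrative only: this is neither FirmCross's IR nor its algorithm."""
from dataclasses import dataclass


@dataclass
class Func:
    name: str
    lang: str      # "lua" or "c"
    params: list   # parameter names; C bindings use arg1.. for Lua stack slots
    body: list     # statements, see forms below


# Statement forms (constructed for this example):
#   ("assign", dst, src)               dst = src
#   ("concat", dst, [src, ...])        dst = src1 .. src2 ...  (string building)
#   ("call", dst, callee, [arg, ...])  dst = callee(args); dst may be None
#   ("return", src)
# Names starting with a double quote are string literals and carry no taint.

# Phase 1 inputs: sources are reads of user-controlled data (valid only in their own
# language space), sinks are security-sensitive operations, sanitizers kill taint.
SOURCES = {"luci.http.formvalue": "lua", "getenv": "c"}
SINKS = {"os.execute", "system", "popen"}
SANITIZERS = {"tonumber"}


class TaintAnalyzer:
    def __init__(self, funcs, bindings):
        self.funcs = {f.name: f for f in funcs}
        self.bindings = bindings   # Lua global name -> C function registered for it
        self.findings = []         # (function, sink, frozenset of source labels)
        self._memo = {}            # (function, param taint) -> return-value taint

    def resolve(self, caller, callee):
        """Follow a call edge; a Lua global bound via lua_register resolves to its C body."""
        if caller.lang == "lua" and callee in self.bindings:
            return self.funcs.get(self.bindings[callee])
        return self.funcs.get(callee)

    def analyze(self, fname, param_taint):
        """Phase 2: propagate taint through fname; returns the taint of its return value."""
        key = (fname, tuple(param_taint))
        if key in self._memo:
            return self._memo[key]
        self._memo[key] = frozenset()    # guard against recursion
        f = self.funcs[fname]
        taint = {p: set(t) for p, t in zip(f.params, param_taint)}

        def tof(v):
            return set(taint.get(v, ()))

        ret = set()
        for stmt in f.body:
            if stmt[0] == "assign":
                taint[stmt[1]] = tof(stmt[2])
            elif stmt[0] == "concat":
                taint[stmt[1]] = set().union(*map(tof, stmt[2]))
            elif stmt[0] == "return":
                ret |= tof(stmt[1])
            elif stmt[0] == "call":
                _, dst, callee, args = stmt
                arg_taint = [tof(a) for a in args]
                merged = set().union(*arg_taint)
                if SOURCES.get(callee) == f.lang:
                    result = {f"{callee}@{f.name}"}     # label taint by its origin
                elif callee in SANITIZERS:
                    result = set()
                elif callee in SINKS:
                    if merged:
                        self.findings.append((f.name, callee, frozenset(merged)))
                    result = set()
                else:
                    target = self.resolve(f, callee)
                    if target is None:
                        result = merged                 # unknown library call: conservative pass-through
                    else:
                        result = set(self.analyze(target.name, [frozenset(t) for t in arg_taint]))
                if dst is not None:
                    taint[dst] = result
        self._memo[key] = frozenset(ret)
        return self._memo[key]


def run(funcs, bindings, entries):
    """Analyze each entry point with untainted parameters; return sorted findings."""
    ta = TaintAnalyzer(funcs, bindings)
    for e in entries:
        ta.analyze(e, [])
    return sorted((fn, sink, tuple(sorted(labels))) for fn, sink, labels in ta.findings)


# Constructed sample service (hypothetical names, modelled on a LuCI-style controller).
SAMPLE = [
    # Lua: host = luci.http.formvalue("host"); sys_exec("ping -c 1 " .. host)
    Func("action_ping", "lua", [], [
        ("call", "host", "luci.http.formvalue", ['"host"']),
        ("concat", "cmd", ['"ping -c 1 "', "host"]),
        ("call", None, "sys_exec", ["cmd"]),
    ]),
    # Lua: n = tonumber(luci.http.formvalue("delay")); sys_exec("sleep " .. n)  -- sanitized
    Func("action_sleep", "lua", [], [
        ("call", "delay", "luci.http.formvalue", ['"delay"']),
        ("call", "n", "tonumber", ["delay"]),
        ("concat", "cmd", ['"sleep "', "n"]),
        ("call", None, "sys_exec", ["cmd"]),
    ]),
    # C: static int l_sys_exec(lua_State *L) { cmd = lua_tostring(L, 1); popen(cmd, "r"); ... }
    Func("l_sys_exec", "c", ["arg1"], [
        ("call", "cmd", "lua_tostring", ["arg1"]),
        ("call", "fp", "popen", ["cmd", '"r"']),
        ("return", "fp"),
    ]),
    # C: a plain CGI binary, the only part a C-binary-only analysis would cover
    Func("cgi_main", "c", [], [
        ("call", "qs", "getenv", ['"QUERY_STRING"']),
        ("call", None, "system", ["qs"]),
    ]),
]
BINDINGS = {"sys_exec": "l_sys_exec"}    # lua_register(L, "sys_exec", l_sys_exec)
ENTRIES = ["action_ping", "action_sleep", "cgi_main"]

if __name__ == "__main__":
    print(run(SAMPLE, BINDINGS, ENTRIES))
    print("without bindings:", run(SAMPLE, {}, ENTRIES))
```

With the binding table supplied, the analyzer reports both the pure-C flow (getenv to system in cgi_main) and the cross-language flow (luci.http.formvalue in action_ping reaching popen inside l_sys_exec), while the tonumber-sanitized handler is silent. Run it with an empty binding table and the popen finding disappears: the Lua-side source is never connected to the C-side sink, which is the blind spot of C-binary-only detection that the abstract describes.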