× Cookies are disabled! This site requires cookies to be enabled to work properly

Lua Code: Security Overview and Practical Approaches to Static Analysis

Andrei Costin

In Proceedings of the 38th IEEE Symposium on Security and Privacy Workshops, May 2017.


Lua is an interpreted, cross-platform, embeddable, performant and low-footprint language. Lua’s popularity is on the rise in the last couple of years. Simple design and efficient usage of resources combined with its performance make it attractive for production web applications even to big organizations such as Wikipedia, CloudFlare and GitHub. In addition to this, Lua is one of the preferred choices for programming embedded and IoT devices. This context allows to assume a large and growing Lua codebase yet to be assessed. This growing Lua codebase could be potentially driving production servers and extremely large number of devices, some perhaps with mission-critical function for example in automotive or home-automation domains.
However, there is a substantial and obvious lack of static analysis tools and vulnerable code corpora for Lua as compared to other increasingly popular languages, such as PHP, Python and JavaScript. Even the state-of-the-art commercial tools that support dozens of languages and technologies actually do not support Lua static code analysis.
In this paper we present the first public Static Analysis for Security Testing (SAST) tool for Lua code that is currently focused on web vulnerabilities. We show its potential with good and promising preliminary results that we obtained on simple and intentionally vulnerable Lua code samples that we synthesized for our experiments. We also present and release our synthesized corpus of intentionally vulnerable Lua code, as well as the testing setups used in our experiments in form of virtual and completely reproducible environments. We hope our work can spark additional and renewed interest in this apparently overlooked area of language security and static analysis, as well as motivate community’s contribution to these open-source projects. The tool, the samples and the testing VM setups will be released and updated at www.lua.re and www.lua.rocks.


Download the MoonshineLuaSec (MSL) Lua SAST tool, the conference slides or the conference paper (LangSec17 mirror, DOI 10.1109 SPW.2017.38).


To reference our paper, results and the MoonshineLuaSec (MSL) tool, please use the following bibtex entry:
  title={{Lua Code: Security Overview and Practical Approaches to Static Analysis}},
  author={Costin, Andrei},
  booktitle={38th IEEE Symposium on Security and Privacy Workshops (SPW)},