LuaTaint: A Static Analysis System for Web Configuration Interface Vulnerability of Internet of Things Devices
Jiahui Xiang, Lirong Fu, Tong Ye, Peiyu Liu, Huan Le, Liming Zhu, Wenhai Wang
TL;DR
This paper tackles the challenge of securing IoT firmware web configuration interfaces by introducing LuaTaint, a static taint analysis system tailored to Lua-based LuCI interfaces. It combines AST/CFG-based parsing, reaching definitions, and a framework-adapted taint model with LLM-assisted false alarm pruning to achieve scalable, precise vulnerability detection. The approach demonstrates real-world impact by identifying 111 vulnerabilities across 2,447 firmware samples from 11 vendors, with precision reaching 89.29%, and shows superiority over existing Lua/LuCI analysis tools such as Semgrep. By releasing the implementation as open source, the work promises practical benefits for manufacturers and researchers, enabling earlier vulnerability discovery and more reliable IoT security maintenance.
Abstract
The diversity of web configuration interfaces for IoT devices has exacerbated issues such as inadequate permission controls and insecure interfaces, resulting in various vulnerabilities. Because interface configurations vary across devices, existing methods are inadequate for identifying these vulnerabilities precisely and comprehensively. This study addresses these issues by introducing an automated vulnerability detection system called LuaTaint, designed for the commonly used web configuration interface of IoT devices. LuaTaint combines static taint analysis with a large language model (LLM) to achieve widespread and high-precision detection. The extensive traversal of the static analysis ensures the comprehensiveness of the detection. The system also incorporates rules related to page handler control logic within the taint detection process to enhance its precision and extensibility. Moreover, we leverage the prodigious abilities of LLMs for code analysis tasks. By using an LLM to prune false alarms, we enhance the precision of LuaTaint while significantly reducing its dependence on manual analysis. We develop a prototype of LuaTaint and evaluate it using 2,447 IoT firmware samples from 11 renowned vendors. LuaTaint has discovered 111 vulnerabilities. Moreover, LuaTaint exhibits a vulnerability detection precision rate of up to 89.29%.
