Safeguarding Asynchronicity of Lua’s Garbage Collector and Multithreading


Ayşenur Yıldırım M., YILMAZ F.

10th International Congress on Information and Communication Technology, ICICT 2025, London, England, 18 - 21 February 2025, vol.1441 LNNS, pp.453-465, (Full Text)

  • Publication Type: Conference Paper / Full Text
  • Volume: 1441 LNNS
  • Doi Number: 10.1007/978-981-96-6938-7_38
  • City: London
  • Country: England
  • Page Numbers: pp.453-465
  • Keywords: Binary hardening, In-lined reference monitoring, IoT security, Lua programming language, Use-after-free vulnerability mitigation
  • Ankara Yıldırım Beyazıt University Affiliated: Yes

Abstract

In contemporary cybersecurity, safeguarding systems from malicious attacks is paramount, given the proliferation of interconnected tools and the continuous efforts of cyberadversaries to disrupt these systems. Researchers have explored various methods to establish secure environments, including advanced techniques for detecting and mitigating cyberthreats. One such method, in-lined reference monitoring (IRM), leverages a language-based security approach and has shown promise in enhancing system security. This paper focuses on the application of IRM through the Lua programming language, renowned for its efficiency and widespread use in diverse domains such as gaming, scientific computing, and Internet of Things (IoT) devices. We introduce and evaluate LuaLight, a novel, fully automated system designed to transform Lua executables to address use-after-free (UAF) vulnerabilities inherent in the Lua garbage collector (LGC), without necessitating modifications to the vulnerable Lua virtual machines (LVM). LuaLight offers a comprehensive solution to several known security vulnerabilities associated with the LGC, specifically addressing issues identified in CVE-2020-24371 and CVE-2021-44964.