FirmCross: Detecting Taint-style Vulnerabilities in Modern C-Lua Hybrid Web Services of Linux-based Firmware
Runhao Liu
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · Systems Security
This talk presents **FirmCross**, a static analysis tool for detecting taint-style vulnerabilities in **C-Lua hybrid web services** found in Linux-based IoT firmware. The research addresses a critical blind spot in firmware security: while existing vulnerability detectors focus on C binaries, **38% of analyzed firmware samples** use C-Lua hybrid architectures, and the Lua-invoked attack surfaces have been systematically neglected. Making matters worse, **34% of Lua services** are distributed as vendor-customized obfuscated bytecode, preventing conventional analysis.
AI review
This is real vulnerability research at scale. FirmCross found 610 zero-day vulnerabilities across 11 IoT vendors by targeting the systematically neglected Lua attack surface in firmware web services. The automated bytecode deobfuscation (100% pass rate on 316 images vs 0% for prior work), cross-language taint analysis spanning C-Lua boundaries, and 59 assigned CVEs make this one of the most impactful firmware security tools presented at NDSS. Code is open-source.