Reminiscences about Lua and Mosquito

Wes Brown | June 2nd, 2008 | Filed Under: Development, Navel Gazing

When Ephemeral Security first came up with the concept of the injectable virtual machine over coffee, we had an aggressive schedule to meet.  We needed a proof of concept prototype running within a month in order to meet the submission deadline for Defcon 13.

A perfect language for the task was a glimmer in our eyes, but we did not have the time to implement one.  So we profiled various lightweight environments, and Lua looked quite promising.  It was small, it was easily extensible, and it was portable across many architectures.

Ephemeral Security settled on LibTomCrypt as our cryptography library, as we considered it the gold standard for such software.  It was small, it was efficient, it was well-understood, and it was far easier to use than OpenSSL.  OpenSSL does indeed have cipher functions, but it is strongly oriented towards using them in the context of SSL transactions.  

The other major component was LuaSockets.  We judged that the combination of Lua, LuaSockets, and LibTomCrypt was enough for a proof of concept.  We made the deadline for Defcon submissions with an early prototype, and we had a later version ready for demonstration at the actual presentation.

We hated Lua.  It wasn’t Mosquito Lisp.  We found Lua to be inferior to a language that existed only in our heads at the time.  Although, when we needed a prototype that could hobble across the stage in a month, it was the fastest path from idea to novelty.  And it was also the slowest path from novelty to tool.

Lua seemed to make simple things complicated, and the misuse of tables for both arrays and objects made things harder than they should have been.  Lua also did not have solid and reliable primitives for I/O.  It was really awkward to work with.  From our perspective, it had a poor debugger, poor I/O, poor architecture, and a poor C API.  It was a good extension language, but it was difficult to extend.  Our cryptography code was solid, but affiliation could not be gotten to work reliably on top of LuaSockets.

But it did the job, and we had a very small environment suitable for second stage injection as a proof of concept.  It was a sickening irony that the projector that Defcon provided did not work with my Powerbook, and we had to borrow a laptop from the audience to do our presentation.  So we never did get to do a demo of the Lua-based MOSREF in at Defcon 13.

We learned several lessons from that particular adventure:

  • Always make sure the laptop works with the projector provided ahead of time
  • We needed an I/O oriented virtual machine and language
  • Concepts that are simple in idea can be devilishly complex when we get to details

The next year, we did much better with Mosquito Lisp, thanks to what we learned from using Lua.

For those of you curious about it, here are the presentation slides, and the source code

EDIT: ‘We’ adjusted to Ephemeral Security in reference to LibTomCrypt to clarify that is is not a statement or belief held by Matasano Security.

Viewing 15 Comments

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus