Static analysis for discovering IoT vulnerabilities
- PDF / 1,764,031 Bytes
- 18 Pages / 595.276 x 790.866 pts Page_size
- 104 Downloads / 173 Views
FOUNDATION FOR MASTERING CHANGE Special Issue: SPIoT 2019
Static analysis for discovering IoT vulnerabilities Pietro Ferrara1,2 · Amit Kr Mandal3 · Agostino Cortesi1 · Fausto Spoto4
© The Author(s) 2020
Abstract The Open Web Application Security Project (OWASP), released the “OWASP Top 10 Internet of Things 2018” list of the high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge toward development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some existing Julia’s analyses and their extension to IoT systems, showing its effectiveness of the analysis of some representative case studies. Keywords IoT security · Static analysis · OWASP IoT Top 10 · IoT privacy · Insecure IoT ecosystem interface · Static analysis
1 Introduction In most of the attacks targeting Internet of Things (IoT) systems [11,19,41,69], a common IoT device is used to intrude into the system, and exploit the larger network to which IoT devices are connected. According to Gartner, by 2020, more than 25% of cyber-attacks on enterprises will target IoT systems [39]. Therefore, cyber-attacks are moving their targets Work partially supported by the Project “ADditive Manufacturing and Industry 4.0 as innovation Driver (ADMIN 4D)”.
B
Pietro Ferrara [email protected] Amit Kr Mandal [email protected] Agostino Cortesi [email protected] Fausto Spoto [email protected]
1
Università Ca’ Foscari, Venice, Italy
2
JuliaSoft, Verona, Italy
3
SRM University, Amaravati, AP, India
4
Università di Verona, Verona, Italy
from vulnerable computers to IoT devices. The ubiquitous nature of IoT ecosystems goes beyond the boundaries of traditional network security, and it widens the attack surface, as interconnected devices operate from different physical locations and network layers. In such scenarios, attackers may use automation tools to simulate authorized operations on legitimate devices to create a springboard effect where they may exploit minor vulnerabilities. IoT systems usually comprise at least three major components: devices, cloud, and companion applications [20]. Each of these components may contain security vulnerabilities, and when combined together such issues might increase their severity exponentially because of various computational and network features of IoT ecosystems. In general, a “Thing” in IoT (aka, device) executes (embedded) software on microcontrollers (MCUs) with a
Data Loading...
