DOI: 10.1145/3341105.3373930

OVER: Overhauling Vulnerability Detection for IoT through an Adaptable and Automated Static Analysis Framework

Published: 30 March 2020

Abstract

The Internet of Things (IoT) exposes various vulnerabilities at the software level. In this paper, we propose a static analysis framework for IoT. The proposed framework is designed to detect security vulnerabilities such as Buffer Overflow, Memory Leaks, Code Injection, TOCTOU, Banned functions, and other code-related vulnerabilities. We consider an end-to-end IoT software suite that includes kernels, protocol stacks, APKs, firmware, and others. In particular, we unpacked and analyzed over 21,000 IoT firmware, 628 IoT APKs and 50 IoT Open Source Software (OSS).
Our framework is an adaptable and automated static analysis technique that begins with crawling the web to fetch IoT-related files and ends with the generation of a report that includes an IoT Risk Rating. In total, we were able to raise 7 new CVEs and detected 342 existing CVEs and 894 vulnerable code clones in IoT OSS. We found over 70% of APKs vulnerable to SQL Injection and 56% of APKs using weak cryptographic algorithms. Also, our framework found 3783 hard-coded passwords and archaic BusyBox versions in IoT firmware.


Published In

SAC '20: Proceedings of the 35th Annual ACM Symposium on Applied Computing
March 2020
2348 pages
ISBN:9781450368667
DOI:10.1145/3341105

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. internet of things (IoT)
  2. security analysis
  3. security and privacy
  4. static analysis
  5. vulnerabilities
  6. vulnerability detection

Qualifiers

  • Research-article

Conference

SAC '20: The 35th ACM/SIGAPP Symposium on Applied Computing
March 30 - April 3, 2020
Brno, Czech Republic

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Article Metrics

  • Downloads (Last 12 months): 88
  • Downloads (Last 6 weeks): 8
Reflects downloads up to 09 Nov 2024

Cited By

  • (2023) No More Companion Apps Hacking but One Dongle: Hub-Based Blackbox Fuzzing of IoT Firmware. Proceedings of the 21st Annual International Conference on Mobile Systems, Applications and Services, 205-218. DOI: 10.1145/3581791.3596857. Online publication date: 18-Jun-2023
  • (2023) A Systematic Mapping Study of the Advancement in Software Vulnerability Forecasting. SoutheastCon 2023, 545-552. DOI: 10.1109/SoutheastCon51012.2023.10115111. Online publication date: 1-Apr-2023
  • (2023) Understanding Why and Predicting When Developers Adhere to Code-Quality Standards. 2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP), 432-444. DOI: 10.1109/ICSE-SEIP58684.2023.00045. Online publication date: May-2023
  • (2023) A Review on Attack Graph Analysis for IoT Vulnerability Assessment: Challenges, Open Issues, and Future Directions. IEEE Access 11, 44350-44376. DOI: 10.1109/ACCESS.2023.3272053. Online publication date: 2023
  • (2023) A method for vulnerability detection by IoT network traffic analytics. Ad Hoc Networks 149, 103247. DOI: 10.1016/j.adhoc.2023.103247. Online publication date: Oct-2023
  • (2022) The Internet of Things Network Penetration Testing Model Using Attack Graph Analysis. 2022 International Symposium on Multidisciplinary Studies and Innovative Technologies (ISMSIT), 360-368. DOI: 10.1109/ISMSIT56059.2022.9932758. Online publication date: 20-Oct-2022
  • (2021) Toward Hybrid Static-Dynamic Detection of Vulnerabilities in IoT Firmware. IEEE Network 35:2, 202-207. DOI: 10.1109/MNET.011.2000450. Online publication date: Mar-2021
  • (2021) A Survey of Software Clone Detection From Security Perspective. IEEE Access 9, 48157-48173. DOI: 10.1109/ACCESS.2021.3065872. Online publication date: 2021
