A Tool for IoT Firmware Certification

The rapid growth of the Internet of Things (IoT) has created a fragmented ecosystem, with no clear rules for security and reliability. This lack of standardization makes IoT devices vulnerable to attacks. IoT firmware certification can address these security concerns. It empowers consumers to make informed choices by readily identifying secure products. Additionally, it incentivizes developers to prioritize secure coding practices, ultimately promoting transparency and trust within the IoT ecosystem. Several existing IoT device certifications (e.g. Cybersecurity Assurance Program, British Standards Institution, ioXt Alliance) prioritise cybersecurity through risk and vulnerability assessments. This paper proposes a complementary approach. Our tool focuses on identifying firmware functionality by analysing system calls through static analysis. This allows to publicly identify APIs to assess the actual behaviour of a firmware. The analysis culminates in the generation of JSON manifests, which encapsulate the relevant information gathered during the case study. In particular, this analysis verifies whether the actual behaviour is in line with the developer's statements about the device's functionality, contributing to the security and reliability of a device. To evaluate tool's performance, we conducted a benchmarking analysis which has demonstrated efficient handling of binaries written in various languages, even those with large file sizes. Future will be based on refining the API search and syscall collection algorithms, other than incorporating vulnerability analysis to further strengthen the security of an IoT device.