Static analysis for discovering IoT vulnerabilities

Cited by: 33
Authors
Ferrara, Pietro [1, 2]
Mandal, Amit Kr [3]
Cortesi, Agostino [1]
Spoto, Fausto [4]
Affiliations
[1] Univ Ca Foscari, Venice, Italy
[2] JuliaSoft, Verona, Italy
[3] SRM Univ, Amaravati, AP, India
[4] Univ Verona, Verona, Italy
Keywords
IoT security; Static analysis; OWASP IoT Top 10; IoT privacy; Insecure IoT ecosystem interface; SECURITY; INTERNET; FRAMEWORK; PROTOCOLS;
DOI
10.1007/s10009-020-00592-x
Chinese Library Classification number
TP31 [Computer software];
Discipline classification code
081202; 0835;
Abstract
The Open Web Application Security Project (OWASP) released the "OWASP Top 10 Internet of Things 2018" list of the high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge toward the development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some of Julia's existing analyses and their extension to IoT systems, showing the effectiveness of the analysis on some representative case studies.
Pages: 71 - 88
Page count: 18
Related papers
50 in total
  • [1] Static analysis for discovering IoT vulnerabilities
    Pietro Ferrara
    Amit Kr Mandal
    Agostino Cortesi
    Fausto Spoto
    International Journal on Software Tools for Technology Transfer, 2021, 23 : 71 - 88
  • [2] Finding Taint-Style Vulnerabilities in Lua Application of IoT Firmware with Progressive Static Analysis
    Li, Xixing
    Wei, Qiang
    Wu, Zehui
    Guo, Wei
    APPLIED SCIENCES-BASEL, 2023, 13 (17):
  • [3] Analysis of Security Vulnerabilities for IoT Devices
    Kim, Hee-Hyun
    Yoo, Jinho
    JOURNAL OF INFORMATION PROCESSING SYSTEMS, 2022, 18 (04): : 489 - 499
  • [4] Toward Hybrid Static-Dynamic Detection of Vulnerabilities in IoT Firmware
    He, Daojing
    Gu, Hongjie
    Li, Tinghui
    Du, Yongliang
    Wang, Xiaolei
    Zhu, Sencun
    Guizani, Nadra
    IEEE NETWORK, 2021, 35 (02): : 202 - 207
  • [5] Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface
    Wang, Dong
    Zhang, Xiaosong
    Chen, Ting
    Li, Jingwei
    SECURITY AND COMMUNICATION NETWORKS, 2019, 2019
  • [6] Static analysis of format string vulnerabilities
    National Engineering Research Center for Fundamental Software, Institute of Software, Beijing, China
    Unknown
    Unknown
    Unknown
    Proc. - ACIS Int. Symp. Softw. Netw. Eng., SSNE, (122-127):
  • [7] Integrating static and dynamic analysis for detecting vulnerabilities
    Aggarwal, Ashish
    Jalote, Pankaj
    30TH ANNUAL INTERNATIONAL COMPUTER SOFTWARE AND APPLICATIONS CONFERENCE, VOL 1, REGULAR PAPERS/PANELS, PROCEEDINGS, 2006, : 343 - +
  • [8] Vulnerabilities and Attacks Analysis for Military and Commercial IoT Drones
    Restituyo, Ralph
    Hayajneh, Thaier
    2018 9TH IEEE ANNUAL UBIQUITOUS COMPUTING, ELECTRONICS & MOBILE COMMUNICATION CONFERENCE (UEMCON), 2018, : 26 - 32
  • [9] An Experimental Analysis of Security Vulnerabilities in Industrial IoT Devices
    Jiang, Xingbin
    Lora, Michele
    Chattopadhyay, Sudipta
    ACM TRANSACTIONS ON INTERNET TECHNOLOGY, 2020, 20 (02)
  • [10] Firmulti Fuzzer: Discovering Multi-process Vulnerabilities in IoT Devices with Full System Emulation and VMI
    Cheng, Yung-Tai
    Cheng, Shin-Ming
    PROCEEDINGS OF THE 5TH WORKSHOP ON CPS & IOT SECURITY AND PRIVACY, CPSIOTSEC 2023, 2023, : 1 - 9