OVER: Overhauling vulnerability detection for iot through an adaptable and automated static analysis framework

Vinay Sachidananda, Suhas Bhairav, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

10 Scopus citations

Abstract

Internet of Things (IoT) exposes various vulnerabilities at the software level. In this paper, we propose a static analysis framework for IoT. The proposed framework is designed for detecting security vulnerabilities such as Buffer Overflow, Memory Leaks, Code Injection, TOCTOU, Banned functions, and other code-related vulnerabilities. We consider end-to-end IoT software suite that includes kernels, protocol stacks, APKs, firmware, and others. In particular, we unpacked and analyzed over 21,000 IoT firmware, 628 IoT APKs and 50 IoT Open Source Software (OSS). Our framework is an adaptable and automated static analysis technique that begins with crawling the web for fetching the IoT related files and ends with report generation consisting of IoT Risk Rating. In total, we were able to raise 7 new CVEs and detected 342 existing CVEs and 894 vulnerable code clones in IoT OSS. We found over 70% of APKs vulnerable to SQL Injection and 56% APKs using weak cryptographic algorithms. Also, our framework found 3783 hard-coded passwords and archaic BusyBox versions in IoT firmware.

Original languageEnglish
Title of host publication35th Annual ACM Symposium on Applied Computing, SAC 2020
PublisherAssociation for Computing Machinery
Pages729-738
Number of pages10
ISBN (Electronic)9781450368667
DOIs
StatePublished - 30 Mar 2020
Event35th Annual ACM Symposium on Applied Computing, SAC 2020 - Brno, Czech Republic
Duration: 30 Mar 20203 Apr 2020

Publication series

NameProceedings of the ACM Symposium on Applied Computing

Conference

Conference35th Annual ACM Symposium on Applied Computing, SAC 2020
Country/TerritoryCzech Republic
CityBrno
Period30/03/203/04/20

Keywords

  • Internet of things (IoT)
  • Security analysis
  • Security and privacy
  • Static analysis
  • Vulnerabilities
  • Vulnerability detection

ASJC Scopus subject areas

  • Software

Fingerprint

Dive into the research topics of 'OVER: Overhauling vulnerability detection for iot through an adaptable and automated static analysis framework'. Together they form a unique fingerprint.

Cite this