TY - GEN
T1 - OVER
T2 - 35th Annual ACM Symposium on Applied Computing, SAC 2020
AU - Sachidananda, Vinay
AU - Bhairav, Suhas
AU - Elovici, Yuval
N1 - Publisher Copyright:
© 2020 ACM.
PY - 2020/3/30
Y1 - 2020/3/30
N2 - The Internet of Things (IoT) exposes various vulnerabilities at the software level. In this paper, we propose a static analysis framework for IoT. The proposed framework is designed to detect security vulnerabilities such as buffer overflows, memory leaks, code injection, TOCTOU, banned functions, and other code-related vulnerabilities. We consider an end-to-end IoT software suite that includes kernels, protocol stacks, APKs, firmware, and others. In particular, we unpacked and analyzed over 21,000 IoT firmware images, 628 IoT APKs and 50 IoT Open Source Software (OSS) projects. Our framework is an adaptable and automated static analysis technique that begins with crawling the web to fetch IoT-related files and ends with report generation consisting of an IoT Risk Rating. In total, we were able to raise 7 new CVEs and detected 342 existing CVEs and 894 vulnerable code clones in IoT OSS. We found over 70% of APKs vulnerable to SQL injection and 56% of APKs using weak cryptographic algorithms. Our framework also found 3783 hard-coded passwords and archaic BusyBox versions in IoT firmware.
KW - Internet of things (IoT)
KW - Security analysis
KW - Security and privacy
KW - Static analysis
KW - Vulnerabilities
KW - Vulnerability detection
UR - http://www.scopus.com/inward/record.url?scp=85083032684&partnerID=8YFLogxK
U2 - 10.1145/3341105.3373930
DO - 10.1145/3341105.3373930
M3 - Conference contribution
AN - SCOPUS:85083032684
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 729
EP - 738
BT - 35th Annual ACM Symposium on Applied Computing, SAC 2020
PB - Association for Computing Machinery
Y2 - 30 March 2020 through 3 April 2020
ER -