Weiyi Wang,Lang Feng,Zhiguo Shi,Cheng Zhuo,Jiming Chen

DOI: https://doi.org/10.23919/date58400.2024.10546789

2024-01-01

Abstract:Internet of Things (IoT) devices face an escalating threat from code reuse attacks (CRAs) as they can reuse existing code for malicious purpose. Thus a practical cost-effective Control-Flow Integrity (CFI) mechanism for IoT devices is urgently needed. However, existing CFI solutions suffer from impractical-ities, including high performance overhead and a heavy reliance on offline perfect Control-Flow Graph (CFG) generation. To tackle these challenges, we propose a fine-grained dependable CFI scheme for IoT devices that real-time updates the CFG of devices. We evaluate the implementation on RISC-V architectures and the results show that our CFI scheme provides both backward- and forward-edge protection with almost no performance overhead in the case of fixed CFG, negligible power overhead, and low hardware overhead. Compared to the current hardware-assisted CFI designs, our design eliminates the dependence on the offline perfect CFG generation and performs real-time CFG updating for better practicality.

Vikas Kumar,Rahul Kumar,Akber Ali Khan,Vinod Kumar,Yu-Chi Chen,Chin-Chieh Chang

DOI: https://doi.org/10.3390/s22093110

IF: 3.9

2022-04-19

Sensors

Abstract:The Internet of Things (IoT) is a future trend that uses the Internet to connect a variety of physical things with the cyber world. IoT technology is rapidly evolving, and it will soon have a significant impact on our daily lives. While the growing number of linked IoT devices makes our daily lives easier, it also puts our personal data at risk. In IoT applications, Radio Frequency Identification (RFID) helps in the automatic identification of linked devices, and the dataflow of the system forms a symmetry in communication between the tags and the readers. However, the security and privacy of RFID-tag-connected devices are the key concerns. The communication link is thought to be wireless or insecure, making the RFID system open to several known threats. In order to address these security issues, we propose a robust authentication framework for IoT-based RFID infrastructure. We use formal security analysis in the random oracle model, as well as information analysis to support the claim of secure communication. Regarding the desirable performance characteristics, we describe and analyze the proposed framework’s performance and compare it to similar systems. According to our findings, the proposed framework satisfies all security requirements while also improving the communication.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ibrahim Nadir,Zafeer Ahmad,Haroon Mahmood,Ghalib Asadullah Shah,Farrukh Shahzad,Muhammad Umair,Hassam Khan,Usman Gulzar

DOI: https://doi.org/10.1109/EuroSPW.2019.00011

2019-01-01

Abstract:Introduction of IoT is a big step towards the convergence of physical and virtual world as everyday objects are connected to the internet nowadays. But due to its diversity and resource constraint nature, the security of these devices in the real world has become a major challenge. Although a number of security frameworks have been suggested to ensure the security of IoT devices, frameworks for auditing this security are rare. We propose an open-source framework to audit the security of IoT devices covering hardware, firmware and communication vulnerabilities. Using existing open-source tools, we formulate a modular approach towards the implementation of the proposed framework. Standout features in the suggested framework are its modular design, extensibility, scalability, tools integration and primarily autonomous nature. The principal focus of the framework is to automate the process of auditing. The paper further mentions some tools that can be incorporated in different modules of the framework. Finally, we validate the feasibility of our framework by auditing an IoT device using proposed toolchain.

Fatimah Aljaafari,Rafael Menezes,Mustafa A. Mustafa,Lucas C. Cordeiro

DOI: https://doi.org/10.48550/arXiv.2103.11363

2021-04-28

Abstract:Internet of Things (IoT) consists of a large number of devices connected through a network, which exchange a high volume of data, thereby posing new security, privacy, and trust issues. One way to address these issues is ensuring data confidentiality using lightweight encryption algorithms for IoT protocols. However, the design and implementation of such protocols is an error-prone task; flaws in the implementation can lead to devastating security vulnerabilities. Here we propose a new verification approach named Encryption-BMC and Fuzzing (EBF), which combines Bounded Model Checking (BMC) and Fuzzing techniques to check for security vulnerabilities that arise from concurrent implementations of cyrptographic protocols, which include data race, thread leak, arithmetic overflow, and memory safety. EBF models IoT protocols as a client and server using POSIX threads, thereby simulating both entities' communication. It also employs static and dynamic verification to cover the system's state-space exhaustively. We evaluate EBF against three benchmarks. First, we use the concurrency benchmark from SV-COMP and show that it outperforms other state-of-the-art tools such as ESBMC, AFL, Lazy-CSeq, and TSAN with respect to bug finding. Second, we evaluate an open-source implementation called WolfMQTT. It is an MQTT client implementation that uses the WolfSSL library. We show that \tool detects a data race bug, which other approaches are unable to find. Third, to show the effectiveness of EBF, we replicate some known vulnerabilities in OpenSSL and CyaSSL (lately WolfSSL) libraries. EBF can detect the bugs in minimum time.

Cryptography and Security

Fatimah Aljaafari,Lucas C. Cordeiro,Mustafa A. Mustafa

DOI: https://doi.org/10.48550/arXiv.2001.09837

2020-01-27

Abstract:Internet of Things (IoT) is a system that consists of a large number of smart devices connected through a network. The number of these devices is increasing rapidly, which creates a massive and complex network with a vast amount of data communicated over that network. One way to protect this data in transit, i.e., to achieve data confidentiality, is to use lightweight encryption algorithms for IoT protocols. However, the design and implementation of such protocols is an error-prone task; flaws in the implementation can lead to devastating security vulnerabilities. These vulnerabilities can be exploited by an attacker and affect users' privacy. There exist various techniques to verify software and detect vulnerabilities. Bounded Model Checking (BMC) and Fuzzing are useful techniques to check the correctness of a software system concerning its specifications. Here we describe a framework called Encryption-BMC and Fuzzing (EBF) using combined BMC and fuzzing techniques. We evaluate the application of EBF verification framework on a case study, i.e., the S-MQTT protocol, to check security vulnerabilities in cryptographic protocols for IoT.

Cryptography and Security,Software Engineering

Pallavi Sivakumaran,Jorge Blasco

DOI: https://doi.org/10.48550/arXiv.2105.03135

2021-05-07

Cryptography and Security

Abstract:Recent high-profile attacks on the Internet of Things (IoT) have brought to the forefront the vulnerability of "smart" devices, and have resulted in numerous IoT-focused security analyses. Many of the attacks had weak device configuration as the root cause. One potential source of rich and definitive information about the configuration of an IoT device is the device's firmware. However, firmware analysis is complex and automated firmware analyses have thus far been confined to devices with more traditional operating systems such as Linux or VxWorks. Most IoT peripherals, due to lacking traditional operating systems and implementing a wide variety of communication technologies, have only been the subject of smaller-scale analyses. Peripheral firmware analysis is further complicated by the fact that such firmware files are predominantly available as stripped binaries, without the ELF headers and symbol tables that would simplify reverse engineering. In this paper, we present argXtract, an open-source automated static analysis tool, which extracts security-relevant configuration information from stripped IoT peripheral firmware. Specifically, we focus on binaries that target the ARM Cortex-M architecture, due to its growing popularity among IoT peripherals. argXtract overcomes the challenges associated with stripped Cortex-M analysis and is able to retrieve arguments to security-relevant supervisor and function calls, enabling automated bulk analysis of firmware files. We demonstrate this via three real-world case studies. The largest case study covers a dataset of 243 Bluetooth Low Energy binaries targeting Nordic Semiconductor chipsets, while the other two focus on Nordic ANT and STMicroelectronics BlueNRG binaries. The results reveal widespread lack of security and privacy controls in IoT, such as minimal or no protection for data, fixed passkeys and trackable device addresses.

Urvashi Sangwan

DOI: https://doi.org/10.52783/jes.3233

2024-05-02

Abstract:Through the network's infrastructure, the IoT can impart perception, recognition, and remote control to inanimate objects. Due to IoT's characteristics, it's possible to integrate the real world into a digital system, which improves precision, productivity, and bottom line. While traditional internet infrastructure comprises of highly capable computers and servers, IoT gadgets have limited processing power and storage space. The authentication and key agreement system SecureAuthKey is very lightweight. The suggested technique is meant to solve the security and privacy problems that plague modern constraint-based CPS programmes. A lightweight approach for authenticating cyber-physical objects is one of the expected outcomes. Adaptation and autonomy in cyber-physical systems need not be compromised by a lack of trust or security in users' data or the devices themselves, according to a new type of security algorithm. To provide flexibility and scalability, a new middleware module has been developed on the Raspberry platform to facilitate communication between CPS-based devices and services. Secure Internet of Things (IoT) evaluation methodology that may be used in a variety of contexts and is user-focused. With the suggested system, the two CPS units will be able to authenticate one another. When a network grows larger, the possibility of an attack rises. Therefore, the IoT network is much more susceptible to attacks than conventional networks. As the number of connected devices grows, so do the number of potential threats to their security. To protect the IoT ecosystem from current threats, cutting-edge technology is essential. The proposed approach must be very efficient and have low computational overheads. It creates random session keys to protect wireless transmissions. The system is protected from a variety of cyber threats. The current constraint-based CPS system requires a new lightweight security solution.

Mattia Paccamiccio,Leonardo Mostarda

DOI: https://doi.org/10.1007/978-3-030-99619-2_24

2022-05-08

Abstract:The importance of information security dramatically increased and will further grow due to the shape and nature of the modern computing industry. Software is published at a continuously increasing pace. The Internet of Things and security protocols are two examples of domains that pose a great security challenge, due to how diverse the needs for those software may be, and a generalisation of the capabilities regarding the toolchain necessary for testing is becoming a necessity. Oftentimes, these software are designed starting from a formal model, which can be verified with appropriate model checkers. These models, though, do not represent the actual implementation, which can deviate from the model and hence certain security properties might not be inherited from the model, or additional issues could be introduced in the implementation. In this paper we describe a proposal for a novel technique to assess software security properties from LLVM bitcode. We perform various static analyses, such as points-to analysis, call graph and control-flow graph, with the aim of deriving from them an 'accurate enough' formal model of the paths taken by the program, which are then going to be examined via consolidated techniques by matching them against a set of defined rules. The proposed workflow then requires further analysis with more precise methods if a rule is violated, in order to assess the actual feasibility of such path(s). This step is required as the analyses performed to derive the model to analyse are over-approximating the behaviour of the software.

Cryptography and Security

Davide Zoni,Andrea Galimberti,Davide Galli

2024-07-25

Abstract:Attacks based on side-channel analysis (SCA) pose a severe security threat to modern computing platforms, further exacerbated on IoT devices by their pervasiveness and handling of private and critical data. Designing SCA-resistant computing platforms requires a significant additional effort in the early stages of the IoT devices' life cycle, which is severely constrained by strict time-to-market deadlines and tight budgets. This manuscript introduces a hardware-software framework meant for SCA research on FPGA targets. It delivers an IoT-class system-on-chip (SoC) that includes a RISC-V CPU, provides observability and controllability through an ad-hoc debug infrastructure to facilitate SCA attacks and evaluate the platform's security, and streamlines the deployment of SCA countermeasures through dedicated hardware and software features such as a DFS actuator and FreeRTOS support. The open-source release of the framework includes the SoC, the scripts to configure the computing platform, compile a target application, and assess the SCA security, as well as a suite of state-of-the-art SCA attacks and countermeasures. The goal is to foster its adoption and novel developments in the field, empowering designers and researchers to focus on studying SCA countermeasures and attacks while relying on a sound and stable hardware-software platform as the foundation for their research.

Cryptography and Security,Hardware Architecture

Avani Dave,Nilanjan Banerjee,Chintan Patel

2023-04-23

Abstract:With the increased utilization, the small embedded and IoT devices have become an attractive target for sophisticated attacks that can exploit the devices security critical information and data in malevolent activities. Secure boot and Remote Attestation (RA) techniques verifies the integrity of the devices software state at boot-time and runtime. Correct implementation and formal verification of these security primitives provide strong security guarantees and enhance user confidence. The formal verification of these security primitives is considered challenging, as it involves complex hardware software interactions, semantics gaps and requires bit-precise reasoning. To address these challenges, this paper presents FVCARE an end to end system co-verification framework. It also defines the security properties for resilient small embedded systems. FVCARE divides the end to end system co verification problem into two modules: 1) verifying the (bit precise) initial system settings, registers, and access control policies by hardware verification techniques, and 2) verifying the system specification, security properties, and functional correctness using source-level software abstraction of the hardware. The evaluation of proposed techniques on SRACARE based systems demonstrates its efficacy in security co verification.

Cryptography and Security,Hardware Architecture

Sören Tempel,Tristan Bruns

DOI: https://doi.org/10.48550/arXiv.2005.09516

2020-05-19

Abstract:We present an integration of a safe C dialect, Checked C, for the Internet of Things operating system RIOT. We utilize this integration to convert parts of the RIOT network stack to Checked C, thereby achieving spatial memory safety in these code parts. Similar to prior research done on IoT operating systems and safe C dialects, our integration of Checked C remains entirely optional, i.e. compilation with a standard C compiler not supporting the Checked C language extension is still possible. We believe this to be the first proposed integration of a safe C dialect for the RIOT operating system. We present an incremental process for converting RIOT modules to Checked C, evaluate the overhead introduced by the conversions, and discuss our general experience with utilizing Checked C in the Internet of Things domain.

Programming Languages,Cryptography and Security

Hezam Akram Abdulghani,Anastasija Collen,Niels Alexander Nijdam

DOI: https://doi.org/10.3390/s23084174

2023-04-21

Abstract:Internet of Things (IoT) faces security concerns different from existing challenges in conventional information systems connected through the Internet because of their limited resources and heterogeneous network setups. This work proposes a novel framework for securing IoT objects, the key objective of which is to assign different Security Level Certificates (SLC) for IoT objects according to their hardware capabilities and protection measures implemented. Objects with SLCs, therefore, will be able to communicate with each other or with the Internet in a secure manner. The proposed framework is composed of five phases, namely: classification, mitigation guidelines, SLC assignment, communication plan, and legacy integration. The groundwork relies on the identification of a set of security attributes, termed security goals. By performing an analysis on common IoT attacks, we identify which of these security goals are violated for specific types of IoT. The feasibility and application of the proposed framework is illustrated at each phase using the smart home as a case study. We also provide qualitative arguments to demonstrate how the deployment of our framework solves IoT specific security challenges.

Nabeil Eltayieb,Rashad Elhabob,Yongjian Liao,Fagen Li,Shijie Zhou

DOI: https://doi.org/10.1016/j.jisa.2024.103763

IF: 4.96

2024-01-01

Journal of Information Security and Applications

Abstract:The Snowden leaks exposed the truth that skilled attackers can access users’ devices and steal their private information. Although public key encryption is widely used and theoretically secure, it has hidden vulnerabilities when implemented in practice. This is especially problematic when employing communication channels among heterogeneous protocols within the Internet of Things (IoT), it becomes apparent that these channels lack adequate protection to address the diverse nature of IoT systems. This work proposes a novel Heterogeneous Online/Offline Signcryption with Cryptographic Reverse Firewalls (HOOS-CRF). The scheme enables a secure communication channel between the sender in an Identity-based cryptosystem (IBC) and the receiver in the Public Key Infrastructure (PKI) cryptosystem with CRF deployed. To reduce computational costs, we split the signcryption algorithm into two stages: online and offline. Most resource-intensive operations are performed during the offline stage, which operates without any knowledge of the message being processed. The HOOS-CRF scheme provides confidentiality, authentication, and defense against insider security attacks. Meanwhile, we prove the security of the HOOS-CRF using the random oracle model and demonstrate its high efficiency and practicality through experiments. Lastly, the scheme’s relevance to IoT-driven healthcare applications is demonstrated.

Fursan Thabit,Ozgu Can,Asia Othman Aljahdali,Ghaleb H. Al-Gaphari,Hoda A. Alkhzaimi

DOI: https://doi.org/10.1016/j.iot.2023.100759

IF: 5.711

2023-07-01

Internet of Things

Abstract:In today's fast-paced world, a new technology paradigm known as the Internet of Things (IoT) is advancing every business. It provides communication between the digital and physical worlds, transforming the way people do business quickly. The IoT is a network of physical objects (things) equipped with sensors, intelligent networking, radio-frequency identification (RFID), and other technologies that communicate and exchange data with other systems and devices online. IoT applications are now significantly more prevalent worldwide. IoT is driving the real world to become more intelligent in several industries, including smart grids for electricity, intelligent traffic, and smart homes and buildings. As a result, predictions and research point to over 50 billion connected devices by 2020. It will be required to safeguard this growing volume of data during exchange because the amount of data being transmitted will be quite enormous. Data security is represented by cryptography, an essential tool (algorithms) in security, which is why many researchers are developing cryptographic algorithms to improve the Security of IoT. This survey paper introduced an overview of IoT technology, architecture, and applications and a detailed analysis comparing all cryptographic algorithms and their use in day-to-day life activities. This paper discusses lightweight block ciphers, stream ciphers, and hybrid ciphers. The report evaluates security algorithms, comparing performance and robustness with the computational complexity of these techniques. Finally, the survey presents IoT security challenges, threats, and attacks with their mitigation techniques.

Vishal A. Thakor,Mohammad Abdur Razzaque,Muhammad R. A. Khandaker

DOI: https://doi.org/10.1109/access.2021.3052867

IF: 3.9

2021-01-01

IEEE Access

Abstract:IoT is becoming more common and popular due to its wide range of applications in various domains. They collect data from the real environment and transfer it over the networks. There are many challenges while deploying IoT in a real-world, varying from tiny sensors to servers. Security is considered as the number one challenge in IoT deployments, as most of the IoT devices are physically accessible in the real world and many of them are limited in resources (such as energy, memory, processing power and even physical space). In this paper, we are focusing on these resource-constrained IoT devices (such as RFID tags, sensors, smart cards, etc.) as securing them in such circumstances is a challenging task. The communication from such devices can be secured by a mean of lightweight cryptography, a lighter version of cryptography. More than fifty lightweight cryptography (plain encryption) algorithms are available in the market with a focus on a specific application(s), and another 57 algorithms have been submitted by the researchers to the NIST competition recently. To provide a holistic view of the area, in this paper, we have compared the existing algorithms in terms of implementation cost, hardware and software performances and attack resistance properties. Also, we have discussed the demand and a direction for new research in the area of lightweight cryptography to optimize balance amongst cost, performance and security.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sunil Kumar,Dilip Kumar,Ramraj Dangi,Gaurav Choudhary,Nicola Dragoni,Ilsun You

DOI: https://doi.org/10.32604/cmc.2023.047084

2024-01-01

Abstract:The widespread and growing interest in the Internet of Things (IoT) may be attributed to its usefulness in many different fields. Physical settings are probed for data, which is then transferred via linked networks. There are several hurdles to overcome when putting IoT into practice, from managing server infrastructure to coordinating the use of tiny sensors. When it comes to deploying IoT, everyone agrees that security is the biggest issue. This is due to the fact that a large number of IoT devices exist in the physical world and that many of them have constrained resources such as electricity, memory, processing power, and square footage. This research intends to analyse resource-constrained IoT devices, including RFID tags, sensors, and smart cards, and the issues involved with protecting them in such restricted circumstances. Using lightweight cryptography, the information sent between these gadgets may be secured. In order to provide a holistic picture, this research evaluates and contrasts well-known algorithms based on their implementation cost, hardware/software efficiency, and attack resistance features. We also emphasised how essential lightweight encryption is for striking a good cost-to-performance-to-security ratio.

computer science, information systems,materials science, multidisciplinary

Haroon Mahmood,Maliha Arshad,Irfan Ahmed,Sana Fatima,Hafeez ur Rehman

DOI: https://doi.org/10.1016/j.fsidi.2024.301748

IF: 1.805

2024-04-06

Forensic Science International Digital Investigation

Abstract:Internet of Things (IoT) systems often consist of heterogeneous, resource-constrained devices that generate massive amounts of data. This data is important for assessments, behaviour analysis, and decision-making. However, IoT devices are also susceptible to cyber-attacks, such as information theft, personal device intervention, and privacy invasion. In case of an incident, these devices are subject to digital forensic investigation to identify and analyze crimes and misuse. Over the years, several forensic frameworks and techniques have been proposed to facilitate the investigation of IoT networks and devices, but finding a perfect solution that covers the diversity of IoT devices and networks is still a research challenge. In this study, we present a comparative analysis of existing forensic investigation frameworks and identify their strengths and weaknesses in handling forensic challenges of IoT devices. The study uses evaluation metrics of ten important parameters, including heterogeneity, scalability, and chain of custody, to thoroughly audit the effectiveness of these models. Our analysis concludes that the existing investigation frameworks do not cater to all requirements and aspects of IoT forensics. It further highlights the need for standard mechanisms to acquire and analyze digital artifacts in IoT devices.

computer science, information systems, interdisciplinary applications

Praneet Singh,Kedar Deshpande

DOI: https://doi.org/10.48550/arXiv.1812.02220

2018-12-06

Abstract:With the advent of Internet of Things (IoT) and the increasing use of application-based processors, security infrastructure needs to be examined on some widely-used IoT hardware architectures. Applications in today's world are moving towards IoT concepts as this makes them fast, efficient, modular and future-proof. However, this leads to a greater security risk as IoT devices thrive in an ecosystem of co-existence and interconnection. As a result of these security risks, it is of utmost importance to test the existing cryptographic ciphers on such devices and determine if they are viable in terms of swiftness of execution time and memory consumption efficiency. It is also important to determine if there is a requirement to develop new lightweight cryptographic ciphers for these devices. This paper hopes to accomplish the above-mentioned objective by testing various encryption-decryption techniques on different IoT based devices and creating a comparison of execution speeds between these devices for a variety of different data sizes. Keywords-Internet of things(IoT), application-based processors, security, encryption-decryption, speed, efficiency

Cryptography and Security

Nada Alhirabi,Omer Rana,Charith Perera

DOI: https://doi.org/10.1145/3437537

2021-02-28

ACM Transactions on Internet of Things

Abstract:The design and development process for internet of things (IoT) applications is more complicated than that for desktop, mobile, or web applications. First, IoT applications require both software and hardware to work together across many different types of nodes with different capabilities under different conditions. Second, IoT application development involves different types of software engineers such as desktop, web, embedded, and mobile to work together. Furthermore, non-software engineering personnel such as business analysts are also involved in the design process. In addition to the complexity of having multiple software engineering specialists cooperating to merge different hardware and software components together, the development process requires different software and hardware stacks to be integrated together (e.g., different stacks from different companies such as Microsoft Azure and IBM Bluemix). Due to the above complexities, non-functional requirements (such as security and privacy, which are highly important in the context of the IoT) tend to be ignored or treated as though they are less important in the IoT application development process. This article reviews techniques, methods, and tools to support security and privacy requirements in existing non-IoT application designs, enabling their use and integration into IoT applications. This article primarily focuses on design notations, models, and languages that facilitate capturing non-functional requirements (i.e., security and privacy). Our goal is not only to analyse, compare, and consolidate the empirical research but also to appreciate their findings and discuss their applicability for the IoT.

Thomas Nyman,Jan-Erik Ekberg,Lucas Davi,N. Asokan

DOI: https://doi.org/10.48550/arXiv.1706.05715

2017-06-19

Abstract:With the increasing scale of deployment of Internet of Things (IoT), concerns about IoT security have become more urgent. In particular, memory corruption attacks play a predominant role as they allow remote compromise of IoT devices. Control-flow integrity (CFI) is a promising and generic defense technique against these attacks. However, given the nature of IoT deployments, existing protection mechanisms for traditional computing environments (including CFI) need to be adapted to the IoT setting. In this paper, we describe the challenges of enabling CFI on microcontroller (MCU) based IoT devices. We then present CaRE, the first interrupt-aware CFI scheme for low-end MCUs. CaRE uses a novel way of protecting the CFI metadata by leveraging TrustZone-M security extensions introduced in the ARMv8-M architecture. Its binary instrumentation approach preserves the memory layout of the target MCU software, allowing pre-built bare-metal binary code to be protected by CaRE. We describe our implementation on a Cortex-M Prototyping System and demonstrate that CaRE is secure while imposing acceptable performance and memory impact.

Cryptography and Security