Dongyang Zhan,Zhaofeng Yu,Xiangzhan Yu,Hongli Zhang,Lin Ye

DOI: https://doi.org/10.1109/tsc.2022.3173791

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:Linux Seccomp is widely used by the program developers and the system maintainers to secure the operating systems, which can block unused syscalls for different applications and containers to shrink the attack surface of the operating systems. However, it is difficult to configure the whitelist of a container or application without the help of program developers. Docker containers block about only 50 syscalls by default, and lots of unblocked useless syscalls introduce a big kernel attack surface. To obtain the dependent syscalls, dynamic tracking is a straight-forward approach but it cannot get the full syscall list. Static analysis can construct an over-approximated syscall list, but the list contains many false positives. In this paper, a systematic dependent syscall analysis approach, sysverify, is proposed by combining static analysis and dynamic verification together to shrink the kernel attack surface. The semantic gap between the binary executables and syscalls is bridged by analyzing the binary and the source code, which builds the mapping between the library APIs and syscalls systematically. To further reduce the attack surface at best effort, we propose a dynamic verification approach to intercept and analyze the security of the invocations of indirect-call-related or rarely invoked syscalls with low overhead.

Borui Li,Wei Dong

DOI: https://doi.org/10.1109/tc.2021.3129367

IF: 3.183

2022-01-01

IEEE Transactions on Computers

Abstract:IoT application development usually involves separate programming at the device side and server side. While separate programming style is sufficient for many simple applications, it is not suitable for many complex applications that involve complex interactions and intensive data processing. We propose EdgeProg, an edge-centric programming approach to simplify IoT application programming, motivated by the increasing popularity of edge computing. With EdgeProg, users could write application logic in a centralized manner with an augmented If-This-Then-That (IFTTT) syntax and virtual sensor mechanism. The program can be processed at the edge server, which can automatically generate the actual application code and intelligently partition the code into device code and server code, for achieving the optimal latency. EdgeProg employs dynamic linking and loading to deploy the device code on a variety of IoT devices, which do not run any application-specific codes at the start. Results show that EdgeProg achieves an average reduction of 20.96%, 27.8% and 79.41% in terms of execution latency, energy consumption, and lines of code compared with state-of-the-art approaches.

Tong Sun,Borui Li,Yixiao Teng,Yi Gao,Wei Dong

DOI: https://doi.org/10.1109/ipsn61024.2024.00021

2024-01-01

Abstract:Internet of Things (IoT) applications have recently been widely used in safety-critical scenarios. To prevent sensitive information leaks, IoT device vendors provide hardware-assisted protections, called Trusted Execution Environments (TEEs), like ARM Trust-Zone. Programming a TEE-based application requires separate code for two components, significantly slowing down the development process. Existing solutions tackle this issue by automatic code partition while not successfully applying it in two complicated scenarios: adding trusted logic and interactions with secure peripherals.We propose dTEE, a declarative approach to secure IoT applications based on TrustZone. dTEE proposes a rapid approach that enables developers to declare tiered-sensitive variables and functions of existing applications. Besides, dTEE automatically transforms device drivers into trusted ones. We evaluate dTEE on four real-world IoT applications and seven micro-benchmarks. Results show that dTEE achieves high expressiveness for supporting 50% more applications than existing approaches and reduces 90% of the lines of code against handcrafted development.

Borui Li,Wei Dong

DOI: https://doi.org/10.1109/icdcs47774.2020.00038

2020-01-01

Abstract:IoT application development usually involves separate programming at the device side and server side. While separate programming style is sufficient for many simple applications, it is not suitable for many complex applications that involve complex interactions and intensive data processing. We propose EdgeProg, an edge-centric programming approach to simplify IoT application programming, motivated by the increasing popularity of edge computing. With EdgeProg, users could write application logic in a centralized manner with an augmented If-This-Then-That (IFTTT) syntax and virtual sensor mechanism. The program can be processed at the edge server, which can automatically generate the actual application code and intelligently partition the code into device code and server code, for achieving the optimal latency. EdgeProg employs dynamic linking and loading to deploy the device code on a variety of IoT devices, which do not run any application-specific codes at the start. Results show that EdgeProg achieves an average reduction of 20.96% and 79.41% in terms of execution latency and lines of code, compared with state-of-the-art approaches.

D. Tian,Dongyan Xu,Arslan Khan

DOI: https://doi.org/10.1109/SP46215.2023.10179285

2023-05-01

Abstract:Embedded systems comprise of low-power microcontrollers and constitute computing systems from IoT nodes to supercomputers. Unfortunately, due to the low power constraint, the security of these systems is often overlooked, leaving a huge attack surface. For instance, an attacker compromising a user task can access any kernel data structure. Existing work has applied compartmentalization to reduce the attack surface, but these systems either incur a high runtime overhead or require major modifications to existing firmware. In this paper, we present Embedded Compartmentalizer (EC), a comprehensive and automatic compartmentalization toolchain for Real-Time Operating Systems (RTOSs) and baremetal firmware. EC provides the Embedded Compartmentalizer Compiler (ECC) to automatically partition firmware into different compartments and enforces memory protection among them using the Embedded Compartmentalizer Kernel (ECK), a formally verified microkernel implementing a novel architecture for compartmentalizing firmware using intra-kernel isolation. Our evaluation shows that EC is 1.2x faster than state-of-the-art systems and can achieve up to 96.2% ROP gadget reduction in firmwares. EC provides a low-cost, practical, and effective compartmentalization solution for embedded systems with memory protection and debug hardware extension.

Engineering,Computer Science

Yao Yao,Wei Zhou,Yan Jia,Lipeng Zhu,Peng Liu,Yuqing Zhang

DOI: https://doi.org/10.1007/978-3-030-29959-0_31

2019-01-01

Abstract:With the rapid proliferation of IoT devices, we have witnessed increasing security breaches targeting IoT devices. To address this, considerable attention has been drawn to the vulnerability discovery of IoT firmware. However, in contrast to the traditional firmware bugs/vulnerabilities (e.g. memory corruption), the privilege separation model in IoT firmware has not yet been systematically investigated. In this paper, we conducted an in-depth security analysis of the privilege separation model of IoT firmware and identified a previously unknown vulnerability called privilege separation vulnerability. By combining loading information extraction, library function recognition and symbolic execution, we developed Gerbil, a firmware-analysis-specific extension of the Angr framework for analyzing binaries to effectively identify privilege separation vulnerabilities in IoT firmware. So far, we have evaluated Gerbil on 106 real-world IoT firmware images (100 of which are bare-metal and RTOS-based device firmware. Gerbil have successfully detected privilege separation vulnerabilities in 69 of them. We have also verified and exploited the privilege separation vulnerabilities in several popular smart devices including Xiaomi smart gateway, Changdi smart oven and TP-Link smart WiFi plug. Our research demonstrates that an attacker can leverage the privilege separation vulnerability to launch a border spectrum of attacks such as malicious firmware replacement and denial of service.

Wei Liu,Haihang Niu,Weifeng Luo,Wei Deng,Haitao Wu,Shanglin Dai,Zhongwei Qiao,Wei Feng

DOI: https://doi.org/10.1109/aeeca49918.2020.9213603

2020-01-01

Abstract:With the development of the Internet of Things (IoT), it has been widely deployed. As many embedded devices are connected to the network and massive amounts of security-sensitive data are stored in these devices, embedded devices in IoT have become the target of attackers. The trusted computing is a key technology to guarantee the security and trustworthiness of devices’ execution environment. This paper focuses on security problems on IoT devices, and proposes a security architecture for IoT devices based on the trusted computing technology. This paper implements a security management system for IoT devices, which can perform integrity measurement, real-time monitoring and security management for embedded applications, providing a safe and reliable execution environment and whitelist-based security protection for IoT devices. This paper also designs and implements an embedded security protection system based on trusted computing technology, containing a measurement and control component in the kernel and a remote graphical management interface for administrators. The kernel layer enforces the integrity measurement and control of the embedded application on the device. The graphical management interface communicates with the remote embedded device through the TCP/IP protocol, and provides a feature-rich and user-friendly interaction interface. It implements functions such as knowledge base scanning, whitelist management, log management, security policy management, and cryptographic algorithm performance testing.

Jiajie Ling,Siwei Miao,Xiaojuan Zhang,Changyu Chen,Cheng Peng,Quanyuan Jiang

DOI: https://doi.org/10.1109/ei250167.2020.9346941

2020-01-01

Abstract:With the accelerating development of the Internet of Things (IoT), its applications in power system are gradually becoming various and comphcated, followed by the diversity of relevant technical requirements. In order to identify the characteristics of these requirements of IoT in power system, this paper proposes a refined characterization approach to define, classify and summarize them from three different aspects, namely, performance-criticaL security-critical and reachability critical. In multiple IoT enabled apphcation scenarios, performance-critical index and security-critical index mainly focus on data transmission and calculation, while reachability-critical index focuses on the communication coverage and quality of service, which creates a new perspective to characterize power system IoT applications and their technical requirements.

Lirong Fu,Shouling Ji,Kangjie Lu,Peiyu Liu,Xuhong Zhang,Yuxuan Duan,Zihui Zhang,Wenzhi Chen,Yanjun Wu

DOI: https://doi.org/10.1145/3460120.3484738

2021-01-01

Abstract:To reduce the development costs, IoT vendors tend to construct IoT kernels by customizing the Linux kernel. Code pruning is common in this customization process. However, due to the intrinsic complexity of the Linux kernel and the lack of long-term effective maintenance, IoT vendors may mistakenly delete necessary security operations in the pruning process, which leads to various bugs such as memory leakage and NULL pointer dereference. Yet detecting bugs caused by code pruning in IoT kernels is difficult. Specifically, (1) a significant structural change makes precisely locating the deleted security operations (DSO ) difficult, and (2) inferring the security impact of a DSO is not trivial since it requires complex semantic understanding, including the developing logic and the context of the corresponding IoT kernel. In this paper, we present CPscan, a system for automatically detecting bugs caused by code pruning in IoT kernels. First, using a new graph-based approach that iteratively conducts a structure-aware basic block matching, CPscan can precisely and efficiently identify theDSOs in IoT kernels. Then, CPscan infers the security impact of a DSO by comparing the bounded use chains (where and how a variable is used within potentially influenced code segments) of the security-critical variable associated with it. Specifically, CPscan reports the deletion of a security operation as vulnerable if the bounded use chain of the associated security-critical variable remains the same before and after the deletion. This is because the unchanged uses of a security-critical variable likely need the security operation, and removing it may have security impacts. The experimental results on 28 IoT kernels from 10 popular IoT vendors show that CPscan is able to identify 3,193DSO s and detect 114 new bugs with a reasonably low false-positive rate. Many such bugs tend to have a long latent period (up to 9 years and 5 months). We believe CPscan paves a way for eliminating the bugs introduced by code pruning in IoT kernels. We will open-source CPscan to facilitate further research.

Binbin Zhao,Shouling Ji,Jiacheng Xu,Yuan Tian,Qiuyang Wei,Qinying Wang,Chenyang Lyu,Xuhong Zhang,Changting Lin,Jingzheng Wu,Raheem Beyah

DOI: https://doi.org/10.1109/tdsc.2023.3279846

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement FirmSec, which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on FirmSec, we present the first large-scale analysis of the security risks raised by TPCs on 34,136 firmware images. We successfully detect 584 TPCs and identify 128,757 vulnerabilities caused by 429 CVEs. Our in-depth analysis reveals the diversity of security risks in firmware and discovers some well-known vulnerabilities are still rooted in firmware. Besides, we explore the geographical distribution of vulnerable devices and confirm that the security situation of devices in different regions varies. Our analysis also indicates that vulnerabilities caused by TPCs in firmware keep growing with the boom of the IoT ecosystem. Further analysis shows 2,478 commercial firmware images have potentially violated GPL/AGPL licensing terms.

Pallavi Sivakumaran,Jorge Blasco

DOI: https://doi.org/10.48550/arXiv.2105.03135

2021-05-07

Cryptography and Security

Abstract:Recent high-profile attacks on the Internet of Things (IoT) have brought to the forefront the vulnerability of "smart" devices, and have resulted in numerous IoT-focused security analyses. Many of the attacks had weak device configuration as the root cause. One potential source of rich and definitive information about the configuration of an IoT device is the device's firmware. However, firmware analysis is complex and automated firmware analyses have thus far been confined to devices with more traditional operating systems such as Linux or VxWorks. Most IoT peripherals, due to lacking traditional operating systems and implementing a wide variety of communication technologies, have only been the subject of smaller-scale analyses. Peripheral firmware analysis is further complicated by the fact that such firmware files are predominantly available as stripped binaries, without the ELF headers and symbol tables that would simplify reverse engineering. In this paper, we present argXtract, an open-source automated static analysis tool, which extracts security-relevant configuration information from stripped IoT peripheral firmware. Specifically, we focus on binaries that target the ARM Cortex-M architecture, due to its growing popularity among IoT peripherals. argXtract overcomes the challenges associated with stripped Cortex-M analysis and is able to retrieve arguments to security-relevant supervisor and function calls, enabling automated bulk analysis of firmware files. We demonstrate this via three real-world case studies. The largest case study covers a dataset of 243 Bluetooth Low Energy binaries targeting Nordic Semiconductor chipsets, while the other two focus on Nordic ANT and STMicroelectronics BlueNRG binaries. The results reveal widespread lack of security and privacy controls in IoT, such as minimal or no protection for data, fixed passkeys and trackable device addresses.

Junlong Zhou,Jin Sun,Peijin Cong,Zhe Liu,Xiumin Zhou,Tongquan Wei,Shiyan Hu

DOI: https://doi.org/10.1109/tsc.2019.2963301

IF: 11.019

2020-01-01

IEEE Transactions on Services Computing

Abstract:Internet of Things (IoT) devices, such as intelligent road side units and video-based detectors, are being deployed in emerging applications like sustainable and intelligent transportation systems. The primary obstacles against the development of these IoT devices are various security threats and huge energy consumption. In this article, we study the problem of scheduling tasks onto a heterogeneous multiprocessor system on a chip (MPSoC) deployed in IoT for optimizing quality of security under energy, real-time, and task precedence constraints. We first provide a mixed-integer linear programming (MILP) formulation for allocating and scheduling dependent tasks with energy and real-time constraints on a heterogeneous MPSoC system to maximize system quality of security. In order to efficiently solve the formulated MILP, we then propose an analysis-based two-stage scheme that determines the allocation, operating frequency, and security service of tasks to maximize system quality of security while satisfying the design constraints. We finally carry out extensive simulation experiments to validate our proposed two-stage scheme and MILP approach. Simulation results demonstrate that the proposed two-stage scheme outperforms a number of representative existing approaches in saving energy and improving system quality of security. The results also show that the proposed MILP approach can achieve the best performance and the proposed two-stage scheme has a close performance to the MILP approach.

Liang DENG,Qing-Kai ZENG

DOI: https://doi.org/10.13328/j.cnki.jos.005017

2016-01-01

Abstract:In commodity OS, the OS kernel runs in the highest privilege layer to manage hardware resources and provides system services. Thus, security-sensitive applications are vulnerable to compromises the underlying untrusted kernel. In this paper, an approach named AppFort is proposed to protect applications from an untrusted OS kernel. To address the high overheads of existing solutions, AppFort makes use of the unique combination of an x86 hardware feature (operand address size), kernel code integrity protection and kernel control flow integrity protection, to intercept and verify both hardware and software operations of the untrusted kernel. As a result, AppFort efficiently protects application's memory, control flows and file I/O, even if the kernel is fully compromised. Experimental results demonstrate that AppFort only incurs very small overhead, which is much better than previous work.

Xu Zhou,Pengfei Wang,Lei Zhou,Peng Xun,Kai Lu

DOI: https://doi.org/10.3390/s23229221

2023-11-16

Abstract:Embedded devices are pervasive nowadays with the rapid development of the Internet of Things (IoT). This brings significant security issues that make the security analysis of embedded devices important. This paper presents a survey on the security analysis research of embedded devices. First, we analyze the embedded device types and their operating systems. Then, we describe a major dynamic security analysis method for an embedded device, i.e., simulating the firmware of the embedded device and performing fuzzing on the web interface provided by the firmware. Third, we discuss some other issues in embedded security analysis, such as analyzing the attack surface, applying static analysis, and performing large-scale analysis. Based on these analyses, we finally conclude three challenges in the current research and present our insights for future research directions.

Hanlin Zhang,Jia Yu,Mohammad S. Obaidat,Pandi Vijayakumar,Linqiang Ge,Jie Lin,Jianxi Fan,Rong Hao

DOI: https://doi.org/10.1109/tcss.2020.3030904

2022-01-01

IEEE Transactions on Computational Social Systems

Abstract:Devices in the Internet-of-Things (IoT) are networked and perform massive computations to support various social IoT systems. Applications in social IoT systems often involve complicated computations that are out of the computation capacity of some resource-constrained IoT devices. Thus, how to enable resource-constrained IoT devices to accomplish complex computations efficiently and securely is of significant importance. To address this problem, we develop a secure edge-aided computation scheme for the social IoT systems. We scope the framework of edge-aided computations and identify the security threats in such a system. We define the security requirements that the outsourcing algorithms should meet. Then, we provide two examples of secure outsourcing algorithms (matrix multiplication and modular exponentiation) that meet the given security requirements. The efficiency and security of the proposed algorithms are supported through the theoretical analysis and experimental results.

Peiying Zhang,Chunxiao Jiang,Xue Pang,Yi Qian

DOI: https://doi.org/10.48550/arXiv.2202.04300

2022-02-09

Networking and Internet Architecture

Abstract:To a large extent, the deployment of edge computing (EC) can reduce the burden of the explosive growth of the Internet of things. As a powerful hub between the Internet of things and cloud servers, edge devices make the transmission of cloud to things no longer complicated. However, edge nodes are faced with a series of problems, such as large number, a wide range of distribution, and complex environment, the security of edge computing should not be underestimated. Based on this, we propose a tactic to improve the safety of edge computing by virtualizing edge nodes. In detail, first of all, we propose a strategy of edge node partition, virtualize the edge nodes dealing with different types of things into various virtual networks, which are deployed between the edge nodes and the cloud server. Second, considering that different information transmission has different security requirement, we propose a security tactic based on security level measurement. Finally, through simulation experiments, we compare with the existing advanced algorithms which are committed to virtual network security, and prove that the model proposed in this paper has definite progressiveness in enhancing the security of edge computing.

Ioannis Angelakopoulos,G. Stringhini,Manuel Egele

Abstract:The Linux-based firmware running on Internet of Things (IoT) devices is complex and consists of user level programs as well as kernel level code. Both components have been shown to have serious security vulnerabilities, and the risk linked to kernel vulnerabilities is particularly high, as these can lead to full system compromise. However, previous work only focuses on the user space component of embedded firmware. In this paper, we present Firm ware Sol uti o n ( FirmSolo ), a system designed to incorporate the kernel space into firmware analysis. FirmSolo features the Kernel Configuration Reverse Engineering (K.C.R.E.) process that leverages information (i.e., exported and required symbols and version magic) from the kernel modules found in firmware images to build a kernel that can load the modules within an emulated environment. This capability allows downstream analysis to broaden their scope into code executing in privileged mode. We evaluated FirmSolo on 1,470 images containing 56,688 kernel modules where it loaded 64% of the kernel modules. To demonstrate how FirmSolo aids downstream analysis, we integrate it with two representative analysis systems; the TriforceAFL kernel fuzzer and Firmadyne, a dynamic firmware analysis tool originally devoid of kernel mode analysis capabilities. Our TriforceAFL experiments on a subset of 75 kernel modules discovered 19 previously-unknown bugs in 11 distinct proprietary modules. Through Firmadyne we confirmed the presence of these previously-unknown bugs in 84 firmware images. Furthermore, by using FirmSolo , Firmadyne confirmed a previously-known memory corruption vulnerability in five different versions of the closed-source Kcodes’ NetUSB module across 15 firmware images.

Engineering,Computer Science

Mattia Paccamiccio,Leonardo Mostarda

DOI: https://doi.org/10.1007/978-3-030-99619-2_24

2022-05-08

Abstract:The importance of information security dramatically increased and will further grow due to the shape and nature of the modern computing industry. Software is published at a continuously increasing pace. The Internet of Things and security protocols are two examples of domains that pose a great security challenge, due to how diverse the needs for those software may be, and a generalisation of the capabilities regarding the toolchain necessary for testing is becoming a necessity. Oftentimes, these software are designed starting from a formal model, which can be verified with appropriate model checkers. These models, though, do not represent the actual implementation, which can deviate from the model and hence certain security properties might not be inherited from the model, or additional issues could be introduced in the implementation. In this paper we describe a proposal for a novel technique to assess software security properties from LLVM bitcode. We perform various static analyses, such as points-to analysis, call graph and control-flow graph, with the aim of deriving from them an 'accurate enough' formal model of the paths taken by the program, which are then going to be examined via consolidated techniques by matching them against a set of defined rules. The proposed workflow then requires further analysis with more precise methods if a rule is violated, in order to assess the actual feasibility of such path(s). This step is required as the analyses performed to derive the model to analyse are over-approximating the behaviour of the software.

Cryptography and Security

Liming Fang,Hanyi Zhang,Minghui Li,Chunpeng Ge,Liang Liu,Zhe Liu

DOI: https://doi.org/10.1109/jiot.2020.2996664

IF: 10.6

2020-09-01

IEEE Internet of Things Journal

Abstract:With the high popularity of IoT devices, industrial IoT platforms, such as smart factories and oilfield industrial control systems, have become a new trend in the development of smart city. Although various manufacturers pay wide attention to the different functional requirements of IoT platforms, they seldom consider security issues, especially in terms of data security, which has led to a large number of cases of privacy leakage. Some works have been made to provide secure and reliable communication solutions for industrial IoT platforms, unfortunately, as different communication protocols and interaction models are adopted in different scenarios, these solutions are mainly isolated and fragmented. Therefore, it is an urgent challenge to construct a universal cross-platform secure communication scheme for industrial IoT platforms. In this article, we analyze the logic and requirements of different industrial IoT scenarios to abstracts them into a universal model. We summarize the possible attacks on different industrial IoT platforms and design a security scheme to capture these attacks based on the conditional proxy re-encryption primitive. The proposed scheme ensures that data cannot be accessed by an unauthorized user. We also evaluate the security and performance of our scheme, and the experimental results show that our scheme can achieve the functionality and security requirements with low overhead.

computer science, information systems,telecommunications,engineering, electrical & electronic

Binbin Zhao,Shouling Ji,Jiacheng Xu,Yuan Tian,Qiuyang Wei,Qinying Wang,Chenyang Lyu,Xuhong Zhang,Changting Lin,Jingzheng Wu,Raheem Beyah

DOI: https://doi.org/10.1145/3533767.3534366

2022-01-01

Abstract:As the core of IoT devices, firmware is undoubtedly vital. Currently, the development of IoT firmware heavily depends on third-party components (TPCs), which significantly improves the development efficiency and reduces the cost. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will turn back influence the security of IoT firmware. Currently, existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement FirmSec, which leverages syntactical features and control-flow graph features to detect the TPCs at version-level in firmware, and then recognizes the corresponding vulnerabilities. Based on FirmSec, we present the first large-scale analysis of the usage of TPCs and the corresponding vulnerabilities in firmware. More specifically, we perform an analysis on 34,136 firmware images, including 11,086 publicly accessible firmware images, and 23,050 private firmware images from TSmart. We successfully detect 584 TPCs and identify 128,757 vulnerabilities caused by 429 CVEs. Our in-depth analysis reveals the diversity of security issues for different kinds of firmware from various vendors, and discovers some well-known vulnerabilities are still deeply rooted in many firmware images. We also find that the TPCs used in firmware have fallen behind by five years on average. Besides, we explore the geographical distribution of vulnerable devices, and confirm the security situation of devices in several regions, e.g., South Korea and China, is more severe than in other regions. Further analysis shows 2,478 commercial firmware images have potentially violated GPL/AGPL licensing terms.