Building Hardened Internet-of-Things Clients with Language-Theoretic Security

Anantharaman, Prashant; Locasto, Michael E.; Ciocarlie, Gabriela F.; Lindqvist, Ulf

doi:10.1109/spw.2017.36

Cited by 13 publications

(11 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fourth, the adapted tests are executed manually or automatically on an execution environment. In the case of IoT, it could be represented by FIT-IoT, 15 where large-scale deployments can be simulated. Finally, test results are collected to detect flaws and non-satisfactory test verdicts.…”

Section: Model-based Testing (Mbt)mentioning

confidence: 99%

“…Moreover, fuzzing testing has also attracted the interest in the IoT ecosystem. In particular, Reference [15] is focused on IoT application-layer protocols by building a set of possible inputs in each state of the protocol state machine. Towards a more general application, Reference [48] designs a fuzzing framework for discovering memory corruption vulnerabilities in IoT devices.…”

Section: Security Testing: Analysis and Applicability To The Iot Contextmentioning

confidence: 99%

See 1 more Smart Citation

A Survey of Cybersecurity Certification for the Internet of Things

et al. 2020

View full text Add to dashboard Cite

In recent years, cybersecurity certification is gaining momentum as the baseline to build a structured approach to mitigate cybersecurity risks in the Internet of Things (IoT). This initiative is driven by industry, governmental institutions, and research communities, which have the goal to make IoT more secure for the end-users. In this survey, we analyze the current cybersecurity certification schemes, as well as the potential challenges to make them applicable for the IoT ecosystem. We also examine current efforts related to risk assessment and testing processes, which are widely recognized as the processes to build a cybersecurity certification framework. Our work provides a multidisciplinary perspective of a possible IoT cybersecurity certification framework by integrating research and technical tools and processes with policies and governance structures, which are analyzed against a set of identified challenges. This survey is intended to give a comprehensive overview of cybersecurity certification to facilitate the definition of a framework that fits in emerging scenarios, such as the IoT paradigm.

show abstract

Section: Model-based Testing (Mbt)mentioning

confidence: 99%

Section: Security Testing: Analysis and Applicability To The Iot Contextmentioning

confidence: 99%

A Survey of Cybersecurity Certification for the Internet of Things

et al. 2020

View full text Add to dashboard Cite

show abstract

“…One of the most popular approaches is represented by penetration testing, in which real-world attacks are simulated to identify vulnerabilities [24]- [26]. Another related approach is fuzzing testing, which is based on using non-valid inputs to stress the SUT [27]- [30]. Fuzzing testing can be classified on data fuzzing testing [31], in which random data are used as an input to test the SUT, and behavioural fuzzing testing [32] that produces sequences of invalid messages.…”

Section: A Security Testing In Iotmentioning

confidence: 99%

“…This way, the CVSS vector, impact-metric, is codified as specified in the CVSS standard (lines 20 and 26). It is possible to add additional information from the different tests, such as the maximum number of simultaneous connections that the server supports (element Value) (lines [27][28][29][30][31][32]. At the end of the TestResult element, it is mandatory the element Score, indicating the total score achieved in the security assessment process.…”

Section: A Assessment Report Generation Based On Xccdfmentioning

confidence: 99%

Extending MUD Profiles Through an Automated IoT Security Testing Methodology

et al. 2019

View full text Add to dashboard Cite

Defining the intended behaviour of IoT devices is considered as a key aspect to detect and mitigate potential security attacks. In this direction, the Manufacturer Usage Description (MUD) has been recently standardised to reduce the attack surface of a certain device through the definition of access control policies. However, the semantic model is only intended to provide network level restrictions for the communication of such device. In order to increase the expressiveness of this approach, we propose the use of an automated IoT security testing methodology, so that testing results are used to generate augmented MUD profiles, in which additional security aspects are considered. For the enforcement of these profiles, we propose the use of different access control technologies addressing application layer security concerns. Furthermore, the methodology is based on the use of Model-Based Testing (MBT) techniques to automate the generation, design and implementation of security tests. Then, we describe the application of the resulting approach to the Elliptic Curve Diffie-Hellman over COSE (EDHOC) protocol, which represents a standardisation effort to build a lightweight authenticated key exchange protocol for IoT constrained scenarios.INDEX TERMS Internet of Things, security testing, MUD, EDHOC.

show abstract

“…Snapins also enable the layering of security proactively at a global control point in a piece of unmodified software [23]. For example, secure input-handling parsing of command inputs to Internet of Things devices via the application of language-theoretic security [1] can avert potential security holes by creating parser-combinators that enforce input validation to prevent malicious data manipulation.…”

Section: Introductionmentioning

confidence: 99%

Dynamic Repair of Mission-Critical Applications with Runtime Snap-Ins

Brady

Bratus

Smith

2019

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

This chapter proposes a solution that provides reliable, non-disruptive updates to critical systems using a novel design pattern called a "snapin," which is able to install replacement routines embedded in shared libraries during system execution. Most system updates are performed in a static or maintenance state. However, dynamically updating software reduces the time required for adding functionality and applying security upgrades. The proposed snap-in solution improves on previous work by adopting the novel approach of using the target's application binary interface to first load shared libraries that contain replacement routines into a running application, supplanting the original routines with replacement routines without having to modify the existing code. An automated toolkit is provided for scanning application binaries and determining where the replacement routines are to be added.

show abstract

Building Hardened Internet-of-Things Clients with Language-Theoretic Security

Cited by 13 publications

References 14 publications

A Survey of Cybersecurity Certification for the Internet of Things

A Survey of Cybersecurity Certification for the Internet of Things

Extending MUD Profiles Through an Automated IoT Security Testing Methodology

Dynamic Repair of Mission-Critical Applications with Runtime Snap-Ins

Contact Info

Product

Resources

About