The rapid growth of the Internet of Things (IoT) has created a fragmented ecosystem, with no clear rules for security and reliability. This lack of standardization makes IoT devices vulnerable to attacks. IoT firmware certification can address these security concerns. It empowers consumers to make informed choices by readily identifying secure products. Additionally, it incentivizes developers to prioritize secure coding practices, ultimately promoting transparency and trust within the IoT ecosystem. Several existing IoT device certifications (e.g. Cybersecurity Assurance Program, British Standards Institution, ioXt Alliance) prioritize cybersecurity through risk and vulnerability assessments. This paper proposes a complementary approach. Our tool focuses on identifying firmware functionality by analysing system calls through static analysis. This makes it possible to publicly identify the APIs a firmware uses and thereby assess its actual behaviour. The analysis culminates in the generation of JSON manifests, which encapsulate the relevant information gathered during the case study. In particular, this analysis verifies whether the actual behaviour is in line with the developer's statements about the device's functionality, contributing to the security and reliability of a device. To evaluate the tool's performance, we conducted a benchmarking analysis, which demonstrated efficient handling of binaries written in various languages, even those with large file sizes. Future work will focus on refining the API search and syscall collection algorithms, as well as incorporating vulnerability analysis to further strengthen the security of an IoT device.
A tool for IoT Firmware Certification / Bianco, G. M.; Ardito, L.; Valsesia, M. - Electronic. - (2024), pp. 1-7. (Paper presented at the conference ARES 2024: The 19th International Conference on Availability, Reliability and Security, held in Vienna (AUT), 30 July 2024 - 2 August 2024) [10.1145/3664476.3670469].
A tool for IoT Firmware Certification
Bianco G. M.; Ardito L.; Valsesia M.
2024
| File | Type | Licence | Size | Format |
|---|---|---|---|---|
| fw_cert.pdf (open access) | 2. Post-print / Author's Accepted Manuscript | Public - All rights reserved | 909.39 kB | Adobe PDF |
| 3664476.3670469.pdf (open access) | 2a Post-print, publisher's version / Version of Record | Public - All rights reserved | 645.64 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/2991671