A Rust library for behaviours assessment in software certification

The majority of Internet of Things (IoT) devices available on the market nowadays present heterogeneity problems and security problems. These devices adopt different protocols to communicate among each other, hence the definition of a series of standards has been necessary to make their interaction possible. Moreover, certification processes have been proposed to analyse manufacturer's products in search of every vulnerability and security threat which might affect firmware and final devices. However, none of these methodologies fully considers the effects which might occur when executing an IoT firmware. Therefore, to fill in this gap, we propose the \textit{behaviours assessment} as a technique which allows a certifier to evaluate whether the effects of firmware operations are in accordance with some established policies. Starting from this model, we have created a library which performs the behaviours assessment using a safe and secure programming language called Rust. We have named this library \textit{manifest-producer}. This library provides APIs to analyse ELF binaries, extract their functions, disassemble machine code, and build call trees to support behaviour evaluation using reverse engineering techniques in an automated way. To demonstrate its potential as an additional tool for IoT certification, we present a proof of concept showing how it helps to assess behaviours in a mock IoT firmware.