DOI: 10.1145/3341105.3373924
ACM Conference Proceedings, research article

Cross-program taint analysis for IoT systems

Published: 30 March 2020

ABSTRACT

Cross-program propagation of tainted data (such as sensitive information or user input) in an interactive IoT system is listed among the OWASP IoT Top 10 most critical security risks. When programs run on distinct devices, as is typical in IoT systems, they communicate through different channels in order to implement some functionality. Hence, in order to prove the overall system secure, an analysis must consider how these components interact. Standard taint analyses detect whether a value coming from a source (such as methods that retrieve user input or sensitive data) flows unsanitized (that is, not properly escaped) into a sink (typically, methods that execute SQL queries or send data over the Internet). This work devises a cross-program taint analysis that leverages an existing intra-program taint analysis to detect security vulnerabilities in multiple communicating programs. The proposed framework has been implemented on top of the intra-program taint analysis of the Julia static analyzer. Preliminary experimental results on multi-program IoT systems, publicly available on GitHub, show that the technique is effective and detects inter-program flows of tainted data that could not be discovered by analyzing each program in isolation.
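The abstract describes the core idea without showing it at work: an intra-program taint analysis alone misses a flow that leaves one program through a communication channel and enters another. The following toy analysis, added here as an illustration and not code from the paper or from the Julia analyzer, models that situation in Python. It assumes a minimal statement IR of my own design (source, assign, sanitize, send, recv, sink), treats each named channel (an HTTP endpoint, a BLE characteristic, a message queue) as the link between a sender's `send` and a receiver's `recv`, and runs the per-program analysis to a fixpoint over the whole system. The device/backend system it analyzes is constructed for the example; it is not one of the GitHub systems the paper evaluates.

```python
"""Toy cross-program taint analysis (added illustration, not the paper's code).

Each program is a list of statements in a tiny, hypothetical IR:
  ("source", var)          var receives data from a taint source (user input, sensor)
  ("assign", dst, src)     dst = src
  ("sanitize", dst, src)   dst = escape(src); the result is considered clean
  ("send", channel, var)   var is written to a named channel (HTTP endpoint, BLE, ...)
  ("recv", var, channel)   var is read from a named channel
  ("sink", var)            var reaches a sensitive operation (SQL query, socket write, ...)
"""
from typing import Dict, List, Set, Tuple

Stmt = Tuple[str, ...]
Program = List[Stmt]


def intra_taint(prog: Program, tainted_channels: Set[str]) -> Tuple[Set[str], Set[str], List[int]]:
    """Flow-insensitive single-program taint analysis.

    tainted_channels: channels already known (from other programs) to carry tainted data;
    a recv on such a channel behaves like a source.
    Returns (tainted variables, channels this program sends tainted data to,
             indices of sink statements reached by tainted data).
    """
    tainted: Set[str] = set()
    changed = True
    while changed:                      # iterate so statement order does not matter
        changed = False
        for st in prog:
            op = st[0]
            if op == "source":
                newly = st[1] not in tainted
                tainted.add(st[1])
            elif op == "assign":
                newly = st[2] in tainted and st[1] not in tainted
                if newly:
                    tainted.add(st[1])
            elif op == "recv":
                newly = st[2] in tainted_channels and st[1] not in tainted
                if newly:
                    tainted.add(st[1])
            else:                       # sanitize, send, sink do not taint new variables
                newly = False
            changed = changed or newly
    out_channels = {st[1] for st in prog if st[0] == "send" and st[2] in tainted}
    findings = [i for i, st in enumerate(prog) if st[0] == "sink" and st[1] in tainted]
    return tainted, out_channels, findings


def isolated_taint(system: Dict[str, Program]) -> Dict[str, List[int]]:
    """Analyze every program on its own: received data is never considered tainted."""
    return {name: intra_taint(prog, set())[2] for name, prog in system.items()}


def cross_program_taint(system: Dict[str, Program]) -> Dict[str, List[int]]:
    """Feed tainted channels between programs until no new channel appears.

    The set of tainted channels only grows and is finite, so the loop terminates
    even when programs communicate in a cycle.
    """
    tainted_channels: Set[str] = set()
    while True:
        discovered: Set[str] = set()
        for prog in system.values():
            discovered |= intra_taint(prog, tainted_channels)[1]
        if discovered <= tainted_channels:
            break
        tainted_channels |= discovered
    return {name: intra_taint(prog, tainted_channels)[2] for name, prog in system.items()}


# Constructed sample system: a device app forwards a user-typed plant name to a
# backend that concatenates it into an SQL query. Channel names are made up.
DEVICE: Program = [
    ("source", "plant_name"),                 # typed by the user on the device
    ("send", "http:/register", "plant_name"),
]
BACKEND: Program = [
    ("recv", "name", "http:/register"),
    ("assign", "query", "name"),              # string-concatenated into the SQL text
    ("sink", "query"),                        # executeQuery(query)
]
BACKEND_SANITIZED: Program = [
    ("recv", "name", "http:/register"),
    ("sanitize", "query", "name"),            # escaped / parameterised before use
    ("sink", "query"),
]
SYSTEM = {"device": DEVICE, "backend": BACKEND}
SYSTEM_FIXED = {"device": DEVICE, "backend": BACKEND_SANITIZED}

if __name__ == "__main__":
    print("isolated:     ", isolated_taint(SYSTEM))        # no finding in either program
    print("cross-program:", cross_program_taint(SYSTEM))   # backend sink at index 2 flagged
    print("after fix:    ", cross_program_taint(SYSTEM_FIXED))
```

Analyzing the two programs in isolation reports nothing: the device has no sink, and the backend's `recv` is untainted unless something tells the analysis what arrives on that channel. The cross-program pass learns that the device writes tainted data to `http:/register`, re-runs the backend with that channel marked tainted, and flags the SQL sink; sanitizing before the sink makes the finding disappear. A real implementation on Java bytecode, as in the paper, would have to match concrete send and receive APIs to channel identifiers rather than rely on literal names.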


Published in: SAC '20: Proceedings of the 35th Annual ACM Symposium on Applied Computing, March 2020, 2348 pages. ISBN: 9781450368667. DOI: 10.1145/3341105

Copyright © 2020 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Overall acceptance rate: 1,650 of 6,669 submissions, 25%
