Abstract—
Automated search for vulnerabilities in ARM IoT devices is considered. The problems of using symbolic execution for vulnerability detection are investigated. A dynamic symbolic execution approach with taint analysis is proposed to improve the efficiency of vulnerability detection; it eliminates the problems that arise when using classical symbolic execution.
Funding
The study is supported by the Russian Foundation for Basic Research, project no. 19-37-90027\19.
Ethics declarations
The authors declare that they have no conflicts of interest.
Additional information
Translated by O. Pismenov
About this article
Cite this article
Ovasapyan, T.D., Knyazev, P.V. & Moskvin, D.A. Automated Search for Vulnerabilities in ARM Software Using Dynamic Symbolic Execution. Aut. Control Comp. Sci. 55, 932–940 (2021). https://doi.org/10.3103/S014641162108023X
DOI: https://doi.org/10.3103/S014641162108023X