2UTC - Université de Technologie de Compiègne (Université de Technologie de Compiègne - Centre de Recherche de Royallieu - rue du Docteur Schweitzer- CS 60319 - 60203 COMPIEGNE Cedex - France)
Abstract : IoT devices often operate unsupervised in ever-changing environments for several years. Therefore, they need to be updated on a regular basis. Current approaches for software updates on IoT, like the recent SUIT proposal, focus on granting integrity and confidentiality but do not analyze the content of the software update, especially the IoT application which is deployed to IoT devices. To this aim, in this paper, we present IoTAV, an automated software analysis framework for systematically verifying the security of the applications contained in software updates w.r.t. a given security policy. Our proposal can be adopted transparently by current IoT software updates workflows. We prove the viability of IoTAV by testing our methodology on a set of actual RIOT OS applications. Experimental results indicate that the approach is viable in terms of both reliability and performance, leading to the identification of 26 security policy violations in 31 real-world RIOT applications.
https://hal.inria.fr/hal-03173903 Contributor : Hal IfipConnect in order to contact the contributor Submitted on : Thursday, March 18, 2021 - 5:38:38 PM Last modification on : Tuesday, November 16, 2021 - 5:03:55 AM Long-term archiving on: : Monday, June 21, 2021 - 8:49:10 AM
File
Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed
until : 2023-01-01
Nicolas Dejon, Davide Caputo, Luca Verderame, Alessandro Armando, Alessio Merlo. Automated Security Analysis of IoT Software Updates. 13th IFIP International Conference on Information Security Theory and Practice (WISTP), Dec 2019, Paris, France. pp.223-239, ⟨10.1007/978-3-030-41702-4_14⟩. ⟨hal-03173903⟩