2019-08-22
1
An Automated Security Testing Framework for I3 Marketplace
http://cssa.korea.ac.kr https://iotcube.net
Heejo Lee, Seunghoon Woo, Hajin Jang
Center for Software Security and Assurance
Korea University
19th August 2019
Korea UniversityCollege of Informatics
This is a joint work with Prof. Bhaskar Krishnamachari, Dr. Gowri Ramachandran, Kurian Karyakulam.
About speaker
2
• Experience Director, CSSA (2015-current)
CEO, IoTcube Inc. (CSSA Spin-off since 2018)
Professor, Dept. of Computer Science and Eng., Korea Univ. (2004-current)
Visiting Professor, CyLab / Carnegie Mellon Univ. (2010-2011)
CTO, AhnLab Inc. (2001-2003)
• Professional Activities Presidential Committee on the 4th Industrial Revolution (2017-2018)
Advisory Committee for the Consultation of Cyber Security in the Philippines (2006), Uzbekistan (2007), Vietnam (2009), Myanmar (2011), Costa Rica (2013) and Cambodia (2015)
Advisory Committee of Supreme Prosecutor's Office, Nat’l Police Agency, Korea Internet & Security Agency (KISA) and others
• Education Postdoc researcher, CERIAS at Purdue University (2000-2001)
BS, MS, PhD from POSTECH, Korea (1989-2000)
▲ 2016 ISC2 ISLA award of community service star
• Prof. Heejo Lee
2019-08-22
2
3
ContentsI. Introduction to IoT Security
II. IoTcube: an Automated Security Vulnerability
Analysis Platform (https://IoTcube.net)
III. An Automated Security Testing Framework
for I3 Marketplace
IV. Future Work
I. Introduction to IoT Security
4
• Corruption and Distortion of Raw Data
CleanT-shirt
Contaminated
Dirty & Stained T-Shirt
2019-08-22
3
I. Introduction to IoT Security
5
• Corruption and Distortion of Raw Data
Raw Data
VulnerableSensor-devices
Distorted & corrupted data
I. Introduction to IoT Security
6
• According to “2019 Cyber Threat Report” by Sonicwall, IoT sensor attacks
increased 217.5% compared with last year
• Attackers continue to exploit unpatched software in critical infrastructure, and
85% of targeted attacks are preventable, according to US-CERT and ASD (2018)
• Security and Safety of IoT Devices
<Increasing rate of attacks through sensors, Cyber Threat Report, Sonicwall, 2019>
2019-08-22
4
I. Introduction to IoT Security
7
• Catastrophic “panic attacks” against smart city systems are warned by
“Threatcare” and “IBM X-Force Red” teams (Infosecurity Magazine, Aug. 2018)
<https://www.infosecurity-magazine.com/news/smart-cities-at-risk-from-panic/>
• To manipulate water level sensors or radiation leak alarms
• To alter traffic management systems
• Shodan or Censys are used for finding the vulnerabilities, but it is recommended
that application scanning must be performed:
• Security and Safety of IoT Devices
…However, IBM urged more rigorous testing of smart city systems including application scanning and red team exercises.…
I. Introduction to IoT Security
8
• For collecting well-refined data, the security of the device should be guaranteed
• Previous approaches to verify devices security
1) Version-based approach: high false positives
- Check the vulnerabilities with the version information of the devices
- There are many cases of vulnerabilities being patched, even in the vulnerable versions of devices
2) Network-based approach: high false negatives
- Check remotely the vulnerabilities of network services, e.g., Metasploit
- Limited coverage of vulnerabilities by executing exploit codes
• Security and Safety of IoT Devices
Deep scan, rather than surface scan:Static code analysis will be useful for examining
the existence of critical CVE* vulnerabilities!
* CVE is the unique and common identifiers for known security vulnerabilities, https://cve.mitre.org.
2019-08-22
5
II. IoTcube: an Automated Security Vulnerability Analysis Platform
9
• Center for Software Security and Assurance (CSSA)
II. IoTcube: an Automated Security Vulnerability Analysis Platform
10
• Security experts are always with you!
Automation
Easy-to-Use
Scalability
Vulnerable Functions
(69,437)
Total Users
(11,447)
Detected Vulnerable Clones
(724,275)
Analyzed Lines of Codes
(33,317,176,945)Updated 2019-3-4
On April 19, 2016,
IoTcube, as an automated analysis
platform for security vulnerabilities,
opens in public! (https://iotcube.net)
It is to provide security analysis even for non-security experts in order to manage vulnerabilities professionally.
2019-08-22
6
II. IoTcube: an Automated Security Vulnerability Analysis Platform
11
• Blackbox (4), Whitebox(3), network (2) testing tools are available!
• 9 Types of Automated Analysis Tools
II. IoTcube: an Automated Security Vulnerability Analysis Platform
12
• CVE Analysis Tool: IoTcube hmark
• Hmark – an implementation of VUDDY• Published in IEEE S&P 2017, Computers and Security 2018
• Find CVE vulnerabilities by detecting vulnerable code clones
• Suppose that vulnerable code V exists in program P1
• If another program P2 also has the same code V, there is a high probability
that P2 is vulnerable!
P1
P2
VV
2019-08-22
7
II. IoTcube: an Automated Security Vulnerability Analysis Platform
13
• CVE Analysis Tool: IoTcube hmark
Old code(vulnerable) CVE patch
New code(fixed)
Dirty COW Vulnerability Patch (CVE-2016-5195)
• Hmark – how to collect vulnerable functions
II. IoTcube: an Automated Security Vulnerability Analysis Platform
14
• Why they selected hmark? (IEEE S&P’17, ComSec’18)
① Speed: 2x faster preprocessing and 1,000x faster detection speed
② Scalability: 20 million lines of smartphone software are processed in less than 1.3 seconds
③ Pin-point detection: Detects exact vulnerable functions, so developers can fix it with ease
• Performance for hmark
Token-levelmatching
CCFinder (TSE’02)Graph/treematching
DECKARD (ICSE’07)Bag-of-tokens
matching
SourcererCC (ICSE’15)
ReDeBug (S&P’12)
File-level matching
FCFinder (MSR’10)
VUDDY
Bag-of-tokens matching
IoTcube
Scalability
Accuracy
VUDDY (S&P’17)Line-levelmatching
X1,000
2019-08-22
8
II. IoTcube: an Automated Security Vulnerability Analysis Platform
15
• According to the IoTcube analysis, 15% of the latest versions of
OSS have at least one CVE vulnerability
Top 300 latest version of C/C++ software by star ranking in the GitHub
Vulnerabilities of unpatched code clones exist within the sub-components of OSS
• The use of the latest version of OSS is not perfect: OSS uses other OSS components
Name # CVE Area
FFmpeg 15 Media
kbengine 14 Game (engine)
Torvalds/linux 13 OS
Raspberrypi/linux 13 OS
Freebsd 7 OS
OpenSSL 2 SSL/TLS
…
Name # CVE Area
Emscripten 15 Compiler
Turicreate 14 AI
Godot 10 Game (engine)
Mongo 2 Database
ArangoDB 2 Database
OpenCV 1 Vision
…
<C++ vulnerable software list> <C vulnerable software list>
II. IoTcube: an Automated Security Vulnerability Analysis Platform
16
• Android analysis for detecting CVE vulnerabilities
• IoTcube hmark Demonstration
2019-08-22
9
III. An Automated Security Testing Framework for I3 Marketplace
17
• I3 Marketplace Platform that enables data owners to provide access to and monetize their data
I3 Marketplace Platform
Data Consumer:3rd party app
Data Consumer:IoT cloud platform
Data Broker
Device and Data Owner
18
• Problems caused by vulnerable data source devices
Data sourcedevices
Data Consumer:3rd party app and
IoT cloud platform
I3 Marketplace Platform
Vulnerable
1) Modified data (impair data integrity)
Data
Data ’
Data
Data loss
2) Impair data availability
III. An Automated Security Testing Framework for I3 Marketplace
2019-08-22
10
19
• Integrating IoTcube to the I3 Marketplace
I3 Marketplace Platform
Data Consumer:3rd party app
Data Consumer:IoT cloud platform
Data Broker
Device and Data Owner
IoTcube
III. An Automated Security Testing Framework for I3 Marketplace
20
• Integrating IoTcube to the I3 Marketplace
Device and Data Owner
IoTcube
Data owner => IoTcube
Model and OS version of devices (Weak validation)
Source codes of devices (Strong validation)
Data owner <= IoTcube
Vulnerability check result
Certificate level
III. An Automated Security Testing Framework for I3 Marketplace
Rest API
2019-08-22
11
21
• IoTcube analyzes vulnerabilities at the source code level
• Vulnerabilities detected by IoTcube has more chance to be triggered [1]
• Contents providers can do validation without the source code of devices
• Two types of vulnerability analysis: weak validation and strong validation
• Giving a higher incentive to strong validation
• Integrating IoTcube to the I3 Marketplace
[1] Kim, S., Woo, S., Lee, H., & Oh, H. (2017, May). VUDDY: A scalable approach for vulnerable code clone discovery. In 2017 IEEE Symposium on Security and Privacy (SP) (pp. 595-614). IEEE.
Type Input to IoTcube
Weak validation Model and OS version of devices
Strong validation Source codes of devices
III. An Automated Security Testing Framework for I3 Marketplace
22
• How to get source code of the device?
Most IoT devices are developed based on the Linux kernel
Linux kernel under GPL makes the source code of IoT devices opensource
As a result, the source code of the devices is available
• Integrating IoTcube to the I3 Marketplace
III. An Automated Security Testing Framework for I3 Marketplace
<Source code for Raspberry PI, https://github.com/raspberrypi/linux>
2019-08-22
12
23
• How to use hmark tool?
1) Visit https://Iotcube.net
2) Download hmark tool (https://iotcube.net/downloads)
3) Use the hmark tool to create a hash file of the source code for scanning vulnerabilities
% hmark -c ./src
4) As a result, the hash file (i.e., src.hidx) is created
5) When a product is being registered, simply attaching the hidx file for strong validation
• Integrating IoTcube to the I3 Marketplace
III. An Automated Security Testing Framework for I3 Marketplace
hidx
void main(..){if(..){
..}return res
}
Device source code “hmark” tool
void main(..){if(..){
..}return res
}
Hash file of the code
24
• Integrating IoTcube to the I3 Marketplace
III. An Automated Security Testing Framework for I3 Marketplace
• IoTcube integration is possible with REST API
• Simply send the hidx file created by hmark tool to IoTcube server using POST request
- Then user (e.g., data seller) can receive the scanned vulnerability result as JSON
• Even data sellers who are not familiar with security can easily analyze the security
of the data-source devices using IoTcube
hidx
POST request(REST API)
I3 Marketplace Platform
Data seller
or
JSONScanned
vulnerabilities
Hash fileof the device
2019-08-22
13
25
• Overall process of validation
• Integrating IoTcube to the I3 Marketplace
III. An Automated Security Testing Framework for I3 Marketplace
Data Seller
I3 Marketplace Platform
1) Generate hidx file ofthe data-source device
2) While registering the product for sale, attach the hidx file for the strong validation
3) Send hidx file for scanning vulnerabilities(Rest API)
4) Return the vulnerability scanning result andcertificate level of the device
hidx
hidx
III. An Automated Security Testing Framework for I3 Marketplace
26
• How to choose certificate level?
Provides a checklist for software security
The certificated level is decided based on vulnerability analysis result according to the checklist
ID ITEM YES NO
1 Are there any vulnerabilities in the software?
2 Are there high-severity vulnerabilities (CVSS > 7.0) in the software?
3 Are there the named vulnerabilities (e.g., heartbleed, dirtycow) in the software?
4Are there any old OSS components that have not been updated in the software?
(will be added to IoTcube soon)
5Are there any vulnerabilities in the software that the PoC is opened to the public?
(will be added to IoTcube soon)
• Integrating IoTcube to the I3 Marketplace
2019-08-22
14
III. An Automated Security Testing Framework for I3 Marketplace
27
• How to choose certificate level?
Certificate level is determined according to the scanning result of IoTcube
Depending on the existence of high-severity vulnerabilities and named vulnerabilities
• Integrating IoTcube to the I3 Marketplace
Certificatelevel
Weak Validation Strong Validation
★★★★★ -- No high-severity vulnerabilities and
named vulnerabilities
★★★★- No high-severity vulnerabilities and
named vulnerabilities- Either high-severity vulnerabilities or
named vulnerabilities
★★★- Either high-severity vulnerabilities or
named vulnerabilities- Both high-severity vulnerabilities and
named vulnerabilities
★★- Both high-severity vulnerabilities and
named vulnerabilities-
★ - The device had not been analyzed yet by IoTcube
III. An Automated Security Testing Framework for I3 Marketplace
28
• Demo: Integrating IoTcube to the I3 Marketplace
2019-08-22
15
29
Next steps
• Incentives:
• Developing incentive models for the provider doing proper security management
• Penalties:
• When the incorrect versions being entered, verifying their version information and providing the penalties if intended need to be considered.
• Model extension to edge computing
• In the extended model of I3 market place which supports edge computing, security analysis can be done within the devices
IV. Future Work
Q&A
Less vulnerabilities make
more secure software!
How to Contact: IoTcube finds all bugs!
• CSSA: 02-3290-4808, [email protected]
• IoTcube Inc.: 02-921-0419,