Static analysis for discovering IoT vulnerabilities

• Published in: International journal on software tools for technology transfer Vol. 23; no. 1; pp. 71 - 88
• Main Authors: Ferrara, Pietro, Mandal, Amit Kr, Cortesi, Agostino, Spoto, Fausto
• Format: Journal Article
• Language: English
• Published: Berlin/Heidelberg Springer Berlin Heidelberg 01.02.2021; Springer Nature B.V
• Subjects: Applications programs; Computer Science; Foundation for Mastering Change; Internet of Things; Robustness (mathematics); Security; Software Engineering; Software Engineering/Programming and Operating Systems; System effectiveness; Theory of Computation; IoT security; IoT privacy; OWASP IoT Top 10; Static analysis; Insecure IoT ecosystem interface
• ISSN: 1433-2779; 1433-2787
• DOI: 10.1007/s10009-020-00592-x

The Open Web Application Security Project (OWASP), released the “OWASP Top 10 Internet of Things 2018” list of the high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge toward development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some existing Julia’s analyses and their extension to IoT systems, showing its effectiveness of the analysis of some representative case studies.