A Model-Driven-Reverse Engineering Approach for Detecting Privilege Escalation in IoT Systems

Cited by: 0
Authors
Alalfi, Manar H. [1]
Abu Zaid, Atheer [1]
Miri, Ali [1]
Affiliations
[1] Toronto Metropolitan Univ, Dept Comp Sci, Toronto, ON, Canada
Source
JOURNAL OF OBJECT TECHNOLOGY | 2023 / Vol. 22 / No. 01
Funding
Natural Sciences and Engineering Research Council of Canada;
Keywords
Model Driven Reverse Engineering; Access Control Security vulnerabilities; Security Verification; IoT applications; INTERNET;
DOI
10.5381/jot.2023.22.1.a1
Chinese Library Classification
TP31 [Computer software];
Discipline classification code
081202 ; 0835 ;
Abstract
Software vulnerabilities in access control models can pose a serious threat to a system. In fact, OWASP ranks broken access control as number 1 in severity among its top 10 vulnerabilities. In this paper, we study the permission model of an emerging smart-home platform, SmartThings, and explore an approach that detects privilege escalation in its permission model. Our approach combines Model Driven Reverse Engineering (MDRE) with static analysis. It achieves better coverage of privilege escalation detection than static analysis alone because it also analyzes the free-form text that carries additional permission details. Our experimental results demonstrate high accuracy in detecting over-privilege vulnerabilities in IoT applications.
Pages: 1 / 21
Page count: 21