Security of Internet-of-Things (IoT) systems is important due to their widespread usage in everyday life. Much research has been performed on analyzing the security of IoT communication protocols and operating systems. However, few studies have focused on analyzing the security of IoT applications and automatic detection of vulnerabilities in them. In these studies, the code of IoT applications and operating systems are analyzed statically to detect vulnerabilities. To the best of our knowledge, there is no dynamic analysis solution suggested for vulnerability detection in such applications, although this method is more accurate than static analysis. In fact, IoT applications are executed in special-purpose hardware, which makes their dynamic analysis more difficult than ordinary applications. In this paper, we propose a technical solution that combines static and dynamic analysis methods to automatically detect vulnerability in applications of Tizen IoT operating system. We consider Native and Web Tizen applications and present an automatic vulnerability detection method for each type of application. Our focus is on detecting buffer overflow and XSS vulnerability classes in Native and Web applications, respectively. We have evaluated the effectiveness of our method using a group of native and web test programs. The results of our experiments show that our solution is able to detect the vulnerability in these programs effectively.
| Published in | International Journal of Information and Communication Sciences (Volume 8, Issue 1) |
| DOI | 10.11648/j.ijics.20230801.11 |
| Page(s) | 1-11 |
| Creative Commons |
This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited. |
| Copyright |
Copyright © The Author(s), 2024. Published by Science Publishing Group |
Tizen, Dynamic Symbolic Execution, Native, Web, Vulnerability, IoT, C++, JavaScript
| [1] | Windows IoT core, https://docs.microsoft.com/en-us/windows/iot/, Accessed 18 January 2022. |
| [2] | Amazon FreeRTOS, https://aws.amazon.com/freertos/, Accessed 18 January 2022. |
| [3] | Samasung Tizen, https://www.tizen.org, Accessed 18 January 2022. |
| [4] | Contiki, https://www.contiki-ng.org/, Accessed 18 January 2022. |
| [5] | Mullen G., Meany L.: Assessment of Buffer Overflow Based Attacks On an IoT Operating System. IEEE 2019 Global IoT Summit (GIoTS) pp. 1-6 (2019). |
| [6] | Chess B., McGraw G.: Static Analysis for Security. IEEE security & privacy, vol. 2, pp. 76-79 (2004). |
| [7] | Godefroid P., Klarlund N., Sen K.: DART: Directed Automated Random Testing. In: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, pp. 213-223 (2005). |
| [8] | Chaabouni N., Mosbah M., Zemmari A., Sauvignac C., Faruki P.: Network Intrusion Detection for IoT Security Based on Learning Techniques. IEEE Communications Surveys & Tutorials, vol. 21, pp. 2671-2701 (2019). |
| [9] | Rizvi S., Orr R., Cox A., Ashokkumar P., Rizvi M.: Identifying the attack surface for IoT network. Internet of Things, vol. 9 (2020). |
| [10] | Rathore S., Kwon B. W., HyukPark J.: BlockSecIoTNet: Blockchain-based decentralized security architecture for IoT network. Network and Computer Applications, vol. 143, pp. 167-177 (2019). |
| [11] | Alnaeli S., Sarnowski M., Sayedul Aman M., Abdelgawad A., Yelamarthi K.: Vulnerable C/C++ Code Usage in IoT Software Systems. 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), pp. 348-352 (2016). |
| [12] | Abraham A.: Hacking Tizen: The OS of Everything. In: Proceedings of the HITBSecConf-Hack In The Box Security Conference, Amsterdam, The Netherlands, pp. 26-29 (2015). |
| [13] | Gritti F., Fontana L., Gustafson E., Pagani F., Continella A., Kruegel C., Vigna G.: SYMBION: Interleaving Symbolic with concrete execution. IEEE Conference on Communications and Network Security (CNS), pp. 1-10, (2020). |
| [14] | Loring B., Mitchell D., Kinder J.: ExpoSE: Practical Symbolic Execution of Standalone JavaScript. In: Proceedings of the 24th ACM SIGSOFT International SPIN Symposium on Model Checking of Software., pp. 196-199 (2017). |
| [15] | Shoshitaishvili, Wang Y., Hauser R., Krugel C., Vigana G.: Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware. NDSS, vol. 1, pp. 1-1 (2015). |
| [16] | Muench M., Nisi D., Francillon A., Balzarotti D.: Avatar 2: A multi-Target Orchestration Platform. InProc. Workshop on Binary Anal. Res. (colocated with NDSS Symp.), vol. 18, pp. 1-11 (2018). |
| [17] | Qiling Framework, https://qiling.io. Accessed 18 January 2022. |
| [18] | Li G., Andreasen E., Ghosh I.: SymJS: Automatic Symbolic Testing of JavaScript Web. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 449-459, (2014). |
| [19] | JSSeek, http://glasnost.itcarlow.ie/~softeng4/C00137906/index.html. Accessed 18 January 2022. |
| [20] | Basiri M., Mouzarani M.: Assessing the Resistance of the Internet of Things Applications to Memory Corruption Attacks. EAI SaSeIoT (2021). |
| [21] | Baldoni R., Coppa E., D’ELIA D. C., Demetrescu C., Finocchi I.: A Survey of Symbolic Execution Techniques. ACM Computing Surveys (CSUR) 51. 3, pp. 1-39, (2018). |
| [22] | angr. https://angr.ir. Accessed 18 January 2022. |
| [23] | Sen K., Kalasapur S., Brutch T., Gibbs S.: Jalangi: A Tool Framework for Concolic Testing, Selective. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, pp. 615-618, (2013). |
| [24] | MDN Web Docs: JS hoisting. https://developer.mozilla.org/en-US/docs/Glossary/Hoisting. Accessed 18 January 2022. |
| [25] | Nicula Ș., Zota R. D: Exploiting stack-based buffer overflow using modern day techniques. Procedia Computer Science, vol. 160, pp. 9-14 (2019). |
| [26] | TizenSecurity. https://github.com/SoftwareSecurityLab/TizenSecurity. Accessed 18 January 2022. |
| [27] | NIST Software Assurance Reference Dataset. https://samate.nist.gov/SARD/. Accessed 5 August 2022. |
APA Style
Sobhan Safdarian, Mohammad Hossein Asghari, Maryam Mouzarani. (2023). Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution. International Journal of Information and Communication Sciences, 8(1), 1-11. https://doi.org/10.11648/j.ijics.20230801.11
ACS Style
Sobhan Safdarian; Mohammad Hossein Asghari; Maryam Mouzarani. Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution. Int. J. Inf. Commun. Sci. 2023, 8(1), 1-11. doi: 10.11648/j.ijics.20230801.11
AMA Style
Sobhan Safdarian, Mohammad Hossein Asghari, Maryam Mouzarani. Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution. Int J Inf Commun Sci. 2023;8(1):1-11. doi: 10.11648/j.ijics.20230801.11
Share This Article
Twitter
Linked In
Facebook
Copy
Download@article{10.11648/j.ijics.20230801.11,
author = {Sobhan Safdarian and Mohammad Hossein Asghari and Maryam Mouzarani},
title = {Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution},
journal = {International Journal of Information and Communication Sciences},
volume = {8},
number = {1},
pages = {1-11},
doi = {10.11648/j.ijics.20230801.11},
url = {https://doi.org/10.11648/j.ijics.20230801.11},
eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ijics.20230801.11},
abstract = {Security of Internet-of-Things (IoT) systems is important due to their widespread usage in everyday life. Much research has been performed on analyzing the security of IoT communication protocols and operating systems. However, few studies have focused on analyzing the security of IoT applications and automatic detection of vulnerabilities in them. In these studies, the code of IoT applications and operating systems are analyzed statically to detect vulnerabilities. To the best of our knowledge, there is no dynamic analysis solution suggested for vulnerability detection in such applications, although this method is more accurate than static analysis. In fact, IoT applications are executed in special-purpose hardware, which makes their dynamic analysis more difficult than ordinary applications. In this paper, we propose a technical solution that combines static and dynamic analysis methods to automatically detect vulnerability in applications of Tizen IoT operating system. We consider Native and Web Tizen applications and present an automatic vulnerability detection method for each type of application. Our focus is on detecting buffer overflow and XSS vulnerability classes in Native and Web applications, respectively. We have evaluated the effectiveness of our method using a group of native and web test programs. The results of our experiments show that our solution is able to detect the vulnerability in these programs effectively.},
year = {2023}
}
TY - JOUR T1 - Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution AU - Sobhan Safdarian AU - Mohammad Hossein Asghari AU - Maryam Mouzarani Y1 - 2023/02/09 PY - 2023 N1 - https://doi.org/10.11648/j.ijics.20230801.11 DO - 10.11648/j.ijics.20230801.11 T2 - International Journal of Information and Communication Sciences JF - International Journal of Information and Communication Sciences JO - International Journal of Information and Communication Sciences SP - 1 EP - 11 PB - Science Publishing Group SN - 2575-1719 UR - https://doi.org/10.11648/j.ijics.20230801.11 AB - Security of Internet-of-Things (IoT) systems is important due to their widespread usage in everyday life. Much research has been performed on analyzing the security of IoT communication protocols and operating systems. However, few studies have focused on analyzing the security of IoT applications and automatic detection of vulnerabilities in them. In these studies, the code of IoT applications and operating systems are analyzed statically to detect vulnerabilities. To the best of our knowledge, there is no dynamic analysis solution suggested for vulnerability detection in such applications, although this method is more accurate than static analysis. In fact, IoT applications are executed in special-purpose hardware, which makes their dynamic analysis more difficult than ordinary applications. In this paper, we propose a technical solution that combines static and dynamic analysis methods to automatically detect vulnerability in applications of Tizen IoT operating system. We consider Native and Web Tizen applications and present an automatic vulnerability detection method for each type of application. Our focus is on detecting buffer overflow and XSS vulnerability classes in Native and Web applications, respectively. We have evaluated the effectiveness of our method using a group of native and web test programs. The results of our experiments show that our solution is able to detect the vulnerability in these programs effectively. VL - 8 IS - 1 ER -
Email: