OVER:Overhauling Vulnerability Detection for IoT - Adaptable and Automated Static Analysis Framework

ACM SAC 2020: Internet of Things - Static Analysis

Abstract: Internet of Things (IoT) exposes various vulnerabilities at the software level. In this paper, we propose a static analysis framework for IoT. The proposed framework is designed for detecting security vulnerabilities such as Buffer Overflow, Memory Leaks, Code Injection, TOCTOU, Banned functions, and other code-related vulnerabilities. We consider end-to-end IoT software suite that includes kernels, protocol stacks, APKs, firmware, and others. In particular, we unpacked and analyzed over 21,000 IoT firmware, 628 IoT APKs and 50 IoT Open Source Software (OSS).

Our framework is an adaptable and automated static analysis
technique that begins with crawling the web for fetching the IoT
related files and ends with report generation consisting of IoT Risk
Rating. In total, we were able to raise 7 new CVEs and detected
342 existing CVEs and 894 vulnerable code clones in IoT OSS. We
found over 70% of APKs vulnerable to SQL Injection and 56% APKs
using weak cryptographic algorithms. Also, our framework found
3783 hard-coded passwords and archaic BusyBox versions in IoT
firmware.