Dairo de Ruck, Victor Goeman, M. Willocx, Jorn Lapon, Vincent Naessens
{"title":"Linux-based IoT Benchmark Generator For Firmware Security Analysis Tools","authors":"Dairo de Ruck, Victor Goeman, M. Willocx, Jorn Lapon, Vincent Naessens","doi":"10.1145/3600160.3600181","DOIUrl":null,"url":null,"abstract":"There is a growing interest of IoT manufacturers to incorporate firmware analysis tools in their development pipeline to evaluate the security of new embedded devices. This has the advantage of discovering security issues before the device is marketed. However, each device has its own design, including different architectures, services and communication protocols, programmed and configured in different programming languages. This diversity results in potentially complete categories of vulnerabilities discarded by the firmware security analysis tools. Hence, a positive outcome of such tools may result in incorrect conclusions. To address this challenge, we propose B4IoT, a platform that generates customized Linux-based firmware benchmarks, that are representative of the manufacturers’ devices. It enables those organizations to evaluate both static and dynamic firmware security analysis tools, to gain insight into what categories of vulnerabilities are found, and which aren’t. This allows either to discard tools completely or complement them with additional tools that focus on the missing categories. The platform will be made available online and is evaluated using five state-of-the-art open-source firmware analysis tools.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 18th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3600160.3600181","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
Abstract
There is a growing interest of IoT manufacturers to incorporate firmware analysis tools in their development pipeline to evaluate the security of new embedded devices. This has the advantage of discovering security issues before the device is marketed. However, each device has its own design, including different architectures, services and communication protocols, programmed and configured in different programming languages. This diversity results in potentially complete categories of vulnerabilities discarded by the firmware security analysis tools. Hence, a positive outcome of such tools may result in incorrect conclusions. To address this challenge, we propose B4IoT, a platform that generates customized Linux-based firmware benchmarks, that are representative of the manufacturers’ devices. It enables those organizations to evaluate both static and dynamic firmware security analysis tools, to gain insight into what categories of vulnerabilities are found, and which aren’t. This allows either to discard tools completely or complement them with additional tools that focus on the missing categories. The platform will be made available online and is evaluated using five state-of-the-art open-source firmware analysis tools.