Cross-program propagation of tainted data (such as sensitive information or user input) in an interactive IoT system is listed among the OWASP IoT top 10 most critical security risks. When programs run on distinct devices, as it occurs in IoT systems, they communicate through different channels in order to implement some functionality. Hence, in order to prove the overall system secure, an analysis must consider how these components interact. Standard taint analyses detect if a value coming from a source (such as methods that retrieve user input or sensitive data) flows into a sink (typically, methods that execute SQL queries or send data into the Internet), unsanitized (that is, not properly escaped). This work devises a cross-program taint analysis that leverages an existing intra-program taint analysis to detect security vulnerabilities in multiple communicating programs. The proposed framework has been implemented above the intra-program taint analysis of the Julia static analyzer. Preliminary experimental results on multi-program IoT systems, publicly available on GitHub, show that the technique is effective and detects inter-program flows of tainted data that could not be discovered by analyzing each program in isolation.

Cross-program propagation of tainted data (such as sensitive information or user input) in an interactive IoT system is listed among the OWASP IoT top 10 most critical security risks. When programs run on distinct devices, as it occurs in IoT systems, they communicate through different channels in order to implement some functionality. Hence, in order to prove the overall system secure, an analysis must consider how these components interact. Standard taint analyses detect if a value coming from a source (such as methods that retrieve user input or sensitive data) flows into a sink (typically, methods that execute SQL queries or send data into the Internet), unsanitized (that is, not properly escaped). This work devises a cross-program taint analysis that leverages an existing intra-program taint analysis to detect security vulnerabilities in multiple communicating programs. The proposed framework has been implemented above the intra-program taint analysis of the Julia static analyzer. Preliminary experimental results on multiprogram IoT systems, publicly available on GitHub, show that the technique is effective and detects inter-program flows of tainted data that could not be discovered by analyzing each program in isolation.

Cross-Program Taint Analysis for IoT Systems

Amit Mandal;Pietro Ferrara;Agostino Cortesi;
2020

Abstract

Cross-program propagation of tainted data (such as sensitive information or user input) in an interactive IoT system is listed among the OWASP IoT top 10 most critical security risks. When programs run on distinct devices, as it occurs in IoT systems, they communicate through different channels in order to implement some functionality. Hence, in order to prove the overall system secure, an analysis must consider how these components interact. Standard taint analyses detect if a value coming from a source (such as methods that retrieve user input or sensitive data) flows into a sink (typically, methods that execute SQL queries or send data into the Internet), unsanitized (that is, not properly escaped). This work devises a cross-program taint analysis that leverages an existing intra-program taint analysis to detect security vulnerabilities in multiple communicating programs. The proposed framework has been implemented above the intra-program taint analysis of the Julia static analyzer. Preliminary experimental results on multi-program IoT systems, publicly available on GitHub, show that the technique is effective and detects inter-program flows of tainted data that could not be discovered by analyzing each program in isolation.
ACM Symposium on Applied Computing
File in questo prodotto:
File Dimensione Formato  
article.pdf

non disponibili

Tipologia: Documento in Pre-print
Licenza: Accesso chiuso-personale
Dimensione 3.05 MB
Formato Adobe PDF
3.05 MB Adobe PDF   Visualizza/Apri

I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/10278/3720937
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 8
  • ???jsp.display-item.citation.isi??? 5
social impact