
Page 1: An Automated Security Testing Framework for I …...Dirty COW Vulnerability Patch (CVE-2016-5195) •Hmark –how to collect vulnerable functions II. IoTcube: an Automated Security

2019-08-22

1

An Automated Security Testing Framework for I3 Marketplace

http://cssa.korea.ac.kr https://iotcube.net

Heejo Lee, Seunghoon Woo, Hajin Jang

Center for Software Security and Assurance

Korea University

19th August 2019

Korea University, College of Informatics

This is a joint work with Prof. Bhaskar Krishnamachari, Dr. Gowri Ramachandran, Kurian Karyakulam.

About speaker: Prof. Heejo Lee

• Experience
  - Director, CSSA (2015-current)
  - CEO, IoTcube Inc. (CSSA spin-off since 2018)
  - Professor, Dept. of Computer Science and Eng., Korea Univ. (2004-current)
  - Visiting Professor, CyLab / Carnegie Mellon Univ. (2010-2011)
  - CTO, AhnLab Inc. (2001-2003)

• Professional Activities
  - Presidential Committee on the 4th Industrial Revolution (2017-2018)
  - Advisory Committee for the Consultation of Cyber Security in the Philippines (2006), Uzbekistan (2007), Vietnam (2009), Myanmar (2011), Costa Rica (2013) and Cambodia (2015)
  - Advisory Committee of Supreme Prosecutor's Office, Nat'l Police Agency, Korea Internet & Security Agency (KISA) and others

• Education
  - Postdoc researcher, CERIAS at Purdue University (2000-2001)
  - BS, MS, PhD from POSTECH, Korea (1989-2000)

▲ 2016 ISC2 ISLA award of community service star


Contents

I. Introduction to IoT Security
II. IoTcube: an Automated Security Vulnerability Analysis Platform (https://IoTcube.net)
III. An Automated Security Testing Framework for I3 Marketplace
IV. Future Work

I. Introduction to IoT Security

• Corruption and Distortion of Raw Data

<Figure: a clean T-shirt, once contaminated, becomes a dirty and stained T-shirt>


I. Introduction to IoT Security

• Corruption and Distortion of Raw Data

<Figure: raw data passing through vulnerable sensor devices comes out as distorted and corrupted data>

I. Introduction to IoT Security

• Security and Safety of IoT Devices
• According to the “2019 Cyber Threat Report” by SonicWall, attacks on IoT sensors increased 217.5% compared with the previous year
• Attackers continue to exploit unpatched software in critical infrastructure, and 85% of targeted attacks are preventable, according to US-CERT and ASD (2018)

<Figure: increasing rate of attacks through sensors, Cyber Threat Report, SonicWall, 2019>


I. Introduction to IoT Security

• Security and Safety of IoT Devices
• The “Threatcare” and “IBM X-Force Red” teams warn of catastrophic “panic attacks” against smart city systems (Infosecurity Magazine, Aug. 2018)
  <https://www.infosecurity-magazine.com/news/smart-cities-at-risk-from-panic/>
  - Manipulating water level sensors or radiation leak alarms
  - Altering traffic management systems
• Shodan or Censys are used for finding the exposed, vulnerable devices, but it is recommended that application scanning also be performed:
  “…However, IBM urged more rigorous testing of smart city systems including application scanning and red team exercises.…”

I. Introduction to IoT Security

• Security and Safety of IoT Devices
• For collecting well-refined data, the security of the device should be guaranteed
• Previous approaches to verifying device security
  1) Version-based approach: high false positives
     - Checks for vulnerabilities using the version information of the devices
     - In many cases a vulnerability has already been patched (e.g., backported) in a version that is listed as vulnerable
  2) Network-based approach: high false negatives
     - Checks remotely for vulnerabilities in network services, e.g., with Metasploit
     - Limited coverage of vulnerabilities, since it depends on executing exploit code against reachable services
• Deep scan, rather than surface scan: static code analysis is useful for examining the existence of critical CVE* vulnerabilities!

* CVE is the common, unique identifier scheme for known security vulnerabilities, https://cve.mitre.org.


II. IoTcube: an Automated Security Vulnerability Analysis Platform

• Center for Software Security and Assurance (CSSA)

II. IoTcube: an Automated Security Vulnerability Analysis Platform

• Security experts are always with you!
  - Automation
  - Easy-to-Use
  - Scalability

• IoTcube statistics (updated 2019-3-4)
  - Vulnerable Functions: 69,437
  - Total Users: 11,447
  - Detected Vulnerable Clones: 724,275
  - Analyzed Lines of Code: 33,317,176,945

• On April 19, 2016, IoTcube, an automated analysis platform for security vulnerabilities, opened to the public (https://iotcube.net)
  - It provides security analysis even for non-security experts, so that they can manage vulnerabilities professionally.


II. IoTcube: an Automated Security Vulnerability Analysis Platform

• 9 types of automated analysis tools
• Blackbox (4), whitebox (3) and network (2) testing tools are available!

II. IoTcube: an Automated Security Vulnerability Analysis Platform

• CVE Analysis Tool: IoTcube hmark
  - hmark is an implementation of VUDDY
  - Published in IEEE S&P 2017 and Computers & Security 2018
  - Finds CVE vulnerabilities by detecting vulnerable code clones
  - Suppose that vulnerable code V exists in program P1
  - If another program P2 also contains the same code V, there is a high probability that P2 is vulnerable!

<Figure: the same vulnerable code V appears in both P1 and P2>


II. IoTcube: an Automated Security Vulnerability Analysis Platform

• CVE Analysis Tool: IoTcube hmark
• hmark: how to collect vulnerable functions
  - Old code (vulnerable) --[CVE patch]--> New code (fixed)
  - The function as it was before the security patch is collected as the vulnerable function

<Figure: Dirty COW vulnerability patch (CVE-2016-5195), old (vulnerable) code on the left, the CVE patch and the new (fixed) code on the right>
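The clone-matching idea of the two slides above in working form, together with the reason a version-only check produces false positives (the patched function is simply not there any more). This is an added example, not hmark or the published VUDDY implementation: it applies a simplified version of VUDDY's abstraction (parameter names, local variable names and C data types replaced by placeholders), hashes the whitespace-stripped function body with MD5, and keys the lookup by (length, hash) as VUDDY does. The three C functions and the label TOY-VULN-1 are constructed toys, not the Dirty COW code; the pre-patch version plays the role of the "old code" collected from a CVE patch.

```python
"""Simplified VUDDY-style vulnerable code clone detection (added example).

Not hmark's code. The C snippets and the label "TOY-VULN-1" are constructed.
"""
import hashlib
import re

# Constructed toy: the function as it was before a (hypothetical) patch ...
OLD_FUNC = """
int copy_name(char *dst, const char *src, int len) {
    /* no bound check */
    int i;
    for (i = 0; i < len; i++)
        dst[i] = src[i];
    return i;
}
"""

# ... the same function after the patch (bound check added) ...
NEW_FUNC = """
int copy_name(char *dst, const char *src, int len) {
    int i;
    if (len > MAX_NAME)
        return -1;          // the patch adds the bound check
    for (i = 0; i < len; i++)
        dst[i] = src[i];
    return i;
}
"""

# ... and a copy of the unpatched function with renamed identifiers and
# different formatting, as it might appear in another project's tree.
CLONE_FUNC = """
int cp(char *out, const char *in, int n)
{
    int k;
    // copied from upstream
    for (k = 0; k < n; k++) out[k] = in[k];
    return k;
}
"""

C_TYPES = {"int", "char", "long", "short", "unsigned", "signed",
           "float", "double", "size_t", "void", "const"}
TYPE_RE = r"\b(?:int|char|long|short|unsigned|signed|float|double|size_t)\b"


def strip_comments(src):
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)  # block comments
    return re.sub(r"//[^\n]*", " ", src)              # line comments


def split_function(src):
    """Split one C function definition into (signature, body)."""
    sig, _, rest = src.partition("{")
    return sig.strip(), rest.rsplit("}", 1)[0]


def abstract(src):
    """Abstracted, whitespace-free body: parameters -> FPARAM, locals -> LVAR,
    C data types -> DTYPE. Renaming a variable no longer changes the result."""
    sig, body = split_function(strip_comments(src))
    inner = sig[sig.index("(") + 1:sig.rindex(")")]
    params = [t[-1] for t in (re.findall(r"\w+", p) for p in inner.split(","))
              if t and t[-1] not in C_TYPES]
    # local declarations such as "int i;" or "char *p = NULL;"
    locals_ = re.findall(TYPE_RE + r"[\s*]+(\w+)\s*(?:=[^;,]*)?[;,]", body)
    for name in params:
        body = re.sub(r"\b%s\b" % re.escape(name), "FPARAM", body)
    for name in locals_:
        body = re.sub(r"\b%s\b" % re.escape(name), "LVAR", body)
    body = re.sub(TYPE_RE, "DTYPE", body)
    return re.sub(r"\s+", "", body)


def fingerprint(src):
    """(length, MD5) of the abstracted body; VUDDY buckets by length first."""
    body = abstract(src)
    return len(body), hashlib.md5(body.encode()).hexdigest()


def build_db(vulnerable_funcs):
    """{label: pre-patch function source} -> {fingerprint: label}"""
    return {fingerprint(src): label for label, src in vulnerable_funcs.items()}


def scan(target_funcs, db):
    """Return [(index, label)] for target functions found in the database."""
    hits = []
    for i, src in enumerate(target_funcs):
        label = db.get(fingerprint(src))
        if label is not None:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    db = build_db({"TOY-VULN-1": OLD_FUNC})
    # The renamed clone is caught; the patched function is not reported even
    # though a version string would still call this tree "vulnerable".
    print(scan([NEW_FUNC, CLONE_FUNC], db))   # [(1, 'TOY-VULN-1')]
```

The abstraction is what buys robustness against renamed copies; the length bucket is what keeps lookup cheap at scale, since a candidate is only hashed against entries of the same abstracted length. Real hmark additionally abstracts function calls and splits a file into functions with a parser; the regex-based declaration scan here only covers simple declarations.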

II. IoTcube: an Automated Security Vulnerability Analysis Platform

• Why hmark? (IEEE S&P’17, Computers & Security’18)
  ① Speed: 2x faster preprocessing and 1,000x faster detection
  ② Scalability: 20 million lines of smartphone software are scanned in less than 1.3 seconds
  ③ Pin-point detection: detects the exact vulnerable functions, so developers can fix them with ease
• Performance of hmark

<Figure: scalability vs. accuracy of clone detectors. Token-level matching: CCFinder (TSE’02); graph/tree matching: DECKARD (ICSE’07); bag-of-tokens matching: SourcererCC (ICSE’15); line-level matching: ReDeBug (S&P’12); file-level matching: FCFinder (MSR’10); VUDDY (S&P’17), used in IoTcube, with 1,000x faster detection>


II. IoTcube: an Automated Security Vulnerability Analysis Platform

• According to the IoTcube analysis, 15% of the latest versions of OSS have at least one CVE vulnerability
  - Top 300 latest versions of C/C++ software by star ranking on GitHub
  - Vulnerabilities of unpatched code clones exist within the sub-components of OSS
• Using the latest version of OSS is not sufficient: OSS itself reuses other OSS components

<C vulnerable software list>
Name               # CVE   Area
FFmpeg             15      Media
kbengine           14      Game (engine)
torvalds/linux     13      OS
raspberrypi/linux  13      OS
FreeBSD            7       OS
OpenSSL            2       SSL/TLS

<C++ vulnerable software list>
Name               # CVE   Area
Emscripten         15      Compiler
Turicreate         14      AI
Godot              10      Game (engine)
Mongo              2       Database
ArangoDB           2       Database
OpenCV             1       Vision

II. IoTcube: an Automated Security Vulnerability Analysis Platform

• IoTcube hmark demonstration
• Android analysis for detecting CVE vulnerabilities


III. An Automated Security Testing Framework for I3 Marketplace

• I3 Marketplace: a platform that enables data owners to provide access to and monetize their data

<Figure: I3 Marketplace Platform with a Data Broker connecting the Device and Data Owner to Data Consumers (3rd party apps and IoT cloud platforms)>

III. An Automated Security Testing Framework for I3 Marketplace

• Problems caused by vulnerable data source devices
  1) Modified data (impairs data integrity): the consumer receives Data’ instead of Data
  2) Data loss (impairs data availability)

<Figure: vulnerable data source devices feeding the I3 Marketplace Platform and its data consumers (3rd party app and IoT cloud platform)>


III. An Automated Security Testing Framework for I3 Marketplace

• Integrating IoTcube into the I3 Marketplace

<Figure: IoTcube attached to the I3 Marketplace Platform beside the Device and Data Owner, the Data Broker and the Data Consumers (3rd party app, IoT cloud platform)>

III. An Automated Security Testing Framework for I3 Marketplace

• Integrating IoTcube into the I3 Marketplace (via REST API)
  - Data owner => IoTcube
    · Model and OS version of devices (weak validation)
    · Source code of devices (strong validation)
  - Data owner <= IoTcube
    · Vulnerability check result
    · Certificate level


III. An Automated Security Testing Framework for I3 Marketplace

• Integrating IoTcube into the I3 Marketplace
  - IoTcube analyzes vulnerabilities at the source code level
  - Vulnerabilities detected by IoTcube have a higher chance of being triggered [1]
  - Content providers can do validation without the source code of the devices
  - Two types of vulnerability analysis: weak validation and strong validation
  - A higher incentive is given to strong validation

Type               Input to IoTcube
Weak validation    Model and OS version of devices
Strong validation  Source code of devices

[1] Kim, S., Woo, S., Lee, H., & Oh, H. (2017, May). VUDDY: A scalable approach for vulnerable code clone discovery. In 2017 IEEE Symposium on Security and Privacy (SP) (pp. 595-614). IEEE.

III. An Automated Security Testing Framework for I3 Marketplace

• Integrating IoTcube into the I3 Marketplace
• How to get the source code of the device?
  - Most IoT devices are developed on the Linux kernel
  - The kernel is licensed under the GPL, so vendors that ship it must make its source, including their modifications, available
  - As a result, the kernel source code of such devices is available
  - The rest of the firmware (vendor daemons, proprietary blobs) need not be published, so strong validation may cover only part of the device

<Source code for Raspberry Pi, https://github.com/raspberrypi/linux>


III. An Automated Security Testing Framework for I3 Marketplace

• Integrating IoTcube into the I3 Marketplace
• How to use the hmark tool?
  1) Visit https://Iotcube.net
  2) Download the hmark tool (https://iotcube.net/downloads)
  3) Use the hmark tool to create a hash file of the source code for vulnerability scanning
     % hmark -c ./src
  4) As a result, the hash file (i.e., src.hidx) is created
  5) When registering a product, simply attach the hidx file for strong validation

<Figure: device source code is fed to the “hmark” tool, which outputs the hash file (hidx) of the code; the source itself does not need to be uploaded>

III. An Automated Security Testing Framework for I3 Marketplace

• Integrating IoTcube into the I3 Marketplace
• IoTcube integration is possible through the REST API
  - Simply send the hidx file created by the hmark tool to the IoTcube server in a POST request
  - The user (e.g., data seller) then receives the vulnerability scan result as JSON
• Even data sellers who are not familiar with security can easily analyze the security of their data-source devices using IoTcube

<Figure: the data seller (or the I3 Marketplace Platform) sends the hidx hash file of the device in a POST request (REST API) and gets back the scanned vulnerabilities as JSON>


III. An Automated Security Testing Framework for I3 Marketplace

• Integrating IoTcube into the I3 Marketplace
• Overall process of validation
  1) The data seller generates the hidx file of the data-source device
  2) While registering the product for sale, the data seller attaches the hidx file for strong validation
  3) The I3 Marketplace Platform sends the hidx file to IoTcube for vulnerability scanning (REST API)
  4) IoTcube returns the vulnerability scanning result and the certificate level of the device

III. An Automated Security Testing Framework for I3 Marketplace

• Integrating IoTcube into the I3 Marketplace
• How to choose the certificate level?
  - IoTcube provides a checklist for software security
  - The certificate level is decided from the vulnerability analysis result according to the checklist

ID  Item                                                                                                   Yes  No
1   Are there any vulnerabilities in the software?
2   Are there high-severity vulnerabilities (CVSS > 7.0) in the software?
3   Are there named vulnerabilities (e.g., Heartbleed, Dirty COW) in the software?
4   Are there any old OSS components that have not been updated in the software? (will be added to IoTcube soon)
5   Are there any vulnerabilities in the software for which a PoC is publicly available? (will be added to IoTcube soon)


III. An Automated Security Testing Framework for I3 Marketplace

• Integrating IoTcube into the I3 Marketplace
• How to choose the certificate level?
  - The certificate level is determined by the IoTcube scanning result
  - It depends on the presence of high-severity vulnerabilities and of named vulnerabilities

Certificate level by validation type:
  ★★★★★  Weak: -  |  Strong: no high-severity and no named vulnerabilities
  ★★★★   Weak: no high-severity and no named vulnerabilities  |  Strong: either high-severity or named vulnerabilities
  ★★★    Weak: either high-severity or named vulnerabilities  |  Strong: both high-severity and named vulnerabilities
  ★★     Weak: both high-severity and named vulnerabilities  |  Strong: -
  ★      The device has not been analyzed yet by IoTcube
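The level decision above, and the checklist it is built on, as a function over the JSON scan result that the REST integration returns. This is an added example, not IoTcube's code: the page does not document the JSON schema, so the assumed shape is a "vulnerabilities" list of objects with a cve id, a cvss score and a name, and the sample responses are constructed (the scores are sample values). The named-vulnerability set holds only the two names the checklist mentions; the list IoTcube actually uses is not on the page.

```python
"""Certificate level from a vulnerability scan result (added example).

Not IoTcube's code. The JSON shape is an assumption and the sample
responses below are constructed.
"""
import json

# Named vulnerabilities from the checklist (item 3); the full list is not on the page.
NAMED_VULNERABILITIES = {"heartbleed", "dirtycow"}
HIGH_SEVERITY_CVSS = 7.0   # checklist item 2: CVSS > 7.0


def _normalize(name):
    """'Dirty COW' -> 'dirtycow', so spelling variants still match."""
    return "".join(name.lower().split())


def checklist(result):
    """Evaluate checklist items 1-3 on a parsed scan result (dict)."""
    vulns = result.get("vulnerabilities", [])
    return {
        "any_vulnerability": bool(vulns),
        "high_severity": any(float(v.get("cvss", 0)) > HIGH_SEVERITY_CVSS
                             for v in vulns),
        "named_vulnerability": any(_normalize(v.get("name", "")) in NAMED_VULNERABILITIES
                                   for v in vulns),
    }


def certificate_level(validation, result=None):
    """Stars (1-5) per the decision table: strong validation starts at 5,
    weak at 4; one star is lost for high-severity findings and one for
    named vulnerabilities; a device that was never analyzed gets 1."""
    if result is None:
        return 1
    items = checklist(result)
    penalty = int(items["high_severity"]) + int(items["named_vulnerability"])
    if validation == "strong":
        return 5 - penalty
    if validation == "weak":
        return 4 - penalty
    raise ValueError("validation must be 'weak' or 'strong'")


def level_from_json(validation, text):
    """Parse the JSON body returned by the scan and compute the level."""
    return certificate_level(validation, json.loads(text))


# Constructed sample responses, not real IoTcube output.
CLEAN = '{"vulnerabilities": []}'
HIGH_ONLY = '{"vulnerabilities": [{"cve": "CVE-XXXX-XXXX", "cvss": 9.8, "name": ""}]}'
NAMED_ONLY = '{"vulnerabilities": [{"cve": "CVE-2014-0160", "cvss": 5.0, "name": "Heartbleed"}]}'
BOTH = '{"vulnerabilities": [{"cve": "CVE-2016-5195", "cvss": 7.8, "name": "Dirty COW"}]}'


if __name__ == "__main__":
    for label, text in [("clean", CLEAN), ("high only", HIGH_ONLY),
                        ("named only", NAMED_ONLY), ("both", BOTH)]:
        for validation in ("weak", "strong"):
            stars = "★" * level_from_json(validation, text)
            print(f"{label:10} {validation:6} {stars}")
    print(f"{'unanalyzed':10} {'-':6} {'★' * certificate_level('weak')}")
```

Two points worth checking before adopting a rule like this: the checklist says CVSS > 7.0, so a score of exactly 7.0 (the bottom of the CVSS "High" band) does not count, and a practitioner may prefer >= 7.0; and the weak-validation column tops out at four stars, so a self-reported model and OS version can never earn the fifth star, which is the incentive for uploading the hidx file.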

III. An Automated Security Testing Framework for I3 Marketplace

• Demo: Integrating IoTcube into the I3 Marketplace


IV. Future Work

• Next steps
  - Incentives: develop incentive models for providers who do proper security management
  - Penalties: when incorrect version information is entered, it needs to be verified, and penalties should be considered if the misreporting was intentional
  - Model extension to edge computing: in the extended I3 Marketplace model that supports edge computing, security analysis can be done within the devices

Q&A

Fewer vulnerabilities make more secure software!

How to Contact: IoTcube finds all bugs!

• CSSA: 02-3290-4808, [email protected]
• IoTcube Inc.: 02-921-0419, [email protected]