Research on Software Security Testing Automation and Its Applications on Internet of Things

Bibliographic Details
Main Authors: Chin-Wei Tien, 田謹維
Other Authors: 郭斯彥
Format: Others
Language: en_US
Published: 2019
Online Access: http://ndltd.ncl.edu.tw/handle/xgk7g7
id ndltd-TW-107NTU05442084
record_format oai_dc
spelling ndltd-TW-107NTU05442084 2019-11-21T05:34:27Z http://ndltd.ncl.edu.tw/handle/xgk7g7 Research on Software Security Testing Automation and Its Applications on Internet of Things 軟體資訊安全自動化檢測技術研究與在物聯網上之應用 Chin-Wei Tien 田謹維 Doctoral National Taiwan University Graduate Institute of Electrical Engineering 107 郭斯彥 2019 degree thesis ; thesis 77 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
description Doctoral === National Taiwan University === Graduate Institute of Electrical Engineering === 107 === Internet of Things (IoT) applications have been growing rapidly. A market survey predicted that the number of IoT devices will reach 20 billion in 2020. With this in consideration, security threats due to poor product quality have been identified as an important factor influencing the evolution of the IoT industry. Thus, government agencies and organizations have developed IoT security guidelines and testing standards to enhance the security quality of IoT products. However, testing such large numbers of IoT devices requires considerable human workload, which makes it difficult to meet the original purpose of developing security testing standards and generates the demand for security testing automation. In this study, we develop security testing automation and conduct field trials on IoT security standard testing for evaluation. This study analyzes the content of IoT security testing standards including OWASP, UL-2900-2, and NIST and summarizes testing requirements to develop reversing, static analysis, dynamic analysis, and anomaly analysis technologies. Overall, we implement three security automation tools: mobile apps assessment and analysis system (MAS), universal firmware vulnerability observer (UFO), and Kubernetes anomaly detection (KubAnomaly). Further, we design evaluation datasets for benchmarking system accuracy, coverage, and performance. We apply these implementations to the evaluation of real-world IoT system parts in an app, device firmware, and cloud container environment. The main evaluation results are as follows. (1) MAS validates 15,000 popular apps from the Google Play and Apple iTunes stores in the USA, Japan, and Taiwan. We found that most apps contain at least three security issues. (2) We use 237 real-world embedded device firmware files to evaluate UFO. Based on the results, hidden backdoor problems were reported to two IoT device vendors in Taiwan, who confirmed them. (3) KubAnomaly uses machine learning to develop an anomaly detection mechanism in the cloud container orchestration platform, Kubernetes, and achieves an overall accuracy of up to 96%. KubAnomaly has been used to identify real attack events by hackers in China, Thailand, and Portugal during September 2018. In summary, the development of automated security testing tools can effectively test the quality of products of the IoT industry, meet the requirements of international security testing standards, and enhance the development opportunities of Taiwan's IoT industry.
author2 郭斯彥
author_facet 郭斯彥
Chin-Wei Tien
田謹維
author Chin-Wei Tien
田謹維
title Research on Software Security Testing Automation and Its Applications on Internet of Things
publishDate 2019
url http://ndltd.ncl.edu.tw/handle/xgk7g7