Towards Evaluating the Security Risks of Using Third-Party Components in IoT Firmware
Author(s)
Zhao, Binbin
Abstract
IoT devices increasingly integrate a wealth of third-party components (TPCs) in their firmware to shorten the development cycle. Nevertheless, adopting TPCs in IoT firmware may lead to serious consequences. In this dissertation, we explore the security issues raised by TPCs in IoT firmware in three steps. First, we present a comprehensive overview of the security issues in real-world IoT devices. We confirm that many N-day vulnerabilities caused by TPCs are still endangering a great number of IoT devices. Second, we conduct a large-scale empirical analysis of the vulnerabilities introduced by TPCs in IoT firmware. We design and implement FirmSec, the first scalable and automated framework to analyze the TPCs used in firmware and identify the corresponding vulnerabilities. Finally, we study the TPC usage violation problem in IoT firmware. To this end, we propose UVScan, an NLP-guided and rule-driven method to detect TPC usage violations in IoT firmware.
Date
2023-06-30
Resource Type
Text
Resource Subtype
Dissertation