Institute of Information Science, Academia Sinica

Seminar

Adaptive Vulnerability Detection in IoT Ecosystems

  • Lecturer: Mr. Wei-Lun (Leo) Huang (University of Michigan)
    Host: Bo-Yin Yang
  • Time: 2024-04-02 (Tue.) 10:00 ~ 12:00
  • Location: Auditorium 106 at IIS new Building
Abstract
IoT applications are ubiquitous in our daily lives. They collect sensitive user data, help users make critical decisions, and are thus popular targets of security attacks. Most IoT applications run with real-time constraints and limited compute resources, so it is undesirable and sometimes infeasible to patch their vulnerabilities on the fly. IoT vendors detect and remove vulnerabilities in their products beforehand to reduce the need for on-the-fly patches. However, it is hard to design vulnerability detection for general IoT applications since they run on diverse platforms and serve a wide range of purposes.
In this talk, I will share my Ph.D. research on vulnerability detection for general IoT applications. To resolve the challenges posed by the diversity in application platforms and purposes, I have designed several approaches that adapt to the observed executions of IoT applications under test. (1) ES-Fuzz boosts the coverage of firmware fuzz-testing by refining stateless and fixed peripheral models into stateful and adaptive ones. This refinement runs iteratively on the observed high-coverage executions of firmware under test. (2) BLE-Cracker assesses the location privacy of Bluetooth LE (BLE) devices by their data in BLE advertisements. It monitors the BLE traffic in an area, estimates the exploitability of each data item therein for area-specific device tracking, and enables real-time tracking attacks in the area that adapt to the latest estimates. (3) Cipherfast mitigates ciphertext side channels in crypto software running on AMD EPYC automatically. It hardens crypto software at the LLVM-IR level rather than the binary level, thus lowering the run-time overhead of masking-based solutions and enabling nonce-based solutions. It adapts side-channel detection from the binary level to the LLVM-IR level by tracing the executions of software under test. My works have respectively improved the security of end devices (leaf nodes), device communications (edges), and the cloud (powerful core) in an IoT ecosystem.