Runtime Vulnerability Discovery as a Service on Industrial Internet of Things (IIoT) Systems

The IoT and IIoT paradigms are creating new business opportunities. However, high interconnectivity among all objects introduces new security concerns and challenges. Security is not a product, but a process. Security tests and audits have to be carried out constantly. Once a security flaw is detected, a software patch fixing the weakness could then be produced. This continuous, iterative security evaluation might be expensive. In this paper, a novel vulnerability discovery approach is presented: Hadros. The particularity of the proposed design is that security tests are distributed among all the deployed IoT/IIoT nodes and executed at runtime, during the system's idle time. Hadros is suitable and advantageous for the IoT and IIoT era because testing coverage increases broadly as more devices are incorporated. Meanwhile, the resources employed by security researchers are also significantly reduced.
