MPInspector: A Systematic and Automatic Approach for Evaluating the Security of IoT Messaging Protocols

Facilitated by messaging protocols (MPs), many home devices are connected to the Internet, bringing convenience and accessibility to customers. However, most MPs deployed on IoT platforms are fragmented and are not implemented carefully enough to support secure communication. To the best of our knowledge, there is not yet a systematic solution for performing automatic security checks on MP implementations. To bridge the gap, we present MPInspector, the first automatic and systematic solution for vetting the security of MP implementations. MPInspector combines model learning with formal analysis and operates in three stages: (a) using parameter semantics extraction and interaction logic extraction to automatically infer the state machine of an MP implementation, (b) generating security properties based on meta properties and the state machine, and (c) applying automatic property-based formal verification to identify property violations. We evaluate MPInspector on three popular MPs (MQTT, CoAP and AMQP) implemented on nine leading IoT platforms. It identifies 252 property violations, from which we further identify eleven types of attacks under two realistic attack scenarios. In addition, we demonstrate that MPInspector is lightweight (the average overhead of end-to-end analysis is ~4.5 hours) and effective, with a precision of 100% in identifying property violations.
