Title: Towards Evaluating the Security Risks of Using Third-party Components in IoT Firmware
Committee:
Dr. Beyah, Advisor
Dr. Zonouz, Chair
Dr. Saltaformaggio
Dr. Ji
Abstract: The objective of the proposed research is to evaluate the security risks of using third-party components (TPCs) in IoT firmware. IoT devices increasingly integrate a wealth of TPCs into their firmware to shorten the development cycle. Nevertheless, adopting TPCs in IoT firmware may lead to serious consequences. In this proposal, we explore the security issues raised by TPCs in IoT firmware in three steps. First, we present a comprehensive overview of the security issues in real-world IoT devices. We confirm that many N-day vulnerabilities caused by TPCs still endanger a great number of IoT devices. Second, we conduct a large-scale empirical analysis of the vulnerabilities introduced by TPCs in IoT firmware. We design and implement FirmSec, the first scalable and automated framework to analyze the TPCs used in firmware and identify the corresponding vulnerabilities. Finally, we study the TPC usage violation problem in IoT firmware. To achieve this goal, we propose an NLP-guided and rule-driven method to detect TPC usage violations in IoT firmware.