Title: A Systematic Approach for Assessing Security Flaws and Threats in IoT Deployments
Committee:
Dr. Manos Antonakakis, ECE, Chair, Advisor
Dr. Fabian Monrose, UNC, Co-Advisor
Dr. Mustaque Ahamad, CoC
Dr. Douglas Blough, ECE
Dr. Roberto Perdisci, UGA
Dr. Michael Bailey, CoC
Abstract: The IoT computing paradigm opens the door to many innovative industrial, medical, and consumer applications. These IoT systems, however, are becoming increasingly complex, coupled, and software-dependent. This complexity also opens the door to attacks and abuse that can have a real-world impact on critical infrastructure or, worse, cause physical harm. Traditional security assessment approaches are ad hoc and do not generalize well to modern IoT deployments. Furthermore, the scope is often narrow and focuses on specific components of IoT systems. Worse still, security assessments and threat analyses are often independently studied, which creates a gap between the identification and exploitation of vulnerabilities. This dissertation presents holistic and systematic frameworks that combine network and binary analysis to identify vulnerabilities and their likelihood of transpiring in real-world IoT deployments. The contributions consist of three large-scale studies, each of which is based on insights from the previous one. First, I propose a generalizable and objective security assessment standard for smart-home IoT deployments that I apply to 45 diverse devices and their mobile apps, cloud endpoints, and network communication. The results reveal a disproportional number of flaws affecting the mobile app and cloud backend components, which warranted a deeper investigation. The second study designs and builds a data-driven security assessment pipeline for mobile cloud backends to automatically find and attribute vulnerabilities in different software layers. The sheer number of known and unknown vulnerabilities we found motivated my third study to investigate what and how attackers abuse these security flaws. I propose a principled framework that captures the lifecycle of Linux-based IoT malware to uncover how attackers target vulnerable IoT devices and characterize their malware. These studies, and their novel integration of end-host binary program analysis and network vulnerability analysis that enables them, have introduced holistic, generalizable, and reproducible scientific methodologies that reveal far more than traditional security and threat analysis studies for networked systems.