| Peer-Reviewed

Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution

Received: 19 November 2022     Accepted: 26 January 2023     Published: 9 February 2023
Views:       Downloads:
Abstract

Security of Internet-of-Things (IoT) systems is important due to their widespread usage in everyday life. Much research has been performed on analyzing the security of IoT communication protocols and operating systems. However, few studies have focused on analyzing the security of IoT applications and automatic detection of vulnerabilities in them. In these studies, the code of IoT applications and operating systems are analyzed statically to detect vulnerabilities. To the best of our knowledge, there is no dynamic analysis solution suggested for vulnerability detection in such applications, although this method is more accurate than static analysis. In fact, IoT applications are executed in special-purpose hardware, which makes their dynamic analysis more difficult than ordinary applications. In this paper, we propose a technical solution that combines static and dynamic analysis methods to automatically detect vulnerability in applications of Tizen IoT operating system. We consider Native and Web Tizen applications and present an automatic vulnerability detection method for each type of application. Our focus is on detecting buffer overflow and XSS vulnerability classes in Native and Web applications, respectively. We have evaluated the effectiveness of our method using a group of native and web test programs. The results of our experiments show that our solution is able to detect the vulnerability in these programs effectively.

Published in International Journal of Information and Communication Sciences (Volume 8, Issue 1)
DOI 10.11648/j.ijics.20230801.11
Page(s) 1-11
Creative Commons

This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.

Copyright

Copyright © The Author(s), 2023. Published by Science Publishing Group

Keywords

Tizen, Dynamic Symbolic Execution, Native, Web, Vulnerability, IoT, C++, JavaScript

References
[1] Windows IoT core, https://docs.microsoft.com/en-us/windows/iot/, Accessed 18 January 2022.
[2] Amazon FreeRTOS, https://aws.amazon.com/freertos/, Accessed 18 January 2022.
[3] Samasung Tizen, https://www.tizen.org, Accessed 18 January 2022.
[4] Contiki, https://www.contiki-ng.org/, Accessed 18 January 2022.
[5] Mullen G., Meany L.: Assessment of Buffer Overflow Based Attacks On an IoT Operating System. IEEE 2019 Global IoT Summit (GIoTS) pp. 1-6 (2019).
[6] Chess B., McGraw G.: Static Analysis for Security. IEEE security & privacy, vol. 2, pp. 76-79 (2004).
[7] Godefroid P., Klarlund N., Sen K.: DART: Directed Automated Random Testing. In: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, pp. 213-223 (2005).
[8] Chaabouni N., Mosbah M., Zemmari A., Sauvignac C., Faruki P.: Network Intrusion Detection for IoT Security Based on Learning Techniques. IEEE Communications Surveys & Tutorials, vol. 21, pp. 2671-2701 (2019).
[9] Rizvi S., Orr R., Cox A., Ashokkumar P., Rizvi M.: Identifying the attack surface for IoT network. Internet of Things, vol. 9 (2020).
[10] Rathore S., Kwon B. W., HyukPark J.: BlockSecIoTNet: Blockchain-based decentralized security architecture for IoT network. Network and Computer Applications, vol. 143, pp. 167-177 (2019).
[11] Alnaeli S., Sarnowski M., Sayedul Aman M., Abdelgawad A., Yelamarthi K.: Vulnerable C/C++ Code Usage in IoT Software Systems. 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), pp. 348-352 (2016).
[12] Abraham A.: Hacking Tizen: The OS of Everything. In: Proceedings of the HITBSecConf-Hack In The Box Security Conference, Amsterdam, The Netherlands, pp. 26-29 (2015).
[13] Gritti F., Fontana L., Gustafson E., Pagani F., Continella A., Kruegel C., Vigna G.: SYMBION: Interleaving Symbolic with concrete execution. IEEE Conference on Communications and Network Security (CNS), pp. 1-10, (2020).
[14] Loring B., Mitchell D., Kinder J.: ExpoSE: Practical Symbolic Execution of Standalone JavaScript. In: Proceedings of the 24th ACM SIGSOFT International SPIN Symposium on Model Checking of Software., pp. 196-199 (2017).
[15] Shoshitaishvili, Wang Y., Hauser R., Krugel C., Vigana G.: Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware. NDSS, vol. 1, pp. 1-1 (2015).
[16] Muench M., Nisi D., Francillon A., Balzarotti D.: Avatar 2: A multi-Target Orchestration Platform. InProc. Workshop on Binary Anal. Res. (colocated with NDSS Symp.), vol. 18, pp. 1-11 (2018).
[17] Qiling Framework, https://qiling.io. Accessed 18 January 2022.
[18] Li G., Andreasen E., Ghosh I.: SymJS: Automatic Symbolic Testing of JavaScript Web. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 449-459, (2014).
[19] JSSeek, http://glasnost.itcarlow.ie/~softeng4/C00137906/index.html. Accessed 18 January 2022.
[20] Basiri M., Mouzarani M.: Assessing the Resistance of the Internet of Things Applications to Memory Corruption Attacks. EAI SaSeIoT (2021).
[21] Baldoni R., Coppa E., D’ELIA D. C., Demetrescu C., Finocchi I.: A Survey of Symbolic Execution Techniques. ACM Computing Surveys (CSUR) 51. 3, pp. 1-39, (2018).
[22] angr. https://angr.ir. Accessed 18 January 2022.
[23] Sen K., Kalasapur S., Brutch T., Gibbs S.: Jalangi: A Tool Framework for Concolic Testing, Selective. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, pp. 615-618, (2013).
[24] MDN Web Docs: JS hoisting. https://developer.mozilla.org/en-US/docs/Glossary/Hoisting. Accessed 18 January 2022.
[25] Nicula Ș., Zota R. D: Exploiting stack-based buffer overflow using modern day techniques. Procedia Computer Science, vol. 160, pp. 9-14 (2019).
[26] TizenSecurity. https://github.com/SoftwareSecurityLab/TizenSecurity. Accessed 18 January 2022.
[27] NIST Software Assurance Reference Dataset. https://samate.nist.gov/SARD/. Accessed 5 August 2022.
Cite This Article
  • APA Style

    Sobhan Safdarian, Mohammad Hossein Asghari, Maryam Mouzarani. (2023). Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution. International Journal of Information and Communication Sciences, 8(1), 1-11. https://doi.org/10.11648/j.ijics.20230801.11

    Copy | Download

    ACS Style

    Sobhan Safdarian; Mohammad Hossein Asghari; Maryam Mouzarani. Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution. Int. J. Inf. Commun. Sci. 2023, 8(1), 1-11. doi: 10.11648/j.ijics.20230801.11

    Copy | Download

    AMA Style

    Sobhan Safdarian, Mohammad Hossein Asghari, Maryam Mouzarani. Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution. Int J Inf Commun Sci. 2023;8(1):1-11. doi: 10.11648/j.ijics.20230801.11

    Copy | Download

  • @article{10.11648/j.ijics.20230801.11,
      author = {Sobhan Safdarian and Mohammad Hossein Asghari and Maryam Mouzarani},
      title = {Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution},
      journal = {International Journal of Information and Communication Sciences},
      volume = {8},
      number = {1},
      pages = {1-11},
      doi = {10.11648/j.ijics.20230801.11},
      url = {https://doi.org/10.11648/j.ijics.20230801.11},
      eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ijics.20230801.11},
      abstract = {Security of Internet-of-Things (IoT) systems is important due to their widespread usage in everyday life. Much research has been performed on analyzing the security of IoT communication protocols and operating systems. However, few studies have focused on analyzing the security of IoT applications and automatic detection of vulnerabilities in them. In these studies, the code of IoT applications and operating systems are analyzed statically to detect vulnerabilities. To the best of our knowledge, there is no dynamic analysis solution suggested for vulnerability detection in such applications, although this method is more accurate than static analysis. In fact, IoT applications are executed in special-purpose hardware, which makes their dynamic analysis more difficult than ordinary applications. In this paper, we propose a technical solution that combines static and dynamic analysis methods to automatically detect vulnerability in applications of Tizen IoT operating system. We consider Native and Web Tizen applications and present an automatic vulnerability detection method for each type of application. Our focus is on detecting buffer overflow and XSS vulnerability classes in Native and Web applications, respectively. We have evaluated the effectiveness of our method using a group of native and web test programs. The results of our experiments show that our solution is able to detect the vulnerability in these programs effectively.},
     year = {2023}
    }
    

    Copy | Download

  • TY  - JOUR
    T1  - Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution
    AU  - Sobhan Safdarian
    AU  - Mohammad Hossein Asghari
    AU  - Maryam Mouzarani
    Y1  - 2023/02/09
    PY  - 2023
    N1  - https://doi.org/10.11648/j.ijics.20230801.11
    DO  - 10.11648/j.ijics.20230801.11
    T2  - International Journal of Information and Communication Sciences
    JF  - International Journal of Information and Communication Sciences
    JO  - International Journal of Information and Communication Sciences
    SP  - 1
    EP  - 11
    PB  - Science Publishing Group
    SN  - 2575-1719
    UR  - https://doi.org/10.11648/j.ijics.20230801.11
    AB  - Security of Internet-of-Things (IoT) systems is important due to their widespread usage in everyday life. Much research has been performed on analyzing the security of IoT communication protocols and operating systems. However, few studies have focused on analyzing the security of IoT applications and automatic detection of vulnerabilities in them. In these studies, the code of IoT applications and operating systems are analyzed statically to detect vulnerabilities. To the best of our knowledge, there is no dynamic analysis solution suggested for vulnerability detection in such applications, although this method is more accurate than static analysis. In fact, IoT applications are executed in special-purpose hardware, which makes their dynamic analysis more difficult than ordinary applications. In this paper, we propose a technical solution that combines static and dynamic analysis methods to automatically detect vulnerability in applications of Tizen IoT operating system. We consider Native and Web Tizen applications and present an automatic vulnerability detection method for each type of application. Our focus is on detecting buffer overflow and XSS vulnerability classes in Native and Web applications, respectively. We have evaluated the effectiveness of our method using a group of native and web test programs. The results of our experiments show that our solution is able to detect the vulnerability in these programs effectively.
    VL  - 8
    IS  - 1
    ER  - 

    Copy | Download

Author Information
  • Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan, Iran

  • Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan, Iran

  • Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan, Iran

  • Sections