Tainted flow analysis and propagation across interfaces of IoT ecosystem

Abstract

Internet of things is the network extension consisting of lots of physical objects which integrates various sensors and a software. A modern IoT ecosystem still comprises lots of security, privacy and data consistency threats. They are due to various reasons and in particular Cross-program propagation of tainted data which has been also listed in the OWASP IoT top 10 most critical security risks. When interactive programs run on distinct devices (like in IoT systems), they are possibly written in a different programming languages and communicate over different channels. Standard taint analyses detects if an un-sanitized value (e.g., properly escaped) coming from a source (e.g., methods retrieving some user input or sensitive data) flows into a sink (e.g., methods executing SQL queries or sending data through Internet) within a program. In this work we enhanced the existing static analysis mechanism for taint analysis in order to support the interactive multi-program system. The proposed framework has been implemented with a JuliaSoft static analyzer. Preliminary experimental on randomly chosen Github projects demonstrates the effectiveness of our approach by detecting serious vulnerabilities which are not getting discovered when analysis kept in isolation.