International Conference on Software Security and Assurance (ICSSA) Altoona, PA, USA, Jul. 24-25, 2017

1. Introduction
2. Requirements for IoT Web Scanners
3. Conclusion & Future Work


- IoT devices
- Web interfaces
- Attack surface


- Manual inspection
- Web application vulnerability scanners
  - IBM Security AppScan, Subgraph Vega, ...
  - Not designed for IoT devices
- Need web application vulnerability scanners for IoT devices

- 4 requirements an IoT web scanner should satisfy
- Based on the experience from Dr. Lee's previous projects
  - Scanning 1,000+ websites using AppScan
  - Web application vulnerabilities in wireless routers
  - Found some vulnerabilities in ipTIME, TP-Link, and D-Link routers

- An IoT web scanner should be able to use a browser's rendering engine to parse the web interfaces of IoT devices.
- Why?
  - Could NOT render some interfaces properly
  - Need time-consuming & error-prone manual scans

- An IoT web scanner should minimize false positives by excluding vulnerabilities that are uncommon in IoT devices.
- Why?
  - Found possible false positives
  - SQL injections, SSL certificate expiration, private IP address leakage, ...

- An IoT web scanner should be able to minimize device setting changes.
- Why?
  - Often changed devices' settings, even to factory defaults
  - Usually involved rebooting

- An IoT web scanner should be able to trace injected code during scanning.
- Why?
  - Found some injected code in other pages
  - e.g., security log pages
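As an added example (not code from the slides or from the authors' scanner), the following Python sketch shows requirements 2 and 4 as testable logic: it drops the finding classes the slides list as likely false positives on IoT devices, and it traces a unique, harmless marker submitted through one page into the other pages the scanner later renders, such as a security log page. The URLs, field names and HTML below are constructed for the example; the rendered pages are assumed to come from a browser's rendering engine (requirement 1).

```python
"""Two of the proposed IoT web scanner requirements as small functions.
Requirement 2: exclude finding classes uncommon on IoT devices.
Requirement 4: trace injected input into pages other than the one that received it.
All sample data is constructed for this example.
"""
import re
from dataclasses import dataclass

# Requirement 2: categories the slides name as probable false positives on IoT interfaces.
IOT_UNCOMMON = {"sql_injection", "ssl_cert_expired", "private_ip_leak"}


@dataclass(frozen=True)
class Finding:
    category: str
    url: str


def filter_iot_findings(findings):
    """Return the findings minus those in categories excluded for IoT devices."""
    return [f for f in findings if f.category not in IOT_UNCOMMON]


# Requirement 4: every injected input carries a unique, inert marker so the scanner can
# recognise it wherever the device renders it later (hypothetical marker format).
MARKER_RE = re.compile(r"iotscan-[0-9a-f]{8}")


def trace_markers(submitted, pages):
    """List (marker, entry_url, field, sink_url) for every marker that reappears.

    submitted: {marker: (entry_url, field)} recorded when the input was sent
    pages: {url: rendered_html} for every page rendered after the injection
    A sink_url different from entry_url is the 'other page' case from the slides.
    """
    hits = []
    for sink_url, html in pages.items():
        for marker in set(MARKER_RE.findall(html)):
            if marker in submitted:
                entry_url, field = submitted[marker]
                hits.append((marker, entry_url, field, sink_url))
    return sorted(hits)


# Constructed sample: a marker set as the Wi-Fi SSID shows up again in the security log page.
SUBMITTED = {"iotscan-0a1b2c3d": ("/wireless.cgi", "ssid")}
PAGES = {
    "/wireless.cgi": "<input name='ssid' value='iotscan-0a1b2c3d'>",
    "/log.cgi": "<pre>12:00 SSID changed to iotscan-0a1b2c3d by admin</pre>",
    "/status.cgi": "<p>Uptime 3 days</p>",
}

if __name__ == "__main__":
    for hit in trace_markers(SUBMITTED, PAGES):
        print("marker %s from %s[%s] rendered at %s" % hit)
```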

- Importance of IoT web interface security
- Proposed 4 requirements for IoT web scanners
  - Use web browsers' rendering engines
  - Minimize false positives
  - Minimize device setting changes
  - Trace injected code
- Future work
  - Further refine the requirements
  - Develop an IoT web scanner based on the requirements

Common Requirements for Web Application ...
