Detection of Privilege Escalation in IoT Systems
Software vulnerabilities in access control models can represent a serious threat in a system. In face, OWASP lists broken access control as number 5 in severity among the top 10 vulnerabilities. In this thesis, we study the permission model of an emerging Smart-Home platform, SmartThings, and explore two approaches of detecting privilege escalation in its permission model. The first approach applies static analysis to extract vulnerabilities by pattern matching. Our second approach is based on model driven engineering (MDE) in addition to static analysis. The second approach complements the static analysis-based approach which cannot analyse the semantic itself. MDE-based approach allows for better coverage of privilege escalation, by analyzing free-form text that carries extra permissions details. Our experimental results demonstrate a very high accuracy for detecting vulnerabilities in both approaches.
History
Language
EnglishDegree
- Master of Science
Program
- Computer Science
Granting Institution
Ryerson UniversityLAC Thesis Type
- Thesis