Paper title
A Model-Driven-Engineering Approach for Detecting Privilege Escalation in IoT Systems
Paper authors
Abstract
Software vulnerabilities in access control models can represent a serious threat in a system. In fact, OWASP lists broken access control as number 5 in severity among the top 10 vulnerabilities. In this paper, we study the permission model of an emerging Smart-Home platform, SmartThings, and explore an approach that detects privilege escalation in its permission model. Our approach is based on Model Driven Engineering (MDE) in addition to static analysis. This approach allows for better coverage of privilege escalation detection than static analysis alone, and takes advantage of analyzing free-form text that carries extra permissions details. Our experimental results demonstrate a very high accuracy for detecting over-privilege vulnerabilities in IoT applications.