A Model-Driven-Reverse Engineering Approach for Detecting Privilege Escalation in IoT Systems

By: Manar H. Alalfi, Atheer Abu Zaid, Ali Miri

Abstract

Software vulnerabilities in access control models can represent a serious threat in a system. In fact, OWASP lists broken access control as number 1 in severity among the top 10 vulnerabilities. In this paper, we study the permission model of an emerging Smart-Home platform, SmartThings, and explore an approach that detects privilege escalation in its permission model. Our approach is based on Model Driven Reverse Engineering (MDRE) in addition to static analysis. This approach allows for better coverage of privilege escalation detection than static analysis alone as it takes advantage of analyzing free-form text that carries extra permissions details. Our experimental results demonstrate high accuracy in detecting over-privilege vulnerabilities in IoT applications.

Keywords

Model Driven Reverse Engineering, Access Control Security vulnerabilities, Security Verification, IoT applications.

Cite as:

Manar H. Alalfi, Atheer Abu Zaid, Ali Miri, “A Model-Driven-Reverse Engineering Approach for Detecting Privilege Escalation in IoT Systems”, Journal of Object Technology, Volume 22, no. 1 ( 2023), pp. 1:1-21, doi:10.5381/jot.2023.22.1.a1.

PDF | DOI | BiBTeX | Tweet this | Post to CiteULike | Share on LinkedIn

The JOT Journal   |   ISSN 1660-1769   |   DOI 10.5381/jot   |   AITO   |   Open Access   |    Contact