A Model-Driven-Engineering Approach for Detecting Privilege Escalation in IoT Systems
Atheer Abu Zaid, Manar H. Alalfi, Ali Miri
TL;DR
This paper presents a model-driven engineering approach combined with static analysis to effectively detect privilege escalation vulnerabilities in IoT systems, specifically targeting Smart-Home platforms like SmartThings.
Contribution
It introduces a novel MDE-based method that enhances privilege escalation detection by analyzing permission models and free-form text, improving over static analysis alone.
Findings
High accuracy in detecting over-privilege vulnerabilities
Effective analysis of permission models and descriptive text
Enhanced coverage compared to traditional static analysis
Abstract
Software vulnerabilities in access control models can represent a serious threat in a system. In fact, OWASP lists broken access control as number 5 in severity among the top 10 vulnerabilities. In this paper, we study the permission model of an emerging Smart-Home platform, SmartThings, and explore an approach that detects privilege escalation in its permission model. Our approach is based on Model Driven Engineering (MDE) in addition to static analysis. This approach allows for better coverage of privilege escalation detection than static analysis alone, and takes advantage of analyzing free-form text that carries extra permissions details. Our experimental results demonstrate a very high accuracy for detecting over-privilege vulnerabilities in IoT applications
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAccess Control and Trust · Web Application Security Vulnerabilities · Advanced Malware Detection Techniques