Securing the Internet of Things with Security-by-Contract
Örebro University, School of Science and Technology. ORCID iD: 0000-0001-9293-7711
2021 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Smart homes, industry, healthcare, robotics: virtually every market has seen the rise of Internet of Things (IoT) devices, to different degrees and in different forms. IoT devices combine several desirable characteristics, such as mobility, ubiquity, variety, and affordability. Together, these features have brought the number of IoT devices in the world to 35 billion units. However, the sudden surge in market demand put enormous pressure on manufacturers. The need to deliver as many devices as possible to customers, in the shortest time possible, leads manufacturers to overlook features that users do not perceive as critical, such as resilience to cyberattacks. This has led to severe security issues. The prime example is Mirai, a malware that infected hundreds of thousands of IoT devices in 2016 and used them to launch devastating Distributed Denial of Service (DDoS) attacks.

In the first part of this thesis, we present the state of the art regarding the security resilience of IoT devices. In particular, we provide relevant examples of breaches, an analysis of the relationship between IoT and the Cloud from a security point of view, and an example of an IoT device penetration test. Then, we focus on the use of IoT devices in DDoS-enabled botnets and provide an extensive study of DDoS-enabling malware, discussing its evolution and capabilities.

In the second part, we contextualise the gathered knowledge and show that the highlighted problems stem from two main causes: insecure configurations and insufficient secure configurability. We also show that, to address these two issues, it is necessary to equip IoT devices with precise and formal descriptions of their behaviour. Therefore, we propose SC4IoT, a security framework for IoT devices that combines the Security-by-Contract (SC) paradigm with the Fog Computing paradigm. First, we provide a thorough breakdown of our proposal. We start from high-level lifecycles that describe how devices participate in SC4IoT. Then, we discuss the pillars that compose the framework (e.g., security contracts and security policies), together with their formal descriptions. Last, we provide precise algorithms for security-policy matching, as well as routines that allow the framework to deal with dynamic changes while maintaining consistency.

Place, publisher, year, edition, pages
Örebro: Örebro University, 2021, p. 55
Series
Örebro Studies in Technology, ISSN 1650-8580; 90
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:oru:diva-88151
ISBN: 978-91-7529-364-6 (print)
OAI: oai:DiVA.org:oru-88151
DiVA id: diva2:1511429
Public defence
2021-01-29, Örebro universitet, Långhuset, Hörsal L2 (and online (zoom)), Fakultetsgatan 1, Örebro, 13:00 (English)
Available from: 2020-12-18. Created: 2020-12-18. Last updated: 2021-01-08. Bibliographically approved.
List of papers
1. The Internet of Hackable Things
2018 (English). In: Proceedings of 5th International Conference in Software Engineering for Defence Applications: SEDA 2016 / [ed] Ciancarini, P.; Litvinov, S.; Messina, A.; Sillitti, A.; Succi, G., Cham: Springer, 2018, p. 129-140. Conference paper, Published paper (Refereed)
Abstract [en]

The Internet of Things makes it possible to connect every everyday object to the Internet, making computing pervasive like never before. From a security and privacy perspective, this tsunami of connectivity represents a disaster, as it makes each object remotely hackable. We claim that, in order to tackle this issue, we need to address a new challenge in security: education.

Place, publisher, year, edition, pages
Cham: Springer, 2018
Series
Advances in Intelligent Systems and Computing (AISC), ISSN 2194-5357, E-ISSN 2194-5365; 717
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:oru:diva-64664
DOI: 10.1007/978-3-319-70578-1_13
WoS: 000434086000013
Scopus ID: 2-s2.0-85041846777
ISBN: 978-3-319-70577-4, 978-3-319-70578-1
Conference
5th International Conference in Software Engineering for Defence Applications, Rome, Italy, May 10, 2016
Available from: 2018-01-30. Created: 2018-01-30. Last updated: 2021-01-07. Bibliographically approved.
2. Cyber-Storms Come from Clouds: Security of Cloud Computing in the IoT Era
2019 (English). In: Future Internet, E-ISSN 1999-5903, Vol. 11, no 6, article id 127. Article in journal (Refereed), Published
Abstract [en]

The Internet of Things (IoT) is rapidly changing our society into a world where everything is connected to the Internet, making computing pervasive like never before. This tsunami of connectivity and data collection relies more and more on the Cloud, where data analytics and intelligence actually reside. Cloud computing has indeed revolutionized the way computational resources and services can be used and accessed, implementing the concept of utility computing, whose advantages are undeniable for every business. However, despite the benefits in terms of flexibility, economic savings, and support for new services, its widespread adoption is hindered by the security issues arising from its use. From a security perspective, the technological revolution introduced by IoT and Cloud computing can represent a disaster, as each object might become inherently remotely hackable and, as a consequence, controllable by malicious actors. While the literature mostly focuses on the security of IoT and Cloud computing as separate entities, in this article we provide an up-to-date and well-structured survey of the security issues of Cloud computing in the IoT era. We give a clear picture of where security issues occur and what their potential impact is. As a result, we claim that it is not enough to secure IoT devices, as cyber-storms come from Clouds.

Place, publisher, year, edition, pages
MDPI, 2019
Keywords
security, Internet of Things, Cloud computing
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:oru:diva-75237
DOI: 10.3390/fi11060127
WoS: 000473805800007
Scopus ID: 2-s2.0-85067464961
Available from: 2019-07-25. Created: 2019-07-25. Last updated: 2023-08-03. Bibliographically approved.
3. Adding Salt to Pepper: A Structured Security Assessment over a Humanoid Robot
2018 (English). In: Proceedings of the 13th International Conference on Availability, Reliability and Security, ACM, 2018, article id 22. Conference paper, Published paper (Refereed)
Abstract [en]

The rise of connectivity, digitalization, robotics, and artificial intelligence (AI) is rapidly changing our society and shaping its future development. During this technological and societal revolution, security has been persistently neglected, yet a hacked robot can act as an insider threat in organizations, industries, public spaces, and private homes. In this paper, we perform a structured security assessment of Pepper, a commercial humanoid robot. Our analysis, composed of an automated and a manual part, points out a relevant number of security flaws that can be used to take over and command the robot. Furthermore, we suggest how these issues could be fixed and thus avoided in the future. The ultimate aim of this work is to help raise the security level of IoT products before they are sold on the public market.

Place, publisher, year, edition, pages
ACM, 2018
Series
ACM International Conference Proceeding Series
Keywords
Internet of Things (IoT), Penetration Testing, Pepper, Robot, Security
National Category
Computer and Information Sciences; Robotics
Identifiers
URN: urn:nbn:se:oru:diva-71106
DOI: 10.1145/3230833.3232807
WoS: 000477981800043
Scopus ID: 2-s2.0-85055287152
ISBN: 978-1-4503-6448-5
Conference
13th International Conference on Availability, Reliability and Security (ARES 2018), Hamburg, Germany, August 27-30, 2018
Available from: 2019-01-04. Created: 2019-01-04. Last updated: 2021-01-07. Bibliographically approved.
4. Analysis of DDoS-Capable IoT Malwares
2017 (English). In: Proceedings of the 2017 Federated Conference on Computer Science and Information Systems / [ed] M. Ganzha, L. Maciaszek, M. Paprzycki, Institute of Electrical and Electronics Engineers (IEEE), 2017, p. 807-816. Conference paper, Published paper (Refereed)
Abstract [en]

The Internet of Things (IoT) revolution promises to make our lives easier by providing cheap and always-connected smart embedded devices, which can interact over the Internet and create added value for human needs. But all that glitters is not gold. Indeed, the other side of the coin is that, from a security perspective, this IoT revolution represents a potential disaster. The plethora of IoT devices that flooded the market were very badly protected, and thus easy prey for several families of malware that can enslave them and incorporate them into very large botnets. This, eventually, brought Distributed Denial of Service (DDoS) attacks back to the top, making them more powerful and easier to carry out than ever. This paper aims to provide an up-to-date picture of DDoS attacks in the specific context of the IoT, studying how these attacks work and considering the most common families in the IoT context, in terms of their nature and evolution through the years. It also explores the additional offensive capabilities that this arsenal of IoT malware has available to undermine the security of Internet users and systems. We think that this up-to-date picture will be a valuable reference for the scientific community, as a first crucial step towards tackling this urgent security issue.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2017
Series
Annals of Computer Science and Information Systems, E-ISSN 2300-5963; 11
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:oru:diva-62795
DOI: 10.15439/2017F288
WoS: 000417412800118
Scopus ID: 2-s2.0-85039904613
ISBN: 978-83-946253-7-5
Conference
Federated Conference on Computer Science and Information Systems (FedCSIS 2017), Prague, Czech Republic, September 3-6, 2017
Available from: 2017-11-23. Created: 2017-11-23. Last updated: 2021-01-07. Bibliographically approved.
5. DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation
2018 (English). In: Security and Communication Networks, ISSN 1939-0114, E-ISSN 1939-0122, article id 7178164. Article in journal (Refereed), Published
Abstract [en]

The Internet of Things (IoT) revolution has not only carried the astonishing promise of interconnecting a whole generation of traditionally “dumb” devices, but has also brought to the Internet the menace of billions of badly protected and easily hackable objects. Not surprisingly, this sudden flood of fresh and insecure devices fueled older threats, such as Distributed Denial of Service (DDoS) attacks. In this paper, we first propose an updated and comprehensive taxonomy of DDoS attacks, together with a number of examples of how this classification maps to real-world attacks. Then, we outline the current situation of DDoS-enabled malware in IoT networks, highlighting how recent data support our concerns about the growing popularity of these malware families. Finally, we give a detailed analysis of the general framework and the operating principles of Mirai, the most disruptive DDoS-capable IoT malware seen so far.

Place, publisher, year, edition, pages
Hindawi Publishing Corporation, 2018
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:oru:diva-65665
DOI: 10.1155/2018/7178164
WoS: 000426639800001
Scopus ID: 2-s2.0-85043390832
Available from: 2018-03-12. Created: 2018-03-12. Last updated: 2021-01-07. Bibliographically approved.
6. Protecting the Internet of Things with Security-by-Contract and Fog Computing
2019 (English). In: 2019 IEEE 5th World Forum on Internet of Things (WF-IoT), IEEE, 2019. Conference paper, Published paper (Refereed)
Abstract [en]

Nowadays, the Internet of Things (IoT) is a consolidated reality. Smart homes are equipped with a growing number of IoT devices that capture more and more information about human beings' lives. However, manufacturers have paid little or no attention to security, so that various challenges remain. In this paper, we propose a novel approach to securing IoT systems that combines the concept of Security-by-Contract (SxC) with the Fog computing distributed paradigm. We define the pillars of our approach, namely the notions of IoT device contract, Fog node policy and contract-policy matching, their respective life-cycles, and the resulting SxC workflow. To better explain all the concepts of the SxC framework, and to highlight its practical feasibility, we use a running case study based on a context-aware system deployed in a real smart home.

Place, publisher, year, edition, pages
IEEE, 2019
Keywords
security-by-contract, Fog computing, IoT
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:oru:diva-78009
DOI: 10.1109/WF-IoT.2019.8767243
WoS: 000492865800001
Scopus ID: 2-s2.0-85073699472
ISBN: 978-1-5386-4980-0
Conference
5th IEEE World Forum on Internet of Things (WF-IoT 2019), Limerick, Ireland, April 15-18, 2019
Available from: 2019-11-22. Created: 2019-11-22. Last updated: 2021-01-07. Bibliographically approved.
7. IoT Security Configurability with Security-by-Contract
2019 (English). In: Sensors, E-ISSN 1424-8220, Vol. 19, no 19, article id E4121. Article in journal (Refereed), Published
Abstract [en]

Cybersecurity is one of the biggest challenges in the Internet of Things (IoT) domain, as well as one of its most embarrassing failures. As a matter of fact, IoT devices nowadays still exhibit various shortcomings. For example, they lack secure default configurations and sufficient security configurability. They also lack rich behavioural descriptions, failing to list the services they provide and require. To answer this problem, we envision a future where IoT devices carry behavioural contracts and Fog nodes store network policies. One requirement is that contract consistency must be easy to prove. Moreover, contracts must be easy to verify against network policies. In this paper, we propose to combine the security-by-contract (S × C) paradigm with Fog computing to secure IoT devices. Following our previous work, we first formally define the pillars of our proposal. Then, by means of a running case study, we show that we can model communication flows and prevent information leaks. Last, we show that our contribution enables a holistic approach to IoT security, and that it can also prevent unexpected chains of events.

Place, publisher, year, edition, pages
MDPI, 2019
Keywords
Fog computing, IoT, configurability, security, security-by-contract
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:oru:diva-76829
DOI: 10.3390/s19194121
WoS: 000494823200065
PubMed ID: 31548501
Scopus ID: 2-s2.0-85072578077
Available from: 2019-09-30. Created: 2019-09-30. Last updated: 2022-02-10. Bibliographically approved.
8. S×C4IoT: A Security-by-Contract Framework for Dynamic Evolving IoT Devices
(English). Manuscript (preprint) (Other academic)
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:oru:diva-88397
Available from: 2021-01-07. Created: 2021-01-07. Last updated: 2021-01-07. Bibliographically approved.

Open Access in DiVA

Cover: COVER01.pdf, 286 kB, application/pdf
Checksum SHA-512: 07a4dcb765882212afa263e8f0a81234730c17c5f20deaf02d0fb3cd83b1e64d83b57d817d303817e38126d4a12b3ab4a7f77a22de10d49e2b86b8dc3866510b
Spikblad: SPIKBLAD01.pdf, 93 kB, application/pdf
Checksum SHA-512: ef9f6ab17f03fff8f0eedaecf39f9ea7d39c58a92185c74993a03c8dbab8eb3447061ee8dec10b42b0fca7b06bcf58900b0185344a5891dc97348de9dbb191c3

Authority records

Giaretta, Alberto
