Attack-based automation of security testing for IoT applications

Sep. 01, 2020 to Aug. 31, 2022

An increasing number of devices in our everyday lives are connected via the Internet; for example, smart home applications, connected vehicles, or agricultural machinery exchange data in this way. However, the extensive interconnectivity means that the risks of attacks, e.g., by hackers, are increasing. Simultaneously, the complexity of the systems and the variety of application scenarios make it increasingly difficult to secure the systems against security-relevant weak points. In addition, ever-tighter integration of development and operation and shorter release cycles mean that less time is available for adequate security testing.

The project "Attack-based automation of security testing for IoT applications" will thus develop end-to-end automation of security testing using genetic algorithms, fuzzing, and data analysis techniques for attack detection, to support the development of effective patches against security vulnerabilities.

In the project, scientists support the development of security patches through automated test case creation based on real attacks. They developed an automated procedure for this purpose, in which test cases are derived from successful attacks on Internet of Things (IoT) applications. The resulting test cases support the creation of a patch against the security vulnerability. Sensor-supported attack detection using data analysis techniques and test case reduction techniques, such as delta debugging, are applied.
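The test case reduction step named above, delta debugging, as an added example that is not the project's own code: a ddmin implementation that shrinks a recorded input to a 1-minimal test case that still reproduces the failure. The `triggers_failure` oracle and the `RECORDED` message are constructed stand-ins for the project's sensor-based detection and a captured input.

```python
from typing import Callable, List, Sequence

def ddmin(items: Sequence[str], fails: Callable[[List[str]], bool]) -> List[str]:
    """Zeller's ddmin: return a 1-minimal sublist of items for which fails() holds."""
    items = list(items)
    if not fails(items):
        raise ValueError("recorded input does not reproduce the failure")
    n = 2  # current granularity (number of chunks)
    while len(items) >= 2:
        chunk = max(1, len(items) // n)
        subsets = [items[i:i + chunk] for i in range(0, len(items), chunk)]
        reduced = False
        # 1) Does a single chunk alone still reproduce the failure?
        for s in subsets:
            if fails(s):
                items, n, reduced = s, 2, True
                break
        # 2) Otherwise, can one chunk be dropped (test the complement)?
        if not reduced:
            for i in range(len(subsets)):
                comp = [x for j, s in enumerate(subsets) if j != i for x in s]
                if fails(comp):
                    items, n, reduced = comp, max(n - 1, 2), True
                    break
        # 3) Otherwise refine the granularity, or stop at single elements.
        if not reduced:
            if n >= len(items):
                break
            n = min(len(items), n * 2)
    return items

# Constructed sample: fields of one recorded message (not real captured data).
RECORDED = ["ver=1", "id=sensor-17", "ts=1598918400", "len=4096",
            "unit=C", "mode=cfg", "payload=AAAA", "crc=0"]

def triggers_failure(fields: List[str]) -> bool:
    """Hypothetical oracle: in practice this replays the input against the
    application and asks the detection component whether the failure recurred.
    Here the failure needs an oversized declared length plus a payload field."""
    d = dict(f.split("=", 1) for f in fields)
    return int(d.get("len", 0)) > 1024 and "payload" in d

if __name__ == "__main__":
    print(ddmin(RECORDED, triggers_failure))
```

The reduced list is the regression test a patch has to pass: every remaining field is necessary for the failure, so the fix can be checked against exactly the condition that matters.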

A further development in the project is the sensor-based, analysis-driven test evaluation. The project uses sensors that measure data-flow- and control-flow-based aspects of IoT applications. The sensors are not inserted into the program under examination but observe the input and output data streams and the communication with the operating system. In this way, the behavior of the IoT application is detected. The collected data is analyzed, clustered, and evaluated using modern classification methods such as machine learning.

The project uses automated security testing. For this purpose, fuzzing is combined with search-based test procedures, which can considerably reduce the search envelope. This approach reduces the test effort and increases the test coverage.

Within the project, Fraunhofer FOKUS focuses on test case extraction and genetic fuzzing.

In addition to Fraunhofer FOKUS, IT Power Solutions GmbH, quapona technologies GmbH and the University of Leipzig are collaborating on the project. The project runs from September 1, 2020 to August 31, 2022.

The Federal Ministry of Economics and Energy (BMWi) funds this project based on a German Bundestag resolution.