Dynamic System Diversification for Securing Cloud-based IoT Subnetworks

Published: 07 September 2022

Abstract

Remote exploitation attacks use software vulnerabilities to penetrate a network of Internet of Things (IoT) devices. This work addresses defending against remote exploitation attacks on vulnerable IoT devices. As an attack mitigation strategy, we assume that not all vulnerabilities can be fixed and instead propose diversifying the open-source software used to manage IoT devices. Our approach is to deploy dynamic cloud-based virtual machine proxies for physical IoT devices. The architecture leverages virtual machine proxies with diverse software configurations to mitigate the vulnerable and static software configurations on physical devices. We develop an algorithm that selects new configurations based on network anomaly detection signals, learning which software configurations on IoT devices are vulnerable and automatically shifting towards more secure ones. Cloud-based proxy machines mediate requests between application clients and vulnerable IoT devices, facilitating a dynamic diversification system. We report on simulation experiments to evaluate the dynamic system. Two models of powerful adversaries are introduced and simulated against the diversified defense strategy. Our experiments show that a dynamically diversified IoT architecture can be invulnerable to large classes of attacks that would succeed against a static architecture.
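As an added illustration of the control loop the abstract describes (proxy VMs with diverse software configurations, anomaly detection signals driving the selection of new configurations), the following Python simulation is provided here; it is not the paper's algorithm or code. The configuration pool (three OS variants times three TLS stacks with placeholder names), the multiplicative penalty and slow recovery scoring rule, the greedy "highest-scoring unused configuration" rotation policy, and the single adversary with a fixed, defender-unknown set of exploitable configurations are all assumptions made for this example.

```python
"""Toy simulation of dynamic software diversification for cloud-based IoT proxies.

Constructed illustration: configuration names, scoring rule, rotation policy and
the adversary model are assumptions of this example, not the paper's design.
"""
from dataclasses import dataclass, field
from itertools import product
import random

# Constructed configuration space: each proxy VM runs one (os, tls-stack) pair.
OS_CHOICES = ("os-a", "os-b", "os-c")
TLS_CHOICES = ("tls-x", "tls-y", "tls-z")
CONFIGS = tuple(f"{o}+{t}" for o, t in product(OS_CHOICES, TLS_CHOICES))  # 9 configs

PENALTY = 0.1    # multiplicative penalty on a config's score per anomaly signal (assumed)
RECOVERY = 1.05  # slow multiplicative recovery per quiet round, capped at 1.0 (assumed)


@dataclass
class Diversifier:
    """Defender state: one trust score per configuration, one configuration per proxy."""
    n_proxies: int
    scores: dict = field(default_factory=lambda: {c: 1.0 for c in CONFIGS})
    assignment: list = field(default_factory=list)

    def __post_init__(self):
        # Initial placement: distinct configurations in pool order.
        self.assignment = list(CONFIGS[: self.n_proxies])

    def best_unused(self, current):
        """Highest-scoring configuration not currently deployed (ties -> pool order)."""
        in_use = set(self.assignment)
        candidates = [c for c in CONFIGS if c not in in_use]
        if not candidates:          # pool exhausted: keep the current configuration
            return current
        return max(candidates, key=lambda c: (self.scores[c], -CONFIGS.index(c)))

    def observe(self, signals):
        """signals: per-proxy booleans from the anomaly detector.

        Penalise the configuration behind every flagged proxy, let quiet
        configurations slowly recover, then rotate each flagged proxy away.
        """
        flagged = [i for i, s in enumerate(signals) if s]
        flagged_cfgs = {self.assignment[i] for i in flagged}
        for cfg in flagged_cfgs:
            self.scores[cfg] *= PENALTY
        for cfg in CONFIGS:
            if cfg not in flagged_cfgs:
                self.scores[cfg] = min(1.0, self.scores[cfg] * RECOVERY)
        for i in flagged:
            self.assignment[i] = self.best_unused(self.assignment[i])


@dataclass
class Adversary:
    """Constructed adversary: holds a working exploit for a fixed set of
    configurations (unknown to the defender) and probes every proxy each round."""
    exploitable: frozenset

    def attack(self, assignment):
        # True where the proxy's configuration is in the adversary's exploit set.
        return [cfg in self.exploitable for cfg in assignment]


def detect(compromised, rng, detection_rate=1.0, false_positive_rate=0.0):
    """Stochastic anomaly detector: true positives with detection_rate,
    spurious signals on clean proxies with false_positive_rate."""
    return [
        (c and rng.random() < detection_rate)
        or (not c and rng.random() < false_positive_rate)
        for c in compromised
    ]


def simulate(n_proxies, exploitable, rounds, seed=0,
             detection_rate=1.0, false_positive_rate=0.0):
    """Run the loop; return (compromised proxies per round, final defender state)."""
    rng = random.Random(seed)
    defender = Diversifier(n_proxies)
    adversary = Adversary(frozenset(exploitable))
    history = []
    for _ in range(rounds):
        compromised = adversary.attack(defender.assignment)
        history.append(sum(compromised))
        defender.observe(detect(compromised, rng, detection_rate, false_positive_rate))
    return history, defender


if __name__ == "__main__":
    vulnerable = {"os-a+tls-y", "os-b+tls-x", "os-c+tls-z"}   # constructed exploit set
    hist, d = simulate(n_proxies=3, exploitable=vulnerable, rounds=20)
    print("compromised per round:", hist)
    print("final proxy configurations:", d.assignment)
```

With perfect detection the defender pays for each exploitable configuration exactly once: the proxy on it is compromised in one round, flagged, and rotated to the best unused alternative, so the per-round compromise count falls to zero once every deployed configuration lies outside the adversary's exploit set. Lowering `detection_rate` or raising `false_positive_rate` in the call to `simulate` shows the two failure modes a practitioner should expect from such a loop: missed signals keep a vulnerable configuration deployed longer, and spurious signals rotate healthy proxies needlessly and slowly erode good configurations' scores.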


Published in: ACM Transactions on Autonomous and Adaptive Systems, Volume 17, Issue 1-2, June 2022, 128 pages. ISSN: 1556-4665, EISSN: 1556-4703. DOI: 10.1145/3543994


Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 7 September 2022
• Online AM: 11 July 2022
• Accepted: 1 May 2022
• Revised: 1 January 2022
• Received: 1 November 2021

Qualifiers: research-article, refereed