Abstract
Remote exploitation attacks use software vulnerabilities to penetrate a network of Internet of Things (IoT) devices. This work addresses defending vulnerable IoT devices against such attacks. As a mitigation strategy, we assume that it is not possible to fix every vulnerability and propose to diversify the open-source software used to manage IoT devices. Our approach deploys dynamic cloud-based virtual machine proxies for physical IoT devices; the proxies run diverse software configurations to compensate for the vulnerable and static software configurations on the physical devices. We develop an algorithm that selects new configurations based on network anomaly detection signals, learning which software configurations on IoT devices are vulnerable and automatically shifting towards more secure ones. The cloud-based proxy machines mediate requests between application clients and the vulnerable IoT devices, which makes the diversification dynamic. We report on simulation experiments that evaluate the dynamic system. Two models of powerful adversaries are introduced and simulated against the diversified defense strategy. Our experiments show that a dynamically diversified IoT architecture can be invulnerable to large classes of attacks that would succeed against a static architecture.
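The abstract describes a selection algorithm that learns from network anomaly signals which software configurations are vulnerable and moves the proxy pool away from them. The Python simulation below is an added, constructed illustration of that idea; it is not the paper's algorithm, simulator or adversary models. Everything in it is assumed for illustration: the component/variant catalogue, the adversary's hidden exploit set (two variants), the noisy detector with a true-positive and a false-positive rate, the static baseline configuration, and the defender's rules (per-variant suspicion incremented on a flag, untried configurations explored first, flagged configurations retired, and a fallback when the pool is exhausted).

```python
"""Constructed toy simulation of anomaly-driven software diversification for
cloud proxies fronting IoT devices.

Added illustration only; it is not the paper's algorithm, simulator or
adversary models. Assumed model:
  * a proxy configuration fixes one variant per software component;
  * the adversary holds working exploits for a hidden subset of variants, and a
    proxy is compromised iff any of its variants is in that subset;
  * the defender sees only a per-proxy anomaly flag each epoch (true-positive
    rate `detect_rate`, false-positive rate `false_alarm_rate`), never the
    exploit set itself.
"""
import itertools
import random

# Hypothetical component/variant catalogue (names are illustrative only).
COMPONENTS = {
    "os": ("linux", "freebsd", "openbsd"),
    "tls": ("openssl", "gnutls", "rustls"),
    "httpd": ("nginx", "lighttpd", "caddy"),
}

# Assumed hidden adversary capability: exploits for these two variants.
EXPLOITS = frozenset({("os", "linux"), ("tls", "openssl")})


def all_configs():
    """Every configuration in the product space, as (component -> variant) dicts."""
    return [dict(zip(COMPONENTS, combo)) for combo in itertools.product(*COMPONENTS.values())]


def config_key(cfg):
    """Hashable identity for a configuration."""
    return tuple(sorted(cfg.items()))


def is_compromised(cfg, exploits=EXPLOITS):
    """A proxy falls if any of its chosen variants has a working exploit."""
    return any((comp, var) in exploits for comp, var in cfg.items())


class Defender:
    """Chooses proxy configurations from per-variant suspicion learned from anomaly flags."""

    def __init__(self, rng):
        self.rng = rng
        self.suspicion = {(c, v): 0 for c, vs in COMPONENTS.items() for v in vs}
        self.deployments = {}     # config key -> times deployed
        self.quarantined = set()  # config keys that were ever flagged

    def score(self, cfg):
        return sum(self.suspicion[(c, v)] for c, v in cfg.items())

    def choose(self, n):
        """Deploy the n lowest-suspicion configurations; among equal scores, untried
        configurations go first (exploration) and remaining ties are random."""
        pool = [c for c in all_configs() if config_key(c) not in self.quarantined]
        if len(pool) < n:  # edge case: flags (true or false) exhausted the pool
            pool = all_configs()
        self.rng.shuffle(pool)  # random tie-break; list.sort() is stable
        pool.sort(key=lambda c: (self.score(c), self.deployments.get(config_key(c), 0)))
        chosen = pool[:n]
        for c in chosen:
            self.deployments[config_key(c)] = self.deployments.get(config_key(c), 0) + 1
        return chosen

    def observe(self, cfg, flagged):
        """Credit assignment: a flag raises suspicion on every variant of the flagged
        proxy and retires that exact configuration. Variants that only ever appear
        in clean proxies keep a low score and keep being selected."""
        if flagged:
            self.quarantined.add(config_key(cfg))
            for c, v in cfg.items():
                self.suspicion[(c, v)] += 1


def detector(rng, compromised, detect_rate, false_alarm_rate):
    """Noisy network anomaly detector: one flag per proxy per epoch."""
    return rng.random() < (detect_rate if compromised else false_alarm_rate)


def simulate(epochs=60, proxies=5, detect_rate=1.0, false_alarm_rate=0.0, seed=1):
    """Run the defender for `epochs` rounds of `proxies` proxies each.

    Returns (diversified, static): per-epoch counts of compromised proxies for
    the adaptive defender and for a static deployment that never reconfigures."""
    rng = random.Random(seed)
    defender = Defender(rng)
    static_cfg = {"os": "linux", "tls": "openssl", "httpd": "nginx"}  # assumed static baseline
    diversified, static = [], []
    for _ in range(epochs):
        deployed = defender.choose(proxies)
        hits = 0
        for cfg in deployed:
            owned = is_compromised(cfg)
            hits += int(owned)
            defender.observe(cfg, detector(rng, owned, detect_rate, false_alarm_rate))
        diversified.append(hits)
        static.append(proxies if is_compromised(static_cfg) else 0)
    return diversified, static


if __name__ == "__main__":
    div, sta = simulate()
    print("perfect detector: per-epoch compromised proxies", div)
    div, sta = simulate(detect_rate=0.8, false_alarm_rate=0.05)
    print("noisy detector:", sum(div), "compromised proxy-epochs vs", sum(sta), "for static")
```

With a perfect detector every vulnerable configuration can be compromised at most once before it is retired, so the diversified pool stops being compromised after a short exploration phase while the static deployment is compromised in every epoch. With a noisy detector the simplifications bite: suspicion never decays and false alarms permanently retire safe configurations, so a long run can exhaust the pool (the fallback in `choose` then redeploys retired configurations by score). A real system would need a forgetting rule and a bound on how many configurations may be retired, which is exactly the kind of parameter the abstract's simulation experiments would have to explore.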
Dynamic System Diversification for Securing Cloud-based IoT Subnetworks