The number of devices in the Internet of Things (IoT) is expected to exceed 26 billion within the next four years. Industry experts estimate that 70% of IoT devices presently on the market are vulnerable to cyber attacks, and Gartner predicts that by 2020 more than 25% of enterprise attacks will involve exploits of such devices. Taken together, these statistics forecast an alarming perfect storm brewing in the world of cyber security.
With such a huge network of devices, many of which are likely to be deeply integrated into the daily lives of users, and considering the complexity of the multilayered architecture, securing the IoT is one of the most essential and yet highly challenging tasks facing technologists today.
Unfortunately, while industrial and governmental communities are now slowly becoming more aware that security is a vital consideration for the design, development, and evaluation of IoT products (e.g., IoT security expenditures are expected to exceed $500 million by 2018), it is not yet sufficiently widely recognized that the nature of many security problems of this new platform/technology differs fundamentally from conventional cyber security problems, and that critical gaps still exist in the science of security that will impede conventional defense approaches from scaling adequately to the expected growth of the IoT. For example:
Insufficient language-based consideration:
Many IoT security efforts focus primarily on network and systems security solutions; but a report from NIST has shown that 77% of all reported vulnerabilities are in software applications, not in networks or operating systems. Language-based, software-centered security approaches are therefore needed to fill this void, but few have yet been pursued in the domain of the IoT (relative to the vast collection of expected software architectures of the domain that must be secured).
Many industrial producers of IoT software are not software companies, and therefore lack comprehensive training in cyber security or even foundational software engineering best-practices. As a result, solutions that demand a level of developer expertise commonly found in the mainstream software development industry fall short when applied to security of this domain. For example, defense solutions for this industry should expect that IoT software creators will not use appropriate tools, such as model-checkers or source code validators, to check the security of their products before deployment, and they will not disclose source code to third parties for independent vetting or code review.
Many conventional approaches to software security confine their attention to one hardware architecture at a time; but IoT attacks frequently cross platforms or abuse interactions between the many diverse hardware elements that comprise the IoT.
Consumer-side software protection mechanisms often draw upon the relatively extensive computing resources of modern PCs—for example, to implement virtual machines, hypervisors, or intrusion detection systems. IoT software defenses require the innovation of much lighter-weight solutions, since they typically lack the resources necessary to sustain these conventional, resource-heavy approaches.
To address these concerns, and to establish firmer scientific principles and approaches upon which forthcoming IoT software security solutions can be based, my team at University of North Carolina at Charlotte works on a binary software-centered, language-based approach to the analysis of IoT software attacks and defenses, and to the development of new software defense strategies and algorithms.
A major goal of our research is to design and develop high-assurance solutions that can provably and automatically thwart important, now-prevalent classes of IoT attacks despite low expertise on the part of software producers, or little or no cooperation from such producers.
To achieve this, we plan to refine and extend recently discovered technologies for late-stage binary software security hardening, which perform automated binary software transformations during the final stages of code compilation, or on raw binary code that has already been compiled and deployed.
My future posts will shed more light on what are Language Based Security techniques and what is binary hardening and other related terms.