International Journal of Information and Communication Sciences

Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution

Security of Internet-of-Things (IoT) systems is important due to their widespread use in everyday life. Much research has been performed on analyzing the security of IoT communication protocols and operating systems. However, few studies have focused on analyzing the security of IoT applications and automatically detecting vulnerabilities in them. In these studies, the code of IoT applications and operating systems is analyzed statically to detect vulnerabilities. To the best of our knowledge, no dynamic analysis solution has been suggested for vulnerability detection in such applications, although this method is more accurate than static analysis. In fact, IoT applications are executed on special-purpose hardware, which makes their dynamic analysis more difficult than that of ordinary applications. In this paper, we propose a technical solution that combines static and dynamic analysis methods to automatically detect vulnerabilities in applications of the Tizen IoT operating system. We consider Native and Web Tizen applications and present an automatic vulnerability detection method for each type of application. Our focus is on detecting the buffer overflow and XSS vulnerability classes in Native and Web applications, respectively. We have evaluated the effectiveness of our method using a group of native and web test programs. The results of our experiments show that our solution is able to detect the vulnerabilities in these programs effectively.

Tizen, Dynamic Symbolic Execution, Native, Web, Vulnerability, IoT, C++, JavaScript

APA Style

Sobhan Safdarian, Mohammad Hossein Asghari, Maryam Mouzarani. (2023). Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution. International Journal of Information and Communication Sciences, 8(1), 1-11. https://doi.org/10.11648/j.ijics.20230801.11

ACS Style

Sobhan Safdarian; Mohammad Hossein Asghari; Maryam Mouzarani. Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution. Int. J. Inf. Commun. Sci. 2023, 8(1), 1-11. doi: 10.11648/j.ijics.20230801.11

AMA Style

Sobhan Safdarian, Mohammad Hossein Asghari, Maryam Mouzarani. Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution. Int J Inf Commun Sci. 2023;8(1):1-11. doi: 10.11648/j.ijics.20230801.11

Copyright © 2023 Authors retain the copyright of this article.
This article is an open access article distributed under the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/) which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
