Internet of Things (IoT) is a system that consists of a large number of smart devices and objects, such as RFID tags, sensors, actuators, and smartphones, which communicate with each other with minimum human interventions (Singh et al., 2017). These smart devices can connect through Wifi, Bluetooth, and RFID (Singh et al., 2017). Additionally, these devices have embedded sensors or RFID tags to send and receive data. IoT covers different areas and applications, such as smart homes, cities, and smart health care (Datta and Sharma, 2017). According to Singh et al. (Singh et al., 2017), the number of objects in IoT, excluding computers, tablets, and cellphones, will create US $ billion revenue until . Singh et al. also pointed out that by , the number of cellphones and tablets will be around billion devices (Singh et al., 2017). These objects will create a massive and complex network with a considerable amount of data communicated over this network (Balte et al., 2015; Razzaq et al., 2017). The existence of such a vast network of connected devices will pose new security, privacy, and trust issues, which put users at high risk (Singh et al., 2017). One of the ways to protect data in transit, thus achieve data confidentiality, is by designing bespoke lightweight encryption algorithms for IoT devices (Andrea et al., 2015). Due to limitations in IoT devices such as power consumption, low memory life, low processing speed (Acharya et al., 2013; Philip and Vaithiyanathan, 2017), lightweight encryption algorithms, such as PRESENT (Bogdanov et al., 2007), Hummingbird (Engels et al., 2010), and WG-8 (Fan et al., 2013), have different properties than traditional encryption algorithms such as AES (D’souza and Panchal, 2017) and RSA (Galla et al., 2016). Thus, different types of lightweight encryption algorithms exist, which are suitable for IoT devices. These algorithms have a small key/block size and many rounds (Bhardwaj et al., 2017). However, implementing encryption for protocols is an error-prone task (Vanhoef and Piessens, 2018); flaws in the implementation can lead to devastating security vulnerabilities (Vanhoef and Piessens, 2018). According to the Common Vulnerability and Exposure (CVE) (20), the number of vulnerabilities reported in is , more than double what was reported in (i.e., ). An attacker can exploit these security vulnerabilities and affect users’ privacy. There exist various techniques for finding such vulnerabilities (Cadar and Sen, 2013; Li et al., 2019). For example, fuzzing (Li et al., 2019) is an automated software testing technique that involves providing invalid or unexpected values as inputs to a program. Another popular technique is bounded model checking (BMC) (Biere, 2009), which can detect bugs by using symbolic values. The basic idea of BMC is to check the negation of a given property at a given depth. However, both fuzzing and BMC have not yet been exploited to detect vulnerabilities in implementations of lightweight cryptographic protocols for IoT devices. In particular, performing fuzzing and BMC alone is inadequate in achieving high-path coverage efficiently. BMC struggles in reaching deep parts of the code because of the state-space explosion issue and its dependency on Boolean Satisfiability (SAT) (Vanhoef and Piessens, 2018) or Satisfiability Modulo Theories (SMT) solvers (Trabish et al., 2018). Fuzzing also has its drawbacks as it is unable to examine all code paths (Tsankov et al., 2012). We make two significant contributions towards the verification of cryptographic protocols in IoT devices. First, we combine fuzzing and BMC in an unprecedented manner to increase code coverage and to detect a maximum number of security vulnerabilities of cryptographic protocols in IoT. Precisely, we execute the program under test using a BMC engine for a particular amount of time. After the first round of BMC, we aim to cover all the functions through various inputs. However, due to limitations in the underlying solvers, BMC can only reach shallow coverage (i.e., it never reaches branches that lie deep in the code) (Ognawala et al., 2018). To solve the issue of the shallow coverage of BMC, as the next step of our technique, we use the inputs or packets in case of protocols generated by BMC as seed inputs for the fuzzer. In contrast to Ognawala et al. (Ognawala et al., 2018) who combine symbolic execution and apply fuzzing to general-purpose software, our proposed method starts with BMC and then use fuzzing by considering intricate properties in IoT protocols. Second, we perform a preliminary evaluation of the application of the Encryption-BMC and Fuzzing (ESF) verification framework to detect security vulnerabilities in implementations of cryptographic protocols for IoT. Although our EBF prototype is not entirely implemented, its application to go beyond design correctness and also to address behavior correctness represents an important research direction in ensuring secure IoT protocols.
2.1. Lightweight cryptographic protocols for IoT devices
Lightweight encryption is suggested as a concept to handle security in resource constraint devices such as IoT devices (Okello et al., 2017). This lightweight encryption is based on the traditional principles of cryptography, but its purpose is to design algorithms, which have stricter requirements than other algorithms in terms of performance. They must be ultra-efficient as they will be run on devices with low computational capabilities (Okello et al., 2017). Thus, they can be used in the IoT protocols to secure communication between two endpoints. Encryption schemes can be divided into two main categories: (1) Symmetric key encryption, which uses the same key for both encryption and decryption (Bhardwaj et al., 2017) such as AES (D’souza and Panchal, 2017), DES and 3DES (Mitchell, 2016); and (2) Asymmetric key encryption, which uses different keys, a public key for encryption and private key for decryption (Bhardwaj et al., 2017), such as RSA (Aumasson and Romailler, 2017) and Elliptic Curve Cryptography (ECC) (Okello et al., 2017). We evaluate our EBF prototype on the Secure Message Queue Telemetry Transport (S-MQTT) protocol (Bisne and Parmar, 2017). S-MQTT is a messaging transport protocol for IoT devices, which uses Transport Layer Security (TLS) (Singh et al., 2015) that support different types of cipher suite such as AES.
2.2. Software verification for lightweight cryptographic protocols
Here we focus on verifying lightweight cryptographic protocols for IoT devices using fuzzing and BMC to detect security vulnerabilities. Given the current knowledge in software verification, our proposed verification algorithm is the first to address the implementation aspects of cryptographic protocols for IoT devices, such as memory leak and buffer overflow. In implementations of lightweight cryptographic protocols, a memory leak may occur if the developer unintentionally fails to free an assigned block of memory when that chunk of memory is no longer needed (Xu et al., 2003). Another typical implementation error is buffer overflow, which happens when a program attempts to write more data and exceeds the length of the allocated memory. In any particular case, the attacker then can exploit these vulnerabilities and affect the system. For example, Cisco found a vulnerability in the cryptographic driver for Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD) Software (Cisco, (accessed September 30, 2019)). This vulnerability occurred because of the insufficient input validation of a Secure Sockets Layer (SSL) or TLS packet header. It allows the attacker to reboot the device suddenly, which will result in a denial of service (DoS) condition (Cisco, 2018).
Fuzzing is an automated security vulnerabilities detector technique, which works by feeding protocol implementations with random or semi-random inputs (Li et al., 2019). The specification of the software does not foresee these inputs. Then, the system behavior is checked for abnormalities, such as crashes or failures. (Tsankov et al., 2012). Fuzzing often suffers from a low code coverage dilemma (Pak, 2012). Fuzzing can detect implementation level flaws, but it cannot find design issues. For example, fuzzing can detect buffer overflow, but it cannot detect the use of weak encryption algorithm (Biyani et al., 2011). In terms of cryptographic protocols, we can fuzz a running protocol that uses encryption with invalid packets and check the connection behavior of the client and server. In our proposed verification method, we provide to our fuzzer the necessary cryptographic keys/algorithms in a log file.
2.2.2. Bounded Model Checking (BMC)
A principal aim of BMC in the context of software verification is to examine bounded program runs and thus generate verification conditions (VCs) that reflect the exact path in which a statement is executed, the context in which a given function is called, and the bit-accurate representation of expressions (Biere, 2009; Cordeiro et al., 2012). A VC is a logical formula (constructed from a bounded program and desired correctness properties), whose validity implies that a program’s behavior agrees with its specification. Correctness properties, in programs, can be specified by users via assert statements or automatically generated from a specification language. If all of a bounded program’s VCs are valid, then it complies with its specification, up to a given bound. For cryptographic protocols, we deal with symbolic packet instead of regular input. Our BMC engine will initially explore the cryptographic functions, which will help the fuzzer to examine the paths deeply.
3. Detecting Vulnerabilities in Implementations of Lightweight Cryptographic Protocols
A large number of recent attacks targeting improper implementations of cryptographic protocols, such as man-in-the-middle and side-channel attacks (Tsankov et al., 2012), has motivated us to provide security analysis of cryptographic protocols such as S-MQTT (Bisne and Parmar, 2017). Here we develop a novel verification algorithm to detect vulnerabilities such as buffer overflow and memory leak using fuzzing and BMC techniques. The novelty of our approach does not rely only on a scalable and precise verification method to check for implementation errors but also in the application domain due to the importance of securing IoT and its respective lack of research on finding security vulnerabilities in cryptographic protocol implementations. Therefore, the main objective of our proposed method is to overcome the limitations of fuzzing and BMC in isolation, such as low-code coverage and state-space explosion resp., by combining them to achieve precision and scalability in an unprecedented manner. We aim to apply our method to ensure the safety and security of IoT software and also evaluate the effectiveness of this method by determining the code coverage and the number of found vulnerabilities. Lastly, we aim to analyze and compare the results with other verification tools such as Csur (Goubault-Larrecq and Parrennes, 2005) and CDF (Aumasson and Romailler, 2017), which are designed to verify traditional cryptographic protocols. As a result, our ultimate goal is to detect implementation and behavior errors in cryptographic protocol implementations by combining fuzzing and BMC, thus improving safety and security in IoT devices.
3.1. Encryption-BMC and Fuzzing (Ebf) Method
Here we describe our EBF verification method, which combines fuzzing with BMC in an unprecedented manner. Our EBF method can be described as follows:
We symbolically execute the initial state of the cryptographic protocol implementation (e.g., the S-MQTT implementation). Since we are dealing with protocols, we will use packets instead of regular inputs to our BMC engine to produce test cases that can exercise different program paths.
We expect to cover most program paths using symbolic packets after the first round of the BMC engine. To create symbolic packets, we will replace some bytes of concrete packets by symbolic values.
We use the inputs generated by BMC as seed inputs for the fuzzing tool in the form of a test case. These test cases contain symbolic values, but we do not expect them to reveal any vulnerabilities. These test cases will be regenerated with concrete values extracted from the BMC engine, to feed them to the fuzzer engine for the second round.
We start a protocol session between two endpoints to share encrypted messages (which is the important part we want to test in the fuzzing stage) and pass the test cases to the running protocol to check for irregularity, e.g., denial-of-service. The server will also generate inputs and pass them to the fuzzer to ensure the exploration of all the paths. Then the fuzzer will mutate the inputs and send them to the client.
Our fuzzer reads the required keys and cryptographic algorithms to mutate encrypted messages properly from a log file to explore different unique paths, which were initially difficult to reach. This particular log file will be automatically exported from the server implementation; it will contain the key and the encryption algorithm used.
If the fuzzer explored all the paths that BMC had difficulty to cover and used all the inputs generated from BMC, then it can collect and save the results within the log file.
Figure 1 illustrates our EBF verification method.
We will build our EBF verification framework on top of two tools to implement our methodology; these tools have been chosen based on the comparison by Beyer et al. (Beyer and Lemberger, 2017) between testing and model checking. In the BMC phase, we will use the ESBMC tool for the initial state exploration to search for various implementation errors, including memory leak and buffer overflow. We then will use the AFL tool for the fuzzing phase to complete the verification by testing running sessions for the cryptographic protocol. In order to provide the fuzzer with the necessary keys and encryption algorithm, we will develop a file, which the fuzzer can read such information from and also implement a code to analyze the verification results.
3.1.1. Illustrative Example
As an illustrative example, we describe our part of the EBF verification framework using the S-MQTT protocol. In the first step of our method, we use our BMC engine to check for errors in the S-MQTT implementation for a short amount of time. Then we check whether the engine finds some vulnerabilities by collecting the log results. After that, we take the test cases generated by the BMC phase and feed them to the fuzzer as the second step. Fuzzer will use the test cases as input. Then we execute the protocol and feed the client with the invalid inputs and check its behavior. The client communicates with the server using encrypted messages; if the server decrypts messages correctly, then it passes the encryption key to the log file. Also, the server will generate invalid inputs and pass them to the fuzzer to ensure the exploration of all the paths, particularly the paths BMC could not reach. By combining both techniques, we expect to cover most paths in the code.
3.1.2. Preliminary Evaluation
Here we only will evaluate two parts of our EBF methodology. First, we will evaluate the BMC engine as illustrated in Figure 1 by evaluating the ESBMC tool (3). Second, we will evaluate fuzzing by evaluating AFL tool (4). We used Paho MQTT client implementation V1.3.1 (Synchronous and Asynchronous modes) (1) and Mosquitto MQTT server V1.6.7 (2), which support TLS V1.3. The main objective of this initial evaluation is to check whether the ESBMC and AFL tools are promising tools to be further developed in terms of verifying cryptographic protocols. The first implementation, which is the synchronous mode, consists of 61 functions, and the second one is an asynchronous mode, which consists of 77 functions. In Figure 2, we can see the number of functions, which were verified successfully, and which functions ESBMC detected a bug in them. Most bugs found were array bounds and invalid pointer; as future work, we will validate these bugs based on witness checking, as part of our methodology, and also confirm these bugs with the developers. However, regarding the time, the entire implementation required around one hour to be tested by ESBMC. Thus, the average time of each function in both modes was around one second, as shown in figure 2. As example, we considered a simple code fragment of function _ in MQTT synchronous mode implementation, this function frees the memory allocated to an MQTT message, including the additional memory allocated to the message payload. However, the developer of this function does not check whether the pointer passed as argument to _ points to an a live object. Figure 3 illustrates a fragment of the counterexample produced by ESBMC for the function in Listing 1. One way to fix this pointer dereference failure is to ensure that message is different than NULL. As the next step in our EBF method, we initially evaluate AFL. We manually generated three test cases as a start and fed them to the tool. Unfortunately, AFL required a long time to find crashes, e.g., almost one day running, and still, did not find any crashes (cf. Figure 4). AFL needs further evaluation and development in terms of cryptographic protocols in the next stage of our research.
4. Limitations, Related Work and Future Directions
Many IoT applications depend on complicated cryptographic protocols for communicating over an insecure Internet. The C programming language is mostly used in writing cryptographic software (Aizatulin et al., 2011). Both the design and implementation of cryptographic primitives such as encryption and hash functions are error-prone. However, flaws in the implementation can lead to devastating security vulnerabilities, which may be exploited by an attacker (Vanhoef and Piessens, 2018). Recent years have seen a real development in software verification of cryptographic protocols, as witnessed by the development of different tools either in BMC or fuzzing techniques (Aizatulin et al., 2011). However, there exists still a need for further development of these tools. Although the obligation to verify cryptographic protocols is now well identified, a few recent studies try to suggest solutions. One of the attempts to verify cryptographic primitive using symbolic execution is Csur (Goubault-Larrecq and Parrennes, 2005), which analyzes C code for security properties using a set of horn clauses, which are then solved using a theorem prover. One of the limitations of this method is that the results are only valid in a symbolic model of cryptography proposed by Dolev and Yao (Lim and Paterson, 2009). Also, Vanhoef and Piessens (Vanhoef and Piessens, 2018) modified the KLEE tool to efficiently handle cryptographic protocol by simulating their behavior under the Dolev-Yao model. Aizatulin et al. (Aizatulin et al., 2011, 2012) combined symbolic execution with proof techniques by using it to obtain a ProVerif model from a cryptographic protocol implementation in C. However, the limitation of their technique is that it only considers a single execution path. Another tool used to verify cryptographic primitives using fuzzing is CDF (Aumasson and Romailler, 2017), which can be used to achieve security verification, and in particular, to find logic bugs with standard specifications. It uses differential fuzzing technique, to find inconsistencies between two implementations of the same primitive, e.g., between two implementations of RSA cipher (Aumasson and Romailler, 2017). One of the weaknesses of CDF is that it provides limited detection of timing leaks. ESPIKE (Biyani et al., 2011) is another fuzzing tool, which is an extension of SPIKE; it is designed to handle encrypted protocols by sending all the SPIKE data through the SSL layer. The limitation of SPIKE is that it is only valid for the protocols that are already compatible with SPIKE. In general, the main challenge of fuzzing is that it is not directly applicable to encryption because exchanging encrypted messages include randomly generated numbers or symbols (Tsankov et al., 2012). Considering that mutating encrypted messages always lead to a non-understandable format, the fuzzer needs to have access to the encryption key and the cryptographic algorithm used in the protocol. Thus, in our proposed EBF method, the server automatically transmits the information required for decryption (i.e., encryption keys and the cryptographic algorithm used in the protocol) from a log file to the fuzzer. State-of-the-art methods employed only fuzzing or symbolic execution for cryptographic network protocols; none of them ever considered BMC techniques, which outperform typical path-based symbolic execution (Beyer and Lemberger, 2017). Given the current knowledge in software verification and applied cryptography, this is the first method that combines BMC and fuzzing to detect software vulnerabilities for cryptographic protocols in IoT. We expect by designing this algorithm that we efficiently cover most code paths and avoid the path explosion issue. Moreover, we intend to develop an automated method that finds the most common kinds of vulnerabilities. As future work, we will implement our entire methodology. In the beginning, we will evaluate ESBMC in the TLS library and validate any bugs ESBMC finds, based on witness checking and later confirmation by developers. Then, we will further develop and evaluate AFL when two endpoints are sharing encrypted messages. Last, we will create the log file to automatically provide AFL with the encryption key ad algorithm used and report the result.
-  (2019) Note: https://github.com/eclipse/paho.mqtt.c Cited by: §3.1.2.
-  (2019) Note: https://mosquitto.org/download/ Cited by: §3.1.2.
-  (2019) Note: https://github.com/esbmc/esbmc Cited by: §3.1.2.
-  (2019) Note: https://github.com/google/AFL Cited by: §3.1.2.
- Analysis of cryptographic algorithms for network security. International Journal of Computer Applications Technology and Research 3, pp. 130–135. Cited by: §1.
- Computational verification of c protocol implementations by symbolic execution. In CCS, pp. 712–723. Cited by: §4.
- Extracting and verifying cryptographic models from C protocol code by symbolic execution. CoRR abs/1107.1017, pp. . Cited by: §4.
- Internet of things: security vulnerabilities and challenges. (ISCC) (), pp. 180–187. Cited by: §1.
- Automated testing of crypto software using differential fuzzing. Black Hat USA 7, pp. . Cited by: §2.1, §3, §4.
- Security issues in internet of things (iot): a survey. International Journal of Advanced Research in Computer Science and Software Engineering 5 (4), pp. 450–455. Cited by: §1.
- Software verification: testing vs. model checking. In Hardware and Software: Verification and Testing, pp. 99–114. Cited by: §3.1, §4.
- A review on lightweight cryptography algorithms for data security and authentication in iots. In (ISPCC), pp. 504–509. Cited by: §1, §2.1.
- Bounded model checking. In Handbook of Satisfiability, pp. 457–481. Cited by: §1, §2.2.2.
- Composite secure mqtt for internet of things using abe and dynamic s-box aes. In 2017 (i-PACT), pp. 1–5. Cited by: §2.1, §3.
- Extension of spike for encrypted protocol fuzzing. In 2011 Third International Conference on Multimedia Information Networking and Security, pp. 343–347. Cited by: §2.2.1, §4.
- PRESENT: an ultra-lightweight block cipher. In International workshop on cryptographic hardware and embedded systems, pp. 450–466. Cited by: §1.
- Symbolic execution for software testing: three decades later.. Commun. ACM 56 (2), pp. 82–90. Cited by: §1.
- Cisco asa and ftd software cryptographic tls and ssl driver denial of service vulnerability. External Links: Cited by: §2.2.
- Cisco IOS XE Software Cisco Discovery Protocol Memory Leak Vulnerability. External Links: Cited by: §2.2.
-  (2018 (accessed September 30, 2019)) Common vulnerabilities and exposures. CVE. External Links: Cited by: §1.
- SMT-based bounded model checking for embedded ANSI-C software. IEEE Trans. Software Eng. 38 (4), pp. 957–974. External Links: Cited by: §2.2.2.
- Advanced encryption standard (aes) security enhancement using hybrid approach. In 2017 (ICCCA), Greater Noida, India, pp. 647–652. Cited by: §1, §2.1.
- A survey on iot architectures, protocols, security and smart city based applications. In (ICCCNT), Delhi, India, pp. 1–5. Cited by: §1.
- Hummingbird: ultra-lightweight cryptography for resource-constrained devices. In Financial Cryptography and Data Security, pp. 3–18. External Links: Cited by: §1.
- WG-8: a lightweight stream cipher for resource-constrained smart devices. In Quality, Reliability, Security and Robustness in Heterogeneous Networks, pp. 617–632. External Links: Cited by: §1.
- Implementation of rsa. In 2016 (ICCICCT), Kumaracoil, India, pp. 81–87. Cited by: §1.
- Cryptographic protocol analysis on real c code. In International Workshop on Verification, Model Checking, and Abstract Interpretation, Berlin, Heidelberg, pp. 363–379. Cited by: §3, §4.
- V-fuzz: vulnerability-oriented evolutionary fuzzing. CoRR , pp. . Cited by: §1, §2.2.1.
- Secret public key protocols revisited. In Security Protocols, B. Christianson, B. Crispo, J. A. Malcolm, and M. Roe (Eds.), pp. 237–256. Cited by: §4.
- On the security of 2-key triple des. IEEE Transactions on Information Theory 62 (11), pp. 6260–6267. Cited by: §2.1.
- Improving function coverage with munch: a hybrid fuzzing and directed symbolic execution approach. In SAC, pp. 1475–1482. Cited by: §1.
- A survey of the current state of lightweight cryptography for the internet of things. In 2017 (CITS), pp. 292–296. Cited by: §2.1.
- Hybrid fuzz testing: discovering software bugs via fuzzing and symbolic execution. Cited by: §2.2.1.
- A survey on lightweight ciphers for iot devices. In 2017 (TAP Energy), Vol. , pp. 1–4. Cited by: §1.
- Security issues in the internet of things (iot): a comprehensive study. International Journal of Advanced Computer Science and Applications 8 (6), pp. 383. Cited by: §1.
- Secure mqtt for internet of things (iot). In 2015 Fifth International Conference on Communication Systems and Network Technologies, Gwalior, India, pp. 746–751. External Links: Cited by: §2.1.
- Advanced lightweight encryption algorithms for iot devices: survey, challenges and solutions. Journal of Ambient Intelligence and Humanized Computing (), pp. 1–18. Cited by: §1.
- Chopped symbolic execution. In 2018 (ICSE), pp. 350–360. Cited by: §1.
- SECFUZZ: fuzz-testing security protocols. In 2012 (AST), pp. 1–7. Cited by: §1, §2.2.1, §3, §4.
- Symbolic execution of security protocol implementations: handling cryptographic primitives. In 12th (WOOT), Baltimore, MD. Cited by: §1, §4.
- Transparent runtime randomization for security. In 22nd International Symposium on Reliable Distributed Systems, Proceedings., Vol. , pp. 260–269. Cited by: §2.2.