Threat Modeling Solution for Internet of Things in a Web-based Security Framework
Main author: | |
---|---|
Publication date: | 2021 |
Document type: | Dissertation |
Language: | eng |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
Full text: | http://hdl.handle.net/10400.6/11849 |
Abstract: | The Internet of Things (IoT) is a growing paradigm that provides daily life benefits for its users, motivating a fast-paced deployment of IoT devices in sensitive scenarios. However, current IoT devices do not correctly apply or integrate security controls or technology, potentially leading to a wide panoply of problems, most of them with harmful impact on the user. Thus, this work proposes the development of a tool that helps developers create properly secure IoT devices by identifying possible weaknesses in the system. This tool consists of a module of a framework, denominated Security Advising Modules (SAM) in the scope of this work, and achieves the referred objective by identifying possible weaknesses found in the software and hardware of IoT devices. To define the weaknesses, a set of databases containing information about vulnerabilities and weaknesses found in a system was investigated throughout this project, and a restricted set of weaknesses to be presented was chosen. Since some databases contain hundreds of thousands of vulnerabilities, it was neither feasible nor pertinent to present them completely in the developed tool. Additionally, the questions to retrieve system information were identified in this work, allowing us to map the chosen weaknesses to the answers given by the developer to those questions. The tool developed was properly tested by running automated tests, with the Selenium framework, and also validated by security experts and evaluated by a set of 18 users. Finally, based on user feedback, it was concluded that the developed tool was useful, simple and straightforward to use, and that 89% of respondents had never interacted with a similar tool (adding, in this way, to the innovative character). |
id |
RCAP_d71bdd8742cd251a9662cf555654cb0b |
---|---|
oai_identifier_str |
oai:ubibliorum.ubi.pt:10400.6/11849 |
network_acronym_str |
RCAP |
network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository_id_str |
7160 |
spelling |
The Internet of Things (IoT) is a rapidly growing paradigm with undeniable benefits for users' daily lives, with IoT devices widely deployed in sensitive scenarios. However, IoT devices currently do not correctly guarantee security properties, which can lead to a whole range of problems, many of them with impact on the user. This work proposes the development of a tool that helps developers create secure IoT devices. The tool is a module of a framework called Security Advising Modules (SAM), and seeks to achieve this objective by identifying weaknesses that may exist in the software or hardware of IoT devices. To outline the weaknesses, a set of databases containing information about vulnerabilities and weaknesses found in systems was consulted throughout this project, from which a restricted set of weaknesses to present was chosen. This set was chosen because some of the databases consulted contain hundreds of thousands of vulnerabilities, so presenting them in full in our tool is neither feasible nor pertinent. In addition, this work identified the questions that make it possible to obtain information about the system under development, which then allow us to map the weaknesses according to the developer's answers. The tool developed was duly tested by running automated tests with the Selenium framework, and was also validated by security experts and evaluated by a set of 18 users. Finally, based on user feedback, it was concluded that the developed tool was useful, simple and straightforward to use, and that 89% of respondents had never interacted with a similar tool (in that sense innovative).
The work described in this dissertation was carried out at the Instituto de Telecomunicações, Multimedia Signal Processing Cv Laboratory, in Universidade da Beira Interior, at Covilhã, Portugal. This research work was funded by the SECURIoTESIGN Project through FCT/COMPETE/FEDER under Reference Number POCI010145FEDER030657 and by Fundação para Ciência e Tecnologia (FCT) research grant with reference BIL/ Nº12/2019B00702. |
author |
Costa, Joana Cabral Amaral Nunes da |
author_role |
author |
dc.contributor.none.fl_str_mv |
Simões, Tiago Miguel Carrola; Inácio, Pedro Ricardo Morais; uBibliorum |
dc.subject.por.fl_str_mv |
Security Tool; Internet of Things; Threat Modeling; Security by Design; Domain/Scientific Area::Engineering and Technology::Electrical, Electronic and Computer Engineering |
publishDate |
2021 |
dc.date.none.fl_str_mv |
2021-10-21; 2021-07-27; 2021-10-21T00:00:00Z; 2022-01-17T16:46:11Z |
dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
dc.type.driver.fl_str_mv |
info:eu-repo/semantics/masterThesis |
dc.identifier.uri.fl_str_mv |
http://hdl.handle.net/10400.6/11849; TID:202858359 |
dc.language.iso.fl_str_mv |
eng |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
eu_rights_str_mv |
openAccess |
dc.format.none.fl_str_mv |
application/pdf |
dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos); instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação; instacron:RCAAP |