SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things
| Autor(a) principal: | |
|---|---|
| Data de Publicação: | 2021 |
| Tipo de documento: | Dissertação |
| Idioma: | eng |
| Título da fonte: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| Texto Completo: | http://hdl.handle.net/10400.6/11844 |
Resumo: | Internet of Things (IoT) is expanding at a global level and its influence in our daily lives is increasing. This fast expansion, with companies competing to be the first to deploy new IoT systems, has led to the majority of the software being created and produced without due attention being given to security considerations and without adequate security testing. Software quality and security testing are inextricably linked. The most successful approach to achieve secure software is to adhere to secure development, deployment, and maintenance principles and practices throughout the development process. Security testing is a procedure for ensuring that a system keeps the users data secure and performs as expected. However, extensively testing a system can be a very daunting task, that usually requires professionals to be well versed in the subject, so as to be performed correctly. Moreover, not all development teams can have access to a security expert to perform security testing in their IoT systems. The need to automate security testing emerged as a potential means to solve this issue. This dissertation describes the process undertaken to design and develop a module entitled Assessing Correct Integration of Security Mechanisms (ACISM) that aims to provide system developers with the means to improve system security by anticipating and preventing potential attacks. Using the list of threats that the system is vulnerable as inputs, this tool provides developers with a set of security tests and tools that will allow testing how susceptible the system is to each of those threats. This tool outputs a set of possible attacks derived from the threats and what tools could be used to simulate these attacks. The tool developed in this dissertation has the purpose to function as a plugin of a framework called Security Advising Modules (SAM). It has the objective of advising users in the development of secure IoT, cloud and mobile systems during the design phases of these systems. SAM is a modular framework composed by a set of modules that advise the user in different stages of the security engineering process. To validate the usefulness of the ACISM module in real life, it was tested by 17 computer science practitioners. The feedback received from these users was very positive. The great majority of the participants found the tool to be extremely helpful in facilitating the execution of security tests in IoT. The principal contributions achieved with this dissertation were: the creation of a tool that outputs a set of attacks and penetration tools to execute the attacks mentioned, all starting from the threats an IoT system is susceptible to. Each of the identified attacking tools will be accompanied with a brief instructional guide; all summing up to an extensive review of the state of the art in testing. |
| id |
RCAP_ee0fe3f9f73d41d6eeb3d7a85a44e2c5 |
|---|---|
| oai_identifier_str |
oai:ubibliorum.ubi.pt:10400.6/11844 |
| network_acronym_str |
RCAP |
| network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| repository_id_str |
7160 |
| spelling |
SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of ThingsAutomatização de TestesInternet das CoisasIotTestesTestes de SegurançaDomínio/Área Científica::Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e InformáticaInternet of Things (IoT) is expanding at a global level and its influence in our daily lives is increasing. This fast expansion, with companies competing to be the first to deploy new IoT systems, has led to the majority of the software being created and produced without due attention being given to security considerations and without adequate security testing. Software quality and security testing are inextricably linked. The most successful approach to achieve secure software is to adhere to secure development, deployment, and maintenance principles and practices throughout the development process. Security testing is a procedure for ensuring that a system keeps the users data secure and performs as expected. However, extensively testing a system can be a very daunting task, that usually requires professionals to be well versed in the subject, so as to be performed correctly. Moreover, not all development teams can have access to a security expert to perform security testing in their IoT systems. The need to automate security testing emerged as a potential means to solve this issue. This dissertation describes the process undertaken to design and develop a module entitled Assessing Correct Integration of Security Mechanisms (ACISM) that aims to provide system developers with the means to improve system security by anticipating and preventing potential attacks. Using the list of threats that the system is vulnerable as inputs, this tool provides developers with a set of security tests and tools that will allow testing how susceptible the system is to each of those threats. This tool outputs a set of possible attacks derived from the threats and what tools could be used to simulate these attacks. The tool developed in this dissertation has the purpose to function as a plugin of a framework called Security Advising Modules (SAM). It has the objective of advising users in the development of secure IoT, cloud and mobile systems during the design phases of these systems. SAM is a modular framework composed by a set of modules that advise the user in different stages of the security engineering process. To validate the usefulness of the ACISM module in real life, it was tested by 17 computer science practitioners. The feedback received from these users was very positive. The great majority of the participants found the tool to be extremely helpful in facilitating the execution of security tests in IoT. The principal contributions achieved with this dissertation were: the creation of a tool that outputs a set of attacks and penetration tools to execute the attacks mentioned, all starting from the threats an IoT system is susceptible to. Each of the identified attacking tools will be accompanied with a brief instructional guide; all summing up to an extensive review of the state of the art in testing.A Internet das Coisas (IoT) é um dos paradigmas com maior expansão mundial à data de escrita da dissertação, traduzindose numa influência incontornável no quotidiano. As empresas pretendem ser as primeiras a implantar novos sistemas de IoT como resultado da sua rápida expansão, o que faz com que a maior parte do software seja criado e produzido sem considerações de segurança ou testes de segurança adequados. A qualidade do software e os testes de segurança estão intimamente ligados. A abordagem mais bemsucedida para obter software seguro é aderir aos princípios e práticas de desenvolvimento, implantação e manutenção seguros em todo o processo de desenvolvimento. O teste de segurança é um procedimento para garantir que um sistema proteja os dados do utilizador e execute conforme o esperado. Esta dissertação descreve o esforço despendido na concepção e desenvolvimento de uma ferramenta que, tendo em consideração as ameaças às quais um sistema é vulnerável, produz um conjunto de testes e identifica um conjunto de ferramentas de segurança para verificar a susceptibilidade do sistema às mesmas. A ferramenta mencionada anteriormente foi desenvolvida em Python e tem como valores de entrada uma lista de ameaças às quais o sistema é vulnerável. Depois de processar estas informações, a ferramenta produz um conjunto de ataques derivados das ameaças e possíveis ferramentas a serem usadas para simular esses ataques. Para verificar a utilidade da ferramenta em cenários reais, esta foi testada por 17 pessoas com conhecimento na área de informática. A ferramenta foi avaliada pelos sujeitos de teste de uma forma muito positiva. A grande maioria dos participantes considerou a ferramenta extremamente útil para auxiliar a realização de testes de segurança em IoT. As principais contribuições alcançadas com esta dissertação foram: a criação de uma ferramenta que, através das ameaças às quais um sistema IoT é susceptível, produzirá um conjunto de ataques e ferramentas de penetração para executar os ataques mencionados. Cada uma das ferramentas será acompanhada por um breve guia de instruções; uma extensa revisão do estado da arte em testes.The work described in this dissertation was carried out at the Instituto de Telecomunicações, Multimedia Signal Processing – Covilhã Laboratory, in Universidade da Beira Interior, at Covilhã, Portugal. This research work was funded by the S E C U R I o T E S I G N Project through FCT/COMPETE/FEDER under Reference Number POCI010145FEDER030657 and by Fundação para Ciência e Tecnologia (FCT) research grant with reference BIL/Nº11/2019B00701.The work described in this dissertation was carried out at the Instituto de Telecomunicações, Multimedia Signal Processing – Covilhã Laboratory, in Universidade da Beira Interior, at Covilhã, Portugal. This research work was funded by the S E C U R I o T E S I G N Project through FCT/COMPETE/FEDER under Reference Number POCI010145FEDER030657 and by Fundação para Ciência e Tecnologia (FCT) research grant with reference BIL/Nº11/2019B00701.Inácio, Pedro Ricardo MoraisSimões, Tiago Miguel CarrolauBibliorumLopes, Carolina Galvão2022-01-17T16:46:08Z2021-10-142021-07-282021-10-14T00:00:00Zinfo:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/masterThesisapplication/pdfhttp://hdl.handle.net/10400.6/11844TID:202858278enginfo:eu-repo/semantics/openAccessreponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãoinstacron:RCAAP2023-12-15T09:54:35Zoai:ubibliorum.ubi.pt:10400.6/11844Portal AgregadorONGhttps://www.rcaap.pt/oai/openaireopendoar:71602024-03-20T00:51:32.432965Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãofalse |
| dc.title.none.fl_str_mv |
SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things |
| title |
SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things |
| spellingShingle |
SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things Lopes, Carolina Galvão Automatização de Testes Internet das Coisas Iot Testes Testes de Segurança Domínio/Área Científica::Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e Informática |
| title_short |
SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things |
| title_full |
SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things |
| title_fullStr |
SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things |
| title_full_unstemmed |
SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things |
| title_sort |
SemiAutomatic Generation of Tests for Assessing Correct Integration of Security Mechanisms in the Internet of Things |
| author |
Lopes, Carolina Galvão |
| author_facet |
Lopes, Carolina Galvão |
| author_role |
author |
| dc.contributor.none.fl_str_mv |
Inácio, Pedro Ricardo Morais Simões, Tiago Miguel Carrola uBibliorum |
| dc.contributor.author.fl_str_mv |
Lopes, Carolina Galvão |
| dc.subject.por.fl_str_mv |
Automatização de Testes Internet das Coisas Iot Testes Testes de Segurança Domínio/Área Científica::Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e Informática |
| topic |
Automatização de Testes Internet das Coisas Iot Testes Testes de Segurança Domínio/Área Científica::Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e Informática |
| description |
Internet of Things (IoT) is expanding at a global level and its influence in our daily lives is increasing. This fast expansion, with companies competing to be the first to deploy new IoT systems, has led to the majority of the software being created and produced without due attention being given to security considerations and without adequate security testing. Software quality and security testing are inextricably linked. The most successful approach to achieve secure software is to adhere to secure development, deployment, and maintenance principles and practices throughout the development process. Security testing is a procedure for ensuring that a system keeps the users data secure and performs as expected. However, extensively testing a system can be a very daunting task, that usually requires professionals to be well versed in the subject, so as to be performed correctly. Moreover, not all development teams can have access to a security expert to perform security testing in their IoT systems. The need to automate security testing emerged as a potential means to solve this issue. This dissertation describes the process undertaken to design and develop a module entitled Assessing Correct Integration of Security Mechanisms (ACISM) that aims to provide system developers with the means to improve system security by anticipating and preventing potential attacks. Using the list of threats that the system is vulnerable as inputs, this tool provides developers with a set of security tests and tools that will allow testing how susceptible the system is to each of those threats. This tool outputs a set of possible attacks derived from the threats and what tools could be used to simulate these attacks. The tool developed in this dissertation has the purpose to function as a plugin of a framework called Security Advising Modules (SAM). It has the objective of advising users in the development of secure IoT, cloud and mobile systems during the design phases of these systems. SAM is a modular framework composed by a set of modules that advise the user in different stages of the security engineering process. To validate the usefulness of the ACISM module in real life, it was tested by 17 computer science practitioners. The feedback received from these users was very positive. The great majority of the participants found the tool to be extremely helpful in facilitating the execution of security tests in IoT. The principal contributions achieved with this dissertation were: the creation of a tool that outputs a set of attacks and penetration tools to execute the attacks mentioned, all starting from the threats an IoT system is susceptible to. Each of the identified attacking tools will be accompanied with a brief instructional guide; all summing up to an extensive review of the state of the art in testing. |
| publishDate |
2021 |
| dc.date.none.fl_str_mv |
2021-10-14 2021-07-28 2021-10-14T00:00:00Z 2022-01-17T16:46:08Z |
| dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
| dc.type.driver.fl_str_mv |
info:eu-repo/semantics/masterThesis |
| format |
masterThesis |
| status_str |
publishedVersion |
| dc.identifier.uri.fl_str_mv |
http://hdl.handle.net/10400.6/11844 TID:202858278 |
| url |
http://hdl.handle.net/10400.6/11844 |
| identifier_str_mv |
TID:202858278 |
| dc.language.iso.fl_str_mv |
eng |
| language |
eng |
| dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
| eu_rights_str_mv |
openAccess |
| dc.format.none.fl_str_mv |
application/pdf |
| dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação instacron:RCAAP |
| instname_str |
Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
| instacron_str |
RCAAP |
| institution |
RCAAP |
| reponame_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| collection |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| repository.name.fl_str_mv |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
| repository.mail.fl_str_mv |
|
| _version_ |
1799136404558577664 |