Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/73376
Full metadata record
DC field | Value | Language |
---|---|---|
dc.contributor.advisor | 郭斯彥 | |
dc.contributor.author | Chin-Wei Tien | en |
dc.contributor.author | 田謹維 | zh_TW |
dc.date.accessioned | 2021-06-17T07:31:20Z | - |
dc.date.available | 2024-07-02 | |
dc.date.copyright | 2019-07-02 | |
dc.date.issued | 2019 | |
dc.date.submitted | 2019-06-11 | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/73376 | - |
dc.description.abstract | Internet of Things (IoT) applications are growing rapidly; according to international market research, the number of IoT devices will reach 20 billion by 2020. Security threats arising from poor product quality are the issue of greatest concern for the development of IoT applications, and governments and organizations have established IoT security guidelines and testing standards to help raise and assure the security of IoT systems. With such a large number of IoT devices, however, the traditional labour-intensive testing business model cannot keep up, and the original intent of the security standards is hard to realize; this creates a need for automated security testing. This thesis therefore studies the development of automated security testing technology and applies it to the empirical testing of IoT security standards. Specifically, it analyzes international IoT security testing standards including OWASP, UL 2900-2 and NIST, derives testing requirements from those standards, and on that basis builds core testing techniques for reverse engineering, static analysis, dynamic analysis and anomaly analysis, resulting in three automated security testing tools: MAS (Mobile Apps Assessment and Analysis System) for app security testing, UFO (Universal Firmware vulnerability Observer) for firmware security testing, and KubAnomaly (Kubernetes Anomaly Detection) for detecting anomalous container behaviour. Together with the construction of validation datasets and evaluation metrics for accuracy, standard coverage and system performance, the tools are applied to the main components of IoT systems: apps, device firmware and cloud container applications. The main results are: (1) MAS tested 15,000 apps from Google Play and the iTunes store and helped Taiwanese public agencies check the security quality of more than a hundred published apps, reporting that most apps carry at least three severe security issues; (2) UFO tested the firmware of 237 commercial IoT products and found previously unknown backdoor vulnerabilities hidden in two Taiwanese IP camera products, which were reported to the vendors for remediation; (3) KubAnomaly uses machine learning to model and detect security-threat anomalies in cloud containers, integrates with the Kubernetes container management platform, reaches a detection accuracy of 96%, and, deployed to defend a live containerized website, uncovered multiple attacks originating from China, Thailand and Portugal. Overall, the development of automated security testing tools effectively verifies the security quality of IoT vendors' products, meets the requirements of international security testing standards, and improves the development opportunities of Taiwan's IoT industry. | zh_TW |
dc.description.abstract | Internet of Things (IoT) applications have been growing rapidly. A market survey predicted that the number of IoT devices will reach 20 billion in 2020. Against this background, security threats caused by poor product quality have been identified as an important factor influencing the evolution of the IoT industry, so government agencies and organizations have developed IoT security guidelines and testing standards to raise the security quality of IoT products. However, testing such a large number of IoT devices requires a considerable human workload, which makes it difficult to achieve the original purpose of the security testing standards and creates a demand for security testing automation. In this study we develop security testing automation and conduct field trials on IoT security standard testing to evaluate it. The study analyzes the content of IoT security testing standards including OWASP, UL 2900-2, and NIST, summarizes their testing requirements, and from these develops reversing, static analysis, dynamic analysis, and anomaly analysis technologies. We implement three security automation tools: the Mobile Apps Assessment and Analysis System (MAS), the Universal Firmware vulnerability Observer (UFO), and Kubernetes Anomaly Detection (KubAnomaly). We further design evaluation datasets for benchmarking system accuracy, standard coverage, and performance, and apply the tools to real-world IoT system components: apps, device firmware, and cloud container environments. The main evaluation results are as follows. (1) MAS validated 15,000 popular apps from the Google Play and Apple iTunes stores in the USA, Japan, and Taiwan; most apps were found to contain at least three security issues. (2) UFO was evaluated on 237 real-world embedded device firmware images; the hidden backdoor problems it found were reported to two IoT device vendors in Taiwan, who confirmed them. (3) KubAnomaly uses machine learning to build an anomaly detection mechanism for the cloud container orchestration platform Kubernetes and achieves an overall accuracy of up to 96%; it was used to identify real attack events by attackers in China, Thailand, and Portugal during September 2018. In summary, automated security testing tools can effectively test the quality of IoT industry products, meet the requirements of international security testing standards, and enhance the development opportunities of Taiwan's IoT industry. | en |
dc.description.provenance | Made available in DSpace on 2021-06-17T07:31:20Z (GMT). No. of bitstreams: 1 ntu-108-D99921020-1.pdf: 4131287 bytes, checksum: fc07394cf440f384f810b09cf60d4d82 (MD5) Previous issue date: 2019 | en |
dc.description.tableofcontents | Table of Contents; List of Figures; List of Tables; Abstract (Chinese); Abstract. I. Introduction: 1.1 Architecture of IoT System; 1.2 Security is a Critical Issue in IoT; 1.3 Security Testing and Standards in IoT; 1.4 The Needs of IoT Security Testing Automation. II. Related Works: 2.1 Current Security Testing Automation Solutions; 2.2 Related Works for App Security Testing; 2.3 Related Works for Firmware Security Testing; 2.4 Related Works for Container Security Testing; 2.5 Summary of Related Security Testing in IoT Software. III. Design: 3.1 Test Automation Framework; 3.2 Testing Requirements from IoT Security Testing Standards; 3.3 Summary of Software Security Testing Automation Design. IV. Implementation: 4.1 Security Testing Tools for IoT Software; 4.2 Implementation of MAS (Mobile Apps Assessment and Analysis System); 4.3 Implementation of UFO (Universal Firmware vulnerability Observer); 4.4 Implementation of KubAnomaly (Kubernetes Anomaly Detection); 4.5 Summary of Software Security Testing Implementation. V. Evaluation: 5.1 App Security Testing Automation Evaluation; 5.2 Firmware Security Testing Automation Evaluation; 5.3 Container Security Testing Automation Evaluation; 5.4 Summary of Evaluation. VI. Discussion: 6.1 Findings from Real-World Evaluation; 6.2 Limitations of the Tools. VII. Conclusion. References. | |
dc.language.iso | en | |
dc.title | 軟體資訊安全自動化檢測技術研究與在物聯網上之應用 | zh_TW |
dc.title | Research on Software Security Testing Automation and Its Applications on Internet of Things | en |
dc.type | Thesis | |
dc.date.schoolyear | 107-2 | |
dc.description.degree | Doctoral (PhD) | |
dc.contributor.oralexamcommittee | 雷欽隆,顏嗣鈞,林宗男,游家牧,陳俊良 | |
dc.subject.keyword | Security testing, IoT security, testing standards, mobile apps, device firmware, container virtualization, static analysis, dynamic analysis, anomaly analysis | zh_TW |
dc.subject.keyword | Security Testing, IoT Security, Testing Standard, App, Firmware, Container Virtualization, Static Analysis, Dynamic Analysis, Anomaly Analysis | en |
dc.relation.page | 77 | |
dc.identifier.doi | 10.6342/NTU201900882 | |
dc.rights.note | Licensed for use with compensation (有償授權) | |
dc.date.accepted | 2019-06-11 | |
dc.contributor.author-college | College of Electrical Engineering and Computer Science (電機資訊學院) | zh_TW |
dc.contributor.author-dept | Graduate Institute of Electrical Engineering (電機工程學研究所) | zh_TW |
Appears in collections: | Department of Electrical Engineering (電機工程學系) |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-108-1.pdf (currently not authorized for public access) | 4.03 MB | Adobe PDF |
Items in this repository are protected by copyright, with all rights reserved, unless otherwise indicated.