Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/73376
Title: Research on Software Security Testing Automation and Its Applications on Internet of Things (軟體資訊安全自動化檢測技術研究與在物聯網上之應用)
Author: Chin-Wei Tien (田謹維)
Advisor: 郭斯彥
Keywords: Security Testing, IoT Security, Testing Standard, Mobile App, Device Firmware, Container Virtualization, Static Analysis, Dynamic Analysis, Anomaly Analysis
Year of publication: 2019
Degree: Doctoral
Abstract (translated from the Chinese original): Internet of Things (IoT) applications are growing rapidly; according to international market research organizations, the number of IoT devices will reach 20 billion by 2020. Security threats arising from poor product quality are the issue of greatest concern for the development of IoT applications, and governments and organizations worldwide have published IoT security guidelines and testing standards to help raise and safeguard the security of IoT systems. However, with such a vast number of devices, a testing business model based mainly on human labor cannot carry the load, and the original intent of the security standards is hard to realize; this creates a need for automated security testing. In view of this, this thesis investigates the research and development of automated security testing technology and applies it to empirical testing against IoT security standards. Specifically, it analyzes international IoT security testing standards such as OWASP, UL 2900-2, and NIST, derives testing requirements from them, and on that basis builds core testing technologies for unpacking and reverse engineering, static analysis, dynamic analysis, and anomaly analysis, yielding three automated security testing tools: the app security testing system MAS (Mobile Apps Assessment and Analysis System), the firmware security testing system UFO (Universal Firmware vulnerability Observer), and the container anomalous-behavior detection system KubAnomaly (Kubernetes Anomaly Detection). Together with purpose-built validation datasets, evaluation metrics for accuracy, standard coverage, and system performance are designed, and empirical testing is carried out on the main components of IoT systems: apps, device firmware, and cloud container applications. The main results are: (1) MAS was used to test 15,000 apps from the Google Play and iTunes stores and to assist Taiwan's public sector in inspecting the security quality of over one hundred published apps, reporting that most apps carry at least three serious security issues; (2) UFO was used to test the firmware of 237 commercial IoT products and uncovered previously unknown hidden backdoor vulnerabilities in two Taiwanese IP camera products, which were reported to the vendors for remediation; (3) KubAnomaly uses machine learning to model and detect anomalous security threats in cloud containers, can be integrated into the Kubernetes container management platform, reaches a detection accuracy of up to 96%, and was deployed for attack detection and defense on a live containerized website, where it uncovered multiple attacks originating from China, Thailand, and Portugal. Overall, the development of automated security testing tools effectively verifies the security quality of IoT vendors' products, meets the requirements of international security testing standards, and improves the development opportunities of Taiwan's IoT industry.
Abstract (English): Internet of Things (IoT) applications have been growing rapidly. A market survey predicted that the number of IoT devices will reach 20 billion in 2020. Consequently, security threats due to poor product quality have been identified as an important factor affecting the growth of the IoT industry, and government agencies and organizations have developed IoT security guidelines and testing standards to raise the security quality of IoT products. However, testing this many devices manually requires considerable human effort, which makes it difficult to meet the original purpose of the security testing standards and creates a demand for security testing automation. In this study, we develop security testing automation and conduct field trials of IoT security standard testing to evaluate it. The study analyzes the content of IoT security testing standards, including OWASP, UL 2900-2, and NIST, and summarizes their testing requirements in order to develop reverse engineering, static analysis, dynamic analysis, and anomaly analysis technologies. We implement three security automation tools: the mobile apps assessment and analysis system (MAS), the universal firmware vulnerability observer (UFO), and Kubernetes anomaly detection (KubAnomaly). We further design evaluation datasets for benchmarking system accuracy, coverage, and performance, and apply the implementations to real-world IoT system components: apps, device firmware, and cloud container environments. The main evaluation results are as follows. (1) MAS was used to test 15,000 popular apps from the Google Play and Apple iTunes stores in the USA, Japan, and Taiwan; most apps were found to contain at least three security issues. (2) UFO was evaluated on 237 real-world embedded device firmware images; hidden backdoor problems were reported to two IoT device vendors in Taiwan, who confirmed them. (3) KubAnomaly uses machine learning to build an anomaly detection mechanism for the Kubernetes container orchestration platform and achieves an overall accuracy of up to 96%. KubAnomaly was used to identify real attack events by attackers in China, Thailand, and Portugal during September 2018. In summary, automated security testing tools can effectively test the quality of IoT industry products, meet the requirements of international security testing standards, and enhance the development opportunities of Taiwan's IoT industry.
URI: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/73376
DOI: 10.6342/NTU201900882
Full-text license: paid authorization (有償授權)
Appears in collection: Department of Electrical Engineering

Files in this item: ntu-108-1.pdf (4.03 MB, Adobe PDF; not authorized for public access)