Securing IOT Devices Via Protocol Reduction And Formal Analysis

Speaker: Jianliang WU
         Purdue University

Title: "Securing IOT Devices Via Protocol Reduction And Formal Analysis"

Date:   Monday, 20 February 2023

Time:   10:00 am - 11:00 am HKT

Zoom Link:
https://hkust.zoom.us/j/465698645?pwd=aVRaNWs2RHNFcXpnWGlkR05wTTk3UT09

Meeting ID: 465-698-645
Passcode: 20222023


Abstract:

Internet of Things (IoT) devices ease our daily life in all aspects, but
attacks caused by security breaches and privacy leaks remain their primary
threats. Existing approaches to secure IoT devices focus on only one of
the three parties in the ecosystem, the designer, developer, or user,
without considering the intersections among these parties. In this talk, I
will describe my research on securing IoT devices, focusing on the
intersection between different parties. I will first talk about LightBlue,
a tool that reduces the attack surface of Bluetooth stack
implementations from the users' perspective. It leverages Bluetooth domain
knowledge to address the multi-entry points challenge faced by data and
flow analysis. LightBlue is applicable to several platforms, and it can
remove 20 CVEs and prevent 2 real-world attacks. Then, I will introduce my
work on identifying previously-unknown design vulnerabilities, leveraging
formal analysis considering both the designers' and developers'
assumptions. In this work, I built a comprehensive formal model for
Bluetooth security protocols, including Bluetooth Classic, Bluetooth Low
Energy, and Bluetooth Mesh. To address the challenge posed by the protocol
complexity, the model adopts a modular design. It abstracts each step
within a protocol into an interface and implements different methods in
each step as modules to instantiate the interface, through which all
configurations of the protocol can be modeled with ease. Additionally, the
model supports both the Dolev-Yao attack model (i.e., the designers'
assumption) and the semi-compromised device attack model (i.e., an
assumption of the developers). Using this model, I rediscovered 5 known
vulnerabilities and 2 new issues. Lastly, I will briefly talk about my
future research plan for securing IoT devices.


****************
Biography:

Jianliang Wu is a Ph.D. candidate at Purdue University, advised by Dongyan
Xu and Antonio Bianchi. He also works closely with Dave (Jing) Tian. His
research interest lies in Systems Security, with a focus on the security
and privacy issues caused by the communication between different parties
in a system. His research has been published in top-tier security
conferences (e.g., S&P and Security), received the Best Paper Award
from WOOT, and was one of the CSAW Applied Research Competition finalists.