Automatic Vulnerability Detection in Tizen Applications with Dynamic Symbolic Execution

Abstract

Security of Internet-of-Things (IoT) systems is important due to their widespread usage in everyday life. Much research has been performed on analyzing the security of IoT communication protocols and operating systems. However, few studies have focused on analyzing the security of IoT applications and automatic detection of vulnerabilities in them. In these studies, the code of IoT applications and operating systems are analyzed statically to detect vulnerabilities. To the best of our knowledge, there is no dynamic analysis solution suggested for vulnerability detection in such applications, although this method is more accurate than static analysis. In fact, IoT applications are executed in special-purpose hardware, which makes their dynamic analysis more difficult than ordinary applications. In this paper, we propose a technical solution that combines static and dynamic analysis methods to automatically detect vulnerability in applications of Tizen IoT operating system. We consider Native and Web Tizen applications and present an automatic vulnerability detection method for each type of application. Our focus is on detecting buffer overflow and XSS vulnerability classes in Native and Web applications, respectively. We have evaluated the effectiveness of our method using a group of native and web test programs. The results of our experiments show that our solution is able to detect the vulnerability in these programs effectively.