Abstract
Defining the intended behaviour of IoT devices is considered as a key aspect to detect and mitigate potential security attacks. In this direction, the Manufacturer Usage Description (MUD) has been recently standardised to reduce the attack surface of a certain device through the definition of access control policies. However, the semantic model is only intended to provide network level restrictions for the communication of such device. In order to increase the expressiveness of this approach, we propose the use of an automated IoT security testing methodology, so that testing results are used to generate augmented MUD profiles, in which additional security aspects are considered. For the enforcement of these profiles, we propose the use of different access control technologies addressing application layer security concerns. Furthermore, the methodology is based on the use of Model-Based Testing (MBT) techniques to automate the generation, design and implementation of security tests. Then, we describe the application of the resulting approach to the Elliptic Curve Diffie-Hellman over COSE (EDHOC) protocol, which represents a standardisation effort to build a lightweight authenticated key exchange protocol for IoT constrained scenarios.
Highlights
The extension of the so-called Internet of Things (IoT) in our daily lives has brought an increase of the number and impact of potential security attacks
The use of a security testing methodology for IoT is considered, so that test results can be used to generate security restrictions that govern the behaviour of a certain device
New tests can be automatically generated from the same model. This aspect is especially relevant for IoT environments, which present a high degree of dynamism and heterogeneity, since the System Under Test (SUT) model does not need to be modified
Summary
The extension of the so-called Internet of Things (IoT) in our daily lives has brought an increase of the number and impact of potential security attacks. The use of a security testing methodology for IoT is considered, so that test results can be used to generate security restrictions that govern the behaviour of a certain device Such approach is based on [8], which is, in turn, based on the risk-based security assessment and testing methodologies proposed by the European Telecommunications Standards Institute (ETSI) [9]. This aspect is especially relevant for IoT environments, which present a high degree of dynamism and heterogeneity, since the SUT model does not need to be modified Such methodology is extended for the generation and enforcement of MUD profiles. Extension of the MUD model to represent additional security aspects, in order to govern the behaviour of IoT devices through a fine-grained approach.
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
