Abstract

Command injection vulnerabilities are among the most common and dangerous attack vectors in IoT devices. Current detection approaches can detect single-step injection vulnerabilities well through fuzz testing. However, an attacker could inject malicious commands into an IoT device via a multi-step exploit if he first abuses one interface to store the injection payload and later uses it in a command interpreter through another interface. We identify a large class of such multi-step injection attacks to address these stealthy and harmful threats and define them as higher-order command injection vulnerabilities (HOCIVs). We develop an automatic system named Request Linking (ReLink) to detect data stores that would be transferred to command interpreters and then identify HOCIVs. ReLink is validated on an experimental embedded system injected with 150 HOCIVs. According to the experimental results, ReLink is significantly better than existing command injection detection tools in terms of detection rate, test space and time.

Highlights

  • IoT devices provide daily services interacting with users and often handle large amounts of user-provided data

  • We implemented an experimental embedded system based on ARM Vexpress OS simulated in QEMU with 150 higher-order command injection vulnerabilities (HOCIVs) implanted for evaluation

  • For detection rate: As shown in Table IV, 87.3% of all the vulnerable embedded applications with HOCIVs had been detected by Request Linking (ReLink)


Summary

INTRODUCTION

IoT devices provide daily services interacting with users and often handle large amounts of user-provided data. The analysis tools determine if the injected commands are executed. These approaches have high false-negative rates when detecting HOCIVs, since triggering HOCIVs requires sending different requests in specific orders. A detailed data flow analysis is performed to determine if the request chain could trigger commands' execution with the user's input. We fuzz these selected request sequences to detect HOCIVs. With ReLink, we can detect HOCIVs with linear test space and low memory consumption, while most of the other methods require exponential test space and high memory consumption. We could identify the inputting and processing request that could lead to common command injection vulnerabilities, but we ignore them since this paper focuses on HOCIVs. Data stores are important links between different requests. Such vulnerabilities bring significant security risks to IoT devices.
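The idea that data stores link an inputting request to a processing request can be sketched as follows. This is an added illustration, not ReLink's implementation: the handler names, store keys and the `Handler` summary format are constructed, and the summaries are assumed to come from a prior data-flow analysis of the firmware.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Handler:
    """Constructed summary of one request handler (hypothetical format)."""
    name: str
    stores_input_to: frozenset = frozenset()     # store keys written from user input
    loads_into_command: frozenset = frozenset()  # store keys passed to a command interpreter

# Constructed sample: six handlers of an imaginary device management interface.
HANDLERS = [
    Handler("set_hostname", stores_input_to=frozenset({"nvram:hostname"})),
    Handler("set_ntp", stores_input_to=frozenset({"nvram:ntp_server"})),
    Handler("set_timezone", stores_input_to=frozenset({"nvram:tz"})),  # stored, never run
    Handler("apply_network", loads_into_command=frozenset({"nvram:hostname"})),
    Handler("sync_time", loads_into_command=frozenset({"nvram:ntp_server"})),
    Handler("get_status"),
]

def link_requests(handlers):
    """Return (inputting request, data store, processing request) chains.

    Two requests are linked only when one stores user input under a key
    that the other later hands to a command interpreter.
    """
    writers = {}
    for h in handlers:
        for key in h.stores_input_to:
            writers.setdefault(key, []).append(h.name)
    chains = []
    for h in handlers:
        for key in sorted(h.loads_into_command):
            for writer in writers.get(key, []):
                chains.append((writer, key, h.name))
    return chains

def blind_sequences(handlers, length=2):
    """Number of ordered request sequences a fuzzer with no linking must try."""
    return len(handlers) ** length

if __name__ == "__main__":
    for writer, key, reader in link_requests(HANDLERS):
        print(f"fuzz in order: {writer} -> [{key}] -> {reader}")
    print("linked chains:", len(link_requests(HANDLERS)),
          "vs blind two-request sequences:", blind_sequences(HANDLERS))
```

Only the linked chains need to be fuzzed in order; `set_timezone` is dropped because nothing passes its stored value to a command interpreter.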
