Improving Internet of Things device certification with policy-based management

摘要

The fast growing rate of the IoT systems with strong pressure to put devices on the market as soon as possible makes these systems vulnerable targets for cyber criminals, as recently seen in the Mirai botnet Distributed Denial-of-Service (DDoS) attack. A way to mitigate these threats is to enforce a comprehensive security certification process of IoT devices based on common standards. In this paper, we present an approach to improve certification of IoT devices using a combination of model-based testing and policy-based management in order to detect post certification vulnerabilities and act on them by introducing runtime policy enforcement capabilities. More precisely, we address these attacks using policy enforcement in order to correct vulnerable IoT device behavior and protect users even if security and privacy were not properly addressed by the device manufactures. We describe the details of our approach and, focusing on authorization vulnerabilities, we present a case study for the oneM2M standard showing how our solution can be applied in practice.