Formal Verification of an Efficient Architecture to Enhance the Security in IoT

The Internet of Things (IoT) is one of the world's newest intelligent communication technologies. There are several kinds of novels about IoT architectures, but they still suffer from security and privacy challenges. Formal verification is a vital method for detecting potential weaknesses and vulnerabilities at an early stage. During this paper, a framework in the Event-B formal method will be used to design a formal description of the secure IoT architecture to cover the security properties of the IoT architecture. As well as using various Event-B properties like formal verification, functional checks, and model checkers to design different formal spoofing attacks for the IoT environment. Additionally, the Accuracy of the IoT architecture can be obtained by executing different Event-B runs like simulations, proof obligation, and invariant checking. By applied formal verification, functional checks and model checkers verified models of IoT-EAA architecture have automatically discharged 82.35% of proof obligations through different Event-B provers. Finally, this paper will focus on introducing a well-defined IoT security infrastructure to address and reduce the security challenges. Keywords—Internet of things (IoT); IoT architecture; IoT security; formal modeling and verification; Event-B


I. INTRODUCTION
The Internet of Things (IoT) is one of the most recent research topics these days. IoT [1] allows various devices to communicate with one another over the Internet. As a result, it ensures that the device is intelligent and sends information to a central system, which will check and take necessary measures by the task at hand. To make the IoT paradigm a reality, things or objects must be identified, as well as sensing, networking, and processing capabilities.
Recent advances [2] in wireless technology, advanced communications, and intelligent systems have demonstrated a strong potential and a strong attempt to enhance human life in every way possible. Depending on the different application domains of IoT, the heterogeneity of the devices, and the ubiquitous communication, IoT is primarily composed of several sensors (wireless and automatic). It requires a deep understanding of IoT architecture. Its architecture is made up of four main layers [3,4]; Perception, Network, Middleware, and Application layer. The interconnection of massive heterogeneous frameworks and networks of systems is referred to as IoT technology. Because IoT devices [5] have different designs, implementations, and maintenance, they have a variety of problems and weaknesses in their software and hardware.
When all the security requirements are met successfully, a system is considered secure [6]. Confidentiality, integrity, authentication, availability, authorization, non-repudiation, and privacy are all essential requirements. For each one-off them and must ensure security in all different layers from different threats. As a result, the entire deployment architecture must be secured from attacks that could hinder IoT services or jeopardize data privacy, integrity, or confidentiality.
Since this Internet of Things is composed up of interconnected networks and heterogeneous devices, it inherits the security problems facing computer networks. Since small devices or items with sensors have limited power and memory, IoT protection is further complicated by resource constraints. Consequently, security solutions need to be adapted to the constrained architectures.
Recently, a lot of effort has gone into dealing with security issues in the IoT paradigm. Some of these approaches focus on a particular layer of security, while others aim to provide endto-end security for IoT. According to [7], the author proposed a new efficient and secure architecture model for the Internet of things called IoT-EAA, which tends to provide end-to-end security for IoT through the top one of the IoT applications, as well as resolving various security issues that exists at various bottom layers. " Fig. 1" shows the IoT-EAA security architecture model, which contains five layers, (Hardware Layer, Network Communication Layer, Service Application Layer, Connectivity Management Layer, and Security Layer). 134 | P a g e www.ijacsa.thesai.org Event-B is a formal method for formal specification and development of systems [8] that an extension of method B. In formal Event-B methods, step-by-step models of systems can be created starting with an abstract model and enrich the abstract models with more details to form concrete models.
To ensure that a refined model conforms to abstract models [9], a series of test loads are generated to show that the refinements are correct. Event models B contain two parts called context and machine. The static part of the model, such as sets and constants, is contained in the context, while the dynamic part, such as variables and events, is contained in the machine. The main character in Event-B is refinement, which allows for the system's gradual development.
Rodin platform tool [10,11] introduces support for Event-B modeling, automatic creation, and proving rules. Rodin is an Eclipse-based application that implements Event-B. An environment includes advanced automated provers such as PP, ML, and SMT, which generate proofs for refinements, feasibility, invariants, and well-definedness of expressions within guards, acts, and invariants. When the automatic proof discharge fails, a manual proof discharge is used. Event-B also includes an interactive proving method for manual proof. Rodin platform has a critical feature, which is the proof obligation generator. It generates proof obligations.
IoT network security [12] is divided into two categories: technological challenges and security challenges. The technological challenges are those that arise as a result of the heterogeneity and ubiquity of devices, while the security challenges are primarily related to the system's basic functions. The technological challenges mainly include [13] scalability, performance, computing, wireless technologies, and the distributed paradigm while security challenges include ensuring confidentiality, integrity, end-to-end security, and permanent availability of services.
There is a different security threat to IoT such as Denial of Service, Brute Force, Man in the middle attacks and many other attacks are visualized in the interconnected network. There are several reasons [14] for occurs these attacks like weak passwords, no encryption, personal information leakage, etc., if such security attacks are not solved to some safe level the market of IoT will be harmful because of the week service of security. It involves not only these security issues but also have other issues of access control, authentication of different networks, and some problems of the information store. This problem requires having a well-defined security infrastructure to address these problems and reduce security Threats [15]. This paper introduces a contribution by using one of the most important formal methods called Event-B, to enhance the security of IoT technology. This involves model checking and theorem proving for IoT architecture discharge in the Rodin platform. Hence, this paper will provide structured verification for IoT architecture that focuses on security checking for each IoT architecture layer, which considers the early stages of building the IoT systems.
The rest of the paper is organized as follows. Section II discusses related works about using formal methods in the IoT area, including previous studies for the IoT and formal methods. Section III proposed some mathematical definitions for the configurations of the IoT-EAA architecture as well as our methodology for proofing IoT-EAA architecture mathematically. Section IV discusses the verification method. Finally, the last part presents the concluding remarks and future work in Section V.

II. RELATED WORK
Formal Verification is a promising method for ensuring security by using a variety of mathematical and logical methods to mathematically verify the accuracy of designs. Formal methods are used to implement several approaches in the IoT domain.
In [16] authors review formal methods for various protocols used in the IoT environment. They concern with the security mechanisms for communication protocols in the IoT communication layer only, but in this paper, we used formal verification methods to check the security mechanisms for each layer in the IoT architecture.
In [17] Authors improve the security and detecting various security issues at an early stage for the IoT application layer by introducing formal methods on different protocols in this layer. However, the authors concentrate on the security mechanisms for protocols in the IoT application layer only.
In [18] authors suggest a unified approach for verifying the communication protocols over a framework using machinedecomposition within Event-B. However, this approach does not introduce security properties in the IoT area.
The authors of [19] presented a comprehensive study of the most used formal verification methods and approaches for verifying and analyzing the correctness of cryptographic protocols and algorithms' security properties.
Authors in [20] introduced an automated alternative approach for supporting the early stages of the security verification process in chains. The proposed strategy analyzed the control and data planes, which included various security algorithms established in chains as security functions.
The SAT-based Model-Checker (SATMC) was suggested by the authors in [21] as a systematic verification method for verifying the correctness of critical security systems. Security protocols, business processes, and application programming interfaces for security were all included (APIs).

III. METHODOLOGY
This section introduces the proposed method to verify the correctness of the IoT-EAA mathematically through two phases which can be classified into two sub-sections. The first subsection introduces the mathematical description of the IoT-EAA architecture model, and the second subsection will illustrate Modelling and Verifying IoT-EAA Architecture using Event-B.

A. Mathematical Description for the IoT-EAA Architecture
This section describes the IoT-EAA architecture's mathematical description, including its composite entities and operational functions. The key physical and virtual components of the IoT-EAA architecture are also explained below.
• Definition1: (service Application layer) that is defined as a three-tuple.

A = [A id , A type , A sp ]
Where A id denotes the application ID and A type denotes the purpose for which the application is used (such as medicine, education, finance, entertainment, utility, and gaming). A sp specifies the minimum system requirements for running the application, such as the Processor, primary memory, and secondary storage requirements, as well as the operating system version. Where ND is Network devices that called routers are used to direct packets between networks. Also, S denotes the Source, which generates data to be transmitted (sensors or actuators), and T is the Transmitter that Converts data into transmittable signals through Ts, which the Transmission System that Carries data to the R Receiver to Convert the received signal into data and received it to the D the Destination that Takes the incoming data. where, HW id is an integer that represents the hardware's unique ID. where, P stands for the hardware processor specifications, which include information such as processor core speed, bus specifications, and internal register (cache memory) size. The memory size, memory clock, and data rate requirements for primary memory (RAM) are stored in M.
Tuple B contains information about the battery, such as voltage, size (AA or AAA), type (Ni or C electrodes), and the number of batteries needed is the symbolic representation of the various kinds of sensors that make up the node's submodules. The hardware used for wireless communication for the node, such as Bluetooth and ZigBee, is represented by the tuple c. f denotes the frequency range in which the HW runs.
• Definition5: connectivity management layer is defined as a two-tuple.

CM = [HM, NM]
Where the HM dented the management of IoT hardware and NM dented the management of Network communication.
Property1: The function of connectivity management, which mange the connection between HW and NC as represented in Equation (1).
The operator dented the management of the connectivity between HW and NC layers. Now all components of the IoT architecture will define in Equation (2).
The operator ≻ denotes the existence of a successor relationship between two operands. For example, X ≻ Y denotes that Y is a successor of X.
To satisfy the security in wholly the IoT architecture as represented in Equation (3).

IoT AR = ∑ ((HW ≻ NC) / CM) ≻A⇔S
The proposed theory for IoT security: the IoT application service satisfies a high degree of security if and only if secure the connection of hardware devices and network by managing the connection between them.

B. Modeling and Verifying IoT-EAA Architecture using
Event-B Formal methods consider an important tool for providing quantitative statements about safety and security properties for the digital systems [22]. These methods are usually used to formally verify a model. Therefore, Model checkers and Theorem provers are two different types of Formal Method tools. In model checkers, a system's model verifies its state space exhaustively and automatically according to a given specification. Human expertise is often required by theorem provers to guide the proof of correctness by providing design and specification characteristics as algebraic constraints or theorem [23].
Some tools, such as AVISPA [24], Scyther [25], and Tamarin, concentrate on security protocols, while others, such as UPPAAL [26], PRISM [27], and Rodin platform [11], focus on Event-B modeling for statistical and probabilistic verification. When it comes to security design verification, the primary objective is usually to verify or falsify security properties such as secrecy and authentication. Table I shows the various tools for verifying IoT protocols as well as the architecture for probabilistic/statistical model checkers.
According to Table I, the Event-B formal method will be used, which has the simulations and proof obligations that include both model checker the theorem prover that tends to verify the correction of the IoT-EAA architecture model.
To present the IoT-EAA architecture, additionally, introduce three incremental refinements of the IoT-EAA architecture model. These refinements implemented by Event-B modeling language to formalize the given architecture refinements implemented by Event-B modeling language to formalize the given architecture.
As shown in Fig. 2 the relationship between context and machine for IoT-EAA architecture is described. Machines and Event-B contexts are included in the model. The contexts contain all the required data structures and axioms to set up a machine.
The IoT architecture layer is implemented as events on the machine, and the properties that must be verified are written as invariants.
The Initial Model (Hardware layer): it contains several devices, practically; by using the Rodin platform in the preparation phase consisted of the device state on/off, An Event-B context declares a device state-defined using axiom3 for device state. An abstract model declares a list of variables defined by invariants (inv3 -inv8); as well as different events for the network communication layer and security as shown in Fig. 3.
Three events were introduced to one event to specify the desired functional behavior for the hardware layer of an IoT-EAA, As well as an event for the connectivity management layer and the security layer of an IoT-EAA. These events include guard(s) for enabling the given action(s) and the actions that define the changes to the states of the hardware layer. Here, we provide all events related to the hardware layer (data collection, manage the connection, and security), the hardware layer machine component will be described.
The first refinement (Network Communication layer): this refinement refined the initial model behavior into two phases; one focus on the network communication and the other phase refined the connectivity management layer and security layer into several sub-events. Practically, in this refinement, which includes (manage connection and security) events.
As well as Two new events to specifying the desired functional behavior (send data and receive data) are introduced in the network communication layer. In this refinement, we define an enumerated set and a list of variables to formalize the network communication operations defined by invariants (inv1 -inv11) that will be described in Fig. 4.
The second refinement (Service Application layer): this refinement can refine the Network Communication layer by introducing detailed events for the Service Application layer such as an interface with end-users that able to be linked for the major gap between users and applications; as well as security events for the security layer. In this refinement, an enumerated set and a list of variables were defined to formalize the service application operations by invariants (inv1 -inv5) context and machine for these refinements will be described in Fig. 5.

IV. VERIFICATION METHODS
In this section, we present the backbone of Event-B called a proof obligation generator [10]. This step runs after the static checker that checks the texts of the contexts and machines.
The validated models of IoT-EAA have together discharged 140 proof obligations, of which 82.35% proof obligations were automatically discharged through different Event-B provers. Well-definedness of predicates and expressions in invariants, guards, actions, variants, and witnesses for all events, feasibility checks, variable reuse check, guard reinforcing, and witness feasibility in refinements are all part of the proof obligations.
Variant checks for natural numbers and decreasing variants for convergent and predicted occurrences, theorems in axioms and invariant preservation for refinements and invariants used for verification of required security properties, theorems in axioms and invariant preservation for refinements and invariants used for verification of required security properties, theorems in axioms and invariant preservation for refinements and invariants used for verification of required security properties.
• Detecting some IoT security attacks using Event-B formal method.
IoT vision has been suffered from unprecedented attacks, which have resulted in the loss of privacy, organized crime, mental anguish, and the potential for human life to be jeopardized [28]. IoT has different attacks that occur in different IoT layers, one of these attacks called spoofing attack [29] is introduced, which considers a more dangerous attack for IoT applications.
Spoofing is the act of misrepresenting a communication from an unknown source as coming from a reliable source. Spoofing attacks can target a variety of domains, including emails, phone calls, and websites, or they can be more technical, like a computer spoofing an IP address; spoofing an email, Address Resolution Protocol (ARP), or Domain Name System (DNS) server.
On IoT nodes, a dynamic IP address attachment can be expanded from IPV4 to IPV6 when IPV4 addresses are insufficient for future requirements. Simple changes such as the IP stack are updated to support message exchange and avoid the use of complex cryptographic schemes for authentication.
To verify that the proposed method is useful for securing the IoT applications, various types of spoofing attacks are detected using the Rodin platform. We applied two types of spoofing attacks called "ip_address _spoofing" and "ARP_spoofing." Executing various runs and observing the sequence of events and variable values in each of these events will provide accuracy in securing the model.
By establishing a new event in the machine of the hardware layer for IoT_EAA architecture detected the security error because the secure action must be "FALSE " (if the IP address for the hardware layer does not equal the IP address for the attacker device this considers conflict as well as event guard that is (if the security protocol sp is true then the security must be false) as illustrated in Fig. 6 with representing the mechanism of Event-B for detecting different types of spoofing attacks.

V. CONCLUSION AND FUTURE WORKS
This paper looks at a vital application for the Formal Verification of IoT Architectures, focusing on security mechanisms. That is, different Event-B properties such as simulations, proof obligation, and invariant checking are used to verify the accuracy of the IoT-EAA architecture, which are then discharged in the Rodin platform to enhance security and detect security concerns at an early stage. Also, each IoT-EAA architecture layer's security issues will be discussed. Using the proposed method, various types of spoofing attacks were introduced in the Roin platform. We verified that various security properties are discovered, as well as the proposed IoT Architecture (IoT-EAA) in general.