Abstract: The pervasiveness of IoT devices has brought us convenience as well as the risks of security vulnerabilities. However, traditional device vulnerability detection methods cannot efficiently detect command injection vulnerabilities due to heavy execution overheads or false positives and false negatives. Therefore, we propose a novel dynamic detection solution, IoTCID. First, it generates constrained models by parsing the front-end files of the IoT device, and a static binary analysis is performed towards the back-end programs to locate the interface processing function. Then, it utilizes a fuzzing method based on the feedback from Distance Function, which selects high-quality samples through various scheduling strategies. Finally, with the help of the probe code, it compares the parameter of potential risk functions with samples to confirm the command injection vulnerabilities. We implement a prototype of IoTCID and evaluate it on real-world IoT devices from three vendors and confirm six vulnerabilities. It shows that IoTCID are effective in discovering command injection vulnerabilities in IoT devices.

Hao Chen, Jinxin Ma, Baojiang Cui and Junsong Fu, “IoTCID: A Dynamic Detection Technology for Command Injection Vulnerabilities in IoT Devices” International Journal of Advanced Computer Science and Applications(IJACSA), 13(10), 2022. http://dx.doi.org/10.14569/IJACSA.2022.0131002

@article{Chen2022,
title = {IoTCID: A Dynamic Detection Technology for Command Injection Vulnerabilities in IoT Devices},
journal = {International Journal of Advanced Computer Science and Applications},
doi = {10.14569/IJACSA.2022.0131002},
url = {http://dx.doi.org/10.14569/IJACSA.2022.0131002},
year = {2022},
publisher = {The Science and Information Organization},
volume = {13},
number = {10},
author = {Hao Chen and Jinxin Ma and Baojiang Cui and Junsong Fu}
}