AbstractInternet of Things (IoT) systems are ubiquitous, highly complex and dynamic eventbased systems. These characteristics make their security analysis challenging. One of the most significant concerns about IoT is that it is not secure. Prominent attacks,
such as WannaCry and the Mirai botnets, have only stoked these fears and raised questions about the security of IoT. This thesis aims to develop a framework to facilitate design and security analysis in IoT systems. The proposed framework is composed of the following components: (1) a modeling language to represent IoT systems; (2) a modeling methodology to create models; (3) processes to assess the security of the models and (4) propose countermeasures to increase the security of the models. The modeling language provides components to create IoT system models that capture the information needed by a security engineer to design and perform security analysis on an IoT system. The modeling methodology provides instructions as well
as restrictions on how models are created using the modeling language. It provides a structured approach to transition models between the engineering phases. Then, automated and semi-automated processes are used to identify existing vulnerabilities
and configurations that increase the attack surface in the models. Finally, a report of the countermeasures is generated based on the attributes of the models to mitigate the identified threats and vulnerabilities. To evaluate the framework, it was applied to case studies. Each case study assessed specific aspects of the framework. One case study was performed to assess the processes of eliciting security requirements from the existing
hardware architecture of a system. The feedback from the case study was used to refine the modeling language. A case study was performed to evaluate the automated and semi-automated analysis processes that are part of the framework. The processes were measured regarding resources, error rate, and additional information when compared to the same task undertaken by a human engineer. This case study was performed on a real-life infrastructure of a security organization. The organization’s infrastructure was modeled and analyzed using the framework to measure the attack surface of their system and improve its security mechanisms with the use of the analysis processes of
the framework. Another case study was performed to model the infrastructure of a smart city. This was made to assess the scalability of the framework when designing and analyzing large-scale systems.
|Date of Award||Oct 2019|
|Supervisor||Haris Mouratidis (Supervisor), Andrew Fish (Supervisor) & Manos Panaousis (Supervisor)|