Biblio

IoT honeypots that mimic the behavior of IoT devices for threat analysis are becoming increasingly important. Existing honeypot systems use devices with a specific version of firmware installed to monitor cyber attacks. However, honeypots frequently receive requests targeting devices and firmware that are different from themselves. When honeypots return an error response to such a request, the attack is terminated, and the monitoring fails.To solve this problem, we introduce FirmPot, a framework that automatically generates intelligent-interaction honeypots using firmware. This framework has a firmware emulator optimized for honeypot generation and learns the behavior of embedded applications by using machine learning. The generated honeypots continue to interact with attackers by a mechanism that returns the best from the emulated responses to the attack request instead of an error response.We experimented on embedded web applications of wireless routers based on the open-source OpenWrt. As a result, our framework generated honeypots that mimicked the embedded web applications of eight vendors and ten different CPU architectures. Furthermore, our approach to the interaction improved the session length with attackers compared to existing ones.

Dynamic Taint Analysis (DTA) technique has been developed for analysis and understanding behavior of Android applications and privacy policy enforcement. Meanwhile, implicit information flows (IIFs) are major concern of security researchers because IIFs can evade DTA technique easily and give attackers an advantage over the researchers. Some researchers suggested approaches to the issue and developed analysis systems supporting privacy policy enforcement against IIF-accompanied attacks; however, there is still no effective technique of comprehensive analysis and privacy policy enforcement against IIF-accompanied attacks. In this paper, we propose an IIF detection technique to enforce privacy policy against IIF-accompanied attacks in Android applications. We developed a new analysis tool, called Smalien, that can discover data leakage caused by IIF-contained information flows as well as explicit information flows. We demonstrated practicability of Smalien by applying it to 16 IIF tricks from ScrubDroid and two IIF tricks from DroidBench. Smalien enforced privacy policy successfully against all the tricks except one trick because the trick loads code dynamically from a remote server at runtime, and Smalien cannot analyze any code outside of a target application. The results show that our approach can be a solution to the current attacker-superior situation.