Visible to the public Biblio

Filters: Keyword is security weaknesses  [Clear All Filters]
2022-04-18
Disawal, Shekhar, Suman, Ugrasen.  2021.  An Analysis and Classification of Vulnerabilities in Web-Based Application Development. 2021 8th International Conference on Computing for Sustainable Global Development (INDIACom). :782–785.
Nowadays, web vulnerability is a critical issue in web applications. Web developers develop web applications, but sometimes they are not very well-versed with security concerns, thereby creating loopholes for the vulnerabilities. If a web application is developed without considering security, it is harmful for the client and the company. Different types of vulnerabilities encounter during the web application development process. Therefore, vulnerability identification is a crucial and critical task from a web application development perspective. It is vigorous to secure them from the earliest development life cycle process. In this paper, we have analyzed and classified vulnerabilities related to web application security during the development phases. Here, the concern is to identify a weakness, countermeasure, confidentiality impact, access complexity, and severity level, which affect the web application security.
Kang, Ji, Sun, Yi, Xie, Hui, Zhu, Xixi, Ding, Zhaoyun.  2021.  Analysis System for Security Situation in Cyberspace Based on Knowledge Graph. 2021 7th International Conference on Big Data and Information Analytics (BigDIA). :385–392.
With the booming of Internet technology, the continuous emergence of new technologies and new algorithms greatly expands the application boundaries of cyberspace. While enjoying the convenience brought by informatization, the society is also facing increasingly severe threats to the security of cyberspace. In cyber security defense, cyberspace operators rely on the discovered vulnerabilities, attack patterns, TTPs, and other knowledge to observe, analyze and determine the current threats to the network and security situation in cyberspace, and then make corresponding decisions. However, most of such open-source knowledge is distributed in different data sources in the form of text or web pages, which is not conducive to the understanding, query and correlation analysis of cyberspace operators. In this paper, a knowledge graph for cyber security is constructed to solve this problem. At first, in the process of obtaining security data from multi-source heterogeneous cyberspaces, we adopt efficient crawler to crawl the required data, paving the way for knowledge graph building. In order to establish the ontology required by the knowledge graph, we abstract the overall framework of security data sources in cyberspace, and depict in detail the correlations among various data sources. Then, based on the \$$\backslash$mathbfOWL +$\backslash$mathbfSWRL\$ language, we construct the cyber security knowledge graph. On this basis, we design an analysis system for situation in cyberspace based on knowledge graph and the Snort intrusion detection system (IDS), and study the rules in Snort. The system integrates and links various public resources from the Internet, including key information such as general platforms, vulnerabilities, weaknesses, attack patterns, tactics, techniques, etc. in real cyberspace, enabling the provision of comprehensive, systematic and rich cyber security knowledge to security researchers and professionals, with the expectation to provide a useful reference for cyber security defense.
Ahmed-Zaid, Said, Loo, Sin Ming, Valdepena-Delgado, Andres, Beam, Theron.  2021.  Cyber-Physical Security Assessment and Resilience of a Microgrid Testbed. 2021 Resilience Week (RWS). :1–3.
In order to identify potential weakness in communication and data in transit, a microgrid testbed is being developed at Boise State University. This testbed will be used to verify microgrid models and communication methods in an effort to increase the resiliency of these systems to cyber-attacks. If vulnerabilities are found in these communication methods, then risk mitigation techniques will be developed to address them.
Paul, Rajshakhar, Turzo, Asif Kamal, Bosu, Amiangshu.  2021.  Why Security Defects Go Unnoticed During Code Reviews? A Case-Control Study of the Chromium OS Project 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE). :1373–1385.
Peer code review has been found to be effective in identifying security vulnerabilities. However, despite practicing mandatory code reviews, many Open Source Software (OSS) projects still encounter a large number of post-release security vulnerabilities, as some security defects escape those. Therefore, a project manager may wonder if there was any weakness or inconsistency during a code review that missed a security vulnerability. Answers to this question may help a manager pinpointing areas of concern and taking measures to improve the effectiveness of his/her project's code reviews in identifying security defects. Therefore, this study aims to identify the factors that differentiate code reviews that successfully identified security defects from those that missed such defects. With this goal, we conduct a case-control study of Chromium OS project. Using multi-stage semi-automated approaches, we build a dataset of 516 code reviews that successfully identified security defects and 374 code reviews where security defects escaped. The results of our empirical study suggest that the are significant differences between the categories of security defects that are identified and that are missed during code reviews. A logistic regression model fitted on our dataset achieved an AUC score of 0.91 and has identified nine code review attributes that influence identifications of security defects. While time to complete a review, the number of mutual reviews between two developers, and if the review is for a bug fix have positive impacts on vulnerability identification, opposite effects are observed from the number of directories under review, the number of total reviews by a developer, and the total number of prior commits for the file under review.
Aivatoglou, Georgios, Anastasiadis, Mike, Spanos, Georgios, Voulgaridis, Antonis, Votis, Konstantinos, Tzovaras, Dimitrios.  2021.  A Tree-Based Machine Learning Methodology to Automatically Classify Software Vulnerabilities. 2021 IEEE International Conference on Cyber Security and Resilience (CSR). :312–317.
Software vulnerabilities have become a major problem for the security analysts, since the number of new vulnerabilities is constantly growing. Thus, there was a need for a categorization system, in order to group and handle these vulnerabilities in a more efficient way. Hence, the MITRE corporation introduced the Common Weakness Enumeration that is a list of the most common software and hardware vulnerabilities. However, the manual task of understanding and analyzing new vulnerabilities by security experts, is a very slow and exhausting process. For this reason, a new automated classification methodology is introduced in this paper, based on the vulnerability textual descriptions from National Vulnerability Database. The proposed methodology, combines textual analysis and tree-based machine learning techniques in order to classify vulnerabilities automatically. The results of the experiments showed that the proposed methodology performed pretty well achieving an overall accuracy close to 80%.
Yuan, Liu, Bai, Yude, Xing, Zhenchang, Chen, Sen, Li, Xiaohong, Deng, Zhidong.  2021.  Predicting Entity Relations across Different Security Databases by Using Graph Attention Network. 2021 IEEE 45th Annual Computers, Software, and Applications Conference (COMPSAC). :834–843.
Security databases such as Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Attack Pattern Enumeration and Classification (CAPEC) maintain diverse high-quality security concepts, which are treated as security entities. Meanwhile, security entities are documented with many potential relation types that profit for security analysis and comprehension across these three popular databases. To support reasoning security entity relationships, translation-based knowledge graph representation learning treats each triple independently for the entity prediction. However, it neglects the important semantic information about the neighbor entities around the triples. To address it, we propose a text-enhanced graph attention network model (text-enhanced GAT). This model highlights the importance of the knowledge in the 2-hop neighbors surrounding a triple, under the observation of the diversity of each entity. Thus, we can capture more structural and textual information from the knowledge graph about the security databases. Extensive experiments are designed to evaluate the effectiveness of our proposed model on the prediction of security entity relationships. Moreover, the experimental results outperform the state-of-the-art by Mean Reciprocal Rank (MRR) 0.132 for detecting the missing relationships.
Zhang, Junpeng, Li, Mengqian, Zeng, Shuiguang, Xie, Bin, Zhao, Dongmei.  2021.  A Survey on Security and Privacy Threats to Federated Learning. 2021 International Conference on Networking and Network Applications (NaNA). :319–326.
Federated learning (FL) has nourished a promising scheme to solve the data silo, which enables multiple clients to construct a joint model without centralizing data. The critical concerns for flourishing FL applications are that build a security and privacy-preserving learning environment. It is thus highly necessary to comprehensively identify and classify potential threats to utilize FL under security guarantees. This paper starts from the perspective of launched attacks with different computing participants to construct the unique threats classification, highlighting the significant attacks, e.g., poisoning attacks, inference attacks, and generative adversarial networks (GAN) attacks. Our study shows that existing FL protocols do not always provide sufficient security, containing various attacks from both clients and servers. GAN attacks lead to larger significant threats among the kinds of threats given the invisible of the attack process. Moreover, we summarize a detailed review of several defense mechanisms and approaches to resist privacy risks and security breaches. Then advantages and weaknesses are generalized, respectively. Finally, we conclude the paper to prospect the challenges and some potential research directions.
Helmiawan, Muhammad Agreindra, Julian, Eggi, Cahyan, Yavan, Saeppani, Asep.  2021.  Experimental Evaluation of Security Monitoring and Notification on Network Intrusion Detection System for Server Security. 2021 9th International Conference on Cyber and IT Service Management (CITSM). :1–6.
Security of data and information in servers connected to networks that provide services to user computers, is the most important thing to maintain data privacy and security in network security management mechanisms. Weaknesses in the server security system can be exploited by intruders to disrupt the security of the server. One way to maintain server security is to implement an intrusion detection system using the Intrusion Detection System. This research is experimenting to create a security system prototype, monitoring, and evaluating server security systems using Snort and alert notifications that can improve security monitoring for server security. The system can detect intrusion attacks and provide warning messages and attack information through the Intrusion Detection System monitoring system. The results show that snort and alert notifications on the security server can work well, efficiently, and can be handled quickly. Testing attacks with Secure Shell Protocol and File Transfer Protocol Brute Force, Ping of Death and scanning port attacks requires a detection time of no more than one second, and all detection test results are detected and send real-time notification alerts to the Administrator.
2022-04-01
Aigner, Andreas, Khelil, Abdelmajid.  2021.  A Security Scoring Framework to Quantify Security in Cyber-Physical Systems. 2021 4th IEEE International Conference on Industrial Cyber-Physical Systems (ICPS). :199—206.
The need to achieve a suitable level of security in Cyber-Physical Systems (CPS) presents a major challenge for engineers. The unpredictable communication of highly constrained, but safety-relevant systems in a heterogeneous environment, significantly impacts the number and severity of vulnerabilities. Consequently, if security-related weaknesses can successfully be exploited by attackers, the functionality of critical infrastructure could be denied or malfunction. This might consequently threaten life or leak sensitive information. A toolkit to quantitatively express security is essential for security engineers in order to define security-enhancing measurements. For this purpose, security scoring frameworks, like the established Common Vulnerability Scoring System can be used. However, existing security scoring frameworks may not be able to handle the proposed challenges and characteristics of CPS. Therefore, in this work, we aim to elaborate a security scoring system that is tailored to the needs of CPS. In detail, we analyze security on a System-of-Systems level, while considering multiple attacks, as well as potential side effects to other security-related objects. The positive effects of integrated mitigation concepts should also be abbreviated by our proposed security score. Additionally, we generate the security score for interacting AUTOSAR platforms in a highly-connected Vehicle-to-everything (V2x) environment. We refer to this highly relevant use case scenario to underline the benefits of our proposed scoring framework and to prove its effectiveness in CPS.
2022-01-10
Ibrahim, Mariam, Nabulsi, Intisar.  2021.  Security Analysis of Smart Home Systems Applying Attack Graph. 2021 Fifth World Conference on Smart Trends in Systems Security and Sustainability (WorldS4). :230–234.
In this work, security analysis of a Smart Home System (SHS) is inspected. The paper focuses on describing common and likely cyber security threats against SHS. This includes both their influence on human privacy and safety. The SHS is properly presented and formed applying Architecture Analysis and Design Language (AADL), exhibiting the system layout, weaknesses, attack practices, besides their requirements and post settings. The obtained model is later inspected along with a security requirement with JKind model tester software for security endangerment. The overall attack graph causing system compromise is graphically given using Graphviz.
2020-03-09
PONGSRISOMCHAI, Sutthinee, Ngamsuriyaroj, Sudsanguan.  2019.  Automated IT Audit of Windows Server Access Control. 2019 21st International Conference on Advanced Communication Technology (ICACT). :539–544.

To protect sensitive information of an organization, we need to have proper access controls since several data breach incidents were happened because of broken access controls. Normally, the IT auditing process would be used to identify security weaknesses and should be able to detect any potential access control violations in advance. However, most auditing processes are done manually and not performed consistently since lots of resources are required; thus, the auditing is performed for quality assurance purposes only. This paper proposes an automated process to audit the access controls on the Windows server operating system. We define the audit checklist and use the controls defined in ISO/IEC 27002:2013 as a guideline for identifying audit objectives. In addition, an automated audit tool is developed for checking security controls against defined security policies. The results of auditing are the list of automatically generated passed and failed policies. If the auditing is done consistently and automatically, the intrusion incidents could be detected earlier and essential damages could be prevented. Eventually, it would help increase the reliability of the system.

2020-02-17
Yin, Mingyong, Wang, Qixu, Cao, Mingsheng.  2019.  An Attack Vector Evaluation Method for Smart City Security Protection. 2019 International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob). :1–7.

In the network security risk assessment on critical information infrastructure of smart city, to describe attack vectors for predicting possible initial access is a challenging task. In this paper, an attack vector evaluation model based on weakness, path and action is proposed, and the formal representation and quantitative evaluation method are given. This method can support the assessment of attack vectors based on known and unknown weakness through combination of depend conditions. In addition, defense factors are also introduced, an attack vector evaluation model of integrated defense is proposed, and an application example of the model is given. The research work in this paper can provide a reference for the vulnerability assessment of attack vector.

Yee, George O. M..  2019.  Designing Good Security Metrics. 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC). 2:580–585.

This paper begins with an introduction to security metrics, describing the need for security metrics, followed by a discussion of the nature of security metrics, including the challenges found with some security metrics used in the past. The paper then discusses what makes a good security metric and proposes a rigorous step-by-step method that can be applied to design good security metrics, and to test existing security metrics to see if they are good metrics. Application examples are included to illustrate the method.

Sharma, Aditya, Jain, Aaditya, Sharma, Ila.  2019.  Exposing the Security Weaknesses of Fifth Generation Handover Communication. 2019 10th International Conference on Computing, Communication and Networking Technologies (ICCCNT). :1–6.
With the development of Fifth Generation (5G) mobile telecommunication technology, the Third Generation Partnership Project (3GPP) is attempting to fulfill the increasing security demands of IoT-based applications. 3GPP has published the study report of the 5G handover architecture and security functions. In this work, we discuss the 5G handover key mechanism with its key hierarchy. In addition, the Xn-based, N2-based intra/inter AMF handover mechanism in 5G communication network is analyzed and identify the security weaknesses such as false base-station and Denial-of-Service (DoS) attack. Moreover, the handover mechanism suffers from authentication complexity due to high bandwidth consumption. From these security issues, all the future session keys will be compromised and secure connection between mobile/ user equipment and target basestation will not be established.
Papakonstantinou, Nikolaos, Linnosmaa, Joonas, Alanen, Jarmo, Bashir, Ahmed Z., O'Halloran, Bryan, Van Bossuyt, Douglas L..  2019.  Early Hybrid Safety and Security Risk Assessment Based on Interdisciplinary Dependency Models. 2019 Annual Reliability and Maintainability Symposium (RAMS). :1–7.
Safety and security of complex critical infrastructures are very important for economic, environmental and social reasons. The complexity of these systems introduces difficulties in the identification of safety and security risks that emerge from interdisciplinary interactions and dependencies. The discovery of safety and security design weaknesses late in the design process and during system operation can lead to increased costs, additional system complexity, delays and possibly undesirable compromises to address safety and security weaknesses.
Meijer, Carlo, van Gastel, Bernard.  2019.  Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives. 2019 IEEE Symposium on Security and Privacy (SP). :72–87.
We have analyzed the hardware full-disk encryption of several solid state drives (SSDs) by reverse engineering their firmware. These drives were produced by three manufacturers between 2014 and 2018, and are both internal models using the SATA and NVMe interfaces (in a M.2 or 2.5" traditional form factor) and external models using the USB interface. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many models using hardware encryption have critical security weaknesses due to specification, design, and implementation issues. For many models, these security weaknesses allow for complete recovery of the data without knowledge of any secret (such as the password). BitLocker, the encryption software built into Microsoft Windows will rely exclusively on hardware full-disk encryption if the SSD advertises support for it. Thus, for these drives, data protected by BitLocker is also compromised. We conclude that, given the state of affairs affecting roughly 60% of the market, currently one should not rely solely on hardware encryption offered by SSDs and users should take additional measures to protect their data.
Fett, Daniel, Hosseyni, Pedram, Küsters, Ralf.  2019.  An Extensive Formal Security Analysis of the OpenID Financial-Grade API. 2019 IEEE Symposium on Security and Privacy (SP). :453–471.
Forced by regulations and industry demand, banks worldwide are working to open their customers' online banking accounts to third-party services via web-based APIs. By using these so-called Open Banking APIs, third-party companies, such as FinTechs, are able to read information about and initiate payments from their users' bank accounts. Such access to financial data and resources needs to meet particularly high security requirements to protect customers. One of the most promising standards in this segment is the OpenID Financial-grade API (FAPI), currently under development in an open process by the OpenID Foundation and backed by large industry partners. The FAPI is a profile of OAuth 2.0 designed for high-risk scenarios and aiming to be secure against very strong attackers. To achieve this level of security, the FAPI employs a range of mechanisms that have been developed to harden OAuth 2.0, such as Code and Token Binding (including mTLS and OAUTB), JWS Client Assertions, and Proof Key for Code Exchange. In this paper, we perform a rigorous, systematic formal analysis of the security of the FAPI, based on an existing comprehensive model of the web infrastructure - the Web Infrastructure Model (WIM) proposed by Fett, Küsters, and Schmitz. To this end, we first develop a precise model of the FAPI in the WIM, including different profiles for read-only and read-write access, different flows, different types of clients, and different combinations of security features, capturing the complex interactions in a web-based environment. We then use our model of the FAPI to precisely define central security properties. In an attempt to prove these properties, we uncover partly severe attacks, breaking authentication, authorization, and session integrity properties. We develop mitigations against these attacks and finally are able to formally prove the security of a fixed version of the FAPI. Although financial applications are high-stakes environments, this work is the first to formally analyze and, importantly, verify an Open Banking security profile. By itself, this analysis is an important contribution to the development of the FAPI since it helps to define exact security properties and attacker models, and to avoid severe security risks before the first implementations of the standard go live. Of independent interest, we also uncover weaknesses in the aforementioned security mechanisms for hardening OAuth 2.0. We illustrate that these mechanisms do not necessarily achieve the security properties they have been designed for.
2020-02-10
Rahman, Md Rayhanur, Rahman, Akond, Williams, Laurie.  2019.  Share, But Be Aware: Security Smells in Python Gists. 2019 IEEE International Conference on Software Maintenance and Evolution (ICSME). :536–540.

Github Gist is a service provided by Github which is used by developers to share code snippets. While sharing, developers may inadvertently introduce security smells in code snippets as well, such as hard-coded passwords. Security smells are recurrent coding patterns that are indicative of security weaknesses, which could potentially lead to security breaches. The goal of this paper is to help software practitioners avoid insecure coding practices through an empirical study of security smells in publicly-available GitHub Gists. Through static analysis, we found 13 types of security smells with 4,403 occurrences in 5,822 publicly-available Python Gists. 1,817 of those Gists, which is around 31%, have at least one security smell including 689 instances of hard-coded secrets. We also found no significance relation between the presence of these security smells and the reputation of the Gist author. Based on our findings, we advocate for increased awareness and rigorous code review efforts related to software security for Github Gists so that propagation of insecure coding practices are mitigated.

2019-08-26
Doynikova, Elena, Fedorchenko, Andrey, Kotenko, Igor.  2018.  Determination of Security Threat Classes on the Basis of Vulnerability Analysis for Automated Countermeasure Selection. Proceedings of the 13th International Conference on Availability, Reliability and Security. :62:1–62:8.
Currently the task of automated security monitoring and responding to security incidents is highly relevant. The authors propose an approach to determine weaknesses of the analyzed system on the basis of its known vulnerabilities for further specification of security threats. It is relevant for the stage of determining the necessary and sufficient set of security countermeasures for specific information systems. The required set of security response tools and means depends on the determined threats. The possibility of practical implementation of the approach follows from the connectivity between open databases of vulnerabilities, weaknesses, and attacks. The authors applied various classification methods for vulnerabilities considering values of their properties. The paper describes source data used for classification, their preprocessing stage, and the classification results. The obtained results and the methods for their enhancement are discussed.
Chaman, Anadi, Wang, Jiaming, Sun, Jiachen, Hassanieh, Haitham, Roy Choudhury, Romit.  2018.  Ghostbuster: Detecting the Presence of Hidden Eavesdroppers. Proceedings of the 24th Annual International Conference on Mobile Computing and Networking. :337–351.
This paper explores the possibility of detecting the hidden presence of wireless eavesdroppers. Such eavesdroppers employ passive receivers that only listen and never transmit any signals making them very hard to detect. In this paper, we show that even passive receivers leak RF signals on the wireless medium. This RF leakage, however, is extremely weak and buried under noise and other transmitted signals that can be 3-5 orders of magnitude larger. Hence, it is missed by today's radios. We design and build Ghostbuster, the first device that can reliably extract this leakage, even when it is buried under ongoing transmissions, in order to detect the hidden presence of eavesdroppers. Ghostbuster does not require any modifications to current transmitters and receivers and can accurately detect the eavesdropper in the presence of ongoing transmissions. Empirical results show that Ghostbuster can detect eavesdroppers with more than 95% accuracy up to 5 meters away.
Shen, Shiyu, Gao, Jianlin, Wu, Aitian.  2018.  Weakness Identification and Flow Analysis Based on Tor Network. Proceedings of the 8th International Conference on Communication and Network Security. :90–94.

As the Internet technology develops rapidly, attacks against Tor networks becomes more and more frequent. So, it's more and more difficult for Tor network to meet people's demand to protect their private information. A method to improve the anonymity of Tor seems urgent. In this paper, we mainly talk about the principle of Tor, which is the largest anonymous communication system in the world, analyze the reason for its limited efficiency, and discuss the vulnerability of link fingerprint and node selection. After that, a node recognition model based on SVM is established, which verifies that the traffic characteristics expose the node attributes, thus revealing the link and destroying the anonymity. Based on what is done above, some measures are put forward to improve Tor protocol to make it more anonymous.

Chakraborty, Saurav, Thomas, Drew, DeHart, Joanathan, Saralaya, Kishan, Tadepalli, Prabhakar, Narendra, Siva G..  2018.  Solving Internet's Weak Link for Blockchain and IoT Applications. Proceedings of the 1st ACM/EIGSCC Symposium on Smart Cities and Communities. :6:1–6:5.
Blockchain normalizes applications that run on the internet through the standardization of decentralized data structure, computational requirements and trust in transactions. This new standard has now spawned hundreds of legitimate internet applications in addition to the cryptocurrency revolution. This next frontier that standardizes internet applications will dramatically increase productivity to levels never seen before, especially when applied to Internet of Things (IoT) applications. The blockchain framework relies on cryptographic private keys to sign digital data as its foundational principle. Without the security of private keys to sign data blocks, there can be no trust in blockchain. Central storage of these keys for managing IoT machines and users, while convenient to implement, will be highly detrimental to the assumed safety and security of this next frontier. In this paper, we will introduce decentralized and device agnostic cryptographic signing solutions suitable for securing users and machines in blockchain and IoT applications.
Mavroeidis, V., Vishi, K., Jøsang, A..  2018.  A Framework for Data-Driven Physical Security and Insider Threat Detection. 2018 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM). :1108–1115.

This paper presents PSO, an ontological framework and a methodology for improving physical security and insider threat detection. PSO can facilitate forensic data analysis and proactively mitigate insider threats by leveraging rule-based anomaly detection. In all too many cases, rule-based anomaly detection can detect employee deviations from organizational security policies. In addition, PSO can be considered a security provenance solution because of its ability to fully reconstruct attack patterns. Provenance graphs can be further analyzed to identify deceptive actions and overcome analytical mistakes that can result in bad decision-making, such as false attribution. Moreover, the information can be used to enrich the available intelligence (about intrusion attempts) that can form use cases to detect and remediate limitations in the system, such as loosely-coupled provenance graphs that in many cases indicate weaknesses in the physical security architecture. Ultimately, validation of the framework through use cases demonstrates and proves that PS0 can improve an organization's security posture in terms of physical security and insider threat detection.

Mohammad, Z., Qattam, T. A., Saleh, K..  2019.  Security Weaknesses and Attacks on the Internet of Things Applications. 2019 IEEE Jordan International Joint Conference on Electrical Engineering and Information Technology (JEEIT). :431–436.

Internet of Things (IoT) is a contemporary concept for connecting the existing things in our environment with the Internet for a sake of making the objects information are accessible from anywhere and anytime to support a modern life style based on the Internet. With the rapid development of the IoT technologies and widely spreading in most of the fields such as buildings, health, education, transportation and agriculture. Thus, the IoT applications require increasing data collection from the IoT devices to send these data to the applications or servers which collect or analyze the data, so it is a very important to secure the data and ensure that do not reach a malicious adversary. This paper reviews some attacks in the IoT applications and the security weaknesses in the IoT environment. In addition, this study presents the challenges of IoT in terms of hardware, network and software. Moreover, this paper summarizes and points to some attacks on the smart car, smart home, smart campus, smart farm and healthcare.

Wang, C., Jiang, Y., Zhao, X., Song, X., Gu, M., Sun, J..  2018.  Weak-Assert: A Weakness-Oriented Assertion Recommendation Toolkit for Program Analysis. 2018 IEEE/ACM 40th International Conference on Software Engineering: Companion (ICSE-Companion). :69–72.

Assertions are helpful in program analysis, such as software testing and verification. The most challenging part of automatically recommending assertions is to design the assertion patterns and to insert assertions in proper locations. In this paper, we develop Weak-Assert, a weakness-oriented assertion recommendation toolkit for program analysis of C code. A weakness-oriented assertion is an assertion which can help to find potential program weaknesses. Weak-Assert uses well-designed patterns to match the abstract syntax trees of source code automatically. It collects significant messages from trees and inserts assertions into proper locations of programs. These assertions can be checked by using program analysis techniques. The experiments are set up on Juliet test suite and several actual projects in Github. Experimental results show that Weak-Assert helps to find 125 program weaknesses in 26 actual projects. These weaknesses are confirmed manually to be triggered by some test cases.