Abstract
Due to the high increase of IoT technologies and devices, analyzing their security is crucial for their acceptance. Towards this end, an automated security testing approach should be considered as a cornerstone to cope with the business interests and the high fragmentation of new approaches. In particular, this work analyses the use of the Model-Based Testing (MBT) approach and specific technologies and tools to automate the generation of security tests. Then, we provide a detailed description of its application to the Elliptic Curve Diffie-Hellman over COSE (EDHOC) protocol, which is being defined within the scope of the Internet Engineering Task Force (IETF).
Keywords
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Arkin, B., Stender, S., McGraw, G.: Software penetration testing. IEEE Secur. Priv. 3(1), 84–87 (2005). https://doi.org/10.1109/MSP.2005.23
Atapour, C., Agrafiotis, I., Creese, S.: Modeling advanced persistent threats to enhance anomaly detection techniques. J. Wirel. Mob. Netw. Ubiquit. Comput. Dependable Appl. (JoWUA) 9(4), 71–102 (2018). https://doi.org/10.22667/JOWUA.2018.12.31.071
Bernabeu, G., Jaffuel, E., Legeard, B., Peureux, F.: MBT for global platform compliance testing: experience report and lessons learned. In: 25th IEEE International Symposium on Software Reliability Engineering Workshops, Naples, Italy (2014). https://doi.org/10.1109/ISSREW.2014.91
Bormann, C., Hoffman, P.: Concise Binary Object Representation (CBOR) (RFC7049) (2013). https://tools.ietf.org/html/rfc7049
Bouquet, F., Grandpierre, C., Legeard, B., Peureux, F., Vacelet, N., Utting, M.: A subset of precise UML for model-based testing. In: Proceedings of the 3rd International Workshop on Advances in Model-Based Testing - A-MOST 2007, pp. 95–104. ACM Press, London (2007). https://doi.org/10.1145/1291535.1291545. http://portal.acm.org/citation.cfm?doid=1291535.1291545
Bruni, A., Sahl Jørgensen, T., Grønbech Petersen, T., Schürmann, C.: Formal verification of ephemeral Diffie-Hellman over COSE (EDHOC). In: Cremers, C., Lehmann, A. (eds.) SSR 2018. LNCS, vol. 11322, pp. 21–36. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-04762-7_2
Eric Rescorla: The Transport Layer Security (TLS) Protocol Version 1.3 (2018). https://tools.ietf.org/html/draft-ietf-tls-tls13-28
Felderer, M., Büchler, M., Johns, M., Brucker, A.D., Breu, R., Pretschner, A.: Chapter one - security testing: a survey. In: Advances in Computers, vol. 101, pp. 1–51. Elsevier (2015). https://doi.org/10.1016/bs.adcom.2015.11.003. http://www.sciencedirect.com/science/article/pii/S0065245815000649
Godefroid, P., Levin, M.Y., Molnar, D.: SAGE - whitebox fuzzing for security testing. Queue 10(1), 20:20–20:27 (2012). https://doi.org/10.1145/2090147.2094081
Jing, Q., Vasilakos, A.V., Wan, J., Lu, J., Qiu, D.: Security of the internet of things: perspectives and challenges. Wirel. Netw. 20(8), 2481–2501 (2014)
Kammuller, F., Kerber, M., Probst, C.W., Kammueller, F., Kerber, M.: Insider threats and auctions: formalization, mechanized proof, and code generation. J. Wirel. Mob. Netw. Ubiquit. Comput. Dependable Appl. 8(1), 44–78 (2017). https://doi.org/10.22667/JOWUA.2017.03.31.044
Krawczyk, H.: Perfect forward secrecy. In: van Tilborg, H.C.A. (ed.) Encyclopedia of Cryptography and Security, pp. 457–458. Springer, Boston (2005). https://doi.org/10.1007/0-387-23483-7_298
Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF) (RFC869) (2010). https://tools.ietf.org/html/rfc5869
Li, W., Le Gall, F., Spaseski, N.: A survey on model-based testing tools for test case generation. In: Itsykson, V., Scedrov, A., Zakharov, V. (eds.) TMPA 2017. CCIS, vol. 779, pp. 77–89. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-71734-0_7
Matheu-Garcia, S.N., Hernandez-Ramos, J.L., Skarmeta, A.F.: Test-based risk assessment and security certification proposal for the internet of things. In: 2018 IEEE 4th World Forum on Internet of Things (WF-IoT), pp. 641–646. IEEE, Singapore, February 2018. https://doi.org/10.1109/WF-IoT.2018.8355193. https://ieeexplore.ieee.org/document/8355193/
Matheu-Garcia, S.N., Hernandez-Ramos, J.L., Skarmeta, A.F., Baldini, G.: Risk-based automated assessment and testing for the cybersecurity certification and labelling of IoT devices. Comput. Stand. Interfaces 62, 64–83 (2019). https://doi.org/10.1016/j.csi.2018.08.003. https://www.sciencedirect.com/science/article/abs/pii/S0920548918301375?via%3Dihub
McGrew, D., Igoe, K., Salter, M.: Fundamental elliptic curve cryptography algorithms (2010). https://tools.ietf.org/id/draft-mcgrew-fundamental-ecc-04.html
Palombini, F., Seitz, L., Selander, G., Mattsson, J.: Object security for constrained RESTful environments (OSCORE) (2018). https://tools.ietf.org/html/draft-ietf-core-object-security-15
Rescorla, E., Modadugu, N.: Datagram transport layer security version 1.2 (2012). https://tools.ietf.org/html/rfc6347. Published: RFC 6347
Schaad, J.: CBOR Object Signing and Encryption (COSE) (RFC8152), July 2017. https://doi.org/10.17487/RFC8152. https://www.rfc-editor.org/info/rfc8152
Selander, G., Palombini, F., Hartke, K.: Requirements for CoAP end-to-end security (2017)
Selander, G., Mattsson, J., Palombini, F.: Ephemeral Diffie-Hellman Over COSE (EDHOC) (2019). https://tools.ietf.org/id/draft-selander-ace-cose-ecdhe-13.html
Shelby, Z., Hartke, K., Bormann, C.: The Constrained Application Protocol (CoAP) (RFC7252) (2014). https://tools.ietf.org/html/rfc7252
Yoo, S., Harman, M.: Regression testing minimization, selection and prioritization: a survey. Softw. Test. Verif. Reliab. 22(2), 67–120 (2012). https://doi.org/10.1002/stv.430. http://doi.wiley.com/10.1002/stv.430
Acknowledgments
This work was supported in part by the Spanish Ministry of Economy and Competitiveness and the ERDF funds cofinantiation through the PERSEIDES project under GrantTIN2017-86885-R and the USEIT project under Grant PCIN-2016-010, in part by the H2020-780139 SerIoT project, and in part by the FPU-16/03305 Research Contract of the Ministry of Education and Professional Training of Spain.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Matheu, S.N., Pérez, S., Ramos, J.L.H., Skarmeta, A. (2020). On the Automation of Security Testing for IoT Constrained Scenarios. In: You, I. (eds) Information Security Applications. WISA 2019. Lecture Notes in Computer Science(), vol 11897. Springer, Cham. https://doi.org/10.1007/978-3-030-39303-8_22
Download citation
DOI: https://doi.org/10.1007/978-3-030-39303-8_22
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-39302-1
Online ISBN: 978-3-030-39303-8
eBook Packages: Computer ScienceComputer Science (R0)