‘CODE-BASED SECURITY FOR THE INTERNET OF THINGS’
The Internet of Things holds much promise, but not without significant security risks. One of the greatest sources of risks is poor software quality that leaves the door open enough to allow attackers to take control of the device. For the foreseeable future, the dominant implementation language for these devices will continue to be C, whose unforgiving semantics permits attackers to take advantage of otherwise innocent-looking programming mistakes or inconsistencies. Such defects typically proliferate at the interfaces between devices, so it is critical that programmers be able to understand how to find and fix the sources of these problems.
Hazardous information flow analysis (aka taint analysis) tracks how potentially dangerous information from untrusted inputs can flow through the code. When computed statically, this yields a view of the code that allows programmers to understand the program’s attack surface and where there are weaknesses that an attacker could exploit. This talk will describe how this analysis works and show how it can be used to find serious security vulnerabilities that are otherwise extremely difficult to find.