Abstract
With the growing advances in Internet of Things (IoT) technology, it has become an indispensable part of many areas like home automation, industries, medical equipment, etc. Thus, the security of the IoT hardware and software is of utmost importance. The availability of secure IoT software components allows for better confidence in the use of IoT devices for consumers. IoT operating systems are core software components of the IoT ecosystem. There are a lot of IoT operating systems (OSes) available, but Real-time Operating System for IoT (RIOT) is one of the most commonly used open-source OS used by universities and businesses. As the RIOT source code is written in C, it inherently has some security vulnerabilities. With IoT devices having the characteristic of limited battery and computational capability, it is very challenging to detect cyber-attacks online. This would necessitate more rigorous security checks being performed on the device prior to deployment. For the security of the RIOT OS, the analysis techniques used in highly critical domains can also be applied to IoT software. Thus, the purpose of this work is to apply techniques such as formal verification to the crypto module of RIOT using a software analysis platform for C code, namely Frama-C in order to analyze the security aspects of the module.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Data availability
This article does not contain any dataset
References
Keerthi K, Indrani R, Aritra H, Chester R (2019) Formal verification for security in IoT devices. In: Chakraborty RS, Mathew J, Vasilakos AV (eds) Security and fault tolerance in internet of things. Springer, Berlin, pp 179–200
Mike D (2022) Formally verifying industry cryptography. IEEE Secur Priv 20(3):65–70
Hasan O, Tahar S (2015) Formal verification methods. In: Khosrow-Pour DBA (ed) Encyclopedia of information science and technology. Igi Global, Pennsylvania
Blanchard A, Kosmatov N, Loulergue F (2018) A lesson on verification of IoT software with Frama-C. In: 2018 International Conference on High Performance Computing & Simulation (HPCS), pp 21–30
Baccelli E, Hahm O, Günes M, Wählisch M, Schmidt TC (2013) RIOT OS: towards an os for the internet of things. In: 2013 IEEE Conference on Computer Communications Eorkshops (INFOCOM WKSHPS), pp 79–80
Cuoq P, Kirchner F, Kosmatov N, Prevosto V, Signoles J, Yakobowski B (2012) Frama-C: a software analysis perspective. Springer, Berlin, pp 233–247
Abdullah A-B, Khaled W, Mohammad E-R (2021) The presence, trends, and causes of security vulnerabilities in operating systems of IoT’s low-end devices. MDPI Sens 21(7):2329
McBride J, Arief B, Hernandez-Castro JC (2018) Security analysis of Contiki IoT operating system. ACM Digital Library Junction Publishing, pp 278–283
Mullen G (2019) Liam meany assessment of buffer overflow based attacks on an IoT operating system. Global IoT Summit (GIoTS)
Liang H, Zhao Q, Wang Y, Liu H (2016) Understanding and detecting performance and security bugs in IoT oses. In: 2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), IEEE, pp 413–418
Li D, Zhang Z, Liao W, Xu Z (2018) KLRA: a kernel level resource auditing tool for IoT operating system security. In: 2018 IEEE/ACM Symposium on Edge Computing (SEC), IEEE, pp 427–432
Koivunen L, Rauti S, Leppänen V (2016) Ville applying internal interface diversification to IoT operating systems. In: 2016 International Conference on Software Security and Assurance (ICSSA), IEEE, pp 1–5
Mäki P, Rauti S, Hosseinzadeh S, Koivunen L, Leppänen V (2016) Ville interface diversification in iot operating systems. In: Proceedings of the 9th International Conference on Utility and Cloud Computing, pp 304–309
Calatayud BM, Meany L (2022) A comparative analysis of Buffer Overflow vulnerabilities in High-End IoT devices. In: 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC), IEEE, pp 0694–0701.
empel S, Bruns T (2020) RIOT-POLICE: an implementation of spatial memory safety for the RIOT operating system. arXiv:2005.09516
Yuan S, Talpin JP (2021) Verified functional programming of an IoT operating system’s bootloader. In: Proceedings of the 19th ACM-IEEE International Conference on Formal Methods and Models for System Design, pp 89–97
Peyrard A, Kosmatov N, Duquennoy S, Raza S (2018) Towards formal verification of Contiki: analysis of the AES–CCM* modules with Frama-C. In: RED-IOT 2018-Workshop on Recent advances in secure management of data and resources in the IoT
Mangano F, Duquennoy S, Kosmatov N (2016) Formal verification of a memory allocation module of Contiki with Frama-C: a case study. In: International Conference on Risks and Security of Internet and Systems, Springer, pp 114–120
Blanchard A, Kosmatov N, Loulergue F (2018) Ghosts for lists: a critical module of Contiki verified in Frama-C. In: NASA formal methods: 10th international symposium, NFM 2018, Newport News, VA, USA, April 17-19, 2018, Proceedings, vol. 10. Springer, pp 37–53
AAlnaeli SM, Sarnowski M, Aman MS, Abdelgawad A, Yelamarthi K (2016) Vulnerable C/C++ code usage in IoT software systems. In: 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), IEEE, pp 348–352
Alnaeli SM, Sarnowski M, Aman M, Abdelgawad A, Yelamarthi K (2017) Source code vulnerabilities in IoT software systems. Adv Sci Technol Eng Syst J 2:1502–1507
Karaduman B, Challenger M, Eslampanah R, Denil J, Vangheluwe H (2020) Platform-specific modeling for riot based iot systems. In: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, pp 639–646
Boeckmann L, Kietzmann P, Lanzieri L, Schmidt T, Wählisch M (2022) Usable Security for an IoT OS: integrating the zoo of embedded crypto components below a common API. arXiv:2208.09281
Blanchard A (2020) Introduction to C program proof with Frama-C and its WP plugin In: Zeste de Savoir, júl
Garion C, Hattenberger G, Pollien B, Roux P, Thirioux X (2022) A gentle introduction to C code verification using the Frama-C platform. In: ISAE-SUPAERO; ONERA—The French Aerospace Lab; ENAC
Burghardt J, Gerlach J, Hartig K, Pohl H, Soto J (2010) Juan ACSL by example. In: DEVICE-SOFT project publication, Fraunhofer FIRST Institute
Todorov V, Boulanger F, Taha S (2018) Formal verification of automotive embedded software In: Proceedings of the 6th Conference on Formal Methods in Software Engineering
Krichen M (2023) A survey on formal verification and validation techniques for internet of things. Appl Sci 13(14):8122
Funding
No funding was received to assist with the preparation of this manuscript.
Author information
Authors and Affiliations
Contributions
J.G. and N.R. wrote the manuscript; N.R. performed experiments; N.R. and J.G prepared figures and Tables; all authors reviewed the manuscript.
Corresponding author
Ethics declarations
Conflict of interest
The authors declare that they have no Conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
