ISSTA 2022
Mon 18 - Fri 22 July 2022 Online
Thu 21 Jul 2022 01:20 - 01:40 at ISSTA 2 - Session 1-6: Concurrency, IoT, Embedded A
Thu 21 Jul 2022 07:00 - 07:20 at ISSTA 2 - Session 2-8: Concurrency, IoT, Embedded B

As the core of IoT devices, firmware is undoubtedly vital. Currently, the development of IoT firmware heavily depends on third-party components (TPCs), which significantly improves the development efficiency and meanwhile reduces the cost. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will turn back influence the security of IoT firmware. Currently, existing works pay less attention to the vulnerabilities caused by TPCs and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement FirmSec, which leverages syntactical features and control-flow graph features to detect the TPCs at version-level in firmware, and then recognizes the corresponding vulnerabilities. Based on FirmSec, we present the first large-scale analysis of the usage of TPCs and the corresponding vulnerabilities in firmware. More specifically, we perform an analysis on 34,136 firmware images, including 11,086 publicly accessible firmware images, and 23,050 private firmware images from TSmart. We successfully detect 584 TPCs and identify 128,757 vulnerabilities caused by 429 CVEs. Our in-depth analysis reveals the diversity of security issues for different kinds of firmware from various vendors, and discovers some well-known vulnerabilities are still deeply rooted in many firmware images. We also find that the TPCs used in firmware have fallen behind by five years on average. Besides, we explore the geographical distribution of vulnerable devices, and confirm the security situation of devices in several regions, e.g., South Korea and China, is more severe than in other regions. Further analysis shows 2,478 commercial firmware images have potentially violated GPL/AGPL licensing terms. To facilitate future research, we will open-source our dataset.

Thu 21 Jul

Displayed time zone: Seoul change

01:20 - 02:20
Session 1-6: Concurrency, IoT, Embedded ATechnical Papers at ISSTA 2
01:20
20m
Talk
A Large-Scale Empirical Analysis of the Vulnerabilities Introduced by Third-party Components in IoT Firmware
Technical Papers
Binbin Zhao Georgia Institute of Technology, Shouling Ji Zhejiang University, Jiacheng Xu Zhejiang University, Yuan Tian University of Virginia, Qiuyang Wei Zhejiang University, Qinying Wang Zhejiang University, Chenyang Lyu Zhejiang University, Xuhong Zhang Zhejiang University, Changting Lin Binjiang Institute of Zhejiang University, Jingzheng Wu Institute of Software, The Chinese Academy of Sciences, Raheem Beyah Georgia Institute of Technology
DOI
01:40
20m
Talk
Detecting Multi-Sensor Fusion Errors in Advanced Driver-Assistance Systems
Technical Papers
Ziyuan Zhong Columbia University, Zhisheng Hu Baidu Security, Shengjian Guo Baidu Security, Xinyang Zhang Baidu Security, Zhenyu Zhong Baidu USA, Baishakhi Ray Columbia University
DOI
02:00
20m
Talk
Understanding Device Integration Bugs in Smart Home System
Technical Papers
Tao Wang , Kangkang Zhang Institute of Software Chinese Academy of Sciences, Wei Chen Institute of Software at Chinese Academy of Sciences, China, Wensheng Dou Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Jiaxin Zhu Institute of Software at Chinese Academy of Sciences, China, Jun Wei Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Tao Huang Institute of Software Chinese Academy of Sciences
DOI
07:00 - 08:00
Session 2-8: Concurrency, IoT, Embedded BTechnical Papers at ISSTA 2
07:00
20m
Talk
A Large-Scale Empirical Analysis of the Vulnerabilities Introduced by Third-party Components in IoT Firmware
Technical Papers
Binbin Zhao Georgia Institute of Technology, Shouling Ji Zhejiang University, Jiacheng Xu Zhejiang University, Yuan Tian University of Virginia, Qiuyang Wei Zhejiang University, Qinying Wang Zhejiang University, Chenyang Lyu Zhejiang University, Xuhong Zhang Zhejiang University, Changting Lin Binjiang Institute of Zhejiang University, Jingzheng Wu Institute of Software, The Chinese Academy of Sciences, Raheem Beyah Georgia Institute of Technology
DOI
07:20
20m
Talk
Automated Testing of Image Captioning Systems
Technical Papers
BoXi Yu The Chinese University of Hong Kong, Shenzhen, Zhiqing Zhong South China University of Technology, Xinran Qin South China University of Technology, Jiayi Yao The Chinese University of Hong Kong, Shenzhen, Yuancheng Wang The Chinese University of Hong Kong, Shenzhen, Pinjia He The Chinese University of Hong Kong, Shenzhen
DOI
07:40
20m
Talk
LiRTest: Augmenting LiDAR Point Clouds for Automated Testing of Autonomous Driving Systems
Technical Papers
An Guo Nanjing University, Yang Feng Nanjing University, Zhenyu Chen Nanjing University
DOI