10:00 - 10:30
||Welcoming & Coffee Break|
10:30 - 11:30
||Keynote I: Nikolai
Kosmatov - CEA LIST (CEA, Saclay) - France (chair Shahid Raza)
Towards Formal Verification of IoT operating systems with Frama-C
Abstract: Connected devices and services, also referred to as the Internet of Things (IoT), have proliferated very quickly in the past years. There are now billions of interconnected devices, and this number is rapidly growing. Some of these devices are in service in security critical domains, and even in domains that are not necessarily critical, privacy issues may arise with devices collecting and transmitting a lot of personal information. Moreover, insufficiently secured devices may become a target for massive distributed denial-of-service attacks. This raises important security challenges. It is natural to expect that formal methods—that have been successfully used for years in highly critical domains—can now help to bring security into the IoT field.
A major security threat for IoT devices is related to the underlying software, and in particular, to the operating systems running the connected device. In this talk, we present recent efforts on formal verification of Contiki, an open-source OS for IoT, using the Frama-C verification platform. Contiki provides basic OS features on an event-based kernel, including a scheduler and a networking stack. Contiki focuses on low-power IPv6 connectivity and typically targets devices with an 8 to 32-bit MCU without Memory Management Unit. This makes such devices a target of choice for attackers.
We describe how formal verification with Frama-C can be applied for verification of IoT operating systems and illustrate it for different critical modules of Contiki, namely the memory allocation module, the AES-CCM cryptographic modules, and the linked list module. We discuss the current achievements and future work perspectives. This talk is based on a joint work with Allan Blanchard, Simon Duquennoy, Frédéric Loulergue, Frédéric Mangano, Alexandre Peyrard, and Shahid Raza.
11:30 - 12:00
||Research papers - Chair: Bengt Jonsson
An Auditing Framework For Vulnerability Analysis of IoT System
Ibrahim Nadir, Haroon Mahmood, Ghalib A. Shah, Zafeer Ahmed, Hassam Khan, Muhammad Umair and Usman GulzarGang Tang, Trent Jaeger.
OneM2M Architecture Based Secure MQTT Binding in Mbed OS
Muhammad Ahsan, Bilal Afzal, Bilal Imran, Asim Tanwir, Ali H. Akbar and Ghalib A. Shah
|12:30 - 14:00||Lunch Break|
14:00 - 15:00
|| Keynote II: Andrei Sabelfeld -
Chalmers University of Technology (chair Alejandro Russo)
Securing IoT Apps
Abstract: IoT apps empower users by connecting a variety of otherwise unconnected services. Unfortunately, the power of IoT apps can be abused by malicious app makers, unnoticeably to users. We demonstrate that popular IoT app platforms are susceptible to several classes of attacks that violate user privacy, integrity, and availability. We estimate the impact of these attacks by an empirical study. We suggest short/medium-term countermeasures based on fine-grained access control and long-term countermeasures based on information flow tracking. We illustrate our findings on two types of IoT app platforms: user automation apps (as supported by IFTTT, Zapier, and Microsoft Flow) and in-vehicle apps (as supported by Android Automotive).
The talk is based on joint work, partly with Iulia Bastys and Musard Balliu and partly with Benjamin Eriksson.
15:00 - 15:30
|| Research papers Chair: Bengt Jonsson
Network Reconnaissance and Vulnerability Excavation of Secure DDS Systems
Ruffin White, Gianluca Caiazza, Chenxu Jiang, Xinyue Ou, Zhiyue Yang, Agostino Cortesi and Henrik Christensen
15:30 - 16:00
16:00 - 16:40
|| Software IoT Security SSF Projects Presentations - Chair: Kostis Sanogas
Dragen2: Random generation of highly structure data, Agustín Mista (Octopi, Chalmers)
DPella: Differential privacy with accuracy. Alejandro Russo (Octopi, Chalmers)
Analyzing DTLS implementations using Model Learning, Paul Fiterau-Brostean (aSSIsT, Uppsala University)
Hardware-based Trusted Execution Environment for Battery-powered IoT. Sileshi Demesie (aSSIsT, RISE)
The Internet of Things (IoT), connecting large numbers of small embedded devices to the internet, is currently being deployed in critical infrastructures, factories, hospitals, smart buildings, and so on. Compromised or faulty IoT components and systems can cause catastrophic damage to individuals, companies, and society. However, existing software for IoT has not been designed with security as a main objective, but rather to cope with constrained memory, power, processing, and bandwidth resources. Consequently, techniques are needed by which software for IoT can achieve a highest level of security and safety. Such techniques are getting mature for other domains, in particular for mainstream computing systems, but IoT devices feature peculiar characteristics that hinder employing conventional software security techniques. There is a great push to bring advanced software security to IoT. At the same time, a targeted scientific IoT software security forum for discussions, publications and networking is currently lacking.
The IEEE Workshop on Software Security for IoT (SSIoT) 2019 is the first international conference focusing primarily on the software security for the Internet of Things (IoT). SSIoT aims to provide a forum for exploring and evaluating ideas on bringing secure software to IoT and a venue to publish novel research ideas on this topic. SSIoT strongly encourages proposals of new, speculative ideas, evaluations of new or known techniques in practical settings, and discussions of emerging threats and important problems. We are especially interested in position papers that are radical, forward-looking, and likely to lead to lively and insightful discussions that will influence future research on IoT security.The scope of SSIoT includes, but is not limited to:
We invite both full papers and short papers. For short papers we especially encourage the submission of position papers that are likely to generate lively discussion.
Submissions should be PDF documents formatted according to the IEEE EuroS&P 2019 formatting requirements provided at https://www.ieee-security.org/TC/EuroSP2019/cfp.php . Both full and short papers must describe work not published in other refereed venues. Accepted papers will appear as publication through IEEE Xplore in a volume accompanying the main IEEE EuroS&P 2019 proceedings.
Submissions should be anonymized for review. Please refer to your own related work in the third person, as though someone else had written it. This also includes, e.g., data sets: "We received data from the authors of  which we reused for this experiment." Do not blind citations except in extraordinary circumstances.
In keeping with IEEE guidelines, all submissions must be original work; authors must clearly document any overlap with previously published or simultaneously submitted papers from any of the authors. Simultaneous submission of the same paper to another venue with proceedings or a journal is not allowed. Serious infringements of these policies may cause the paper to be rejected from publication and the authors put on a warning list, even if the paper is initially accepted by the program committee.