Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
12-2020
Abstract
As the IoT ecosystem has been growing fast recently, there have been various security concerns about this new computing paradigm. Malicious IoT apps gaining access to IoT devices and capabilities to execute sensitive operations (sinks), e.g., controlling door locks and switches, may cause serious security and safety issues. Unlike traditional mobile/web apps, IoT apps interact heavily with a wide variety of physical IoT devices and respond to environmental events, in addition to user inputs. It is therefore important to conduct comprehensive testing of IoT apps to identify possible anomalous behaviours. On the other hand, it is also important to optimize the number of test cases generated, considering that there may be many possible ways in which apps, devices, environmental events, and user inputs interact. Existing works investigating security in IoT apps have been using ad-hoc testing approaches, in which test cases are usually designed to test some particular aspects of apps or devices. In this work, we develop an automated, smart fuzzing approach, called SmartFuzz, for testing Samsung SmartThings IoT apps. More specifically, SmartFuzz combines combinatorial test generation with light-weight program analysis, and aims to improve test coverage of sinks in an efficient, automated manner. We have implemented and evaluated our approach using a publicly available dataset of 60 SmartApps. The results have demonstrated the effectiveness and efficiency of SmartFuzz. In particular, SmartFuzz improved coverage of sinks by 184%, while generating and executing 20% fewer test cases as compared to ad-hoc testing.
Keywords
fuzzing, smart apps, IoT security, SmartThings
Discipline
Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
2020 27th Asia-Pacific Software Engineering Conference (APSEC): December 1-4, Singapore: Proceedings
First Page
365
Last Page
374
ISBN
9781728195537
Identifier
10.1109/APSEC51365.2020.00045
Publisher
IEEE
City or Country
Piscataway, NJ
Citation
SHAR, Lwin Khin; TA, Nguyen Binh Duong; JIANG, Lingxiao; LO, David; MINN, Wei; YEO, Kiah Yong Glenn; and KIM, Eugene.
SmartFuzz: An automated smart fuzzing approach for testing SmartThings apps. (2020). 2020 27th Asia-Pacific Software Engineering Conference (APSEC): December 1-4, Singapore: Proceedings. 365-374.
Available at: https://ink.library.smu.edu.sg/sis_research/5604
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/APSEC51365.2020.00045