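Graduate student: Fang, Yuan-Ting (方元廷)
Thesis title: Information leakage estimation of IoT applications (物聯網應用程式之資訊洩漏評估)
Advisor: Fang, Yu (郁方)
Oral defense committee: Chen, Yu-Fang (陳郁方); Hsiao, Shun-Wen (蕭舜文)
Degree: Master
Department: College of Commerce - Department of Management Information System
Year of publication: 2018
Academic year of graduation: 106
Language: English
Number of pages: 46
Keywords (Chinese, translated): Internet of Things, information leakage, symbolic execution, Python, side-channel attack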
DOI URL: http://doi.org/10.6814/THE.NCCU.MIS.021.2018.A05
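  • With the rapid progress in hardware speed and price, the Internet of Things has gradually become a part of our lives. To prevent IoT applications from being abused, authentication functionality is commonly found in programs. However, if these authentication functions leak information while the program executes, this poses a major threat to the system's authentication mechanism and opens a backdoor for people with malicious intentions. A side-channel attack is a method of obtaining a program's internal information by observing its execution.
    This thesis proposes an instruction-level method to estimate the information leakage of IoT applications. We first convert Python opcodes into a control flow graph, then symbolically execute the instructions in the order given by the control flow graph using a depth-first strategy, finally producing path constraints and instruction sets, and we treat the instruction sets as observables. Finally, according to whether the observables are the same or different, we use the Automata Based model Counter to estimate the number of times each path occurs and compute its probability of occurrence. Using these probabilities, we can obtain the Shannon entropy and use this figure to evaluate the program's information leakage.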


    With devices and connections rapidly becoming cheaper and faster, Internet of Things (IoT) techniques are gradually becoming ubiquitous and will soon be a part of our lives. To prevent IoT applications from being abused, programs often include authentication functionality. However, if these programs leak secrets during execution, the leak may damage the authentication mechanism and thus open a backdoor for people with malicious intentions. A side-channel attack, which observes execution differences, is a way to obtain the secret behind a program.
    This paper presents an instruction-level technique to estimate the information leakage of IoT applications. To facilitate analysis of IoT applications, we first parse Python opcodes to construct the control flow graph (CFG), and symbolically execute the code by traversing the CFG with a depth-first strategy to generate path constraints and their instruction sets as observables. Finally, we use the Automata Based model Counter (ABC) to perform model counting for each observable of path execution. Calculating the Shannon entropy from the probabilities of path executions enables us to evaluate the information leakage of target programs.

    1 Introduction
    2 Related Work
    2.1 Side Channel Attack
    2.2 Vulnerability Detection
    2.3 Symbolic Execution
    2.4 Information Leakage Estimation
    3 A Motivating Example
    4 Methodology
    4.1 Program Extraction
    4.1.1 Code Disassembly
    4.1.2 Control Flow Graph Construction
    4.2 Constraint Generation
    4.2.1 Symbolic Execution
    4.2.2 Parameterized Path Constraints Generation
    4.2.3 SMT Constraint Generation
    4.3 Leakage Estimation
    4.3.1 Model Counting
    4.3.2 Entropy Calculation
    5 Experiments
    5.1 Password Checking
    5.2 Codes of an Open-sourced Project
    6 Conclusion
    References
