Principal Investigator: Jamie Davis
Embedded software makes the world go 'round. Static and dynamic analysis of embedded software is a necessary capability for high-assurance software engineering (e.g., IEC 61508, ISO 26262). These capabilities facilitate many security tasks, e.g., vulnerability detection and repair, and reverse engineering. This project evaluates the security of embedded software applications as well as the infrastructure on which they depend, such as embedded network stacks (lwIP, etc.) and real-time operating systems (RTOSes like FreeRTOS). We are evaluating static analysis options and identifying shortcomings. We are performing vulnerability analysis to identify common weaknesses across vendors. We are working on automated rehosting to apply state-of-the-art dynamic analysis techniques (e.g., fuzzing) in a UNIX environment.
Other PIs: Aravind Machiry (ECE)
Students: Paschal Amusuo (PhD student @ECE), Ritvik Tanksalkar (PhD student @ECE)
Towards Automated Identification of Layering Violations in Embedded Applications (WIP).
Shen, Davis, and Machiry.
Proceedings of the 24th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES) 2023.
Systematically Detecting Packet Validation Vulnerabilities in Embedded Network Stacks.
Amusuo, Méndez, Xu, Machiry, and Davis.
Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE’23) 2023.
Towards Rehosting Embedded Applications as Linux Applications.
Srinivasan, Tanksalkar, Amusuo, Davis, and Machiry.
Proceedings of the 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks — Disrupt track (DSN-Disrupt) 2023.
An Empirical Study on the Use of Static Analysis Tools in Open Source Embedded Software.
Shen, Pillai, Yuan, Davis, and Machiry.
arXiv 2023.
“If security is required”: Engineering and Security Practices for Machine Learning-based IoT Devices.
Gopalakrishna, Anandayuvaraj, Detti, Bland, Rahaman, and Davis.
Proceedings of the 4th International Workshop on Software Engineering Research & Practices for the Internet of Things (SERP4IoT) 2022.
Keywords: analysis, CPS, cyber-physical systems, fuzzing, real-time operating systems, RTOS