Evaluation of a Startup Program Identification for Efficient and Accurate IoT Security Investigations
摘要
Not all file in firmware are executed while using Internet of Things (IoT) devices and hundreds to approximately a thousand executable and linkable format files exist in one firmware. Therefore, security investigations without prioritization may lead to investigate programs that are not executed while using IoT devices first. This has resulted in inefficient security investigations. To perform efficient security investigations, we proposed a method that can identify programs executed during the startup process. However, only two firmware were used for the evaluation which can only evaluate one of the two startup sequences in the OpenWrt-based firmware. In addition, security investigations to validate whether the proposed method addresses the problem of inefficient security investigations were limited to OpenWrt-based firmware. In this study, we use more firmware data for evaluation and validation. We use nine firmware not used in previous studies including startup methods that have not previously been used for evaluation. In addition, we increase the number of firmware used for validation to 225. The evaluation results demonstrate that the proposed method can identify with only few false positives. The validation demonstrates that efficiency can be improved and prioritizing investigations by considering the proposed method result is worthwhile.