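Abstract: The Internet of Things (IoT), the "internet in which everything is connected", uses the extension and expansion of the internet to enable interconnected communication among devices such as radio frequency identification, infrared sensors, global positioning systems and laser scanners. The IoT architecture is complex, the security problems of its individual components are prominent, and traditional manual assessment methods are hard to apply. At present, there are few reports on how to assess the security of the IoT ecosystem as a whole from an attacker's perspective. Guided by threat modeling and based on IoT component decomposition theory, this article defines and identifies all possible attack surfaces and proposes a method for comprehensively assessing the security of the IoT ecosystem, providing a suitable entry point for automated penetration testing.
Keywords: Internet of Things; attack surface; automated penetration testing; threat modeling
CLC number: TP391.44; TN929.5  Document code: A  Article ID: 2096-4706(2020)01-0171-03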
The Research of Thread Attacking for Automated Penetration Testing Based on IoT
FENG Wei
(China Southern Power Grid Digital Grid Research Institute Co., Ltd., Guangzhou 511458, China)
Abstract: The IoT (Internet of Things) is regarded as the internet of all things. Through the extension and expansion of the internet, information-sensing devices such as radio frequency identification, infrared sensors, GPS and laser scanners are able to interconnect with each other. The architecture of the Internet of Things, a new technology, is extremely complex, and the security problems of its various components are particularly prominent. It is therefore difficult to apply the traditional manual evaluation method. At present, there are relatively few studies on the overall assessment of the ecosystem security of the Internet of Things from an attacker's perspective. Guided by threat modeling and based on component decomposition theory for the Internet of Things, this paper defines and identifies all possible attack surfaces and forms a method for assessing the security of the IoT ecosystem. It is intended to provide an appropriate entry point for automated penetration testing in future research.
Keywords: internet of things; attack surfaces; automated penetration testing; threat modeling
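About the author: FENG Wei (born March 1987), male, Han ethnicity, from Huanggang, Hubei; engineer, master's degree. Research interests: Web application security penetration testing and autonomous Web service composition.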