Recently, CNCERT released the Open Source Software Code Security Defect Analysis Report: Internet of Things Software Topic. The report selects 20 well-known IoT open source software projects from around the world for source code security defect analysis and evaluates the security of each project on the basis of defect analysis tool results and manual audit. The 360 Code Guard team provided technical support for this report.
The following is the full report:
Analysis Report on Source Code Security Defects of Open Source Software: Internet of Things Software
1. Overview
With the rapid development of software technology, open source software is now used worldwide; surveys indicate that 99% of organizations use open source software in their IT systems. Security problems in the code of open source software therefore have a broad and serious impact. To understand the security posture of open source software, CNCERT continuously analyzes the source code security defects of widely used, well-known open source software and publishes a quarterly security defect analysis report.
Since the International Telecommunication Union (ITU) formally proposed the concept of the Internet of Things (IoT) in 2005, IoT has gained recognition rapidly around the world. With the development of IoT technology, large numbers of smart home and wearable devices have entered people's lives, and "everything connected" has become an important direction for the future of the global network. According to a Gartner report, the number of IoT devices worldwide will reach 26 billion in 2020. However, because security standards lag behind and smart device manufacturers lack security awareness and investment, the IoT carries serious hidden risks that threaten personal privacy, enterprise information security and even national critical infrastructure.
In this report, 20 well-known IoT open source software projects from around the world are selected for source code security defect analysis, and the security of each project is evaluated on the basis of defect analysis tool results and manual audit. The results show that, compared with the other open source software examined in earlier reports, IoT software contains more security defects, and the potential security problems cannot be ignored. In addition, the technical staff randomly selected detected defects for manual verification and found exploitable vulnerabilities through which an attacker could gain control of an IoT cloud server. If such a vulnerability is exploited, IoT devices are at risk of being remotely manipulated.
2. Tested open source software
Twenty representative open source IoT software projects were selected on the basis of user numbers, level of attention and update frequency. Table 1 lists the tested projects in descending order of GitHub stars. The tested software covers C, C++, Java, JavaScript (JS) and other programming languages. These projects are internationally known and widely used, and some are developed by well-known software companies. Because most of them have very large user bases, security defects in them are likely to cause serious consequences.
Table 1 Overview of tested open source software projects

| Project | Version | Main language | Description | Lines of code | GitHub stars |
|---|---|---|---|---|---|
| Serverless | master | JS | Framework for building web, mobile and IoT applications on a serverless architecture | 20,150 | 26,124 |
| Node-RED | master | JS | Visual tool for wiring together IoT devices and services | 100,840 | 6,447 |
| JerryScript | v1.0 | C | Ultra-lightweight JavaScript engine for IoT | 97,559 | 3,223 |
| ArduinoJson | v5.13.4 | C++ | JSON library for IoT | 27,583 | 3,078 |
| POCO | v1.9.0 | C++ | Cross-platform C++ libraries for network application development on desktop, server, mobile, IoT and embedded systems | 526,721 | 2,929 |
| CrateDB | master | Java | Distributed SQL database for storing and analysing large volumes of machine data in real time | 314,984 | 2,131 |
| ThingsBoard | master | Java | IoT platform for data collection, processing, visualization and device management | 112,704 | 1,987 |
| RIOT | 2018.10 | C | Real-time, multithreaded operating system for common IoT devices | 1,341,539 | 1,979 |
| Blynk Library | v0.5.4 | C++ | Blynk library for embedded hardware; Blynk is an IoT application platform that simplifies building mobile and web IoT applications | 17,206 | 1,831 |
| IoT.js | master | JS | IoT platform built on JavaScript | 42,910 | 1,826 |
| OpenThread | v2.0.0 | C++ | Open source implementation of the Thread networking protocol | 661,696 | 1,713 |
| Blynk Server | v0.39.6 | Java | Netty-based Java server that relays messages between Blynk mobile applications and embedded devices | 75,555 | 1,097 |
| Kaa | master | Java | Open source middleware platform for building, managing and integrating connected products and devices | 461,511 | 984 |
| MySensors | v2.3.0 | C++ | DIY smart home and IoT framework | 17,788 | 871 |
| SmartHome | master | Java | Flexible smart home framework | 801,053 | 745 |
| OpenIoT | develop | Java | IoT middleware infrastructure supporting flexible configuration and deployment of data collection, stream filtering and event processing algorithms for connected devices | 269,387 | 369 |
| Freedomotic | v5.6.0 | Java | Open IoT framework | 259,708 | 258 |
| Link Kit SDK | v2.3.0 | C | Alibaba Cloud IoT suite | 56,384 | 257 |
| SiteWhere | master | Java | Industrial-strength open source application enablement platform for IoT | 216,796 | 235 |
| IotXmpp | master | Java | XMPP-based Android client for interacting with IoT nodes | 130,607 | 118 |
3. Test content
3.1 Types of security defects
This test covers the common types of security defects. Taking into account the cause of each defect, the likelihood that it can be exploited, the degree of harm it can cause and the difficulty of fixing it, common security defects are divided into eight categories:
1. Input validation
Input validation and representation problems are usually caused by special characters, encodings and number representations, and stem from trusting input. They include buffer overflow, cross-site scripting, SQL injection, command injection and so on.
2. API usage
An API is a contract between caller and callee. Most API misuse results from the caller misunderstanding that contract. Not using an API where one is required can also cause security problems.
3. Security features
This category covers authentication, access control, confidentiality, use of cryptography and privilege management.
4. Parallel computing
The interaction between threads and processes, and the order in which tasks execute, are often governed by shared state such as semaphores, variables and file systems. Defects in this category include race conditions and misuse of blocking calls.
5. Error and exception handling
These defects concern the handling of errors and exceptions. The most common is that an error is handled improperly (or not at all), causing the program to terminate unexpectedly; another is that error output reveals too much information to a potential attacker.
6. Code quality
Poor code quality leads to unpredictable behaviour and lets an attacker threaten the system in unexpected ways. Common defects include dead code, null pointer dereference and resource leaks.
7. Encapsulation and hiding
Sound encapsulation separates validated data from unvalidated data, one user's data from another's, and data users may see from data they may not. Common defects include hidden form fields, information leakage and cross-site request forgery.
8. Code running environment
These defects lie outside the source code itself, for example in runtime configuration and the management of sensitive information, but they are still critical to product security.
The first seven categories are security defects in the source code itself. They can be the target of malicious attacks, and once exploited they lead to serious consequences such as information disclosure, privilege escalation and command execution. The last category describes security problems outside the code proper, which readily cause serious problems such as abnormal software operation and data loss.
3.2 Security defect levels
Source code security defects are divided into three levels: high, medium and low. The level is measured along two dimensions, confidence and severity. Confidence is the likelihood that a reported problem is accurate; for example, the confidence of flagging every strcpy() call as a buffer overflow is very low. Severity is how serious the problem is, assuming the detection is correct; for example, a buffer overflow is usually more serious than a null pointer dereference. Combining these two factors classifies security issues accurately, as shown in Figure 1.
Figure 1 Relationship between defect level, severity and confidence
4. Security defects in the open source IoT software projects
4.1 Overview of security defects
Figure 2 Defects found in the open source software projects
The results show that every selected open source IoT project has security problems of some degree. A total of 667 high-risk and 3,702 medium-risk defects were found. The projects with the most defects are in a state that attackers can readily exploit, and users of them need to apply patches or upgrade to repaired versions.
Among all the tested software, Blynk Library, the device-side library of the Blynk IoT application platform, was the most secure (no high-risk defects and 3 medium-risk defects). The IoT application framework Serverless, the JavaScript IoT development platform IoT.js and the IoT real-time operating system RIOT also had few defects and good overall security.
OpenIoT, the IoT middleware infrastructure platform, had the most high-risk defects of the 20 projects tested: 370 high-risk and 669 medium-risk defects. These include 556 input validation defects, of which 283 are cross-site scripting problems (high risk), and 344 unreleased-resource problems (medium risk). The project should strengthen its management of security defects, in particular the filtering and validation of user input that arrives from outside the trust boundary, and should further improve code quality so that attackers cannot use resource leaks to mount denial-of-service attacks.
POCO had the largest total of medium- and high-risk defects: 1 high-risk and 1,380 medium-risk defects. Among them, 748 are "bit operations on operands of different widths", 300 are "use of unsafe memory copy functions" and 234 are "signedness not defined when comparing character types". These problems reduce the stability and portability of the program, may cause unexpected behaviour, and also increase security risk. The project's developers are advised to raise their security awareness and use code defect scanning tools during development to improve code quality and security.
Because the absolute number of defects may depend on project size, this report also calculates the number of defects per thousand lines of code to reflect defect density. By this measure the IoT real-time operating system RIOT has only 0.002 defects per thousand lines, an average of less than one medium- or high-risk defect per 100,000 lines of code, the lowest defect density of all the software tested. Other projects with low defect density include the IoT application framework Serverless and the JavaScript IoT development platform IoT.js, which average less than one medium- or high-risk defect per 10,000 lines of code. The projects with relatively high defect density are MySensors (6.97), OpenIoT (3.79) and the IoT JavaScript engine JerryScript (3.53), each averaging several medium- or high-risk defects per 1,000 lines of code.
4.2 Distribution of high-risk security defects
This part analyzes the distribution of high-risk defects. Figure 3 shows their distribution across the tested projects. Most of them are input validation defects, which are mainly caused by insufficient validation of user input and give rise to buffer overflow, path traversal, cross-site scripting and various injection defects. Once an attacker supplies crafted input, these can lead to serious consequences such as arbitrary command execution and arbitrary file reading.
Figure 3 Distribution of high-risk security defects in the tested projects (by category)
Figure 4 further shows the distribution of specific high-risk defect types. For readability, defect types that occur no more than 10 times are grouped as "others", mainly out-of-bounds access (9) and hard-coded passwords (6). Across the 20 projects, the most frequent specific defect types are cross-site scripting (488), path traversal (76) and SQL injection (53). Because the software tested in this phase consists mainly of IoT application development frameworks that provide IoT server-side services, these defects greatly increase the risk of the server being taken over by an attacker, and with it the risk of IoT devices being maliciously manipulated and users' personal privacy being disclosed.
Figure 4 Distribution of high-risk security defects in the tested projects (by specific defect type)
4.3 Overall distribution of security defects
The preceding analysis of the projects' security status was based on high-risk defects. In general, medium-risk defects are less harmful in the actual operating environment than high-risk defects, but they still cannot be ignored, and to a certain extent they reflect the code quality of a project and how much attention its developers pay to code security. To give a more complete picture, this section shows the overall distribution of security defects, including medium-risk defects.
Figure 5 shows the distribution of security defects in the tested projects. Compared with the distribution of high-risk defects alone, the proportion of code quality and API usage defects rises sharply. The projects contain many problems such as "improper bit operations", "improper character comparison", "resource not released" and "use of unsafe functions", which reflect poor programming habits. Compared with input validation problems, these are harder for an attacker to exploit, but once exploited they can still cause serious consequences such as denial of service and arbitrary command execution.
Figure 5 Distribution of medium- and high-risk security defects in the tested projects (by category)
Table 2 further shows the distribution of specific medium- and high-risk defect types. A total of 85 medium- and high-risk defect types were detected; for readability only 50 are listed in the table.
Table 2 Distribution of medium- and high-risk security defects in the tested projects (by specific defect type)

| Medium- or high-risk defect type | Occurrences |
|---|---|
| Bit operation on operands of different widths | 1,076 |
| Cross-site scripting | 571 |
| Resource not released | 562 |
| Unsafe memory copy function | 352 |
| Improper character type comparison | 256 |
| Null pointer dereference | 157 |
| Unsafe string handling function | 132 |
| Path traversal | 98 |
| SQL injection | 97 |
| Servlet thread safety | 90 |
| XML external entity injection | 90 |
| Privacy leak | 63 |
| Improper format string | 62 |
| Hard-coded password | 53 |
| Unchecked loop condition | 52 |
5. Comparison of project security across this year's reports
This part compares the IoT software projects tested in this period with the artificial intelligence software and development framework software tested in earlier periods of this year, in terms of the average number of defects per thousand lines of code.
Figure 6 Comparison of defects per thousand lines of code across software fields tested in 2018
As Figure 6 shows, the security defect density of IoT software is high, which to some extent reflects the relatively weak security awareness of smart device manufacturers. Developers of IoT software should pay more attention to code security and take effective measures to improve it.
6. Defect verification
Of the security defects detected, the report team randomly selected several for manual verification and confirmed exploitable vulnerabilities. This part uses the Blynk Server path traversal vulnerability as an example. Blynk Server is the server-side component of the Blynk IoT platform and is mainly used to relay messages between Blynk mobile applications and embedded devices.
Figure 7: Screenshot of the path traversal vulnerability in Blynk Server (version 0.39.6)
Figure 7 shows the code fragment in question. The code takes the URI supplied by the user (line 188) and reads the corresponding file (line 210) without any validation or filtering, so a user can traverse the server's file system with "../" and obtain the contents of any file. For example, as shown in Figure 8, sensitive content such as the system account file can be obtained through the URL "/static/js/../etc/passwd". Because Blynk Server relays messages between the mobile application and the microcontroller boards of IoT devices, an attacker who gains control of the server can intercept all messages from the IoT devices, disclosing the personal privacy of their owners, and can also tamper with the commands sent to the devices to control them remotely.
The vulnerability was confirmed by the Blynk Server developers and assigned CVE-2018-17785; it is fixed in version 0.39.13 and later. Users of the software are advised to update to the latest version as soon as possible to avoid unnecessary security risk.
Figure 8: Screenshot of the path traversal vulnerability in Blynk Server (version 0.39.6)
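To illustrate the class of defect described above, here is an added example (not Blynk Server's own code) of a hypothetical static-file resolver: `resolveUnchecked` shows the pattern the report describes, where the request URI is joined to the document root and read as-is, and `resolveChecked` shows the fix of normalising the path and verifying that it still lies below the document root before any file is opened. The root directory and the sample URIs in `main` are constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Hypothetical resolver for a static-file handler; not Blynk Server's own code.
public final class StaticFileResolver {
    private final Path root;

    public StaticFileResolver(Path root) {
        // Canonical, absolute document root; every served file must stay below it.
        this.root = root.toAbsolutePath().normalize();
    }

    // The defect pattern the report describes: the request URI is appended to the
    // document root and read as-is. Kept only to contrast with resolveChecked().
    public Path resolveUnchecked(String uri) {
        return root.resolve(stripLeadingSlash(uri));
    }

    // Hardened form: parse the URI, collapse "." and ".." segments, then verify the
    // result is still inside the document root before touching the file system.
    public Optional<Path> resolveChecked(String rawUri) {
        String path;
        try {
            path = new URI(rawUri).getPath(); // drops any query string, decodes %2E etc.
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        if (path == null || path.isEmpty() || path.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        Path candidate = root.resolve(stripLeadingSlash(path)).normalize();
        // Path.startsWith compares whole name elements, so /srv/www-old is not accepted for /srv/www.
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    private static String stripLeadingSlash(String p) {
        // Without this, root.resolve("/etc/passwd") would return the absolute path unchanged.
        return p.startsWith("/") ? p.substring(1) : p;
    }

    public static void main(String[] args) {
        // Constructed document root and request URIs for the demonstration.
        StaticFileResolver r = new StaticFileResolver(Paths.get("/srv/blynk/static"));
        String[] uris = {
            "/js/app.js",                                  // legitimate asset
            "/js/../../../../etc/passwd",                  // constructed traversal attempt
            "/js/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"   // same attempt, percent-encoded
        };
        for (String u : uris) {
            System.out.println(u + " -> unchecked: " + r.resolveUnchecked(u)
                + " | checked: " + r.resolveChecked(u).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

If the document root may contain symbolic links, also compare `candidate.toRealPath()` with `root.toRealPath()` once the file is known to exist, since `normalize()` works on the path string alone and does not follow links.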
7. Notes on this report
1. This report analyzes defects from the code perspective only. The defects counted are potential security risks arising from improper coding that may be exploited by attackers. In a real system, because of the constraints of the deployment environment and security equipment, some defects may not be verifiable by penetration testing.
2. The defects in this report apply only to the specific software versions listed in Table 1. The report no longer applies once the software has been updated, modified or optimized.
3. This report was supported by the 360 Code Guard team.
When reposting, please credit: reposted from 360 Code Guard, www.codesafe.cn.