IOTSCA

A software and firmware composition analysis tool for Internet of Things devices.

Input

Prepare a .img file of your IoT device's firmware and give the image's path as input to our application.

Wait

Wait for the application to analyze the image. The image is extracted, then each file in the firmware's filesystem is analyzed using multiple methods.

Use

Issue commands to the presented interactive command line interface to use features of our product.

Cache

Since analysis takes time, our application caches the analysis results and the output of other features, so the application can be used repeatedly without re-analyzing the image.

What is IOTSCA?

The recent log4j vulnerabilities, found in many popular Java-based products, have shown that it is extremely important for developers and executives to know which components their projects use, along with the vulnerabilities of those components. In recent years the number of attacks on IoT devices, including life-critical devices such as medical devices, has also increased, so composition analysis is equally important for IoT devices. Because manually analyzing components one by one is time consuming, IOTSCA solves this problem by providing an automated IoT firmware and software composition analysis tool made for developers and security professionals.

IOTSCA is a cybersecurity tool built on public standards and databases such as CVE and CPE, and it features an interactive command line interface in the style of Metasploit. Users issue commands to use the project's main features.

  • Built on cyber security standards.
  • Easy to use for developers and cyber security professionals.
  • Formatted output that developers can easily process.
  • Extensible: developers can add further analysis methods.

Features

IOTSCA is an extensible application featuring an interactive command line interface, result caching and an automated local database updater.

List Components

List each component in the firmware along with details such as its name, version, type and CPE.

List Vulnerabilities

List the vulnerabilities of each component with their CVE IDs and descriptions, pretty-printed alongside the component they belong to.

List Licenses

List which license each component carries. Also list open source components and possible licensing issues if the firmware is meant to be redistributed.

Dependency Tree

Generate a dependency tree of the components and identify which component depends on which. Based on this dependency tree, also identify inherited vulnerabilities, i.e. vulnerabilities a component is exposed to through the components it depends on.

List Encryption Algorithms

List the encryption algorithms and cryptographic signatures used by each component. Also list strings residing in the component such as IP addresses, website addresses, usernames and passwords.

Output SBOM

Output a Software Bill of Materials in the CycloneDX format, giving a complete record of the analysis results, including components, vulnerabilities, etc.
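The dependency-tree, inherited-vulnerability and SBOM features above fit together as shown in this added example, which is not IOTSCA's own code: it takes a constructed component inventory (placeholder CPEs and CVE ids, not real identifiers), derives the vulnerabilities each component inherits through its transitive dependencies, and emits a CycloneDX 1.4 JSON-shaped BOM with components, a dependency graph and vulnerabilities.

```python
import json

# Constructed sample inventory standing in for a firmware scan result; the
# CPEs and CVE ids are placeholders, not real identifiers.
COMPONENTS = {
    "httpd@2.0":      {"type": "application", "cpe": "cpe:2.3:a:example:httpd:2.0:*:*:*:*:*:*:*",
                       "depends_on": ["libssl@1.0.2", "libc@2.28"], "cves": ["CVE-PLACEHOLDER-0002"]},
    "libssl@1.0.2":   {"type": "library", "cpe": "cpe:2.3:a:example:libssl:1.0.2:*:*:*:*:*:*:*",
                       "depends_on": ["libc@2.28"], "cves": ["CVE-PLACEHOLDER-0003"]},
    "libc@2.28":      {"type": "library", "cpe": "cpe:2.3:a:example:libc:2.28:*:*:*:*:*:*:*",
                       "depends_on": [], "cves": ["CVE-PLACEHOLDER-0001"]},
    "busybox@1.30.1": {"type": "application", "cpe": "cpe:2.3:a:example:busybox:1.30.1:*:*:*:*:*:*:*",
                       "depends_on": ["libc@2.28"], "cves": []},
}

def inherited_cves(components, ref):
    """CVEs a component inherits through its transitive dependencies (its own excluded)."""
    seen, stack, found = set(), list(components[ref]["depends_on"]), set()
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue  # guards against dependency cycles
        seen.add(dep)
        found.update(components[dep]["cves"])
        stack.extend(components[dep]["depends_on"])
    return sorted(found)

def build_sbom(components):
    """Build a CycloneDX 1.4 JSON-shaped BOM: components, dependency graph, vulnerabilities."""
    comps, deps, vulns = [], [], {}
    for ref, c in components.items():
        name, version = ref.split("@")
        comps.append({"type": c["type"], "bom-ref": ref, "name": name,
                      "version": version, "cpe": c["cpe"]})
        deps.append({"ref": ref, "dependsOn": c["depends_on"]})
        for cve in c["cves"]:  # one vulnerability entry per CVE, listing directly affected refs
            vulns.setdefault(cve, {"id": cve, "affects": []})["affects"].append({"ref": ref})
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": comps, "dependencies": deps,
            "vulnerabilities": sorted(vulns.values(), key=lambda v: v["id"])}

if __name__ == "__main__":
    print(json.dumps(build_sbom(COMPONENTS), indent=2))
    for ref in COMPONENTS:
        print(ref, "inherits", inherited_cves(COMPONENTS, ref))
```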


Team

Cevat Şener

Supervisor

Ahmet Emre Kılıç

Developer

Gökçe Kankaya

Developer

Göksel Kabadayı

Developer

Technologies