A survey on Iot security: Application Areas, Security Threats, and Solution Architectures
C. SECURITY ISSUES AT MIDDLEWARE LAYER
tải về 6.16 Mb. Chế độ xem pdf
|
thong-tin-so bao-cao-qpsk-1 - [cuuduongthancong.com]
| C. SECURITY ISSUES AT MIDDLEWARE LAYER
The role of the middleware in IoT is to create an abstraction layer between the network layer and the application layer. Middleware can also provide powerful computing and stor- age capabilities [29]. This layer provides APIs to fulfill the demands of the application layer. Middleware layer includes brokers, persistent data stores, queuing systems, machine learning, etc. Although the middleware layer is useful to provide a reliable and robust IoT application, it is also sus- ceptible to various attacks. These attacks can take control of the entire IoT application by infecting the middleware. Database security and cloud security are other main security challenges in the middleware layer. Various possible attacks in the middleware layer are discussed as follows. 1. Man-in-the-Middle Attack: The MQTT protocol uses publish-subscribe model of communication be- tween clients and subscribers using the MQTT bro- ker, which effectively acts as a proxy. This helps in decoupling the publishing and the subscribing clients from each other and messages can be sent without the knowledge of the destination. If the attacker can con- trol the broker and become a man-in-the-middle, then he/she can get complete control of all communication without any knowledge of the clients. 2. SQL Injection Attack: MIddleware is also suscep- tible to SQL Injection (SQLi) attacks. In such at- tacks, attacker can embed malicious SQL statements in a program [30], [31]. Then, the attackers can obtain private data of any user and can even alter records in the database [32]. Open Web Application Security Project (OWASP) has listed SQLi as a top threat to web security in their OWASP top 10 2018 document [33]. 3. Signature Wrapping Attack: In the web services used in the middleware, XML signatures are used [34]. In a signature wrapping attack, the attacker breaks the signature algorithm and can execute opera- tions or modify eavesdropped message by exploit- ing vulnerabilities in SOAP (Simple Object Access Protocol) [35]. 4. Cloud Malware Injection: In cloud malware injec- tion, the attacker can obtain control, inject malicious code or can inject a virtual machine into the cloud. The attacker pretends to be a valid service by trying to create a virtual machine instance or a malicious service module. In this way, the attacker can obtain access to service requests of the victim’s service and can capture sensitive data which can be modified as per the instance. 5. Flooding Attack in Cloud: This attack works almost the same as DoS attack in the cloud and affects the quality of service (QoS). For depleting cloud resources, the attackers continuously send multiple requests to a VOLUME x, 2019 7 This work is licensed under a Creative Commons Attribution 3.0 License. For more information, see http://creativecommons.org/licenses/by/3.0/. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2019.2924045, IEEE Access Vikas Hassija et al.: A Survey on IoT Security: Application Areas, Security Threats, and Solution Architectures service. These attacks can have a big impact on cloud systems by increasing the load on the cloud servers. tải về 6.16 Mb. Chia sẻ với bạn bè của bạn:
|