Abstract: A method, apparatus and system for determining a weakness or risk for devices of an Internet-of-things (IoT) network include determining a representation of a physical environment of the IoT network and expected physical and cyber interactions between the devices of the IoT network based at least in part on operating characteristics of the devices of the IoT network, monitoring the physical environment and actual interactions between the devices to generate a network model including at least one of uncharacteristic physical or cyber interaction paths between the devices, based on the determined network model, determining at least one weakness or risk of at least one of the IoT network or of at least one of the devices, and providing a metric of security of at least one of the IoT network or of at least one of the devices based on at least one of the determined weakness or risk.

Abstract: A method, apparatus and system for determining a weakness or risk for devices of an Internet-of-things (IoT) network include determining a representation of a physical environment of the IoT network and expected physical and cyber interactions between the devices of the IoT network based at least in part on operating characteristics of the devices of the IoT network, monitoring the physical environment and actual interactions between the devices to generate a network model including at least one of uncharacteristic physical or cyber interaction paths between the devices, based on the determined network model, determining at least one weakness or risk of at least one of the IoT network or of at least one of the devices, and providing a metric of security of at least one of the IoT network or of at least one of the devices based on at least one of the determined weakness or risk.

Abstract: A method to determine a valid input sequence for an unknown binary program is provided. The method may include obtaining an input sequence for an unknown binary program. The method may also include obtaining a memory address range for each of one or more variables in the unknown binary program and executing an instrumented version of the unknown binary program with the input sequence as an input to the instrumented version of the unknown binary program. The method may also include recording one or more memory addresses accessed during the execution of the instrumented version of the unknown binary program and determining that the unknown binary program accepts the input sequence as valid based on one or more of the one or more recorded memory addresses corresponding to the memory address range of one or more of the variables in the unknown binary program.

Abstract: A method includes selecting a set of printable characters as one or more test inputs for a binary module having no known valid input. The method also includes executing the binary module with the set of printable characters as the one or more test inputs for the binary module. The method also includes determining a number of instructions executed by the binary module responsive to being executed with the set of printable characters. The method also includes generating set data including the one or more printable characters associated with the number of instructions executed for each of the one or more printable characters. The method also includes analyzing the set data to identify one or more printable characters as one or more valid inputs for the binary module based on a comparison of the number of instructions associated with the one or more printable characters and a threshold range.

Abstract: A method of vulnerability analysis of a deployed program (program) includes inputting a binary program under analysis (BPUA) derived from the program. The method includes analyzing input/output (I/O) behavior of the program. The method includes discovering inputs to the program based on application of exploration techniques to the BPUA and analysis of the I/O behavior. The method includes determining which of the inputs are negative inputs. The negative inputs are inputs that trigger a response that includes a vulnerability of the program. Based on the negative inputs and triggered responses, the method includes developing a patch for the program that modifies the program to process at least some of the negative inputs without triggering a response that includes the vulnerability. The method includes automatically dispatching the patch.

Abstract: A method to determine valid input sequences for an unknown binary program is provided. The method includes obtaining multiple input sequences, which each include two or more different inputs, for an unknown binary program. The inputs for the input sequences may be valid inputs for the unknown binary program. The method may further include executing an instrumented version of the unknown binary program separately for each input sequence. For each execution of the instrumented version of the unknown binary program, a set of execution traces may be generated by recording execution traces generated by the execution of the instrumented version of the unknown binary program. The method may further include comparing the sets of execution traces and determining which of the input sequences the unknown binary program accepts as valid based on the comparison of the sets of execution traces.

Abstract: A method to determine valid input sequences for an unknown binary program is provided. The method includes obtaining multiple input sequences, which each include two or more different inputs, for an unknown binary program. The inputs for the input sequences may be valid inputs for the unknown binary program. The method may further include executing an instrumented version of the unknown binary program separately for each input sequence. For each execution of the instrumented version of the unknown binary program, a set of execution traces may be generated by recording execution traces generated by the execution of the instrumented version of the unknown binary program. The method may further include comparing the sets of execution traces and determining which of the input sequences the unknown binary program accepts as valid based on the comparison of the sets of execution traces.

Abstract: A method to determine a valid input sequence for an unknown binary program is provided. The method may include obtaining an input sequence for an unknown binary program. The method may also include obtaining a memory address range for each of one or more variables in the unknown binary program and executing an instrumented version of the unknown binary program with the input sequence as an input to the instrumented version of the unknown binary program. The method may also include recording one or more memory addresses accessed during the execution of the instrumented version of the unknown binary program and determining that the unknown binary program accepts the input sequence as valid based on one or more of the one or more recorded memory addresses corresponding to the memory address range of one or more of the variables in the unknown binary program.

Abstract: A method of vulnerability analysis of a deployed program (program) includes inputting a binary program under analysis (BPUA) derived from the program. The method includes analyzing input/output (I/O) behavior of the program. The method includes discovering inputs to the program based on application of exploration techniques to the BPUA and analysis of the I/O behavior. The method includes determining which of the inputs are negative inputs. The negative inputs are inputs that trigger a response that includes a vulnerability of the program. Based on the negative inputs and triggered responses, the method includes developing a patch for the program that modifies the program to process at least some of the negative inputs without triggering a response that includes the vulnerability. The method includes automatically dispatching the patch.

Abstract: A method includes selecting a set of printable characters as one or more test inputs for a binary module having no known valid input. The method also includes executing the binary module with the set of printable characters as the one or more test inputs for the binary module. The method also includes determining a number of instructions executed by the binary module responsive to being executed with the set of printable characters. The method also includes generating set data including the one or more printable characters associated with the number of instructions executed for each of the one or more printable characters. The method also includes analyzing the set data to identify one or more printable characters as one or more valid inputs for the binary module based on a comparison of the number of instructions associated with the one or more printable characters and a threshold range.