EBF: A Hybrid Verification Tool for Finding Software Vulnerabilities in IoT Cryptographic Protocols

Fatimah Aljaafari¹, Lucas C. Cordeiro¹, Mustafa A. Mustafa¹, and Rafael Menezes²

¹ The University of Manchester, UK
² Federal University of Amazonas, Brazil

Abstract. The Internet of Things (IoT) consists of a large number of smart devices connected through a network, which creates a vast amount of data communication, thereby posing new security, privacy, and trust issues. One way to address these issues is to ensure data confidentiality using lightweight encryption algorithms for IoT protocols. However, the design and implementation of such protocols is an error-prone task; flaws in the implementation can lead to devastating security vulnerabilities. Here we propose a new verification approach named Encryption-BMC and Fuzzing (EBF), which combines Bounded Model Checking (BMC) and Fuzzing techniques to verify software and detect security vulnerabilities that an attacker could exploit to compromise users' privacy and integrity. EBF models IoT protocols as a client and server using POSIX threads, thereby simulating both entities' communication. It also employs static and dynamic verification to cover the system's state-space exhaustively. We evaluate EBF using the concurrency benchmarks from SV-COMP and show that it outperforms other state-of-the-art tools such as ESBMC, AFL, Lazy-CSeq, and TSAN w.r.t. bug finding. We also evaluate an open-source implementation called WolfMQTT, an MQTT client implementation that uses the WolfSSL library. We show that EBF detects a data race, which other approaches are unable to identify.

1 Introduction

An Internet of Things (IoT) system usually comprises a large number of smart devices and objects, such as RFID tags, sensors, actuators, and smartphones, which communicate with each other (usually via Wi-Fi, Bluetooth, and RFID) with minimal human intervention [33].
IoT covers different areas and applications, such as smart homes, cities, and health care [22]. According to Mehavarunan [29], from 2020 to 2030, the number of IoT devices will grow from 75 billion to more than 100 billion, with the upgrade from 4G to 5G playing an important part in this growth. This large number of devices will create a massive and complex network with an exceedingly high volume of data communicated over it [15,32]. The existence of such a vast network of connected devices will inevitably pose new security, privacy, and trust issues that can put users at high risk [33].

arXiv:2103.11363v1 [cs.CR] 21 Mar 2021