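@comment{
  Entry exported from the IPSJ repository (the OAI identifier is kept as the
  citation key so existing cites keep working). Repairs applied to the raw
  export: the non-standard "book" field is renamed to "booktitle", which
  inproceedings requires (BibTeX otherwise warns about an empty booktitle);
  "month" uses the predefined macro instead of a quoted string; the abstract
  is moved from "note", which standard styles print in the reference list, to
  "abstract", which they ignore; the romanised author names are reordered to
  "Surname, Given" so the surname is parsed correctly (the export had them as
  "Given, Surname"); Latin acronyms in the title are brace-protected against
  sentence casing. The author field still lists each author twice, once in
  Japanese and once romanised, exactly as exported -- keep only the script
  matching the document's language before use. The abstract is the exported
  text unchanged: the Japanese and English versions are joined by ", ".
}
@inproceedings{oai:ipsj.ixsq.nii.ac.jp:00228701,
  author    = {森井, 裕大 and 木原, 百々香 and 佐々木, 貴之 and 秋山, 満昭 and 植田, 宏 and 吉岡, 克成 and 松本, 勉 and Morii, Yudai and Kihara, Momoka and Sasaki, Takayuki and Akiyama, Mitsuaki and Ueda, Hiroshi and Yoshioka, Katsunari and Matsumoto, Tsutomu},
  title     = {{IoT}ファームウェアに含まれる{OSS}の脆弱性に関する{SCA}ツールを用いた調査},
  booktitle = {コンピュータセキュリティシンポジウム2023論文集},
  publisher = {情報処理学会},
  pages     = {644--651},
  month     = oct,
  year      = {2023},
  abstract  = {脆弱性管理手法の一つとして,SBOMの利用が検討されており,その生成ツールとして,SCAツールが注目されている.しかし,IoT機器のファームウェアにSCAツールを適用し,その結果を分析した研究は少ない.本研究では,まず,商用SCAツールのソフトウェア構成要素判定能力の評価を行った.結果,当該ツールは83.5%の精度でOSSコンポーネント名を,65.2%の精度でコンポーネント名とバージョンの両方を特定できることがわかった.次に,当該ツールを用いてコンシューマ向けIoT機器のファームウェア239個を解析したところ,1ファームウェアあたり平均39種類のOSSコンポーネントと712種類の脆弱性が検出された.また,公知の脆弱性を含んだファームウェアを定常的にリリースするメーカや,公知の脆弱性をほとんど排除してリリースするメーカが確認された.さらに,ファームウェア更新の際には,多くのIoT機器で使用されるOSSコンポーネントの脆弱性増加がファームウェアに脆弱性をもたらしていることが確認された., The use of Software Bill of Materials (SBOM) has been considered as one of the vulnerability management methods, and Software Composition Analysis (SCA) tools have attracted attention as tools for generating SBOM. However, few studies have applied SCA tools to firmware of IoT devices and analyzed the results. In this study, first, we evaluated the ability of commercial SCA tools to identify software components. The result showed that the tool can identify OSS component names with an accuracy of 83.5%, and both component names and versions with an accuracy of 65.2%. Next, we analyzed 239 consumer IoT devices’ firmware using the tool, and found an average of 39 OSS components and 712 vulnerabilities per firmware. We also found that there were significant differences in security measures, with three manufacturers having more than half of the detected vulnerabilities that were released more than 1,000 days before the firmware release date, and one manufacturer eliminating most of the publicly known vulnerabilities at the time of firmware release. 
In addition, it was found that the increasing number of vulnerabilities in OSS components such as busybox and openssl, which are used in many IoT devices, have introduced vulnerabilities into the firmware when firmware is updated.},
}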