A Functional Sizing-Based Approach to Memory Vulnerability Assessment in IoT Edge Devices


Abstract

The Internet of Things (IoT) emerged through the interconnection of edge devices, enabling seamless data exchange over the internet. As IoT adoption expands across diverse domains, the resulting explosion of data has raised significant concerns regarding the security of edge devices responsible for processing this information. Although various scoring functions have been developed to assess the severity of vulnerabilities and guide risk management, these methods often overlook the unique characteristics of IoT systems and lack precision in evaluating hardware-related vulnerabilities. This paper presents a comprehensive review of existing vulnerability assessment frameworks and proposes a novel approach to evaluating memory-related vulnerabilities in IoT edge devices. The approach is centered on the application of functional size measurement using COSMIC (ISO 19761). COSMIC provides a standardized method for measuring what software can do, thereby enabling the quantification of memory-related vulnerabilities from a functional perspective. Furthermore, a prototype tool is introduced, designed to automate the assessment of memory-related vulnerabilities on ESP boards using COSMIC-based measurements. The results demonstrate the potential of integrating functional sizing methodologies into IoT security evaluation frameworks.
