Decentralized Action Integrity for Trigger-Action IoT Platforms

Fernandes, Earlence; Rahmati, Amir; Jung, Jaeyeon; Prakash, Atul

doi:10.14722/ndss.2018.23119

Cited by 87 publications

(82 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, a user with a SmartThings IoT platform account can authorize the SmartThings service through the OAuth protocol to communicate with her SmartThings account. Services communicate with each other using REST APIs over HTTP(S) [6], [18]. Trigger-action platforms allow users to create custom automation on services through DO and IF rules.…”

Section: B Trigger-action Platformsmentioning

confidence: 99%

IoTGuard: Dynamic Enforcement of Security and Safety Policy in Commodity IoT

Celik

Tan

McDaniel

2019

Proceedings 2019 Network and Distributed System Security Symposium

186

140

View full text Add to dashboard Cite

Broadly defined as the Internet of Things (IoT), the growth of commodity devices that integrate physical processes with digital connectivity has changed the way we live, play, and work. To date, the traditional approach to securing IoT has treated devices individually. However, in practice, it has been recently shown that the interactions among devices are often the real cause of safety and security violations. In this paper, we present IOTGUARD, a dynamic, policy-based enforcement system for IoT, which protects users from unsafe and insecure device states by monitoring the behavior of IoT and triggeraction platform apps. IOTGUARD operates in three phases: (a) implementation of a code instrumentor that adds extra logic to an app's source code to collect app's information at runtime, (b) storing the apps' information in a dynamic model that represents the runtime execution behavior of apps, and (c) identifying IoT safety and security policies, and enforcing relevant policies on the dynamic model of individual apps or sets of interacting apps. We demonstrate IOTGUARD on 20 flawed apps and find that IOTGUARD correctly enforces 12 of the 12 policy violations. In addition, we evaluate IOTGUARD on 35 SmartThings IoT and 30 IFTTT trigger-action platform market apps executed in a simulated smart home. IOTGUARD enforces 11 unique policies and blocks 16 states in six (17.1%) SmartThings and five (16.6%) IFTTT apps. IOTGUARD imposes only 17.3% runtime overhead on an app and 19.8% for five interacting apps. Through this effort, we introduce a rigorously grounded system for enforcing correct operation of IoT devices through systematically identified IoT policies, demonstrating the effectiveness and value of monitoring IoT apps with tools such as IOTGUARD.

show abstract

Section: B Trigger-action Platformsmentioning

confidence: 99%

IoTGuard: Dynamic Enforcement of Security and Safety Policy in Commodity IoT

Celik

Tan

McDaniel

2019

Proceedings 2019 Network and Distributed System Security Symposium

186

140

View full text Add to dashboard Cite

show abstract

“…As a countermeasure, they investigate static and dynamic information-flow tracking via security types. Fernandes et al [19] propose the use of decentralization and finegrained authentication tokens to limit privileges and prevent unauthorized actions. In contrast, our work targets security and safety issues in cross-app interactions, and it focuses on the formal underpinnings of these approaches.…”

Section: Related Workmentioning

confidence: 99%

“…Examples of attacks include design flaws due to over privileged permission tokens [18], unexpected information leaks by seemingly harmless apps [36], and sensitive information disclosure by malicious apps [6], [11]. To protect the users against these attacks, defensive mechanism rely on fine-grained access control and capabilities, decentralization [19] or static [7], [11] and dynamic [6] information-flow analysis.…”

Section: Introductionmentioning

confidence: 99%

Securing Cross-App Interactions in IoT Platforms

Balliu

Merro

Pasqua

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

IoT platforms enable users to connect various smart devices and online services via reactive apps running on the cloud. These apps, often developed by third-parties, perform simple computations on data triggered by external information sources and actuate the results of computation on external information sinks. Recent research shows that unintended or malicious interactions between the different (even benign) apps of a user can cause severe security and safety risks. These works leverage program analysis techniques to build tools for unveiling unexpected interference across apps for specific use cases. Despite these initial efforts, we are still lacking a semantic framework for understanding interactions between IoT apps. The question of what security policy cross-app interference embodies remains largely unexplored. This paper proposes a semantic framework capturing the essence of cross-app interactions in IoT platforms. The framework generalizes and connects syntactic enforcement mechanisms to bisimulation-based notions of security, thus providing a baseline for formulating soundness criteria of these enforcement mechanisms. Specifically, we present a calculus that models the behavioral semantics of a system of apps executing concurrently, and use it to define desirable semantic policies in the security and safety context of IoT apps. To demonstrate the usefulness of our framework, we define static mechanisms for enforcing crossapp security and safety, and prove them sound with respect to our semantic conditions. Finally, we leverage real-world apps to validate the practical benefits of our policy framework.

show abstract

“…An access token is then generated and used by IFTTT for future executions of any applets that use such services. Fernandes et al [12] give a detailed overview of IFTTT's use of OAuth protocol and its security implications. Applets can be installed either via IFTTT's web interface or via an IFTTT app on a user device.…”

Section: Ifttt Platform and Attacker Modelmentioning

confidence: 99%

“…Fernandes et al [11] present FlowFence, an approach to information flow tracking for IoT application frameworks. In recent work, Fernandes et al [12] argue that IFTTT's OAuth-based authorization model gives away overprivileged tokens. They suggest fine-grained OAuth tokens to limit privileges and thus prevent unauthorized actions.…”

Section: Related Workmentioning

confidence: 99%

If This Then What?

Bastys

Balliu

Sabelfeld

2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

IoT apps empower users by connecting a variety of otherwise unconnected services. These apps (or applets) are triggered by external information sources to perform actions on external information sinks. We demonstrate that the popular IoT app platforms, including IFTTT (If This Then That), Zapier, and Microsoft Flow are susceptible to attacks by malicious applet makers, including stealthy privacy attacks to exfiltrate private photos, leak user location, and eavesdrop on user input to voice-controlled assistants. We study a dataset of 279,828 IFTTT applets from more than 400 services, classify the applets according to the sensitivity of their sources, and find that 30% of the applets may violate privacy. We propose two countermeasures for short-and longterm protection: access control and information flow control. For short-term protection, we suggest that access control classifies an applet as either exclusively private or exclusively public, thus breaking flows from private sources to sensitive sinks. For longterm protection, we develop a framework for information flow tracking in IoT apps. The framework models applet reactivity and timing behavior, while at the same time faithfully capturing the subtleties of attacker observations caused by applet output. We show how to implement the approach for an IFTTT-inspired setting leveraging state-of-the-art information flow tracking techniques for JavaScript based on the JSFlow tool and evaluate its effectiveness on a collection of applets. CCS CONCEPTS • Security and privacy → Web application security; Domainspecific security and privacy architectures;

show abstract

Decentralized Action Integrity for Trigger-Action IoT Platforms

Cited by 87 publications

References 18 publications

IoTGuard: Dynamic Enforcement of Security and Safety Policy in Commodity IoT

IoTGuard: Dynamic Enforcement of Security and Safety Policy in Commodity IoT

Securing Cross-App Interactions in IoT Platforms

If This Then What?

Contact Info

Product

Resources

About