IotSan

Abstract: Today's IoT systems include event-driven smart applications (apps) that interact with sensors and actuators. A problem specific to IoT systems is that buggy apps, unforeseen bad app interactions, or device/communication failures, can cause unsafe and dangerous physical states. Detecting flaws that lead to such states, requires a holistic view of installed apps, component devices, their configurations, and more importantly, how they interact. In this paper, we design IotSan, a novel practical system that uses m… Show more

“…When analyzing the model, the solver checks to see if a path exists from any of a specified set of initial states to states that violate any of the safety properties. Prior works in this domain (e.g., IoTSAN [24], Soteria [11]) have commonly used this state-based approach when modeling the IoT systems they analyze.…”

“…To determine whether rule-based properties are more scalable than the common state-based approach, we analyzed 325 randomly generated bundles of apps drawn from a corpus of 222 real-world IoT apps using both our state-based and rule-based models. We checked both systems for instances of seven general types of app coordination drawn from the literature [11,13,24], such as the Action Conflict and Action Loop inter-rule vulnerabilities described in Wang, et al [31] We tracked the time taken by the Alloy Analyzer to find up to a single counterexample for each assertion and compared the performance of each approach both as the number of apps and rules in the bundles increased.…”

“…These efforts have focused on data security [30], while our research focuses on effective detection of multi-app coordination threats. IotSan [24] provides a state-based model which detects interactions that can lead to unsafe states, requiring the user to provide specific configuration details along with the apps. Chi et al [12] categorize cross-app interference threats, again using a state-based model.…”

“…These cyber-physical systems combine a virtual software-based backend with physical devices-both sensors that monitor the physical environment and actuators that act upon it. This general model allows users to install third-party software apps in the virtual backend to automate tasks performed by physical devices [8,11,12,24]. Apps consist of one or more rules defined using an event-conditionaction paradigm.…”

“…Some explore data-related threats [18], but do not consider ways in which the apps might influence physical devices. Others detect specific unsafe states [11,13,24], but require specific tailoring of the configuration or safety properties. Many of these approaches are subject to a common limitation: they analyze the behavior of single apps and fail to detect instances of multi-app coordination among a bundle of apps installed within the same system.…”

Comparing formal models of IoT app coordination analysis

“…When analyzing the model, the solver checks to see if a path exists from any of a specified set of initial states to states that violate any of the safety properties. Prior works in this domain (e.g., IoTSAN [24], Soteria [11]) have commonly used this state-based approach when modeling the IoT systems they analyze.…”

“…To determine whether rule-based properties are more scalable than the common state-based approach, we analyzed 325 randomly generated bundles of apps drawn from a corpus of 222 real-world IoT apps using both our state-based and rule-based models. We checked both systems for instances of seven general types of app coordination drawn from the literature [11,13,24], such as the Action Conflict and Action Loop inter-rule vulnerabilities described in Wang, et al [31] We tracked the time taken by the Alloy Analyzer to find up to a single counterexample for each assertion and compared the performance of each approach both as the number of apps and rules in the bundles increased.…”

“…These efforts have focused on data security [30], while our research focuses on effective detection of multi-app coordination threats. IotSan [24] provides a state-based model which detects interactions that can lead to unsafe states, requiring the user to provide specific configuration details along with the apps. Chi et al [12] categorize cross-app interference threats, again using a state-based model.…”

“…These cyber-physical systems combine a virtual software-based backend with physical devices-both sensors that monitor the physical environment and actuators that act upon it. This general model allows users to install third-party software apps in the virtual backend to automate tasks performed by physical devices [8,11,12,24]. Apps consist of one or more rules defined using an event-conditionaction paradigm.…”

“…Some explore data-related threats [18], but do not consider ways in which the apps might influence physical devices. Others detect specific unsafe states [11,13,24], but require specific tailoring of the configuration or safety properties. Many of these approaches are subject to a common limitation: they analyze the behavior of single apps and fail to detect instances of multi-app coordination among a bundle of apps installed within the same system.…”

Comparing formal models of IoT app coordination analysis

Vulnerabilities in IoT Systems

Automated Security Analysis of IoT Software Updates