Our homes, hospitals, cities, and industries are being enhanced with devices that have computational and networking capabilities. This emerging network of connected devices, or Internet of Things (IoT), promises better safety, enhanced management of patients, improved energy efficiency, and optimized manufacturing processes. Although there are many such benefits, security vulnerabilities in these systems can lead to user dissatisfaction (e.g., from random bugs), privacy violation (e.g., from stolen information), monetary loss (e.g., denial-of-service attacks or "ransomware"), or even loss of life (e.g., from malicious actors manipulating critical processes in a hospital). Security design flaws may manifest at several layers of the IoT software/hardware stack. This work focuses on design flaws that arise in IoT platforms---software systems that manage devices, data analysis results, and control logic. Specifically, we show that empirical security-oriented analyses of personal IoT platforms lead to: (1) an understanding of design flaws that can be leveraged in long-range and device-independent attacks; (2) the development of security mechanisms that limit the potential for these attacks. Concretely, we contribute empirical analyses for two categories of personal IoT platforms---Hub-Based (Samsung SmartThings) and Cloud-First (If-This-Then-That). Our analyses reveal overprivilege as a main enabler for attacks, and we propose a set of information flow control techniques (FlowFence and Decoupled-IFTTT) to manage privilege better in these platforms, thereby reducing the potential for attacks.
Securing Personal IoT Platforms through Systematic Analysis and Design