Abstract
IoT platforms enable users to connect various smart devices and online services via reactive apps running on the cloud. These apps, often developed by third parties, perform simple computations on data triggered by external information sources and actuate the results on external information sinks. Recent research shows that unintended or malicious interactions between the different (even benign) apps of a user can cause severe security and safety risks. These works leverage program analysis techniques to build tools for unveiling unexpected interference across apps for specific use cases. Despite these initial efforts, we still lack a semantic framework for understanding interactions between IoT apps. The question of what security policy cross-app interference embodies remains largely unexplored.
This article proposes a semantic framework capturing the essence of cross-app interactions in IoT platforms. The framework generalizes and connects syntactic enforcement mechanisms to bisimulation-based notions of security, thus providing a baseline for formulating soundness criteria for these enforcement mechanisms. Specifically, we present a calculus that models the behavioral semantics of a system of apps executing concurrently, and use it to define desirable semantic policies targeting the security and safety of IoT apps. To demonstrate the usefulness of our framework, we define and implement static analyses for enforcing cross-app security and safety, and prove them sound with respect to our semantic conditions. We also validate the practical benefits of the tools built on the proposed enforcement mechanisms on real-world apps.
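As an added illustration of the kind of cross-app interference the abstract describes (this is not the paper's calculus, tool or code; every app, channel, policy and physical coupling below is a constructed assumption), the following Python models a handful of trigger-action apps together with a crude coupling through the physical environment, then computes two of the properties the abstract targets: a confidential source reaching a public sink through a chain of apps (security), and apps that can re-trigger themselves through other apps or the environment (safety). Apps are over-approximated as "read one trigger channel, write some action channels"; guards on the trigger value are deliberately ignored, which is what makes the analysis conservative in the same sense as a sound static analysis.

```python
"""Toy static analysis of cross-app interference among trigger-action apps.

Added illustration, not the paper's calculus or tool.  A "channel" is any
named information source or sink (a sensor, an actuator, an online service).
Apps are over-approximated as: read one trigger channel, write some action
channels.  Guards on the trigger value are ignored, so the analysis may
report an interaction that a runtime guard would prevent, but never misses
a possible one.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    trigger: str        # channel whose events start the app
    actions: tuple      # channels the app writes to


# --- constructed sample system (all names are assumptions) -----------------
APPS = (
    App("away-lights", "presence",    ("lights",)),   # nobody home -> lights off
    App("lights-feed", "lights",      ("tweet",)),    # post every light change
    App("cool-down",   "temperature", ("window",)),   # too hot  -> open window
    App("warm-up",     "temperature", ("heater",)),   # too cold -> heater on
    App("doorbell",    "doorbell",    ("chime",)),    # no cross-app links
)

# Implicit couplings through the physical environment: acting on the key
# channel changes what the value channels will later sense.  A per-app
# analysis cannot see these edges; a cross-app one must model them.
PHYSICAL = {
    "window": ("temperature",),
    "heater": ("temperature",),
}

# Two-level security policy: confidential sources and attacker-visible sinks.
SECRET_SOURCES = {"presence"}
PUBLIC_SINKS = {"tweet"}


def app_node(name):
    return "app:" + name


def build_graph(apps, physical):
    """Directed graph over channels and apps: trigger -> app -> action,
    plus physical edges acted-on-channel -> sensed-channel."""
    graph = {}

    def add(u, v):
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set())

    for a in apps:
        add(a.trigger, app_node(a.name))
        for c in a.actions:
            add(app_node(a.name), c)
    for src, dsts in physical.items():
        for d in dsts:
            add(src, d)
    return graph


def shortest_path(graph, start, goal):
    """BFS; returns the node list from start to goal, or None.  At least one
    edge is required, so start == goal finds a cycle through start."""
    parent, visited, queue = {}, set(), deque([start])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, ()):
            if v == goal:
                path = [v, u]
                while path[-1] != start:
                    path.append(parent[path[-1]])
                return path[::-1]
            if v not in visited:
                visited.add(v)
                parent[v] = u
                queue.append(v)
    return None


def find_leaks(apps, physical, secret_sources, public_sinks):
    """Security: a public sink reachable from a secret source through a
    chain of apps and physical couplings.  Returns (source, sink, path)."""
    graph = build_graph(apps, physical)
    leaks = []
    for s in sorted(secret_sources):
        for t in sorted(public_sinks):
            path = shortest_path(graph, s, t)
            if path:
                leaks.append((s, t, path))
    return leaks


def find_feedback_loops(apps, physical):
    """Safety: apps whose actions can re-trigger them, directly or via other
    apps and the environment (thermostat-style oscillation)."""
    graph = build_graph(apps, physical)
    return {a.name: c for a in apps
            if (c := shortest_path(graph, app_node(a.name), app_node(a.name)))}


def interacting_apps(apps, physical):
    """Apps that can influence at least one other app; the rest are safe to
    analyse in isolation."""
    graph = build_graph(apps, physical)
    return {a.name for a in apps for b in apps
            if a is not b and shortest_path(graph, app_node(a.name), app_node(b.name))}


if __name__ == "__main__":
    for s, t, path in find_leaks(APPS, PHYSICAL, SECRET_SOURCES, PUBLIC_SINKS):
        print("LEAK", s, "->", t, "via", " -> ".join(path))
    for name, cycle in find_feedback_loops(APPS, PHYSICAL).items():
        print("LOOP", name, ":", " -> ".join(cycle))
    print("interacting:", sorted(interacting_apps(APPS, PHYSICAL)))
```

Run stand-alone, the analysis reports that `presence` reaches the public `tweet` sink only because two individually harmless apps are chained (`away-lights` feeds `lights-feed`), that `cool-down` and `warm-up` each sit on a feedback loop that exists only once the physical coupling is modelled (drop `PHYSICAL` and no loop is found), and that `doorbell` interacts with nothing. Because guards are ignored the result is an over-approximation; refining it without losing soundness is exactly where a semantic definition of what "interference" means, as the abstract argues for, is needed.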
Friendly Fire: Cross-app Interactions in IoT Platforms