Towards Secure and Reliable IoT Applications
Gang Tan, CSE, Penn State
Nov 15th, 2019 @ 2nd IoT Security and Privacy Workshop

Internet of Things (IoT) enables the future
[Figures: Smart Homes (Source: Microsoft), Smart Farms (Source: Samsung), Smart Energy (Source: LG; chart of power consumption, usage/month, with no smart vs. with smart, 30% saving), Healthcare (Source: John Hopkins)]
IoT is not magic
[Figure labels: Connected devices, IoT application, Automation, Mobile app]

IoT enables the future (and a whole lot of problems)
Many of these failures are traditional security problems: software bugs, user errors, poor configuration, or faulty design

IoT app interaction (via the physical world)
Smoke-alarm app: If smoke detected then sound alarm, and if also excessive heat detected, activate sprinkler
Water-leak-detector app: If water leak detected, then shut off main water valve
• fire -> sprinkler activation -> water leak detection -> shut off water valve -> no water for sprinkler!
• Problem: the interaction between IoT apps causes unreliability and insecurity.

IoT app interaction: another example
Temp-control app: open the window, when temp > 80 ℉
Heater-control app: time at 6pm -> turn the heater on -> temperature rise
* Example by Ding & Hu [CCS 2018]

In this talk…
How to increase security and reliability of IoT apps and their interaction?
IoT Safety and Security
• Soteria: Automated IoT Safety and Security Analysis [USENIX Annual Technical Conference, 2018] Z. Berkay Celik, Patrick McDaniel, and Gang Tan
• IoTGuard: Dynamic Enforcement of Safety and Security Policy in Commodity IoT [NDSS, 2019] Z. Berkay Celik, Gang Tan, and Patrick McDaniel
IoT Privacy
• Saint: Sensitive Information Tracking in Commodity IoT [USENIX Security, 2018] Z. Berkay Celik, Leo Babun, Amit Sikder, Hidayet Aksu, Gang Tan, Patrick McDaniel, and Selcuk Uluagac
IoT Fault Tolerance
• IotRepair: Systematically Addressing Device Faults in Commodity IoT [Ongoing work] Michael Norris, Z. Berkay Celik, Prasanna Venkatesh, Shulin Zhao, Gang Tan, Patrick McDaniel, and Anand Sivasubramaniam
Surveys:
• Program Analysis of IoT Applications for Security and Privacy: Challenges and Opportunities [ACM Computing Surveys, 2019] Z. Berkay Celik, Earlence Fernandes, Eric Pauley, Gang Tan, and Patrick McDaniel
• Verifying Internet of Things Safety and Security in Physical Spaces [IEEE S&P magazine, 2019] Z. Berkay Celik, Patrick McDaniel, Gang Tan, Leo Babun, Selcuk Uluagac

Collaborators
Z. Berkay Celik (Penn State -> Purdue), Patrick McDaniel (Penn State), Michael Norris (Penn State)
• Other collaborators
  Penn State: Prasanna Venkatesh, Shulin Zhao, and Anand Sivasubramaniam
  Florida International University: Leo Babun, Amit Sikder, Hidayet Aksu, and Selcuk Uluagac

Soteria
Agenda

Soteria*: Automated IoT Safety and Security Analysis [USENIX ATC 2018]
* Greek goddess protecting from harm

Soteria
Problem: IoT platforms cannot evaluate whether an IoT app or a collection of apps is safe, secure, and operates correctly
• Soteria performs model checking on IoT apps to see whether they conform to a set of safety/security properties

From IoT apps to finite-state machines
IoT environment
Smoke-Alarm: S0: alarm-off; S1: alarm-on; S2: water valve on and sprinkler active (transition labels: smoke, temp>135 °F)
Water-Leak-Detector: S0: water valve on; S1: water valve closed (transition label: water leak)
Model checking: Does the sprinkler system activate when there is a fire?

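The smoke-alarm and water-leak-detector interaction from the slides, as an added example (not code from the talk or from Soteria): the two apps' state models are unioned and a breadth-first reachability search stands in for the model checker. The rule encoding, the event names and the property `sprinkler_has_water` are assumptions made for illustration.

```python
from collections import deque

# Constructed state models; attribute and event names are assumptions.
# A state is the tuple (alarm, sprinkler, valve). Each rule is
# (event, guard(state) -> bool, update(state) -> state).
SMOKE_ALARM = [
    ("smoke", lambda s: True, lambda s: ("on", s[1], s[2])),
    # The sprinkler only activates if heat is reported while the alarm is on.
    ("heat", lambda s: s[0] == "on", lambda s: (s[0], "on", s[2])),
]
WATER_LEAK_DETECTOR = [
    ("water_leak", lambda s: True, lambda s: (s[0], s[1], "closed")),
]
INITIAL = ("off", "off", "open")
EVENTS = ("smoke", "heat", "water_leak")


def sprinkler_has_water(state):
    """Safety property: an active sprinkler implies an open main valve."""
    _, sprinkler, valve = state
    return sprinkler != "on" or valve == "open"


def step(rules, state, event):
    """Apply every rule subscribed to `event` whose guard holds."""
    for ev, guard, update in rules:
        if ev == event and guard(state):
            state = update(state)
    return state


def check(apps, prop=sprinkler_has_water):
    """Return None if `prop` holds in all reachable states, else a shortest trace."""
    rules = [rule for app in apps for rule in app]  # union of the apps' models
    seen, queue = {INITIAL}, deque([(INITIAL, [])])
    while queue:
        state, trace = queue.popleft()
        if not prop(state):
            return trace
        for event in EVENTS:
            nxt = step(rules, state, event)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [event]))
    return None
```

Each app passes the check on its own; only the union yields the counterexample trace, which is why the analysis has to cover collections of apps and not just individual ones.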
Soteria components
[Figure: Soteria pipeline. Components: IoT app source code; Obtain IR; State-model extraction (individual, union); Property identification (temporal logic); Property verification (model checker); outcomes Pass / Fail]

State-model extraction from source code
• What is a state model?
  States and transitions. In IoT applications…
  - States: Device attributes
  - Transitions: Labeled by events that trigger the attribute changes
  [Figure: State-model of an example app; states S1, S2, S3, S4; labels: Events, Device attributes]
• Challenges of extracting state models
  ‣ IoT programming platforms are diverse
  ‣ Transitions may be guarded by conditions
  ‣ State-explosion problem

Coping with diverse IoT platform languages
[Figure: IoT platform programming language (Groovy, DSL, Python) -> IR -> State-model extraction]
• App source -> IR -> state model
• We can reuse the part from IR to state-model extraction for a new source language

An example toy app
• The app: when users are back at home, turn on the light, unlock the door, and send a notification email
  ‣ Between fromTime and toTime

The IR of the example app*

Devices
    input (p, presenceSensor, type:device)
    input (s, switch, type:device)
    input (d, door, type:device)
    input (fromTime, time, type:user_defined)
    input (toTime, time, type:user_defined)
    input (c, contact, type:user_defined)

Event subscription
    subscribe(p, "present", handler)

Computation
    handler(){
        def between = inBetween()
        if (between){
            s.on()
            d.unlock()
            notify()
        }
    }
    inBetween(){
        return timeOfDayIsBetween(fromTime, toTime)
    }
    notify(){
        sendSms(c, "...")
    }

* Extracted from Groovy code for Samsung's SmartThings

Conditional device attribute changes
• Perform path exploration and accumulate path conditions
  ‣ Add a transition using end states and path conditions

Source code of Energy-control IoT app:

    subscribe(presence, present, handler)

    get_power(){
        latest_pow=power_meter.currentValue("power")
        return latest_pow
    }

    // Entry point
    handler(){
        above = 50
        below = 5
        power = get_power()
        if(power > above){
            switch.off()
        }
        if(power < below){
            switch.on()
        }
    }

[Figure: state models without path exploration and with path exploration; states S0 (switch-off) and S1 (switch-on); transition labels: present, power>50, power<5]

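Path exploration over the energy-control handler above, as an added example (not code from the talk or from Soteria): every path through the two `if` statements is enumerated, its path condition is accumulated, infeasible paths are pruned, and each remaining path that changes the switch becomes a guarded transition. The tuple IR, the helper names and the integer-valued `power` reading are assumptions.

```python
import math

# Constructed IR for the slide's handler; the tuple encoding is an assumption.
HANDLER = [
    ("if", ("power", ">", 50), [("set", "switch", "off")]),
    ("if", ("power", "<", 5), [("set", "switch", "on")]),
]
NEGATE = {">": "<=", "<=": ">", "<": ">=", ">=": "<"}


def paths(stmts, conds=(), effects=()):
    """Yield (path_condition, effects) for every path through `stmts`."""
    if not stmts:
        yield conds, effects
        return
    head, rest = stmts[0], stmts[1:]
    if head[0] == "if":
        _, (var, op, k), body = head
        yield from paths(body + rest, conds + ((var, op, k),), effects)
        yield from paths(rest, conds + ((var, NEGATE[op], k),), effects)
    else:  # ("set", device, value): a device attribute change
        yield from paths(rest, conds, effects + (head[1:],))


def interval(conds):
    """Integer range satisfying all conditions on one variable, or None."""
    lo, hi = -math.inf, math.inf
    for _, op, k in conds:
        if op == ">":
            lo = max(lo, k + 1)
        elif op == ">=":
            lo = max(lo, k)
        elif op == "<":
            hi = min(hi, k - 1)
        else:  # "<="
            hi = min(hi, k)
    return (lo, hi) if lo <= hi else None


def transitions(handler, event):
    """Turn each feasible, state-changing path into (event, guard, end state)."""
    out = []
    for conds, effects in paths(handler):
        guard = interval(conds)
        if guard is None or not effects:
            continue  # contradictory path condition, or no attribute change
        device, value = effects[-1]  # end state is the last write on the path
        out.append((event, guard, f"{device}-{value}"))
    return out
```

Of the four syntactic paths, the one requiring both power>50 and power<5 is pruned and the one where neither branch fires adds no transition, leaving two guarded transitions on the `present` event.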
Coping with state explosion
• Reduce states by aggregating numerical-valued attributes

Thermostat-control IoT app:

    1: def modeChangeHandler(evt){
    2:     def temp = 68
    3:     setTemp(temp)
    4: }
    5: def setTemp(t){
    6:     ther.setHeatingPoint(t)
    7: }

Worklist: (6: t) -> (6: t, 3: temp) -> (2: temp = 68)

[Figure: thermostat temperature states. Without state reduction: t=50, t=51, ..., t=95. With state reduction: t=68, t<>68]

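The worklist on the thermostat slide, as an added example (not code from the talk or from Soteria): a backward search from the argument of `ther.setHeatingPoint` at line 6 follows the call site at line 3 to the constant assigned at line 2, and that constant then splits the temperature attribute into the two aggregated states. The statement encoding and function names are assumptions.

```python
# Constructed encoding of the thermostat-control app; keys are the slide's
# line numbers and the tuple layout is an assumption.
PROGRAM = {
    2: ("modeChangeHandler", "assign", "temp", 68),
    3: ("modeChangeHandler", "call", "setTemp", ("temp",)),
    6: ("setTemp", "sink", "ther.setHeatingPoint", ("t",)),
}
PARAMS = {"modeChangeHandler": ("evt",), "setTemp": ("t",)}


def reaching_constants(line, var):
    """Backward worklist from (line, var) to the constants that reach it."""
    consts, seen, worklist = set(), set(), [(line, var)]
    while worklist:
        item = worklist.pop()
        if item in seen:
            continue
        seen.add(item)
        line, var = item
        func = PROGRAM[line][0]
        # Nearest earlier assignment to `var` inside the same function.
        defs = [n for n, s in PROGRAM.items()
                if s[0] == func and s[1] == "assign" and s[2] == var and n < line]
        if defs:
            value = PROGRAM[max(defs)][3]
            if isinstance(value, str):   # copied from another variable
                worklist.append((max(defs), value))
            else:                        # a numeric constant: record it
                consts.add(value)
        elif var in PARAMS[func]:        # parameter: follow every call site
            idx = PARAMS[func].index(var)
            for n, s in PROGRAM.items():
                if s[1] == "call" and s[2] == func:
                    worklist.append((n, s[3][idx]))
    return consts


def abstract_state(var, value, consts):
    """Map a concrete value to 'var=c' or to the aggregated 'var<>...' state."""
    if value in consts:
        return f"{var}={value}"
    return f"{var}<>" + ",".join(str(c) for c in sorted(consts))
```

Applied to the 46 concrete temperatures 50 through 95 from the figure, `abstract_state` yields only the two states `t=68` and `t<>68`.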
Microbenchmarks
Setup: Intel i5 Core 2 Duo, Java Runtime 1.8, NuSMV 2.6, Graphviz 2.36
• State-reduction efficacy
  ‣ 10 numerical-valued devices in 14 apps
• State-model extraction overhead*
  ‣ An app with 180 states, on avg. ~17 secs
[Figures: Number of States per App ID, before state reduction and after state reduction; Avg. State-model Extraction Time (s) versus Number of States]