
S×C4IoT: A Security-by-contract Framework for Dynamic Evolving IoT Devices

Published: 05 October 2021

Abstract

The Internet of Things (IoT) revolutionised the way devices and human beings cooperate and interact. The interconnectivity and mobility brought by IoT devices led to extremely variable networks, as well as unpredictable information flows. In turn, security proved to be a serious issue for the IoT, far more serious than it has been in the past for other technologies. We claim that IoT devices need detailed descriptions of their behaviour to achieve secure default configurations, sufficient security configurability, and self-configurability. In this article, we propose S×C4IoT, a framework that addresses these issues by combining two paradigms: Security by Contract (S×C) and Fog computing. First, we summarise the necessary background, such as the basic S×C definitions. Then, we describe how devices interact within S×C4IoT and how our framework manages the dynamic evolution that naturally results from IoT devices' life-cycles. Furthermore, we show that S×C4IoT can allow legacy S×C-noncompliant devices to participate in an S×C network, we illustrate two different integration approaches, and we show how they fit into S×C4IoT. Last, we implement the framework as a proof-of-concept. We show the feasibility of S×C4IoT and we run different experiments to evaluate its impact in terms of communication and storage space overhead.


Cited By

  • (2022) Do Charging Stations Benefit from Cryptojacking? A Novel Framework for Its Financial Impact Analysis on Electric Vehicles. Energies 15:16 (5773). DOI: 10.3390/en15165773. Online publication date: 9-Aug-2022

Published In

ACM Transactions on Sensor Networks, Volume 18, Issue 1
February 2022
434 pages
ISSN:1550-4859
EISSN:1550-4867
DOI:10.1145/3484935
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 October 2021
Accepted: 01 August 2021
Revised: 01 July 2021
Received: 01 November 2020
Published in TOSN Volume 18, Issue 1

Author Tags

  1. IoT
  2. internet of things
  3. security
  4. security-by-contract
  5. S×C
  6. fog computing
  7. configurability
  8. self-configurability
  9. declarative security

Qualifiers

  • Research-article
  • Refereed

Article Metrics

  • Downloads (Last 12 months): 250
  • Downloads (Last 6 weeks): 18
Reflects downloads up to 02 Sep 2024
