DOI: 10.1145/3548606.3560680
Research article, Open access

P-Verifier: Understanding and Mitigating Security Risks in Cloud-based IoT Access Policies

Published: 07 November 2022

Abstract

Modern IoT device manufacturers are taking advantage of managed Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) IoT clouds (e.g., AWS IoT, Azure IoT) for secure and convenient IoT development and deployment. IoT access control is achieved by manufacturer-specified, cloud-enforced IoT access policies (cloud-standard JSON documents, called IoT Policies) stating which users can access which IoT devices/resources under what constraints. In this paper, we performed a systematic study of the security of cloud-based IoT access policies on modern PaaS/IaaS IoT clouds. Our research shows that the complexity of the IoT semantics and enforcement logic of the policies leaves tremendous space for device manufacturers to program a flawed IoT access policy, introducing convoluted logic flaws that are non-trivial to reason about. In addition to the challenges and mistakes in the design space, it is astonishing to find that mainstream device manufacturers also generally make critical mistakes in deploying IoT Policies, thanks to the flexibility offered by PaaS/IaaS clouds and the lack of standard practices for doing so. Our assessment of 36 device manufacturers and 310 open-source IoT projects highlights the pervasiveness and seriousness of the problems, which, once exploited, can seriously impact IoT users' security, safety, and privacy. To help manufacturers identify and easily fix IoT Policy flaws, we introduce P-Verifier, a formal verification tool that can automatically verify cloud-based IoT Policies. With evaluated high effectiveness and low performance overhead, P-Verifier will contribute to elevating security assurance in modern IoT deployments and access control. We responsibly reported all findings to the affected vendors, and fixes have been deployed or are under way.
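
The abstract describes IoT Policies as cloud-enforced JSON documents whose wildcard and policy-variable semantics are easy to get wrong. The following is an added example, not the paper's P-Verifier code or any vendor's deployment: a small evaluator in Python for AWS IoT-style policy documents, with a constructed over-permissive policy beside one scoped through the ${iot:ClientId} policy variable, and an audit check that reports which other devices' topics a given client could read. The account id, region, topic layout and device names are constructed for the example.

```python
import json
import re

# Constructed sample policies in the AWS IoT policy document format, written for
# this example; they are not from the paper or from any vendor's deployment.
# The first policy lets any connected client subscribe to every device's topics.
PERMISSIVE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/*"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/devices/*"]},
    {"Effect": "Allow", "Action": ["iot:Receive"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/devices/*"]}
  ]
}""")

# The same grants scoped to the caller's own namespace via the ${iot:ClientId}
# policy variable, so a client can only reach topics under its own id.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:client/${iot:ClientId}"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topicfilter/devices/${iot:ClientId}/*"]},
    {"Effect": "Allow", "Action": ["iot:Receive"],
     "Resource": ["arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:ClientId}/*"]}
  ]
}""")


def _glob_match(pattern, value):
    """IAM-style glob: '*' matches any run of characters (including '/'), '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource, context):
    """Evaluate one request: an explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Policy variables in Resource are substituted from
    the connection context (e.g. the MQTT client id) before matching."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            for var, val in context.items():
                res = res.replace("${" + var + "}", val)
            if _glob_match(res, resource):
                if stmt["Effect"] == "Deny":
                    return False
                decision = True
    return decision


def cross_device_exposure(policy, client_id, other_ids,
                          region="us-east-1", account="123456789012"):
    """Audit check: which other devices' telemetry topics could this client
    both subscribe to and receive from under the policy? Empty is the goal."""
    ctx = {"iot:ClientId": client_id}
    prefix = f"arn:aws:iot:{region}:{account}:"
    exposed = []
    for other in other_ids:
        sub = is_allowed(policy, "iot:Subscribe",
                         f"{prefix}topicfilter/devices/{other}/telemetry", ctx)
        rcv = is_allowed(policy, "iot:Receive",
                         f"{prefix}topic/devices/{other}/telemetry", ctx)
        if sub and rcv:
            exposed.append(other)
    return exposed
```

Calling cross_device_exposure(PERMISSIVE_POLICY, "purifier-0001", ["purifier-0002"]) returns the other device, while the scoped policy returns an empty list; the evaluator only models Effect, Action and Resource, not Condition blocks.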


Cited By

  • ZTCloudGuard: Zero Trust Context-Aware Access Management Framework to Avoid Medical Errors in the Era of Generative AI and Cloud-Based Health Information Ecosystems. AI 5(3), 1111-1131, 2024. https://doi.org/10.3390/ai5030055
  • Detection and Analysis of Broken Access Control Vulnerabilities in App–Cloud Interaction in IoT. IEEE Internet of Things Journal 11(17), 28267-28280, 2024. https://doi.org/10.1109/JIOT.2024.3400858

Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022
3598 pages
ISBN:9781450394505
DOI:10.1145/3548606
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control policy
  2. cloud
  3. formal verification
  4. iot

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
