DOI: 10.1145/3643833.3656116
research-article
Open access

Practical Integrity Validation in the Smart Home with HomeEndorser

Published: 27 May 2024

Abstract

Modern smart home platforms facilitate home automation using trigger-action routines. While providing flexibility, routines may also cause serious threats to system integrity: untrusted third-parties may use platform APIs to modify the abstract home objects (AHOs) that high-integrity devices (e.g., security camera) rely on (i.e., as triggers). As most AHO accesses are legitimate, applying naive information flow controls or removing permissions would not only fail to prevent these problems, but also break functionality. Therefore, this paper proposes the alternate approach of home abstraction endorsement, which endorses a proposed AHO change by correlating it with expected environmental changes. We present the HomeEndorser framework, which provides a policy model to express changes in device states as endorsement policy templates that are automatically instantiated in a given configuration (based on device availability/placement), and a platform-based reference monitor to mediate all API requests to change AHOs. We implement HomeEndorser as an enhancement to the HomeAssistant platform, and demonstrate less than 10% performance overhead and no false alarms under realistic usage, as well as derive policy templates for 6 key AHOs.
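
The endorsement check described in the abstract, as an added sketch that is not HomeEndorser's own code. The template contents, the device and placement names, the 60-second window, and the fail-closed default are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy templates: for an AHO transition, each clause is a set of
# (device_type, placement, new_state) changes that must ALL be observed.
TEMPLATES = {
    ("home_mode", "away", "home"): [
        {("door_lock", "entrance", "unlocked")},
        {("door_sensor", "entrance", "open"),
         ("motion_sensor", "entrance", "active")},
    ],
}
WINDOW_S = 60  # assumed freshness window for corroborating device events

# Constructed sample home: it has no entrance door sensor.
INVENTORY = {("door_lock", "entrance"), ("motion_sensor", "entrance")}


@dataclass(frozen=True)
class Event:
    """A device-state change recorded by the platform."""
    device_type: str
    placement: str
    state: str
    ts: float


def instantiate(templates, inventory):
    """Keep only the clauses whose devices exist at the required placement."""
    return {
        key: [c for c in clauses if all((d, p) in inventory for d, p, _ in c)]
        for key, clauses in templates.items()
    }


def endorse(policy, aho, old, new, events, now):
    """Reference-monitor decision for an API request to change an AHO."""
    key = (aho, old, new)
    if key not in policy:
        return True  # assumption: transitions without a template are not mediated
    fresh = {(e.device_type, e.placement, e.state)
             for e in events if 0 <= now - e.ts <= WINDOW_S}
    # Fail closed: deny when no clause could be instantiated or none is satisfied.
    return any(clause <= fresh for clause in policy[key])
```
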


Cited By

  • (2024) iConPAL: LLM-guided Policy Authoring Assistant for Configuring IoT Defenses. 2024 IEEE Secure Development Conference (SecDev), pp. 76-92. DOI: 10.1109/SecDev61143.2024.00014. Online publication date: 7-Oct-2024


    Published In

    WiSec '24: Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks
    May 2024
    312 pages
    ISBN: 9798400705823
    DOI: 10.1145/3643833
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. OS integrity
    2. information flow control
    3. smart home

    Qualifiers

    • Research-article

    Conference

    WiSec '24

    Acceptance Rates

    Overall Acceptance Rate 98 of 338 submissions, 29%

    Article Metrics

    • Downloads (Last 12 months): 202
    • Downloads (Last 6 weeks): 32
    Reflects downloads up to 28 Dec 2024
