Principled Flow Tracking in IoT and Low-Level Applications
Doctoral thesis, 2022

Significant fractions of our lives are spent digitally, connected to and dependent on Internet-based applications, be it through the Web, mobile, or IoT. All such applications have access to and are entrusted with private user data, such as location, photos, browsing habits, private feed from social networks, or bank details.

In this thesis, we focus on IoT and Web(Assembly) apps. We demonstrate IoT apps to be vulnerable to attacks by malicious app makers who are able to bypass the sandboxing mechanisms enforced by the platform to stealthy exfiltrate user data. We further give examples of carefully crafted WebAssembly code abusing the semantics to leak user data.

We are interested in applying language-based technologies to ensure application security due to the formal guarantees they provide. Such technologies analyze the underlying program and track how the information flows in an application, with the goal of either statically proving its security, or preventing insecurities from happening at runtime. As such, for protecting against the attacks on IoT apps, we develop both static and dynamic methods, while for securing WebAssembly apps we describe a hybrid approach, combining both.

While language-based technologies provide strong security guarantees, they are still to see a widespread adoption outside the academic community where they emerged.
In this direction, we outline six design principles to assist the developer in choosing the right security characterization and enforcement mechanism for their system.
We further investigate the relative expressiveness of two static enforcement mechanisms which pursue fine- and coarse-grained approaches for tracking the flow of sensitive information in a system. Finally, we provide the developer with an automatic method for reducing the manual burden associated with some of the language-based enforcements.

WebAssembly apps

automatic labeling

IoT apps

enforcement granularity

design principles

information-flow control

language-based security

HA4, Hörsalar HA, Hörsalsvägen 4 | Registration for attendance on site:
Opponent: Limin Jia, Carnegie Mellon University, USA


Iulia Bastys

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Clockwork: Tracking Remote Timing Attacks

Proceedings - IEEE Computer Security Foundations Symposium,; Vol. 2020-June(2020)p. 350-365

Paper in proceeding

Securing IoT Apps

IEEE Security and Privacy,; Vol. 17(2019)p. 22-29

Journal article

Tracking Information Flow via Delayed Output: Addressing Privacy in IoT and Emailing Apps

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),; Vol. 11252 LNCS(2018)p. 19-37

Paper in proceeding

Prudent Design Principles for Information Flow Control

Proceedings of the 13th Workshop on Programming Languages and Analysis for Security, PLAS 2018,; (2018)p. 17-23

Paper in proceeding

If This Then What? Controlling Flows in IoT Apps

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018,; (2018)p. 1102-1119

Paper in proceeding

Automatic Annotation of Confidential Data in Java Code

Lecture Notes in Computer Science,; Vol. 13291(2022)

Paper in proceeding

Type systems for information flow control: the question of granularity

ACM SIGLOG News,; Vol. 4(2017)p. 6-21

Magazine article

Securing IoT and Low-Level Applications

Whenever she parks her car, Alice receives an email with a map where the car is parked, her thermostat turns on automatically based on her proximity to home, and every photo taken with her smartphone is automatically backed up on the cloud.

Through the use of IoT and Web(Assembly) applications, users entrust different services with large amounts of private data: location, photos, private feed from social networks, browser habits, or bank details. But how do we ensure Bob does not receive the map with Alice’s car location, the photos she backs up, or that he doesn’t alter her thermostat settings?

This thesis demonstrates possible scenarios in which Bob does get stealthily access to Alice’s car location or her photos, and it provides rigorous methods with mathematical guarantees for protecting against them. These methods analyze a program at the language level and ensure that inputs to the program containing private data are not output to undesired third parties. We further build similar methods for protecting private data flowing inside low-level applications written in WebAssembly, a recent language for web programming.

To encourage the development and large-scale adoption of these methods outside the academic community, we outline rules and guidelines to assist the developer when faced with novel scenarios, and we propose a technique for automatically inferring which data is private in a program.

Subject Categories

Computer and Information Science



Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5079



HA4, Hörsalar HA, Hörsalsvägen 4 | Registration for attendance on site:


Opponent: Limin Jia, Carnegie Mellon University, USA

More information

Latest update

2/1/2022 8