LazyTAP: On-Demand Data Minimization for Trigger-Action Applications
Paper in proceeding, 2023

Trigger-Action Platforms (TAPs) empower applications (apps) for connecting otherwise unconnected devices and services. The current TAPs like IFTTT require trigger services to push excessive amounts of sensitive data to the TAP regardless of whether the data will be used in the app, at odds with the principle of data minimization. Furthermore, the rich features of modern TAPs, including IFTTT queries to support multiple trigger services and nondeterminism of apps, have been out of the reach of previous data minimization approaches like minTAP. This paper proposes LazyTAP, a new paradigm for fine-grained on-demand data minimization. LazyTAP breaks away from the traditional push-all approach of coarse-grained data over-approximation. Instead, LazyTAP pulls input data on-demand, once it is accessed by the app execution. Thanks to the fine granularity, LazyTAP enables tight minimization that naturally generalizes to support multiple trigger services via queries and is robust with respect to nondeterministic behavior of the apps. We achieve seamlessness for third-party app developers by leveraging laziness to defer computation and proxy objects to load necessary remote data behind the scenes as it becomes needed. We formally establish the correctness of LazyTAP and its minimization properties with respect to both IFTTT and minTAP. We implement and evaluate LazyTAP on app benchmarks showing that on average LazyTAP improves minimization by 95% over IFTTT and by 38% over minTAP, while incurring a tolerable performance overhead.

Author

Seyed Mohammad Mehdi Ahmadpanah

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Daniel Hedin

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Mälardalens högskola

Andrei Sabelfeld

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Proceedings - IEEE Symposium on Security and Privacy

10816011 (ISSN)

Vol. 2023-May 3079-3097
978-166549336-9 (ISBN)

44th IEEE Symposium on Security and Privacy (S&P) 2023.
Oakland, USA,

WebSec: Securing Web-driven Systems

Swedish Foundation for Strategic Research (SSF) (RIT17-0011), 2018-03-01 -- 2023-02-28.

Areas of Advance

Information and Communication Technology

Subject Categories

Computer Science

Computer Systems

DOI

10.1109/SP46215.2023.00147

ISBN

9781665493369

More information

Latest update

7/22/2024