A Principled Approach to Securing IoT Apps
We demonstrate that the most popular IoT app platforms are susceptible to attacks by malicious app makers and suggest short and longterm countermeasures for securing the apps. For short-term protection we rely on access control and suggest the apps to be classified either as exclusively private or exclusively public, disallowing in this way information from private sources to flow to public sinks.
For longterm protection we rely on a principled approach for designing information flow controls. Following these principles we define projected security, a variant of noninterference that captures the attacker’s view of an app, and design two mechanisms for enforcing it. A static enforcement based on a flow-sensitive type system may be used by the platform to statically analyze the apps before being published on the app store. This enforcement covers leaks stemming from both explicit and implicit flows, but is not expressive enough to address timing attacks. Hence we design a second enforcement based on a dynamic monitor that covers the timing channels as well.
information flow control
Internet of Things
Chalmers, Data- och informationsteknik, Informationssäkerhet
Informations- och kommunikationsteknik
Technical report L - School of Electrical and Computer Engineering, Chalmers University of Technology. : 185
Chalmers tekniska högskola
EDIT building, ED room
Opponent: Tamara Rezk, INRIA Sophia Antipolis-Méditerranée, France