fear and logging in the internet of things · internet of things (iot) • a network of...

Fear and Logging in the Internet of Things

Qi Wang, Wajih Ul Hasan, Adam Bates, Carl Gunter University of Illinois at Urbana-Champaign

Published at NDSS 2018

PresentedByMdMahbuburRahman

ComputerScience,WayneStateUniversity

September24,2018

Outline •  InternetofThings• Background• ProvThings•  Implementation•  Evaluation• Conclusion

2

Internet of Things (IoT) • Anetworkofinterconnecteddevices/sensors

•  Devicescanexchangedataviaacommoninterface•  InterfaceisconnectedtotheInternet

• Asof2017,thenumberofIoTdevicesincreasedto8.4billion•  By2020:30billiondevices•  By2020:MarketvalueofIoTisprojectedtoreach$7.1trillion

•  Example:SmartHome•  Lock/unlockyourdoorwithasmartphoneapplication

3

A Smart Home

Source:

4

A Smart Home

Source:

450+othervendors!!!5

Common Architectures • AllthedevicesareconnectedtoaHub• ACloudsynchronizesdevicestatesandprovideinterfacesforremotemonitoring• AnAppisaprogramthatmanagesdevices

Hub-centric&Cloud-centricArchitectures

Cloud-centric,buthaveaHubaswell.

6

Security Concerns • Howtodiagnoseanincorrect/malicious/misconfigurationbehaviors

•  Trigger-actionprogrammingcancreateachain(flow)ofdevicesandappstogethertothepointthatdeterminingtherootcauseofanunexpectedbehavior/eventisoftendifficult.

•  MaliciousIoTappsmayexistsinachain.

•  AmaliciousappmayforgeaCOdetectioneventandanalarmdetectionappmaysoundthealarmbecauseitcannotdetecttheillegitimatehistoryoftheevent.

• Howtoexplaintheoverallsystembehaviors?• Needtounderstandthelineageoftriggersandactionsthatoccurs.

7

Logging in IoT Platforms • CurrentloggingmechanisminIoTisdevice-centric

•  Itisdifficulttocreateacausaldependenciesbetweendifferenteventsanddatastates

• AuthorsanalyzedthelogsofanIrisSystem•  “MotionwasdetectedbyIrisindoorcameraat11:13AM”•  “Frontdoorwasunlockedat11:13AM”•  “Lightwasturnedonat11:14AM”

Whythelightwasturnedonat11:14AM?

8

Data Provenance • Describesthehistoryofactionstakenonadataobjectfromitscreationuptothepresent•  “Inwhatenvironmentwasthisdatagenerated?”•  “Wasthismessagederivedfromsensitivedata?”

ProvenanceofAppleHomeKit

Thelightwasturnedbecausemotionwas

detected

Tool:W3CPROV-DMItspervasiveandrepresentsprovenancegraphinaDAG 9

PROV-DM [1] • PROV-DMhasthreetypesofnodes

•  Entity:isadataobject•  Activity:isaprocess•  Agent:issomethingthatisresponsibleforEntitiesandActivities

ProvenanceofAppleHomeKit1.https://www.w3.org/TR/prov-overview/

•  Edges:encodedependencytypesbetweennodes

WhichEntityWasAttributedTowhichAgentWhichActivityWasAssociatedWithwhichAgentWhichEntityWasGeneratedBywhichActivity.......

10

ProvThings: A Framework •  ThreatModel&Assumptions

•  API-level attacks: attacker is able to access ormanipulate the state of thesmart home through creation and transition of well-formed API controlmessages.•  AccidentalAppconfiguration

• PlausiblescenariosthroughwhichAPI-levelattacksmayhappen•  MaliciousApps•  DeviceVulnerabilities•  Proximity

11

ProvThings: A Framework • Assumptions

•  Attackercannotgettherootaccessofthedevices•  Attacksthroughcommunicationprotocolsareoutofscope•  EntityresponsibleforIoTcentralmanagementisnotcompromised

•  SmartThingsCloud

12

ProvThings: Overview • ProvThings isageneral frameworkforcollection,management,andanalysisofdataprovenanceinIoTplatform

13

ArchitectureofProvThingsprovenancemanagementsystem Courtesy:theAuthors

Provenance Collection • ProvThingscollectprovenancemetadatafromdifferentcomponentsofanIoTplatform•  IoTApps•  DeviceHandlers

• Usesautomatedprograminstrumentationtocollectmetadata•  Minimallyinvasivesinceitdoesnotdoanyhardwareinstrumentation

14

Program Instrumentation • ProvThingsinstrumentsIoTAppsstatically

•  Helpsbuildthecontrolflowanddataflow

•  InstrumentedApp/codecollectsprovenancemetadataatruntime

15

Courtesy:theAuthors

Selective Program Instrumentation • Helpstoavoidcollectingunnecessaryprovenancemetadata• DefineprovenanceintermsofSourcesandSinks

•  Source:asecuritysensitivedataobject(e.g.,stateofalock)•  Sink:asecuritysensitivemethod(e.g.,commandtounlockadoor)

16

Courtesy:theAuthors

Provenance Management • Aggregatesandmergesprovenancerecordsfromdifferentcollectors,filtersthem,andconvertsthemintoaunifiedIoTprovenancemodel

• Buildsandstorestheprovenancegraphinadatabase•  Addsmodularsupportfordifferentbackends:SQL,Neo4j.

17

Provenance Analysis • QueryAPIs:cananalyzeforwardandbackwarddependencyanalysis

• PolicyEngine:allowsuserstocreateconfiguration,policiesintheformofgraph

• PolicyMonitor:Cross-checkswithprovenancegraphifit’savalidpolicyornot

18

Implementation •  ImplementedontopofSamsungSmartThings

19

Implementation: Comparison

20

Evaluation •  Evaluateonfivemetrics

1.  Effectivenessofattackreconstruction2.  Instrumentationoverhead3.  Runtimeoverhead4.  Storageoverhead5.  Queryperformance

•  Evaluationof1and3isdoneatSmartThingsIDEcloud•  2, 4, and 5 is evaluated at a localmachinewith Intel Core i7-2600Quad-Core3.4GHzprocessorwith16GBRAMrunningUbuntu

21

Evaluation • Overheadmeasurements

•  Unmodified(vanilla)SmartApps•  ProvFull(instrumentsallinstructionstocollectprovenancedata)•  ProvSave(Applyselectivecodeinstrumentation)

• Dataset•  SmartAppsof26possibleIoTattacks[2]•  236commoditySmartApps

222.ContexIoT,Jiaetal.NDSS’17

Evaluation • ProvThingswereabletoeffectivelyreconstructall26attacks

•  34ms for SmartApps and 27ms for device handlers as theinstrumentationoverhead

•  260KBofdailystorageoverhead

232.ContexIoT,Jiaetal.NDSS’17

Evaluation •  End-to-endlatencyoneventhandlingduetoprovenancecollection

•  An event handler sends a textmessage if motion is detected by amotionsensor, the end-to-end event handling latency is the time between themotioneventisreceivedandthetimemessageisdeliveredtotheuser.

242.ContexIoT,Jiaetal.NDSS’17

Testedonbothvirtualandphysicaldevices

InsimulationProvSave:20.6%overheadProvFull:40.4%overhead

RealDevicesProvSave:5.3%and4.5%overheadProvFull:13.8%and8.7%overhead

Evaluation • Provenancestoragegrowth&Queryperformance

252.ContexIoT,Jiaetal.NDSS’17

ProvSaveincurslessstoragecosts

PerformancetestonNeo4j

ProvThingscanrespondquicklytoreal-timemonitoringsystem

Conclusion • ProvThings isa framework forcollection,management,andanalysisofdataprovenanceinIoT

•  Limitations•  StaticSourceCodeInstrumentation

•  Unabletohandledynamicfeaturesofalanguage•  DeviceIntegrity

•  ProvThingsassumesthatthedevicesarenotcompromised•  Compromiseddevicesmaycausewrongprovenancegraphs

262.ContexIoT,Jiaetal.NDSS’17

Questions?

27