Post on 31-May-2020
Fear and Logging in the Internet of Things
Qi Wang, Wajih Ul Hasan, Adam Bates, Carl Gunter University of Illinois at Urbana-Champaign
Published at NDSS 2018
PresentedByMdMahbuburRahman
ComputerScience,WayneStateUniversity
September24,2018
Outline • InternetofThings• Background• ProvThings• Implementation• Evaluation• Conclusion
2
Internet of Things (IoT) • Anetworkofinterconnecteddevices/sensors
• Devicescanexchangedataviaacommoninterface• InterfaceisconnectedtotheInternet
• Asof2017,thenumberofIoTdevicesincreasedto8.4billion• By2020:30billiondevices• By2020:MarketvalueofIoTisprojectedtoreach$7.1trillion
• Example:SmartHome• Lock/unlockyourdoorwithasmartphoneapplication
3
A Smart Home
Source:
4
A Smart Home
Source:
450+othervendors!!!5
Common Architectures • AllthedevicesareconnectedtoaHub• ACloudsynchronizesdevicestatesandprovideinterfacesforremotemonitoring• AnAppisaprogramthatmanagesdevices
Hub-centric&Cloud-centricArchitectures
Cloud-centric,buthaveaHubaswell.
6
Security Concerns • Howtodiagnoseanincorrect/malicious/misconfigurationbehaviors
• Trigger-actionprogrammingcancreateachain(flow)ofdevicesandappstogethertothepointthatdeterminingtherootcauseofanunexpectedbehavior/eventisoftendifficult.
• MaliciousIoTappsmayexistsinachain.
• AmaliciousappmayforgeaCOdetectioneventandanalarmdetectionappmaysoundthealarmbecauseitcannotdetecttheillegitimatehistoryoftheevent.
• Howtoexplaintheoverallsystembehaviors?• Needtounderstandthelineageoftriggersandactionsthatoccurs.
7
Logging in IoT Platforms • CurrentloggingmechanisminIoTisdevice-centric
• Itisdifficulttocreateacausaldependenciesbetweendifferenteventsanddatastates
• AuthorsanalyzedthelogsofanIrisSystem• “MotionwasdetectedbyIrisindoorcameraat11:13AM”• “Frontdoorwasunlockedat11:13AM”• “Lightwasturnedonat11:14AM”
Whythelightwasturnedonat11:14AM?
8
Data Provenance • Describesthehistoryofactionstakenonadataobjectfromitscreationuptothepresent• “Inwhatenvironmentwasthisdatagenerated?”• “Wasthismessagederivedfromsensitivedata?”
ProvenanceofAppleHomeKit
Thelightwasturnedbecausemotionwas
detected
Tool:W3CPROV-DMItspervasiveandrepresentsprovenancegraphinaDAG 9
PROV-DM [1] • PROV-DMhasthreetypesofnodes
• Entity:isadataobject• Activity:isaprocess• Agent:issomethingthatisresponsibleforEntitiesandActivities
ProvenanceofAppleHomeKit1.https://www.w3.org/TR/prov-overview/
• Edges:encodedependencytypesbetweennodes
WhichEntityWasAttributedTowhichAgentWhichActivityWasAssociatedWithwhichAgentWhichEntityWasGeneratedBywhichActivity.......
10
ProvThings: A Framework • ThreatModel&Assumptions
• API-level attacks: attacker is able to access ormanipulate the state of thesmart home through creation and transition of well-formed API controlmessages.• AccidentalAppconfiguration
• PlausiblescenariosthroughwhichAPI-levelattacksmayhappen• MaliciousApps• DeviceVulnerabilities• Proximity
11
ProvThings: A Framework • Assumptions
• Attackercannotgettherootaccessofthedevices• Attacksthroughcommunicationprotocolsareoutofscope• EntityresponsibleforIoTcentralmanagementisnotcompromised
• SmartThingsCloud
12
ProvThings: Overview • ProvThings isageneral frameworkforcollection,management,andanalysisofdataprovenanceinIoTplatform
13
ArchitectureofProvThingsprovenancemanagementsystem Courtesy:theAuthors
Provenance Collection • ProvThingscollectprovenancemetadatafromdifferentcomponentsofanIoTplatform• IoTApps• DeviceHandlers
• Usesautomatedprograminstrumentationtocollectmetadata• Minimallyinvasivesinceitdoesnotdoanyhardwareinstrumentation
14
Program Instrumentation • ProvThingsinstrumentsIoTAppsstatically
• Helpsbuildthecontrolflowanddataflow
• InstrumentedApp/codecollectsprovenancemetadataatruntime
15
Courtesy:theAuthors
Selective Program Instrumentation • Helpstoavoidcollectingunnecessaryprovenancemetadata• DefineprovenanceintermsofSourcesandSinks
• Source:asecuritysensitivedataobject(e.g.,stateofalock)• Sink:asecuritysensitivemethod(e.g.,commandtounlockadoor)
16
Courtesy:theAuthors
Provenance Management • Aggregatesandmergesprovenancerecordsfromdifferentcollectors,filtersthem,andconvertsthemintoaunifiedIoTprovenancemodel
• Buildsandstorestheprovenancegraphinadatabase• Addsmodularsupportfordifferentbackends:SQL,Neo4j.
17
Provenance Analysis • QueryAPIs:cananalyzeforwardandbackwarddependencyanalysis
• PolicyEngine:allowsuserstocreateconfiguration,policiesintheformofgraph
• PolicyMonitor:Cross-checkswithprovenancegraphifit’savalidpolicyornot
18
Implementation • ImplementedontopofSamsungSmartThings
19
Implementation: Comparison
20
Evaluation • Evaluateonfivemetrics
1. Effectivenessofattackreconstruction2. Instrumentationoverhead3. Runtimeoverhead4. Storageoverhead5. Queryperformance
• Evaluationof1and3isdoneatSmartThingsIDEcloud• 2, 4, and 5 is evaluated at a localmachinewith Intel Core i7-2600Quad-Core3.4GHzprocessorwith16GBRAMrunningUbuntu
21
Evaluation • Overheadmeasurements
• Unmodified(vanilla)SmartApps• ProvFull(instrumentsallinstructionstocollectprovenancedata)• ProvSave(Applyselectivecodeinstrumentation)
• Dataset• SmartAppsof26possibleIoTattacks[2]• 236commoditySmartApps
222.ContexIoT,Jiaetal.NDSS’17
Evaluation • ProvThingswereabletoeffectivelyreconstructall26attacks
• 34ms for SmartApps and 27ms for device handlers as theinstrumentationoverhead
• 260KBofdailystorageoverhead
232.ContexIoT,Jiaetal.NDSS’17
Evaluation • End-to-endlatencyoneventhandlingduetoprovenancecollection
• An event handler sends a textmessage if motion is detected by amotionsensor, the end-to-end event handling latency is the time between themotioneventisreceivedandthetimemessageisdeliveredtotheuser.
242.ContexIoT,Jiaetal.NDSS’17
Testedonbothvirtualandphysicaldevices
InsimulationProvSave:20.6%overheadProvFull:40.4%overhead
RealDevicesProvSave:5.3%and4.5%overheadProvFull:13.8%and8.7%overhead
Evaluation • Provenancestoragegrowth&Queryperformance
252.ContexIoT,Jiaetal.NDSS’17
ProvSaveincurslessstoragecosts
PerformancetestonNeo4j
ProvThingscanrespondquicklytoreal-timemonitoringsystem
Conclusion • ProvThings isa framework forcollection,management,andanalysisofdataprovenanceinIoT
• Limitations• StaticSourceCodeInstrumentation
• Unabletohandledynamicfeaturesofalanguage• DeviceIntegrity
• ProvThingsassumesthatthedevicesarenotcompromised• Compromiseddevicesmaycausewrongprovenancegraphs
262.ContexIoT,Jiaetal.NDSS’17
Questions?
27