Fear and Logging in the Internet of...
Transcript of Fear and Logging in the Internet of...
![Page 1: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/1.jpg)
Fear and Logging in the Internet of Things
Qi Wang, Wajih Ul Hasan, Adam Bates, Carl Gunter University of Illinois at Urbana-Champaign
Published at NDSS 2018
PresentedByMdMahbuburRahman
ComputerScience,WayneStateUniversity
September24,2018
![Page 2: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/2.jpg)
Outline • InternetofThings• Background• ProvThings• Implementation• Evaluation• Conclusion
2
![Page 3: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/3.jpg)
Internet of Things (IoT) • Anetworkofinterconnecteddevices/sensors
• Devicescanexchangedataviaacommoninterface• InterfaceisconnectedtotheInternet
• Asof2017,thenumberofIoTdevicesincreasedto8.4billion• By2020:30billiondevices• By2020:MarketvalueofIoTisprojectedtoreach$7.1trillion
• Example:SmartHome• Lock/unlockyourdoorwithasmartphoneapplication
3
![Page 4: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/4.jpg)
A Smart Home
Source:
4
![Page 5: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/5.jpg)
A Smart Home
Source:
450+othervendors!!!5
![Page 6: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/6.jpg)
Common Architectures • AllthedevicesareconnectedtoaHub• ACloudsynchronizesdevicestatesandprovideinterfacesforremotemonitoring• AnAppisaprogramthatmanagesdevices
Hub-centric&Cloud-centricArchitectures
Cloud-centric,buthaveaHubaswell.
6
![Page 7: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/7.jpg)
Security Concerns • Howtodiagnoseanincorrect/malicious/misconfigurationbehaviors
• Trigger-actionprogrammingcancreateachain(flow)ofdevicesandappstogethertothepointthatdeterminingtherootcauseofanunexpectedbehavior/eventisoftendifficult.
• MaliciousIoTappsmayexistsinachain.
• AmaliciousappmayforgeaCOdetectioneventandanalarmdetectionappmaysoundthealarmbecauseitcannotdetecttheillegitimatehistoryoftheevent.
• Howtoexplaintheoverallsystembehaviors?• Needtounderstandthelineageoftriggersandactionsthatoccurs.
7
![Page 8: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/8.jpg)
Logging in IoT Platforms • CurrentloggingmechanisminIoTisdevice-centric
• Itisdifficulttocreateacausaldependenciesbetweendifferenteventsanddatastates
• AuthorsanalyzedthelogsofanIrisSystem• “MotionwasdetectedbyIrisindoorcameraat11:13AM”• “Frontdoorwasunlockedat11:13AM”• “Lightwasturnedonat11:14AM”
Whythelightwasturnedonat11:14AM?
8
![Page 9: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/9.jpg)
Data Provenance • Describesthehistoryofactionstakenonadataobjectfromitscreationuptothepresent• “Inwhatenvironmentwasthisdatagenerated?”• “Wasthismessagederivedfromsensitivedata?”
ProvenanceofAppleHomeKit
Thelightwasturnedbecausemotionwas
detected
Tool:W3CPROV-DMItspervasiveandrepresentsprovenancegraphinaDAG 9
![Page 10: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/10.jpg)
PROV-DM [1] • PROV-DMhasthreetypesofnodes
• Entity:isadataobject• Activity:isaprocess• Agent:issomethingthatisresponsibleforEntitiesandActivities
ProvenanceofAppleHomeKit1.https://www.w3.org/TR/prov-overview/
• Edges:encodedependencytypesbetweennodes
WhichEntityWasAttributedTowhichAgentWhichActivityWasAssociatedWithwhichAgentWhichEntityWasGeneratedBywhichActivity.......
10
![Page 11: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/11.jpg)
ProvThings: A Framework • ThreatModel&Assumptions
• API-level attacks: attacker is able to access ormanipulate the state of thesmart home through creation and transition of well-formed API controlmessages.• AccidentalAppconfiguration
• PlausiblescenariosthroughwhichAPI-levelattacksmayhappen• MaliciousApps• DeviceVulnerabilities• Proximity
11
![Page 12: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/12.jpg)
ProvThings: A Framework • Assumptions
• Attackercannotgettherootaccessofthedevices• Attacksthroughcommunicationprotocolsareoutofscope• EntityresponsibleforIoTcentralmanagementisnotcompromised
• SmartThingsCloud
12
![Page 13: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/13.jpg)
ProvThings: Overview • ProvThings isageneral frameworkforcollection,management,andanalysisofdataprovenanceinIoTplatform
13
ArchitectureofProvThingsprovenancemanagementsystem Courtesy:theAuthors
![Page 14: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/14.jpg)
Provenance Collection • ProvThingscollectprovenancemetadatafromdifferentcomponentsofanIoTplatform• IoTApps• DeviceHandlers
• Usesautomatedprograminstrumentationtocollectmetadata• Minimallyinvasivesinceitdoesnotdoanyhardwareinstrumentation
14
![Page 15: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/15.jpg)
Program Instrumentation • ProvThingsinstrumentsIoTAppsstatically
• Helpsbuildthecontrolflowanddataflow
• InstrumentedApp/codecollectsprovenancemetadataatruntime
15
Courtesy:theAuthors
![Page 16: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/16.jpg)
Selective Program Instrumentation • Helpstoavoidcollectingunnecessaryprovenancemetadata• DefineprovenanceintermsofSourcesandSinks
• Source:asecuritysensitivedataobject(e.g.,stateofalock)• Sink:asecuritysensitivemethod(e.g.,commandtounlockadoor)
16
Courtesy:theAuthors
![Page 17: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/17.jpg)
Provenance Management • Aggregatesandmergesprovenancerecordsfromdifferentcollectors,filtersthem,andconvertsthemintoaunifiedIoTprovenancemodel
• Buildsandstorestheprovenancegraphinadatabase• Addsmodularsupportfordifferentbackends:SQL,Neo4j.
17
![Page 18: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/18.jpg)
Provenance Analysis • QueryAPIs:cananalyzeforwardandbackwarddependencyanalysis
• PolicyEngine:allowsuserstocreateconfiguration,policiesintheformofgraph
• PolicyMonitor:Cross-checkswithprovenancegraphifit’savalidpolicyornot
18
![Page 19: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/19.jpg)
Implementation • ImplementedontopofSamsungSmartThings
19
![Page 20: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/20.jpg)
Implementation: Comparison
20
![Page 21: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/21.jpg)
Evaluation • Evaluateonfivemetrics
1. Effectivenessofattackreconstruction2. Instrumentationoverhead3. Runtimeoverhead4. Storageoverhead5. Queryperformance
• Evaluationof1and3isdoneatSmartThingsIDEcloud• 2, 4, and 5 is evaluated at a localmachinewith Intel Core i7-2600Quad-Core3.4GHzprocessorwith16GBRAMrunningUbuntu
21
![Page 22: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/22.jpg)
Evaluation • Overheadmeasurements
• Unmodified(vanilla)SmartApps• ProvFull(instrumentsallinstructionstocollectprovenancedata)• ProvSave(Applyselectivecodeinstrumentation)
• Dataset• SmartAppsof26possibleIoTattacks[2]• 236commoditySmartApps
222.ContexIoT,Jiaetal.NDSS’17
![Page 23: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/23.jpg)
Evaluation • ProvThingswereabletoeffectivelyreconstructall26attacks
• 34ms for SmartApps and 27ms for device handlers as theinstrumentationoverhead
• 260KBofdailystorageoverhead
232.ContexIoT,Jiaetal.NDSS’17
![Page 24: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/24.jpg)
Evaluation • End-to-endlatencyoneventhandlingduetoprovenancecollection
• An event handler sends a textmessage if motion is detected by amotionsensor, the end-to-end event handling latency is the time between themotioneventisreceivedandthetimemessageisdeliveredtotheuser.
242.ContexIoT,Jiaetal.NDSS’17
Testedonbothvirtualandphysicaldevices
InsimulationProvSave:20.6%overheadProvFull:40.4%overhead
RealDevicesProvSave:5.3%and4.5%overheadProvFull:13.8%and8.7%overhead
![Page 25: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/25.jpg)
Evaluation • Provenancestoragegrowth&Queryperformance
252.ContexIoT,Jiaetal.NDSS’17
ProvSaveincurslessstoragecosts
PerformancetestonNeo4j
ProvThingscanrespondquicklytoreal-timemonitoringsystem
![Page 26: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/26.jpg)
Conclusion • ProvThings isa framework forcollection,management,andanalysisofdataprovenanceinIoT
• Limitations• StaticSourceCodeInstrumentation
• Unabletohandledynamicfeaturesofalanguage• DeviceIntegrity
• ProvThingsassumesthatthedevicesarenotcompromised• Compromiseddevicesmaycausewrongprovenancegraphs
262.ContexIoT,Jiaetal.NDSS’17
![Page 27: Fear and Logging in the Internet of Thingswebpages.eng.wayne.edu/~fy8421/18fa-csc6991/slides/7-IoT-1_mahbubur.pdf• Trigger-action programming can create a chain (flow) of devices](https://reader030.fdocuments.us/reader030/viewer/2022041101/5eda8c605f8d0d7f302a4ee8/html5/thumbnails/27.jpg)
Questions?
27