Fear and Logging in the Internet of...
Transcript of Fear and Logging in the Internet of...
Fear and Logging in the Internet of Things
Qi Wang, Wajih Ul Hasan, Adam Bates, Carl Gunter University of Illinois at Urbana-Champaign
Published at NDSS 2018
PresentedByMdMahbuburRahman
ComputerScience,WayneStateUniversity
September24,2018
Outline • InternetofThings• Background• ProvThings• Implementation• Evaluation• Conclusion
2
Internet of Things (IoT) • Anetworkofinterconnecteddevices/sensors
• Devicescanexchangedataviaacommoninterface• InterfaceisconnectedtotheInternet
• Asof2017,thenumberofIoTdevicesincreasedto8.4billion• By2020:30billiondevices• By2020:MarketvalueofIoTisprojectedtoreach$7.1trillion
• Example:SmartHome• Lock/unlockyourdoorwithasmartphoneapplication
3
A Smart Home
Source:
4
A Smart Home
Source:
450+othervendors!!!5
Common Architectures • AllthedevicesareconnectedtoaHub• ACloudsynchronizesdevicestatesandprovideinterfacesforremotemonitoring• AnAppisaprogramthatmanagesdevices
Hub-centric&Cloud-centricArchitectures
Cloud-centric,buthaveaHubaswell.
6
Security Concerns • Howtodiagnoseanincorrect/malicious/misconfigurationbehaviors
• Trigger-actionprogrammingcancreateachain(flow)ofdevicesandappstogethertothepointthatdeterminingtherootcauseofanunexpectedbehavior/eventisoftendifficult.
• MaliciousIoTappsmayexistsinachain.
• AmaliciousappmayforgeaCOdetectioneventandanalarmdetectionappmaysoundthealarmbecauseitcannotdetecttheillegitimatehistoryoftheevent.
• Howtoexplaintheoverallsystembehaviors?• Needtounderstandthelineageoftriggersandactionsthatoccurs.
7
Logging in IoT Platforms • CurrentloggingmechanisminIoTisdevice-centric
• Itisdifficulttocreateacausaldependenciesbetweendifferenteventsanddatastates
• AuthorsanalyzedthelogsofanIrisSystem• “MotionwasdetectedbyIrisindoorcameraat11:13AM”• “Frontdoorwasunlockedat11:13AM”• “Lightwasturnedonat11:14AM”
Whythelightwasturnedonat11:14AM?
8
Data Provenance • Describesthehistoryofactionstakenonadataobjectfromitscreationuptothepresent• “Inwhatenvironmentwasthisdatagenerated?”• “Wasthismessagederivedfromsensitivedata?”
ProvenanceofAppleHomeKit
Thelightwasturnedbecausemotionwas
detected
Tool:W3CPROV-DMItspervasiveandrepresentsprovenancegraphinaDAG 9
PROV-DM [1] • PROV-DMhasthreetypesofnodes
• Entity:isadataobject• Activity:isaprocess• Agent:issomethingthatisresponsibleforEntitiesandActivities
ProvenanceofAppleHomeKit1.https://www.w3.org/TR/prov-overview/
• Edges:encodedependencytypesbetweennodes
WhichEntityWasAttributedTowhichAgentWhichActivityWasAssociatedWithwhichAgentWhichEntityWasGeneratedBywhichActivity.......
10
ProvThings: A Framework • ThreatModel&Assumptions
• API-level attacks: attacker is able to access ormanipulate the state of thesmart home through creation and transition of well-formed API controlmessages.• AccidentalAppconfiguration
• PlausiblescenariosthroughwhichAPI-levelattacksmayhappen• MaliciousApps• DeviceVulnerabilities• Proximity
11
ProvThings: A Framework • Assumptions
• Attackercannotgettherootaccessofthedevices• Attacksthroughcommunicationprotocolsareoutofscope• EntityresponsibleforIoTcentralmanagementisnotcompromised
• SmartThingsCloud
12
ProvThings: Overview • ProvThings isageneral frameworkforcollection,management,andanalysisofdataprovenanceinIoTplatform
13
ArchitectureofProvThingsprovenancemanagementsystem Courtesy:theAuthors
Provenance Collection • ProvThingscollectprovenancemetadatafromdifferentcomponentsofanIoTplatform• IoTApps• DeviceHandlers
• Usesautomatedprograminstrumentationtocollectmetadata• Minimallyinvasivesinceitdoesnotdoanyhardwareinstrumentation
14
Program Instrumentation • ProvThingsinstrumentsIoTAppsstatically
• Helpsbuildthecontrolflowanddataflow
• InstrumentedApp/codecollectsprovenancemetadataatruntime
15
Courtesy:theAuthors
Selective Program Instrumentation • Helpstoavoidcollectingunnecessaryprovenancemetadata• DefineprovenanceintermsofSourcesandSinks
• Source:asecuritysensitivedataobject(e.g.,stateofalock)• Sink:asecuritysensitivemethod(e.g.,commandtounlockadoor)
16
Courtesy:theAuthors
Provenance Management • Aggregatesandmergesprovenancerecordsfromdifferentcollectors,filtersthem,andconvertsthemintoaunifiedIoTprovenancemodel
• Buildsandstorestheprovenancegraphinadatabase• Addsmodularsupportfordifferentbackends:SQL,Neo4j.
17
Provenance Analysis • QueryAPIs:cananalyzeforwardandbackwarddependencyanalysis
• PolicyEngine:allowsuserstocreateconfiguration,policiesintheformofgraph
• PolicyMonitor:Cross-checkswithprovenancegraphifit’savalidpolicyornot
18
Implementation • ImplementedontopofSamsungSmartThings
19
Implementation: Comparison
20
Evaluation • Evaluateonfivemetrics
1. Effectivenessofattackreconstruction2. Instrumentationoverhead3. Runtimeoverhead4. Storageoverhead5. Queryperformance
• Evaluationof1and3isdoneatSmartThingsIDEcloud• 2, 4, and 5 is evaluated at a localmachinewith Intel Core i7-2600Quad-Core3.4GHzprocessorwith16GBRAMrunningUbuntu
21
Evaluation • Overheadmeasurements
• Unmodified(vanilla)SmartApps• ProvFull(instrumentsallinstructionstocollectprovenancedata)• ProvSave(Applyselectivecodeinstrumentation)
• Dataset• SmartAppsof26possibleIoTattacks[2]• 236commoditySmartApps
222.ContexIoT,Jiaetal.NDSS’17
Evaluation • ProvThingswereabletoeffectivelyreconstructall26attacks
• 34ms for SmartApps and 27ms for device handlers as theinstrumentationoverhead
• 260KBofdailystorageoverhead
232.ContexIoT,Jiaetal.NDSS’17
Evaluation • End-to-endlatencyoneventhandlingduetoprovenancecollection
• An event handler sends a textmessage if motion is detected by amotionsensor, the end-to-end event handling latency is the time between themotioneventisreceivedandthetimemessageisdeliveredtotheuser.
242.ContexIoT,Jiaetal.NDSS’17
Testedonbothvirtualandphysicaldevices
InsimulationProvSave:20.6%overheadProvFull:40.4%overhead
RealDevicesProvSave:5.3%and4.5%overheadProvFull:13.8%and8.7%overhead
Evaluation • Provenancestoragegrowth&Queryperformance
252.ContexIoT,Jiaetal.NDSS’17
ProvSaveincurslessstoragecosts
PerformancetestonNeo4j
ProvThingscanrespondquicklytoreal-timemonitoringsystem
Conclusion • ProvThings isa framework forcollection,management,andanalysisofdataprovenanceinIoT
• Limitations• StaticSourceCodeInstrumentation
• Unabletohandledynamicfeaturesofalanguage• DeviceIntegrity
• ProvThingsassumesthatthedevicesarenotcompromised• Compromiseddevicesmaycausewrongprovenancegraphs
262.ContexIoT,Jiaetal.NDSS’17
Questions?
27