The design of secure IoT applications using patterns: State of the art and directions for research

Abstract Internet of Things (IoT) systems are exposed to a large variety of threats due to the inclusion of many devices which may have different owners and manufacturers. IoT applications often include parts in clouds and fogs as well as being part of larger cyber-physical systems; that is, these systems are very complex, which also contributes to their security problems. The design of IoT-based applications must be able to handle this complexity and heterogeneity; patterns are a good approach for this purpose because of their abstraction power. When using patterns, a good catalog is necessary. We survey and classify existing IoT security patterns to see their coverage and quality to evaluate how appropriate they are to be part of a useful catalog. A practical catalog must cover most of the standard security mechanisms. Pattern descriptions include several sections according to a template. We conclude that the number of existing patterns is insufficient for a working catalog and most of them are incomplete or use different descriptions; we need to build a unified catalog. We have started in that direction by creating new patterns or rewriting existing patterns to make them follow a common description. To use the patterns, we need a secure development methodology and we survey IoT development methodologies; we find that none of them considers security or uses patterns. As a solution, we propose modifying existing pattern-based methodologies for distributed systems, of which there is a good variety, using one of them as reference for concreteness. We provide a list of possible research directions about these topics.

[1]  Athanasios V. Vasilakos,et al.  A survey on trust management for Internet of Things , 2014, J. Netw. Comput. Appl..

[2]  Nonhlanhla Ntuli,et al.  A Simple Security Architecture for Smart Water Management System , 2016, ANT/SEIT.

[3]  Mohammad Ilyas,et al.  A Pattern for Fog Computing , 2016, VikingPLoP '16.

[4]  Sven Helmer,et al.  An architecture pattern for trusted orchestration in IoT edge clouds , 2018, 2018 Third International Conference on Fog and Mobile Edge Computing (FMEC).

[5]  Robert O. Briggs,et al.  Modifiers: Increasing Richness and Nuance of Design Pattern Languages , 2008, EuroPLoP.

[6]  Arjan Kuijper,et al.  Implementing secure applications in smart city clouds using microservices , 2019, Future Gener. Comput. Syst..

[7]  Kai Jander,et al.  Practical Defense-in-depth Solution for Microservice Systems , 2019, J. Ubiquitous Syst. Pervasive Networks.

[8]  Sotiris Ioannidis,et al.  Pattern-Driven Security, Privacy, Dependability and Interoperability Management of IoT Environments , 2019, 2019 IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD).

[9]  Eduardo B. Fernández,et al.  A misuse Pattern for DDoS in the IoT , 2018, EuroPLoP.

[10]  Georgios Kambourakis,et al.  DDoS in the IoT: Mirai and Other Botnets , 2017, Computer.

[11]  Eduardo B. Fernandez,et al.  A Pattern for Whitelisting Firewalls (WLF) , 2013 .

[12]  Abdelhakim Hannousse,et al.  Securing Microservices and Microservice Architectures: A Systematic Mapping Study , 2020, ArXiv.

[13]  Eduardo B. Fernandez,et al.  A Comprehensive Pattern-Driven Security Methodology for Distributed Systems , 2014, 2014 23rd Australian Software Engineering Conference.

[14]  Martin Fowler,et al.  Analysis patterns - reusable object models , 1996, Addison-Wesley series in object-oriented software engineering.

[15]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[16]  Stephen S. Yau,et al.  A Reference Architecture for Improving Security and Privacy in Internet of Things Applications , 2014, 2014 IEEE International Conference on Mobile Services.

[17]  Jeffrey Voas,et al.  Internet of Things (IoT) Trust Concerns , 2018 .

[18]  Eduardo B. Fernández,et al.  Security Patterns for Physical Access Control Systems , 2007, DBSec.

[19]  Eduardo B. Fernández,et al.  Modeling and Security in Cloud Ecosystems , 2016, Future Internet.

[20]  Kai Rannenberg,et al.  Applying Privacy Patterns to the Internet of Things’ (IoT) Architecture , 2019, Mob. Networks Appl..

[21]  Zheng Yan,et al.  SecIoT: a security framework for the Internet of Things , 2016, Secur. Commun. Networks.

[22]  Jan Zibuschka,et al.  The ENTOURAGE Privacy and Security Reference Architecture for Internet of Things Ecosystems , 2019, Open Identity Summit.

[23]  Deep Medhi,et al.  A Secure Microservice Framework for IoT , 2017, 2017 IEEE Symposium on Service-Oriented System Engineering (SOSE).

[24]  Pankesh Patel,et al.  Enabling high-level application development for the Internet of Things , 2015, J. Syst. Softw..

[25]  Hernán Astudillo,et al.  Security in microservice-based systems: A Multivocal literature review , 2021, Comput. Secur..

[26]  Eduardo B. Fernández,et al.  Securing distributed systems using patterns: A survey , 2012, Comput. Secur..

[27]  Rodrigo Roman,et al.  Securing the Internet of Things , 2017, Smart Cards, Tokens, Security and Applications, 2nd Ed..

[28]  Eduardo B. Fernández,et al.  Threat Modeling in Cyber-Physical Systems , 2016, 2016 IEEE 14th Intl Conf on Dependable, Autonomic and Secure Computing, 14th Intl Conf on Pervasive Intelligence and Computing, 2nd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech).

[29]  Jong Hyuk Park,et al.  A Survey on Cyber Physical System Security for IoT: Issues, Challenges, Threats, Solutions , 2018, J. Inf. Process. Syst..

[30]  Antonio Esposito,et al.  Internet of things reference architectures, security and interoperability: A survey , 2018, Internet Things.

[31]  Paulo F. Pires,et al.  COMFIT: A development environment for the Internet of Things , 2017, Future Gener. Comput. Syst..

[32]  Mihaela Cardei,et al.  A pattern for a sensor node , 2010, PLOP '10.

[33]  Shiuh-Pyng Shieh,et al.  Emerging Security Threats and Countermeasures in IoT , 2015, AsiaCCS.

[34]  Oliver Kopp,et al.  A Detailed Analysis of IoT Platform Architectures: Concepts, Similarities, and Differences , 2018, Internet of Everything.

[35]  Antonio Iera,et al.  The Internet of Things: A survey , 2010, Comput. Networks.

[36]  Dieter Gollmann,et al.  Computer Security , 1979, Lecture Notes in Computer Science.

[37]  Panagiotis Katsaros,et al.  Model‐based design of IoT systems with the BIP component framework , 2018, Softw. Pract. Exp..

[38]  Christof Fetzer,et al.  Building Critical Applications Using Microservices , 2016, IEEE Security & Privacy.

[39]  Nicolas Mayer,et al.  A Comprehensive Reference Model for Blockchain-based Distributed Ledger Technology , 2017, ER Forum/Demos.

[40]  Mário M. Freire,et al.  Attack and System Modeling Applied to IoT, Cloud, and Mobile Ecosystems , 2020, ACM Comput. Surv..

[41]  Andreas Seitz,et al.  Fogxy: An Architectural Pattern for Fog Computing , 2018, EuroPLoP.

[42]  Christian Kreiner,et al.  A Microservice Architecture for the Industrial Internet-Of-Things , 2018, EuroPLoP.

[43]  Liang Chen,et al.  A service computing manifesto , 2017, Commun. ACM.

[44]  Liming Chen,et al.  Users' Privacy Concerns in IoT Based Applications , 2018, 2018 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI).

[45]  Eduardo B. Fernández,et al.  Secure Middleware Patterns , 2012, CSS.

[46]  Marco Brambilla,et al.  Model-driven development of user interfaces for IoT systems via domain-specific components and patterns , 2017, Journal of Internet Services and Applications.

[47]  Jan Pries-Heje,et al.  Soft design science methodology , 2009, DESRIST.

[48]  Hans A. Hansson,et al.  Applicability of the IEC 62443 standard in Industry 4.0 / IIoT , 2019, ARES.

[49]  Partha Pratim Ray A survey on Internet of Things architectures , 2018, J. King Saud Univ. Comput. Inf. Sci..

[50]  Sotiris Ioannidis,et al.  Towards a Collection of Security and Privacy Patterns , 2021, Applied Sciences.

[51]  João Pascoal Faria,et al.  A Reactive and Model-Based Approach for Developing Internet-of-Things Systems , 2018, 2018 11th International Conference on the Quality of Information and Communications Technology (QUATIC).

[52]  Eduardo B. Fernández,et al.  Modeling Misuse Patterns , 2009, 2009 International Conference on Availability, Reliability and Security.

[53]  Franco Zambonelli,et al.  Towards a General Software Engineering Methodology for the Internet of Things , 2016, ArXiv.

[54]  Aref Meddeb,et al.  Internet of things standards: who stands out from the crowd? , 2016, IEEE Communications Magazine.

[55]  Eduardo B. Fernández,et al.  Abstract security patterns for requirements specification and analysis of secure systems , 2014, WER.

[56]  Nicolas Ferry,et al.  Research Landscape of Patterns and Architectures for IoT Security: A Systematic Review , 2020, 2020 46th Euromicro Conference on Software Engineering and Advanced Applications (SEAA).

[57]  Phu Hong Nguyen,et al.  A Systematic Mapping of Patterns and Architectures for IoT Security , 2020, IoTBDS.

[58]  Bedir Tekinerdogan,et al.  Pattern Based Integration of Internet of Things Systems , 2018, ICIOT.

[59]  Praveen Gauravaram,et al.  Blockchain for IoT security and privacy: The case study of a smart home , 2017, 2017 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops).

[60]  Anton V. Uzunov A survey of security solutions for distributed publish/subscribe systems , 2016, Comput. Secur..

[61]  George Spanoudakis,et al.  Architectural Patterns for Secure IoT Orchestrations , 2019, 2019 Global IoT Summit (GIoTS).

[62]  Eduardo B. Fernandez,et al.  An Ontology for Security Patterns , 2019, 2019 38th International Conference of the Chilean Computer Science Society (SCCC).

[63]  Dimitrios Tzovaras,et al.  From Internet of Threats to Internet of Things: A Cyber Security Architecture for Smart Homes , 2019, 2019 IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD).

[64]  Frank Leymann,et al.  Internet of Things Patterns for Communication and Management , 2019, Trans. Pattern Lang. Program..

[65]  Roy H. Campbell,et al.  World of Empowered IoT Users , 2016, 2016 IEEE First International Conference on Internet-of-Things Design and Implementation (IoTDI).

[66]  Schahram Dustdar,et al.  Principles for Engineering IoT Cloud Systems , 2015, IEEE Cloud Computing.

[67]  Nasir Ghani,et al.  Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-Scale IoT Exploitations , 2019, IEEE Communications Surveys & Tutorials.

[68]  Frank Leymann,et al.  Comparison of IoT platform architectures: A field study based on a reference architecture , 2016, 2016 Cloudification of the Internet of Things (CIoT).

[69]  Wen-Tin Lee,et al.  A case study in applying security design patterns for IoT software system , 2017, 2017 International Conference on Applied System Innovation (ICASI).

[70]  Peter Schartner,et al.  Security for the Robot Operating System , 2017, Robotics Auton. Syst..

[71]  Eduardo B. Fernández,et al.  A comprehensive pattern-oriented approach to engineering security methodologies , 2015, Inf. Softw. Technol..

[72]  Paul Davidsson,et al.  IoT-based Systems of Systems , 2016 .

[73]  Mohsen Ahmadvand,et al.  Requirements Reconciliation for Scalable and Secure Microservice (De)composition , 2016, 2016 IEEE 24th International Requirements Engineering Conference Workshops (REW).

[74]  Michael Weyrich,et al.  Reference Architectures for the Internet of Things , 2016, IEEE Software.

[75]  Andrei Brazhuk Semantic model of attacks and vulnerabilities based on CAPEC and CWE dictionaries , 2019 .

[76]  Anuradha M. Annaswamy,et al.  Trustworthy Cyber Physical Systems , 2016, 2016 29th International Conference on VLSI Design and 2016 15th International Conference on Embedded Systems (VLSID).

[77]  Atsuo Hazeyama,et al.  Landscape of Architecture and Design Patterns for IoT Systems , 2020, IEEE Internet of Things Journal.

[78]  Henry Muccini,et al.  IoT Architectural Styles - A Systematic Mapping Study , 2018, ECSA.

[79]  Daniel Minoli,et al.  Blockchain mechanisms for IoT security , 2018, Internet Things.