TAPInspector: Safety and Liveness Verification of Concurrent Trigger-Action IoT Systems

Trigger-action programming (TAP) is a popular end-user programming framework that simplifies Internet of Things (IoT) automation with simple trigger-action rules. However, it also introduces new security and safety threats, and many advanced techniques have been proposed to address them. Rigorously reasoning about the security of a TAP-based IoT system requires a well-defined model and verification method that cover both rule semantics and physical-world states, e.g., concurrency, rule latency, and connection-based interactions, which has been missing until now. This paper presents TAPInspector, a novel system that detects vulnerabilities in concurrent TAP-based IoT systems using model checking. It automatically extracts TAP rules from IoT apps, translates them into a hybrid model with model slicing and state compression, and performs model checking against various safety and liveness properties. Our experiments corroborate that TAPInspector is effective: it identifies 533 violations, including 9 new types of violations, from 1108 real-world market IoT apps, and is at least 60000 times faster than the baseline without optimization.
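As an added illustration (not code from the paper or the TAPInspector tool), the following constructed Python model shows the kind of analysis the abstract describes: two TAP rules run concurrently against a small physical-world model in which rule actions are queued before they execute (rule latency), and an explicit-state search checks a safety property over every reachable interleaving and returns the shortest counterexample trace. The devices, rules and events are assumptions chosen for the illustration.

```python
from collections import deque
# Constructed two-rule smart-home TAP system (illustrative; not TAPInspector's own model).
# State = (away, smoke, locked, pending); pending holds queued rule actions that have not
# executed yet, which models rule latency and lets actions interleave with new events.
RULES = [  # (trigger condition on sensor state, action)
    (lambda s: s[0], "lock"),    # leaving home locks the door
    (lambda s: s[1], "unlock"),  # smoke unlocks the door for egress
]
EVENTS = {  # physical-world events the environment may raise at any time
    "leave":       lambda s: (True,  s[1],  s[2], s[3]),
    "come_home":   lambda s: (False, s[1],  s[2], s[3]),
    "smoke_on":    lambda s: (s[0],  True,  s[2], s[3]),
    "smoke_clear": lambda s: (s[0],  False, s[2], s[3]),
}
INIT = (False, False, True, frozenset())  # at home, no smoke, door locked

def fire_rules(before, after):
    """A rule triggers on the rising edge of its condition; its action is only queued."""
    pending = set(after[3])
    for cond, action in RULES:
        if cond(after) and not cond(before):
            pending.add(action)
    return (after[0], after[1], after[2], frozenset(pending))

def successors(state):
    """Next states: any environment event, or execution of any one queued action."""
    for label, event in EVENTS.items():
        yield label, fire_rules(state, event(state))
    for action in sorted(state[3]):  # sorted for a deterministic exploration order
        yield "exec:" + action, (state[0], state[1], action == "lock", state[3] - {action})

def unsafe(state):  # safety property: never unlocked while away, unless smoke is present
    away, smoke, locked, _pending = state
    return away and not locked and not smoke

def check_safety(init, bad):
    """Explicit-state BFS over reachable states; returns the shortest violating trace or None."""
    parent, queue = {init: None}, deque([init])
    while queue:
        state = queue.popleft()
        if bad(state):
            trace = []
            while parent[state] is not None:
                state, label = parent[state]
                trace.append(label)
            return trace[::-1]
        for label, nxt in successors(state):
            if nxt not in parent:
                parent[nxt] = (state, label)
                queue.append(nxt)
    return None  # property holds on every reachable state
```

The returned trace shows the queued unlock action executing after the smoke has already cleared and the occupant has left, a latency-induced violation that a rule-by-rule review would not reveal.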
