ContexloT: Towards Providing Contextual Integrity to Appified IoT Platforms

The Internet-of-Things (IoT) has quickly evolved to a new appified era where third-party developers can write apps for IoT platforms using programming frameworks. Like other appified platforms, e.g., the smartphone platform, the permission system plays an important role in platform security. However, design flaws in current IoT platform permission models have been reported recently, exposing users to significant harm such as break-ins and theft. To solve these problems, a new access control model is needed for both current and future IoT platforms. In this paper, we propose ContexIoT, a context-based permission system for appified IoT platforms that provides contextual integrity by supporting fine-grained context identification for sensitive actions, and runtime prompts with rich context information to help users perform effective access control. Context definition in ContexIoT is at the inter-procedure control and data flow levels, that we show to be more comprehensive than previous context-based permission systems for the smartphone platform. ContexIoT is designed to be backward compatible and thus can be directly adopted by current IoT platforms. We prototype ContexIoT on the Samsung SmartThings platform, with an automatic app patching mechanism developed to support unmodified commodity SmartThings apps. To evaluate the system’s effectiveness, we perform the first extensive study of possible attacks on appified IoT platforms by reproducing reported IoT attacks and constructing new IoT attacks based on smartphone malware classes. We categorize these attacks based on lifecycle and adversary techniques, and build the first taxonomized IoT attack app dataset. Evaluating ContexIoT on this dataset, we find that it can effectively distinguish the attack context for all the tested apps. The performance evaluation on 283 commodity IoT apps shows that the app patching adds nearly negligible delay to the event triggering latency, and the permission request frequency is far below the threshold that is considered to risk user habituation or annoyance.

[1]  H. Nissenbaum Privacy as contextual integrity , 2004 .

[2]  Mauro Conti,et al.  CRePE: Context-Related Policy Enforcement for Android , 2010, ISC.

[3]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[4]  Xinwen Zhang,et al.  Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[5]  Ramjee Prasad,et al.  Proposed embedded security framework for Internet of Things (IoT) , 2011, 2011 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace & Electronic Systems Technology (Wireless VITAE).

[6]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[7]  Srdjan Capkun,et al.  Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars , 2010, NDSS.

[8]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[9]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[10]  Helen J. Wang,et al.  User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems , 2012, 2012 IEEE Symposium on Security and Privacy.

[11]  David A. Wagner,et al.  How to Ask for Permission , 2012, HotSec.

[12]  Ross J. Anderson,et al.  Aurasium: Practical Policy Enforcement for Android Applications , 2012, USENIX Security Symposium.

[13]  Ahmad-Reza Sadeghi,et al.  Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies , 2013, USENIX Security Symposium.

[14]  Lorrie Faith Cranor,et al.  Privacy as part of the app decision-making process , 2013, CHI.

[15]  Blase Ur,et al.  The Current State of Access Control for Smart Devices in Homes , 2013 .

[16]  Klara Nahrstedt,et al.  Identity, location, disease and more: inferring your secrets from android public resources , 2013, CCS.

[17]  Rui Wang,et al.  Unauthorized origin crossing on mobile platforms: threats and mitigation , 2013, CCS.

[18]  Stephen Smalley,et al.  Security Enhanced (SE) Android: Bringing Flexible MAC to Android , 2013, NDSS.

[19]  Tongxin Li,et al.  Mayhem in the Push Clouds: Understanding and Mitigating Security Hazards in Mobile Push-Messaging Services , 2014, CCS.

[20]  Blase Ur,et al.  Practical trigger-action programming in the smart home , 2014, CHI.

[21]  Peng Liu,et al.  Duet: library integrity verification for android applications , 2014, WiSec '14.

[22]  XiaoFeng Wang,et al.  Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating , 2014, 2014 IEEE Symposium on Security and Privacy.

[23]  Zhuoqing Morley Mao,et al.  Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks , 2014, USENIX Security Symposium.

[24]  Carl A. Gunter,et al.  Inside Job: Understanding and Mitigating the Threat of External Device Mis-Binding on Android , 2014, NDSS.

[25]  Nan Zhang,et al.  The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations , 2014, 2014 IEEE Symposium on Security and Privacy.

[26]  Hongyang Li,et al.  Screenmilker: How to Milk Your Android Screen for Secrets , 2014, NDSS.

[27]  Tsutomu Matsumoto,et al.  IoTPOT: Analysing the Rise of IoT Compromises , 2015, WOOT.

[28]  Nan Zhang,et al.  Leave Me Alone: App-Level Protection against Runtime Information Gathering on Android , 2015, 2015 IEEE Symposium on Security and Privacy.

[29]  Amir Rahmati,et al.  Context-Specific Access Control: Conforming Permissions With User Expectations , 2015, SPSM@CCS.

[30]  Zhuoqing Morley Mao,et al.  Static Detection of Packet Injection Vulnerabilities: A Case for Identifying Attacker-controlled Implicit Information Leaks , 2015, CCS.

[31]  David A. Wagner,et al.  Android Permissions Remystified: A Field Study on Contextual Integrity , 2015, USENIX Security Symposium.

[32]  Carl A. Gunter,et al.  What's in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources , 2015, NDSS.

[33]  Kai Chen,et al.  From System Services Freezing to System Server Shutdown in Android: All You Need Is a Loop in an App , 2015, CCS.

[34]  Peng Wang,et al.  Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale , 2015, USENIX Security Symposium.

[35]  Srinivasan Seshan,et al.  Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things , 2015, HotNets.

[36]  Shi-Min Hu,et al.  Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS~X and iOS , 2015, CCS.

[37]  Xiao Zhang,et al.  Hare Hunting in the Wild Android: A Study on the Threat of Hanging Attribute References , 2015, CCS.

[38]  Tao Xie,et al.  AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[39]  Xiaofeng Wang,et al.  UIPicker: User-Input Privacy Identification in Mobile Applications , 2015, USENIX Security Symposium.

[40]  Insik Shin,et al.  FLEXDROID: Enforcing In-App Privilege Separation in Android , 2016, NDSS.

[41]  Erik Derr,et al.  On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis , 2016, USENIX Security Symposium.

[42]  Adi Shamir,et al.  Extended Functionality Attacks on IoT Devices: The Case of Smart Lights , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[43]  Zhuoqing Morley Mao,et al.  Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework , 2016, NDSS.

[44]  Dawn Song,et al.  Smart Locks: Lessons for Securing Commodity Internet of Things Devices , 2016, AsiaCCS.

[45]  Xiangyu Liu,et al.  No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing Analysis , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[46]  Christopher Krügel,et al.  TriggerScope: Towards Detecting Logic Bombs in Android Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[47]  Matthew Smith,et al.  SoK: Lessons Learned from Android Security Research for Appified Software Platforms , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[48]  Eric Bodden,et al.  Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques , 2016, NDSS.

[49]  Engin Kirda,et al.  UNVEIL: A large-scale, automated approach to detecting ransomware (keynote) , 2016, SANER.

[50]  Christopher Krügel,et al.  Going Native: Using a Large-Scale Analysis of Android Apps to Create a Practical Native-Code Sandboxing Policy , 2016, NDSS.

[51]  Bin Ma,et al.  Following Devil's Footprints: Cross-Platform Analysis of Potentially Harmful Libraries on Android and iOS , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[52]  Atul Prakash,et al.  FlowFence: Practical Data Protection for Emerging IoT Application Frameworks , 2016, USENIX Security Symposium.

[53]  Earlence Fernandes,et al.  Security Analysis of Emerging Smart Home Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[54]  Shi-Min Hu,et al.  Staying Secure and Unprepared: Understanding and Mitigating the Security Risks of Apple ZeroConf , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[55]  Xiao Zhang,et al.  Life after App Uninstallation: Are the Data Still Alive? Data Residue Attacks on Android , 2016, NDSS.

[56]  Wenke Lee,et al.  The Price of Free: Privacy Leakage in Personalized Mobile In-Apps Ads , 2016, NDSS.