skip to main content

This content will become publicly available on August 1, 2022

Title: Capture: Centralized Library Management for Heterogeneous IoT Devices
With their growing popularity, Internet-of-Things (IoT) devices have become attractive targets for attack. Like most modern software systems, IoT device firmware depends on external third-party libraries extensively, increasing the attack surface of IoT devices. Furthermore, we find that the risk is compounded by inconsistent library management practices and delays in applying security updates—sometimes hundreds of days behind the public availability of critical patches—by device vendors. Worse yet, because these dependencies are "baked into" the vendor-controlled firmware, even security-conscious users are unable to take matters into their own hands when it comes to good security hygiene. We present Capture, a novel architecture for deploying IoT device firmware that addresses this problem by allowing devices on a local network to leverage a centralized hub with third-party libraries that are managed and kept up-to-date by a single trusted entity. An IoT device supporting Capture comprises of two components: Capture-enabled firmware on the device and a remote driver that uses third-party libraries on the Capture hub in the local network. To ensure isolation, we introduce a novel Virtual Device Entity (VDE) interface that facilitates access control between mutually-distrustful devices that reside on the same hub. Our evaluation on a prototype implementation of Capture, along with more » 9 devices and 3 automation applets ported to our framework, shows that our approach incurs low overhead in most cases (<15% increased latency, <10% additional resources). We show that a single Capture Hub with modest hardware can support hundreds of devices, keeping their shared libraries up-to-date. « less
Authors:
; ; ;
Award ID(s):
1801472 1564009
Publication Date:
NSF-PAR ID:
10316413
Journal Name:
30th USENIX Security Symposium (USENIX Security 21)
Sponsoring Org:
National Science Foundation
More Like this
  1. Internet of Things is growing rapidly, with many connected devices now available to consumers. With this growth, the IoT apps that manage the devices from smartphones raise significant security concerns. Typically, these apps are secured via sensitive credentials such as email and password that need to be validated through specific servers, thus requiring permissions to access the Internet. Unfortunately, even when developers of these apps are well-intentioned, such apps can be non-trivial to secure so as to guarantee that user’s credentials do not leak to unauthorized servers on the Internet. For example, if the app relies on third-party libraries, asmore »many do, those libraries can potentially capture and leak sensitive credentials. Bugs in the applications can also result in exploitable vulnerabilities that leak credentials. This paper presents our work in-progress on a prototype that enables developers to control how information flows within the app from sensitive UI data to specific servers. We extend FlowFence to enforce fine-grained information flow policies on sensitive UI data. A version of the paper is also available at: https://arxiv.org/abs/1810.13367. The final version is available at: https://portaldeconteudo.sbc.org.br/index.php/sbseg/article/view/4263« less
  2. Internet of Things is growing rapidly, with many connected devices now available to consumers. With this growth, the IoT apps that manage the devices from smartphones raise significant security concerns. Typically, these apps are secured via sensitive credentials such as email and password that need to be validated through specific servers, thus requiring permissions to access the Internet. Unfortunately, even when developers of these apps are well-intentioned, such apps can be non-trivial to secure so as to guarantee that user’s credentials do not leak to unauthorized servers on the Internet. For example, if the app relies on third-party libraries, asmore »many do, those libraries can potentially capture and leak sensitive credentials. Bugs in the applications can also result in exploitable vulnerabilities that leak credentials. This paper presents our work in-progress on a prototype that enables developers to control how information flows within the app from sensitive UI data to specific servers. We extend FlowFence to enforce fine-grained information flow policies on sensitive UI data.« less
  3. Growth of the Internet-of-things has led to complex system-on-chips (SoCs) being used in the edge devices in IoT applications. The increased complexity is demanding designers to consider several critical factors, such as dynamic requirement changes, long application life, mass production, and tight time-to-market deadlines. These requirements lead to more complex security concerns. SoC manufacturers outsource some of the intellectual property cores integrated on the SoC to untrusted third-party vendors. The untrusted intellectual properties can contain malicious implants, which can launch attacks using the resources provided by the on-chip interconnection network, commonly known as the network-on-chip (NoC). Existing efforts on securingmore »NoC have considered lightweight encryption, authentication, and other attack detection mechanisms such as denial-of-service and buffer overflows. Unfortunately, these approaches focus on designing statically optimized security solutions. As a result, they are not suitable for many IoT systems with long application life and dynamic requirement changes. There is a critical need to design reconfigurable security architectures that can be dynamically tuned based on changing requirements. In this article, we propose a tier-based reconfigurable security architecture that can adapt to different use-case scenarios. We explore how to design an efficient reconfigurable architecture that can support three popular NoC security mechanisms (encryption, authentication, and denial-of-service attack detection and localization) and implement suitable dynamic reconfiguration techniques. We evaluate our proposed framework by running standard benchmarks enabling different tiers of security and provide a comprehensive analysis of how different levels of security can affect application performance, energy efficiency, and area overhead.« less
  4. The edge devices connected to the Internet of Things (IoT) infrastructures are increasingly susceptible to piracy. These pirated edge devices pose a serious threat to security, as an adversary can get access to the private network through these non-authentic devices. It is necessary to authenticate an edge device over an unsecured channel to safeguard the network from being infiltrated through these fake devices. The implementation of security features demands extensive computational power and a large hardware/software overhead, both of which are difficult to satisfy because of inherent resource limitation in the IoT edge devices. This paper presents a low-cost authenticationmore »protocol for IoT edge devices that exploits power-up states of built-in SRAM for device fingerprint generations. Unclonable ID generated from the on-chip SRAM could be unreliable, and to circumvent this issue, we propose a novel ID matching scheme that alleviates the need for enhancing the reliability of the IDs generated from on-chip SRAMs. Security and different attack analysis show that the probability of impersonating an edge device by an adversary is insignificant. The protocol is implemented using a commercial microcontroller, which requires a small code overhead. However, no modification of device hardware is necessary.« less
  5. In this paper, we study the fundamental problem of gossip in the mobile telephone model: a recently introduced variation of the classical telephone model modified to better describe the local peer-to-peer communication services implemented in many popular smartphone operating systems. In more detail, the mobile telephone model differs from the classical telephone model in three ways: (1) each device can participate in at most one connection per round; (2) the network topology can undergo a parameterized rate of change; and (3) devices can advertise a parameterized number of bits about their state to their neighbors in each round before connectionmore »attempts are initiated. We begin by describing and analyzing new randomized gossip algorithms in this model under the harsh assumption of a network topology that can change completely in every round. We prove a significant time complexity gap between the case where nodes can advertise 0 bits to their neighbors in each round, and the case where nodes can advertise 1 bit. For the latter assumption, we present two solutions: the first depends on a shared randomness source, while the second eliminates this assumption using a pseudorandomness generator we prove to exist with a novel generalization of a classical result from the study of two-party communication complexity. We then turn our attention to the easier case where the topology graph is stable, and describe and analyze a new gossip algorithm that provides a substantial performance improvement for many parameters. We conclude by studying a relaxed version of gossip in which it is only necessary for nodes to each learn a specified fraction of the messages in the system. We prove that our existing algorithms for dynamic network topologies and a single advertising bit solve this relaxed version up to a polynomial factor faster (in network size) for many parameters. These are the first known gossip results for the mobile telephone model, and they significantly expand our understanding of how to communicate and coordinate in this increasingly relevant setting.« less