Smart homes are interconnected homes in which a wide variety of digital devices with limited resources communicate with multiple users and among themselves using multiple protocols. The deployment of resource-limited devices and the use of a wide range of technologies expand the attack surface and position the smart home as a target for many potential security threats. Access control is among the top security challenges in smart home IoT. Several access control models have been developed or adapted for IoT in general, with a few specifically designed for the smart home IoT domain. Most of these models are built on the role-based access control (RBAC) model or the attribute-based access control (ABAC) model. However, recently some researchers demonstrated that the need arises for a hybrid model combining ABAC and RBAC, thereby incorporating the benefits of both models to better meet IoT access control challenges in general and smart homes requirements in particular. In this paper, we used two approaches to develop two different hybrid models for smart home IoT. We followed a role-centric approach and an attribute-centric approach to develop HyBAC RC and HyBAC AC , respectively. We formally define these models and illustrate their features through a use case scenario demonstration. We further provide a proof-of-concept implementation for each model in Amazon Web Services (AWS) IoT platform. Finally, we conduct a theoretical comparison between the two models proposed in this paper in addition to the EGRBAC model (RBAC model for smart home IoT) and HABAC model (ABAC model for smart home IoT), which were previously developed to meet smart homes’ challenges.
more »
« less
An Attribute-Based Approach toward a Secured Smart-Home IoT Access Control and a Comparison with a Role-Based Approach
The area of smart homes is one of the most popular for deploying smart connected devices. One of the most vulnerable aspects of smart homes is access control. Recent advances in IoT have led to several access control models being developed or adapted to IoT from other domains, with few specifically designed to meet the challenges of smart homes. Most of these models use role-based access control (RBAC) or attribute-based access control (ABAC) models. As of now, it is not clear what the advantages and disadvantages of ABAC over RBAC are in general, and in the context of smart-home IoT in particular. In this paper, we introduce HABACα, an attribute-based access control model for smart-home IoT. We formally define HABACα and demonstrate its features through two use-case scenarios and a proof-of-concept implementation. Furthermore, we present an analysis of HABACα as compared to the previously published EGRBAC (extended generalized role-based access control) model for smart-home IoT by first describing approaches for constructing HABACα specification from EGRBAC and vice versa in order to compare the theoretical expressiveness power of these models, and second, analyzing HABACα and EGRBAC models against standard criteria for access control models. Our findings suggest that a hybrid model that combines both HABACα and EGRBAC capabilities may be the most suitable for smart-home IoT, and probably more generally.
more »
« less
- Award ID(s):
- 1736209
- PAR ID:
- 10331590
- Date Published:
- Journal Name:
- Information
- Volume:
- 13
- Issue:
- 2
- ISSN:
- 2078-2489
- Page Range / eLocation ID:
- 60
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Smart homes are interconnected homes in which a wide variety of digital devices with limited resources communicate with multiple users and among themselves using multiple protocols. The deployment of resource-limited devices and the use of a wide range of technologies expand the attack surface and position the smart home as a target for many potential security threats. Access control is among the top security challenges in smart home IoT. Several access control models have been developed or adapted for IoT in general, with a few specifically designed for the smart home IoT domain. Most of these models are built on the role-based access control (RBAC) model or the attribute-based access control (ABAC) model. However, recently some researchers demonstrated that the need arises for a hybrid model combining ABAC and RBAC, thereby incorporating the benefits of both models to better meet IoT access control challenges in general and smart homes requirements in particular. In this paper, we used two approaches to develop two different hybrid models for smart home IoT. We followed a role-centric approach and an attribute-centric approach to develop HyBAC RC and HyBAC AC , respectively. We formally define these models and illustrate their features through a use case scenario demonstration. We further provide a proof-of-concept implementation for each model in Amazon Web Services (AWS) IoT platform. Finally, we conduct a theoretical comparison between the two models proposed in this paper in addition to the EGRBAC model (RBAC model for smart home IoT) and HABAC model (ABAC model for smart home IoT), which were previously developed to meet smart homes’ challenges.more » « less
-
Creating effective access control policies is a significant challenge to many organizations. Over-privilege increases security risk from compromised credentials, insider threats, and accidental misuse. Under-privilege prevents users from performing their duties. Policies must balance between these competing goals of minimizing under-privilege vs. over-privilege. The Attribute Based Access Control (ABAC) model has been gaining popularity in recent years because of its advantages in granularity, flexibility, and usability. ABAC allows administrators to create policies based on attributes of users, operations, resources, and the environment. However, in practice, it is often very difficult to create effective ABAC policies in terms of minimizing under-privilege and over-privilege especially for large and complex systems because their ABAC privilege spaces are typically gigantic. In this paper, we take a rule mining approach to mine systems' audit logs for automatically generating ABAC policies which minimize both under-privilege and over-privilege. We propose a rule mining algorithm for creating ABAC policies with rules, a policy scoring algorithm for evaluating ABAC policies from the least privilege perspective, and performance optimization methods for dealing with the challenges of large ABAC privilege spaces. Using a large dataset of 4.7 million Amazon Web Service (AWS) audit log events, we demonstrate that our automated approach can effectively generate least privilege ABAC policies, and can generate policies with less over-privilege and under-privilege than a Role Based Access Control (RBAC) approach. Overall, we hope our work can help promote a wider and faster deployment of the ABAC model, and can help unleash the advantages of ABAC to better protect large and complex computing systems.more » « less
-
The pervasive nature of smart connected devices has intruded on our daily lives and has become an intrinsic part of our world. However, the wide use of the Internet of Things (IoT) in critical application domains has raised concerns for user privacy and security against growing cyber threats. In particular, the implications of cyber exploitation for IoT devices are beyond financial losses and could constitute risks to human life. Most deployed access control solutions for smart IoT systems do not offer policy individualization, the ability to specify or change the policy according to the individual user’s preference. As a result, currently deployed systems are not well suited to specify access control policies in a multi-user environment, where users access the same devices to perform different operations. The system’s security gets tricky when the smart ecosystem involves complicated social relationships, much like in a smart home. Relationship-based access control (ReBAC), widely used in online social networks, offers the ability to consider user relationships in defining access control decisions and supports policy individualization. However, to the best of our knowledge, no such attempt has been made to develop a formal ReBAC model for smart IoT systems. This paper proposes a ReBAC IoT dynamic and fine-grained access control model which considers the social relationships among users along with the attributes to support an attributes-aware relationship-based access control model for smart IoT systems. ReBAC IoT is formally defined, illustrated through different use cases, implemented, and tested.more » « less
-
The pervasive nature of smart connected devices has intruded on our daily lives and has become an intrinsic part of our world. However, the wide use of the Internet of Things (IoT) in critical application domains has raised concerns for user privacy and security against growing cyber threats. In particular, the implications of cyber exploitation for IoT devices are beyond financial losses and could constitute risks to human life. Most deployed access control solutions for smart IoT systems do not offer policy individualization, the ability to specify or change the policy according to the individual user’s preference. As a result, currently deployed systems are not well suited to specify access control policies in a multi-user environment, where users access the same devices to perform different operations. The system’s security gets tricky when the smart ecosystem involves complicated social relationships, much like in a smart home. Relationship-based access control (ReBAC), widely used in online social networks, offers the ability to consider user relationships in defining access control decisions and supports policy individualization. However, to the best of our knowledge, no such attempt has been made to develop a formal ReBAC model for smart IoT systems. This paper proposes a ReBAC IoT dynamic and fine-grained access control model which considers the social relationships among users along with the attributes to support an attributes-aware relationship-based access control model for smart IoT systems. ReBAC IoT is formally defined, illustrated through different use cases, implemented, and tested.more » « less