Search for: All records

We present CAPLets, an authorization mechanism that extends capability based security to support fine grained access control for multi-scale (sensors, edge, cloud) IoT deployments. To enable this, CAPLets uses a strong cryptographic construction to provide integrity while preserving computational efficiency for resource constrained systems. Moreover, CAPLets augments capabilities with dynamic, user defined constraints to describe arbitrary access control policies. We introduce an application specific, turing complete virtual machine, CapVM, alongside with eBPF and Wasm, to describe constraints. We show that CAPLets is able to express permissions and requirements at a fine grain, facilitating construction of non-trivial access control policies. We empirically evaluate the efficiency and flexibility of CAPLets abstractions using resource constrained devices and end-to-end IoT deployments, and compare it against related mechanisms in wide use today. Our empirical results show that CAPLets is an order of magnitude faster and more energy efficient than current IoT authorization systems. 

We present MSDBench – a set of benchmarks designed to illuminate the effects of deployment choices and operating system ab- stractions on microservices performance in IoT settings. The microser- vices architecture has emerged as a mainstay set of design principles for cloud-hosted, network-facing applications. Their utility as a design pattern for “The Internet of Things” (IoT) is less well understood. We use MSDBench to show the performance impacts of different deploy- ment choices and isolation domain assignments for Linux and Ambience, an experimental operating system specifically designed to support mi- croservices for IoT. These results indicate that deployment choices can have a dramatic impact on microservices performance, and thus, MSD- Bench is a useful tool for developers and researchers in this space.