Many solutions have been proposed to curb unexpected behavior of automation apps installed on programmable IoT platforms by enforcing safety policies at runtime. However, all prior work addresses a weaker version of the actual problem due to a simpler, unrealistic threat model. These solutions are not general enough, as they are heavily dependent on the installed apps and catered to specific IoT platforms. Here, we address a stronger version of the problem via a realistic threat model, where (i) undesired cyber actions can come not only from automation platform backends (e.g., SmartThings) but also from closed-source third-party services (e.g., IFTTT), and (ii) physical actions (e.g., user interactions) on devices can move the IoT system to an undesirable state. We propose a runtime mechanism, dubbed Maverick, which employs an app-independent, platform-agnostic mediator to enforce policies against all undesired cyber actions and applies corrective actions to bring the IoT system back to a safe state after an unsafe state transition. Maverick is equipped with a policy language capable of expressing rich temporal invariants and an automated toolchain that includes a policy synthesizer and a policy analyzer for user assistance. We implemented Maverick in a prototype and showed its efficacy in both physical and virtual testbeds, incurring minimal overhead.
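As an added illustration (not the paper's code and not Maverick's actual design), the sketch below models the two enforcement paths the abstract distinguishes: cyber actions from any backend are checked against the policy before they are applied and denied if they would violate it, while physical actions on a device cannot be blocked, so the mediator observes the new state and applies a corrective action. The invariants, device names and state values are constructed for the example; only state invariants are modelled, not the temporal ones the abstract mentions.

```python
# Constructed invariants: 'violated' is a predicate over the device-state
# dict that returns True in an unsafe state; 'fix' is the corrective action.
INVARIANTS = [
    {"name": "no heater while window open",
     "violated": lambda s: s["heater"] == "on" and s["window"] == "open",
     "fix": {"heater": "off"}},
    {"name": "front door locked when nobody is home",
     "violated": lambda s: s["door"] == "unlocked" and s["presence"] == "away",
     "fix": {"door": "locked"}},
]


class Mediator:
    """App-independent mediator sitting between the device state and every
    source of actions (platform backend, third-party service, or the user)."""

    def __init__(self, state):
        self.state = dict(state)   # constructed device state, e.g. heater/window/door
        self.log = []              # (decision, source, changes, invariant) tuples

    def _violations(self, state):
        return [inv for inv in INVARIANTS if inv["violated"](state)]

    def cyber_action(self, source, changes):
        """A request from any cloud side (e.g. 'smartthings', 'ifttt').
        Evaluate the would-be state first; apply only if no invariant fails."""
        candidate = {**self.state, **changes}
        bad = self._violations(candidate)
        if bad:
            self.log.append(("deny", source, changes, bad[0]["name"]))
            return False
        self.state = candidate
        self.log.append(("allow", source, changes, None))
        return True

    def physical_action(self, changes):
        """A manual action on the device has already happened, so it is
        recorded as-is; if it lands in an unsafe state, apply the fix."""
        self.state.update(changes)
        for inv in self._violations(self.state):
            self.state.update(inv["fix"])
            self.log.append(("correct", "physical", changes, inv["name"]))
        return dict(self.state)
```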