Table of Content
- CHEX: statically vetting Android apps for component hijacking vulnerabilities
- OKAPI: In Support of Application Correctness in Smart Home Environments
- Security-Analysis-of-Emerging-Smart-Home-Applications
- SmartMon: Misbehavior Detection via Monitoring Smart Home Automations
- Related Papers
- PScout: analyzing the Android permission specification
- Code & Tools
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
First, coarse-grained capabilities lead to over 55% of existing SmartApps to be overprivileged. Second, coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for. First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock pincodes. We conclude the paper with security lessons for the design of emerging smart home programming frameworks.
CHEX: statically vetting Android apps for component hijacking vulnerabilities
This paper explores the requirements for a system to support secure embedded user interfaces by systematically analyzing existing systems like browsers, smartphones, and research systems and evaluates the implementation using case studies that rely on embedded interfaces. An in-depth analysis to four widely used smart home solutions reveals several vulnerabilities that lead to unexpected state transitions and proposes some general design suggestions for building a more secure smart home solution. An analysis of the permission system of the Android smartphone OS is performed and it is found that a trade-off exists between enabling least-privilege security with fine-grained permissions and maintaining stability of the permissions specification as the Android OS evolves. A cross-layer security enforcement system for smart home by monitoring the behaviors of both apps and users is proposed, incorporating user activity recognition via the physical-layer wireless signals into the definition and enforcement of security policies to constraint the app behavior. It is argued that if the security and privacy issues are not considered, devices using the solution are inevitably vulnerable and thus the privacy and security of smart home are seriously threatened.
It is demonstrated that existing cloud-based smart home platforms provide insufficient support for applications to correctly deal with concurrency and data consistency issues, and OKAPI, an application-level API that provides strict atomicity and event ordering is presented. This paper takes the approach of user-driven access control, whereby permission granting is built into existing user actions in the context of an application, rather than added as an afterthought via manifests or system prompts. This paper proposes CHEX, a static analysis method to automatically vet Android apps for component hijacking vulnerabilities, and prototyped CHEX based on Dalysis, a generic static analysis framework that was built to support many types of analysis on Android app bytecode. This paper conducts three case studies that evaluate the extent to which commercial smart devices provide affordances related to access control and finds that each device has its own siloed access-control system and that each approach fails to provide seemingly essential affordances. A key finding is that SmartThings apps are automatically overprivileged, which can leave users vulnerable to various remote attacks. A set of guidelines is proposed to aid platform designers in determining the most appropriate permission-granting mechanism for a given permission, and a preliminary evaluation indicates that this model will reduce the number of warnings presented to users, thereby reducing habituation effects.
OKAPI: In Support of Application Correctness in Smart Home Environments
Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. We analyzed Samsung-owned SmartThings because it has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks. Overprivilege is a security design flaw wherein an app gains access to more operations on protected resources than it requires to complete its claimed functionality. For instance, a battery manager app only needs access to read battery levels of devices. However, if this app can also issue operations to control the on/off status of those devices, that would be overprivilege.
Stowaway, a tool that detects overprivilege in compiled Android applications, is built and finds that about one-third of applications are overprivileged. This work examines Android application interaction and identifies security risks in application components and provides a tool, ComDroid, that detects application communication vulnerabilities and found 34 exploitable vulnerabilities. A novel context-aware security framework that can detect malicious behavior in SHS with high accuracy (over 95%) and secure the SHS regardless of the smart home layout, device configuration, installed apps, and enforced user policies is introduced. In the paper, the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers are pinpointed.
Security-Analysis-of-Emerging-Smart-Home-Applications
This paper explores the numerous ways smart homes can and do provide protection for their residents and investigates not only existing commercial products that have been introduced but also discusses the numerous research that has been focused on detecting and identifying potential threats. Dennis Sylvester Elected to National Academy of Inventors Sylvester’s inventions in low-power chip design have led to multiple startup companies and products found in hundreds of millions of devices. Electrical and Computer Engineering is the technological foundation of modern society, and the unseen force behind today’s intelligent systems. With its impact on clean energy, precision health, cybersecurity, autonomy, communications, the quantum revolution and more, ECE holds the key to a better society. Python script that automatically creates skeleton device handlers inside the SmartThings IDE. A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.
