Modern end-user computing platforms such as smartphones
(e.g., Android and iOS) and smart home systems (e.g., SmartThings
and NEST) provide programmable interfaces for third-party
integration, enabling expressive and popular functionality that is
often manifested in applications, or apps.
Thus, for the last decade, designing security systems to
analyze apps for
vulnerabilities or unwanted behavior has been a major focus within
the security community. This approach has continued well into the
smart home, with researchers developing systems inspired by lessons
from Android security to inspect IoT
apps developed for popular platforms such as
SmartThings. However, emerging characteristics of smart home
ecosystems indicate that IoT apps may not represent automation in
real homes, and may even be unavailable in the near future. That
is, while API misuse by third-party developers is an important
problem, the approach of
analyzing/instrumenting IoT apps may not offer
an effective or sustainable solution.

In this talk, I will describe the challenges for research
against the backdrop of the unsuitability of IoT apps for practical
security analysis, and motivate three alternate research
directions. First, I will describe the need to develop an
alternative artifact for security analysis that is representative
of automation usage in the wild. To this end, I will introduce
Helion, a system that uses statistical language modeling to
generate natural home automation
scenarios, i.e., realistic event
sequences that are closely aligned with the real home automation
usage in end-user homes, which can be used for security or safety
analysis. Second, I will illustrate the need to improve the
security of mobile companion apps, which often form the weakest
link in smart home deployments, and the important position of
security analysis/compliance tools in ensuring the development of
secure companion apps. To this end, I will present the mSE
framework, which automatically and rigorously evaluates static
program analysis-based security systems using mutation testing. Our
work on mSE (and its successor, MASC) culminated in the discovery
of critical security flaws in popular tools such as FlowDroid,
CryptoGuard, Argus, and Coverity that affect the reliability and
soundness of their analysis. Finally, I will conclude the talk by
describing our current efforts to build
system-level defenses into IoT
platforms that are agnostic to IoT apps, i.e., independent of their
visibility or mutability, thereby potentially providing a lasting
solution to API misuse by third-party developers.