Automated IoT Security and Privacy Analysis

Open Access
- Author:
- Celik, Zeynel Berkay
- Graduate Program:
- Computer Science and Engineering
- Degree:
- Doctor of Philosophy
- Document Type:
- Dissertation
- Date of Defense:
- March 08, 2019
- Committee Members:
- Patrick McDaniel, Dissertation Advisor/Co-Advisor
Patrick Drew Mcdaniel, Committee Chair/Co-Chair
Thomas F. La Porta, Committee Member
Gang Tan, Committee Member
David Reitter, Outside Member
A. Selcuk Uluagac, Special Member
- Keywords:
- IoT security and privacy
program analysis
security
privacy
- Abstract:
- The introduction of Internet of Things (IoT) devices that integrate online processes and services with the physical world has had profound effects on society: smart homes, personal monitoring devices, enhanced manufacturing, and other IoT applications have changed the way we live, play, and work. While industry and users have widely embraced the systems supporting IoT, we have yet to understand the implications of these devices on our safety, security, and privacy. In this dissertation, we explore the limitations of existing IoT systems to reason about security and privacy not only as individual devices but as environments of physically and digitally interacting systems. We develop techniques and systems that target safety, security, and privacy analysis of IoT applications and environments within physical spaces. First, we characterize the use and potential misuse of sensitive information and identify sensitive data flows in IoT applications. We introduce SainT, a static taint analysis system that uncovers privacy risks an IoT application presents. Second, we explore the interactions among devices within the physical spaces that lead to unsafe or insecure environments. We design and build Soteria, a static analysis system that models the interactions between devices through source code analysis and verifies via model checking not only the correct operation of a device but the composite behavior of the devices in an environment. Lastly, we develop IoTGuard, a dynamic policy-based enforcement system for IoT devices, which enforces identified properties by monitoring the device execution behavior at runtime. IoTGuard eliminates the limitations of source code analysis in over-approximating IoT states and state transitions, more precisely tracks them using runtime information, and deals with new devices dynamically plugged into an IoT environment. Additionally, we extend safety and security analysis within physical domains to digital domains.
Using these systems, we identify threats to safety, security, and privacy and provide consumers, developers, and industry with systems that mitigate threats to IoT in practice.