Situational Access Control in the Internet of Things

Title: Situational Access Control in the Internet of Things
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Schuster, Roei; Shmatikov, Vitaly; Tromer, Eran
Conference Name: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-5693-0
Keywords: Access Control, composability, Cross Layer Security, Human Behavior, Internet of Things, IoT Security 2018, Metrics, pubcrawl, Resiliency
Abstract

Access control in the Internet of Things (IoT) often depends on a situation -- for example, "the user is at home" -- that can only be tracked using multiple devices. In contrast to the (well-studied) smartphone frameworks, enforcement of situational constraints in the IoT poses new challenges because access control is fundamentally decentralized. It takes place in multiple independent frameworks, subjects are often external to the enforcement system, and situation tracking requires cross-framework interaction and permissioning. Existing IoT frameworks entangle access-control enforcement and situation tracking. This results in overprivileged, redundant, inconsistent, and inflexible implementations. We design and implement a new approach to IoT access control. Our key innovation is to introduce "environmental situation oracles" (ESOs) as first-class objects in the IoT ecosystem. An ESO encapsulates the implementation of how a situation is sensed, inferred, or actuated. IoT access-control frameworks can use ESOs to enforce situational constraints, but ESOs and frameworks remain oblivious to each other's implementation details. A single ESO can be used by multiple access-control frameworks across the ecosystem. This reduces inefficiency, supports consistent enforcement of common policies, and -- because ESOs encapsulate sensitive device-access rights -- reduces overprivileging. ESOs can be deployed at any layer of the IoT software stack where access control is applied. We implemented prototype ESOs for the IoT resource layer, based on the IoTivity framework, and for the IoT Web services, based on the Passport middleware.
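To make the ESO idea concrete, here is a small added model (not code from the paper or its IoTivity/Passport prototypes) in which one oracle for the situation "user is at home" fuses readings from several devices, holds the only handle to those devices, and is consulted by name by two independent access-control frameworks that never touch the devices themselves. The device names, readings, and the policy table are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    state: dict  # constructed sample readings, not real device output

class EnvironmentalSituationOracle:
    """Encapsulates how a situation is inferred; device-access rights live only here."""
    def __init__(self, situation, devices, infer):
        self.situation = situation
        self._devices = devices      # frameworks never see these objects
        self._infer = infer          # the sensing/inference logic is an implementation detail
    def holds(self):
        return self._infer({d.name: d.state for d in self._devices})

class AccessControlFramework:
    """One enforcement point (e.g. resource layer or web service) that knows situations only by name."""
    def __init__(self, name):
        self.name = name
        self._oracles = {}
        self._policy = {}            # (subject, resource) -> situation name required for access
    def register_oracle(self, eso):
        self._oracles[eso.situation] = eso
    def allow_when(self, subject, resource, situation):
        self._policy[(subject, resource)] = situation
    def check(self, subject, resource):
        situation = self._policy.get((subject, resource))
        if situation is None:
            return False             # no rule: deny
        eso = self._oracles.get(situation)
        if eso is None:
            return False             # situation cannot be tracked: fail closed
        return eso.holds()

def user_at_home(readings):
    # Hypothetical fusion rule over three devices; any single device alone would be a weak signal.
    return (readings["front-door-lock"]["locked"]
            and readings["phone-geofence"]["inside"]
            and readings["motion-sensor"]["recent_motion"])

def build_demo():
    devices = [Device("front-door-lock", {"locked": True}),
               Device("phone-geofence", {"inside": True}),
               Device("motion-sensor", {"recent_motion": True})]
    eso = EnvironmentalSituationOracle("user_at_home", devices, user_at_home)
    resource_layer = AccessControlFramework("resource-layer")   # stands in for the IoTivity layer
    web_services = AccessControlFramework("web-services")       # stands in for the Passport layer
    for fw in (resource_layer, web_services):
        fw.register_oracle(eso)                                 # one ESO shared by both frameworks
    resource_layer.allow_when("guest-app", "/light/livingroom", "user_at_home")
    web_services.allow_when("cleaner", "door/unlock", "user_at_home")
    return devices, resource_layer, web_services
```

Changing any one device reading flips the decision in both frameworks at once, which is the consistency the abstract describes; neither framework was ever granted access to the lock, phone, or motion sensor.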

URL: http://doi.acm.org/10.1145/3243734.3243817
DOI: 10.1145/3243734.3243817
Citation Key: schuster_situational_2018