Decentralized Action Integrity for Trigger-Action IoT Platforms

Summary

Trigger-Action platforms are web-based systems that enable users to create automation rules by stitching together online services representing digital and physical resources using OAuth tokens. Unfortunately, these platforms introduce a longrange large-scale security risk: If they are compromised, an attacker can misuse the OAuth tokens belonging to a large number of users to arbitrarily manipulate their devices and data. We introduce Decentralized Action Integrity, a security principle that prevents an untrusted trigger-action platform from misusing compromised OAuth tokens in ways that are inconsistent with any given user’s set of trigger-action rules. We present the design and evaluation of Decentralized Trigger-Action Platform (DTAP), a trigger-action platform that implements this principle by overcoming practical challenges. DTAP splits currently monolithic platform designs into an untrusted cloud service, and a set of user clients (each user only trusts their client). Our design introduces the concept of Transfer Tokens (XTokens) to practically use fine grained rule-specific tokens without increasing the number of OAuth permission prompts compared to current platforms. Our evaluation indicates that DTAP poses negligible overhead: it adds less than 15ms of latency to rule execution time, and reduces throughput by 2.5%.

Research Paper

PDF

When referring to our work, please cite it as:

Earlence Fernandes, Amir Rahmati, Jaeyeon Jung, Atul Prakash
Decentralized Action Integrity for Trigger-Action IoT Platforms
22nd Network and Distributed Security Symposium (NDSS 2018), San Diego, CA, Feb 2018

or, use BibTeX for citation:

@InProceedings{dtap18,
     author = {Earlence Fernandes and Amir Rahmati and Jaeyeon Jung and Atul Prakash},
     title = {{Decentralized Action Integrity for Trigger-Action IoT Platforms}},
     booktitle = {22nd Network and Distributed Security Symposium (NDSS 2018)},
     month = Feb,
     year = 2018
     }

Decentralized Action Integrity for Trigger-Action IoT Platforms

Summary

Research Paper

When referring to our work, please cite it as:

or, use BibTeX for citation:

Team

Earlence Fernandes, Postdoctoral Researcher, University of Washington

Amir Rahmati, Professor, Stony Brook University

Jaeyeon Jung, Vice President, Samsung

Atul Prakash, Professor, University of Michigan

Acknowledgements

Decentralized Action Integrity for Trigger-Action IoT Platforms

Summary

Research Paper

When referring to our work, please cite it as:

or, use BibTeX for citation:

Team

Earlence Fernandes, Postdoctoral Researcher, University of Washington

Amir Rahmati, Professor, Stony Brook University

Jaeyeon Jung, Vice President, Samsung

Atul Prakash, Professor, University of Michigan

Acknowledgements

Share this: