Collaborative Research: SaTC: CORE: Medium: Toward safe, private, and secure home automation: from formal modeling to user evaluation

协作研究：SaTC：核心：中：迈向安全、私密和可靠的家庭自动化：从形式建模到用户评估

• 批准号: 2114148
• 负责人: Limin Jia
• 金额: $ 85.56万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2114148&HistoricalAwards=false
• 关键词: Collaborative; Research; SaTC; CORE; Medium

IoT devices such as smart door locks and platforms and applications that connect these devices and other online services (e.g., IFTTT, Zapier) make life more convenient but have also raised security and privacy concerns. These concerns arise because smart home devices can collect potentially sensitive data about their users and the data and devices can be accessed (e.g., to unlock doors or disable home security systems) in the absence of physical human actions. Further, the risks posed by smart-home devices can impact people other than the device owners, such as home service workers and children. There is a need for a systematic understanding of the security and privacy impact of such platforms. However, existing work is often too coarse-grained to capture the context in which these devices are used (e.g., camera in public area vs. in the bedroom) and mostly focuses on risks and harms to device owners rather than more broadly. This project aims to gain a deeper understanding of smart homes' security and privacy impact, with a focus on end-user programming platforms like IFTTT and Zapier, and to mitigate potential harms via formal modeling and automated analysis tools. One of the identifying characteristics of this project is that user studies are used to both identify user needs and to evaluate potential solutions, including models and formal analysis tools.This project follows an iterative process, where tools and models are first built (based on results of preliminary user studies); next, user studies are conducted to evaluate the tools and learn about users' needs; then, results from user studies are used to refine the tools and models. This project builds detailed, context-rich models and characterizations of risks and harms from home automation platforms, customized to individual users' perspective, and thus fills the gap between what existing models and tools can do and users' perceptions and needs. This project also builds usable, context-aware, configurable analysis tools that extend traditional information-flow analysis to calculate attackers’ precise knowledge of and influence over the system. These analysis tools take into consideration different threat models, which account for attackers’ different capabilities to observe relevant events and interact with the system. Finally, the project designs warnings and nudges to help users understand their smart home systems better and avoid potential harm.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

物联网设备（如智能门锁）以及连接这些设备和其他在线服务（例如，IFTTT，Zapier）使生活更加方便，但也引发了安全和隐私问题。这些问题的出现是因为智能家居设备可以收集关于其用户的潜在敏感数据，并且数据和设备可以被访问（例如，解锁门或禁用家庭安全系统）。此外，智能家居设备带来的风险可能会影响设备所有者以外的人，例如家庭服务人员和儿童。有必要系统地了解这些平台的安全和隐私影响。然而，现有的工作通常太粗粒度，无法捕获使用这些设备的上下文（例如，公共区域的摄像头与卧室的摄像头），主要关注的是对设备所有者的风险和危害，而不是更广泛的风险和危害。该项目旨在深入了解智能家居的安全和隐私影响，重点关注IFTTT和Zapier等最终用户编程平台，并通过正式建模和自动分析工具减轻潜在危害。 本项目的一个显著特点是使用用户研究来确定用户需求和评估潜在的解决方案，包括模型和正式分析工具。本项目遵循一个迭代过程，首先建立工具和模型（根据初步用户研究的结果）;其次，进行用户研究，以评价这些工具并了解用户的需要;然后，利用用户研究的结果来改进工具和模型。该项目构建了详细的、上下文丰富的模型，并从家庭自动化平台的角度对风险和危害进行了描述，并根据个人用户的角度进行了定制，从而填补了现有模型和工具与用户的感知和需求之间的差距。该项目还构建了可用的、上下文感知的、可配置的分析工具，这些工具扩展了传统的信息流分析，以计算攻击者对系统的精确了解和影响。这些分析工具考虑了不同的威胁模型，这些模型考虑了攻击者观察相关事件和与系统交互的不同能力。最后，该项目设计警告和轻推，以帮助用户更好地了解他们的智能家居系统，避免潜在的伤害。该奖项反映了NSF的法定使命，并已被认为值得通过使用基金会的智力价值和更广泛的影响审查标准进行评估的支持。

项目成果

Towards Usable Security Analysis Tools for Trigger-Action Programming

• 发表时间: 2023
• 作者: McKenna McCall;Eric Zeng;F. H. Shezan;Mitchell Yang;Lujo Bauer;Abhishek Bichhawat;Camille Cobb;Limin Jia;Yuan Tian