CAREER: Integrating Trust and Accountability into Compliance Enforcement for a Secure Internet of Things


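Basic information

  • Award number:
    2237012
  • Principal investigator:
  • Amount:
    $537,700
  • Host institution:
  • Host institution country:
    United States
  • Project type:
    Continuing Grant
  • Fiscal year:
    2023
  • Funding country:
    United States
  • Start and end dates:
    2023-03-15 to 2028-02-29
  • Project status:
    Not yet concluded

Project abstract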

Regulators have only recently begun to grapple with the reality of billions of vulnerable Internet of Things (IoT) products and have responded with targeted security and privacy regulations. The usefulness of such policy initiatives relies on their enforcement in practice. The enforcement strategy outlined in such regulations is similar to that used for software security compliance, wherein regulators delegate enforcement to Commercially Licensed Evaluation Facilities (CLEFs), which evaluate vendor products. While such delegation is useful in scaling the enforcement to millions of products, it comes at a price: the affected party, i.e., the regulators and consumers who are the primary beneficiaries of security compliance, plays a limited role in it, enabling an incentive structure skewed against effective enforcement. To elaborate, product vendors have little incentive to select an ideal CLEF that would thoroughly evaluate their product, instead of one that offers the fastest route to certification. Even if a vendor searched for an ideal CLEF in good faith, they have few means to gauge the CLEF’s effectiveness aside from brochures, limited demonstrations, and the CLEF’s reputation. Moreover, CLEFs are not licensed on the basis of their performance at detecting vulnerabilities, but instead on procedural competence (e.g., adequate facilities, personnel). Hence, the traditional model, if applied as is to the IoT sector, would foster unvalidated CLEFs who have little incentive to improve, and vendors who simply view certifications as liability shields. This project seeks to avert such a future by empowering the affected party with practical tools to objectively measure the performance of CLEFs, and influence accountability in security compliance enforcement.
The systematic, data-driven, evaluation techniques developed in this research will enable regulators and standards bodies to reform the compliance infrastructure by directly evaluating the claimed performance of CLEFs as a part of the license-granting process or periodic audits. Moreover, this research will also help CLEFs and vendors improve through self-evaluation, help vendors seek effective CLEFs, and help CLEFs compete on the basis of performance. By improving the compliance enforcement infrastructure for IoT, this project will generate tangible benefits for consumers in the form of secure IoT products, and has the potential to increase consumer confidence in and adoption of IoT technology. The research will be incorporated into graduate and undergraduate security classes at William & Mary through experiential learning activities, and disseminated to key stakeholders such as policymakers and developers, as well as the broader research community.
This project synergistically blends the approach of mutation testing with static and dynamic analysis, machine learning, and qualitative studies, to lay the foundation for empirically and systematically evaluating CLEFs, along three core research thrusts and a fourth thrust that investigates extensibility. The first thrust examines if the scope of work assumed by CLEFs is sufficient, by investigating a key underlying question: what should CLEFs look for? To this end, the research acquires and analyzes IoT products at market-scale, in order to develop a generalizable understanding of what vulnerabilities are relevant to detect, i.e., pose risk in the IoT context, resulting in a comprehensive, risk-based IoT vulnerability taxonomy. The second thrust rigorously evaluates a CLEF’s ability to detect non-trivial variants of vulnerabilities from the taxonomy, i.e., mutants. It develops a threat-aware mutation framework that generates mutants guided by a threat model for compliance enforcement that encapsulates the conditions CLEFs must account for, thus ensuring a non-arbitrary evaluation of CLEFs. The third thrust re-imagines security analysis for compliance enforcement with the approach of mutation-driven vulnerability prediction, which combines the strengths of machine learning and security-focused mutation for effective detection. The fourth thrust explores the extensibility of the research to IoT product-types, application domains (e.g., smart cities), and usage paradigms. This research project leverages well-founded techniques from security, software engineering, and machine learning to make novel contributions at the intersection of security and software engineering. Finally, the initial focus on mobile-IoT apps as a target product-type will advance security research at the key intersection of mobile and IoT security.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Project outcomes

Journal articles (1)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)

Other publications by Adwait Nadkarni

Towards Practical Data Secrecy in Modern Operating Systems.
  • DOI:
  • Publication date:
    2017-02
  • Journal:
  • Impact factor:
    0
  • Authors:
    Adwait Nadkarni
  • Corresponding author:
    Adwait Nadkarni
“Belt and suspenders” or “just red tape”?: Investigating Early Artifacts and User Perceptions of IoT App Security Certification
  • DOI:
  • Publication date:
  • Journal:
  • Impact factor:
    0
  • Authors:
    Prianka Mandal; Amit Seal; Victor Olaiya; Sayyed Hadi Razmjo; Adwait Nadkarni; William Mary
  • Corresponding author:
    William Mary
MASC: A Tool for Mutation-Based Evaluation of Static Crypto-API Misuse Detectors
NativeWrap: ad hoc smartphone application creation for end users
Practical Integrity Validation in the Smart Home with HomeEndorser

Other grants of Adwait Nadkarni

Collaborative Research: CPS: Medium: Enabling Data-Driven Security and Safety Analyses for Cyber-Physical Systems
  • Award number:
    2132281
  • Fiscal year:
    2022
  • Funding amount:
    $537,700
  • Project type:
    Standard Grant
SaTC: CORE: Small: Enabling Systematic Evaluation of the Soundness of Android Security Analysis Techniques
  • Award number:
    1815336
  • Fiscal year:
    2018
  • Funding amount:
    $537,700
  • Project type:
    Standard Grant

Similar overseas grants

Challenging Health Outcomes/Integrating Care Environments Ph3: A Community Consortium to Tackle Health Disparity for People Living with Mental Illness
  • Award number:
    AH/Z505420/1
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Research Grant
Evaluating the effectiveness and sustainability of integrating helminth control with seasonal malaria chemoprevention in West African children
  • Award number:
    MR/X023133/1
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Fellowship
Integrating metabolic signals through FOXO transcriptional complexes.
  • Award number:
    BB/X000265/1
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Research Grant
Collaborative Research: BoCP-Implementation: Alpine plants as a model system for biodiversity dynamics in a warming world: Integrating genetic, functional, and community approaches
  • Award number:
    2326020
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Continuing Grant
Collaborative Research: BoCP-Implementation: Alpine plants as a model system for biodiversity dynamics in a warming world: Integrating genetic, functional, and community approaches
  • Award number:
    2326021
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Standard Grant
Integrating Self-Regulated Learning Into STEM Courses: Maximizing Learning Outcomes With The Success Through Self-Regulated Learning Framework
  • Award number:
    2337176
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Standard Grant
CAREER: Hybridization and radiation: Integrating across phylogenomics, ancestral niche evolution, and pollination biology
  • Award number:
    2337784
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Continuing Grant
EAGER: Integrating Pathological Image and Biomedical Text Data for Clinical Outcome Prediction
  • Award number:
    2412195
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Standard Grant
Integrating Signals in Iron Homeostasis
  • Award number:
    2343917
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Standard Grant
FDSS Track 1: Integrating Research and Education in Magnetosphere-Ionosphere-Atmosphere Coupling at Clemson University
  • Award number:
    2347149
  • Fiscal year:
    2024
  • Funding amount:
    $537,700
  • Project type:
    Continuing Grant