Enforcing security and safety policies in IoT applications

在物联网应用中执行安全策略

• 批准号: RGPIN-2020-04283
• 负责人: Tawbi, Nadia
• 金额: $ 1.75万
• 依托单位: Université Laval
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2020
• 资助国家: 加拿大
• 起止时间: 2020-01-01 至 2021-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=716812
• 关键词: Enforcing; security; safety; policies; IoT

Smart devices (IoT) are omnipresent in both private and public spaces. There are now billions of them worldwide and this number is still growing. IoT devices are composed of sensors, actuators and software components. While these devices contribute to offering a better lifestyle and better performances their extensive use and their interconnectivity pose many challenges in terms of safety, security and privacy. The purpose of this proposal is to address some of these challenges by developing formally based techniques and mechanisms to detect security flaws in IoT applications and enforcement mechanisms aimed at correcting or avoiding them. More precisely, we will strive to bring relevant answers to the following challenges. a) In order to operate adequately, smart devices have access to sensitive information on which they base decisions. We must ensure that this sensitive information does not leak to untrusted parties. b) Applications may trigger via actuators, actions on physical devices such as open or close a door, put on a heater or an engine, etc. We seek to find how to ensure that these actions do not compromise safety or security and that they are compliant to the end-user intents. c) An IoT application may control many devices. Many applications can work concurrently in an interconnected way. Which models should be used to allow the best trade-off between acceptable performances and solid guarantees concerning safety, security and privacy. d) Which security and safety policies should be enforced and which mechanisms should be used to enforce them? The challenge is that halting-based enforcement mechanisms are not adequate in the IoT context. We must find corrective enforcement mechanisms that do not interrupt vital services. e) How to scale the proposed techniques to a context where smart devices generate a huge number of events and have to comply with a huger number of rules? Some of the challenges are related to security issues in general but many are IoT specific. Smart devices have limited memories and computation capabilities. Physical events are sensed by captors and actuated by smart devices. These events constitute a part of the communication paradigm in an IoT environment and must be dealt with appropriately. Representing these events in a relevant way is challenging. The environment that communicates with smart devices is not only physical but it includes web-based services such that IFTTT (IF This Then That) applets. These applets have to be considered when we devise our analyses and enforcement mechanisms. The research work proposed in this program is an opportunity to train students in computing security, a domain where the lack of highly qualified personnel is important and where the needs are tremendous. Enforcing security and safety of IoT environments operating is urgent and the success of this kind of research will bring benefits not only to the Canadian society but also worldwide.

智能设备（IoT）在私人和公共空间中无处不在。现在全世界有数十亿人，而且这个数字还在增长。物联网设备由传感器、执行器和软件组件组成。虽然这些设备有助于提供更好的生活方式和更好的性能，但它们的广泛使用及其互连性在安全性，保密性和隐私方面提出了许多挑战。该提案的目的是通过开发正式的技术和机制来解决其中的一些挑战，以检测物联网应用程序中的安全缺陷以及旨在纠正或避免这些缺陷的执行机制。更准确地说，我们将努力为以下挑战提供相关答案。 a）为了充分运行，智能设备可以访问它们基于决策的敏感信息。我们必须确保这些敏感信息不会泄露给不受信任的各方。 B）应用程序可以通过执行器触发物理设备上的动作，例如打开或关闭门，打开加热器或发动机等。我们试图找到如何确保这些动作不会危及安全性或安全性，并且它们符合最终用户的意图。 c）IoT应用程序可以控制许多设备。许多应用程序可以以互连的方式并发工作。应使用哪些模型来在可接受的性能和有关安全、安保和隐私的可靠保证之间进行最佳权衡。 d）应执行哪些安全和安保政策，应使用哪些机制来执行这些政策？面临的挑战是，基于暂停的执行机制在物联网环境中是不够的。我们必须找到不中断重要服务的纠正性执行机制。 e）如何将所提出的技术扩展到智能设备生成大量事件并且必须遵守胡格规则的上下文？ 其中一些挑战与一般的安全问题有关，但许多是物联网特有的。智能设备的内存和计算能力有限。物理事件由捕获者感知并由智能设备驱动。这些事件构成了物联网环境中通信范式的一部分，必须妥善处理。以相关的方式呈现这些事件是一项挑战。与智能设备通信的环境不仅是物理的，而且还包括基于Web的服务，例如IFTTT（IF This Then That）小程序。当我们设计分析和执行机制时，必须考虑这些小程序。 该计划中提出的研究工作是培养学生计算安全的机会，这是一个缺乏高素质人才的重要领域，需求巨大。 加强物联网环境运行的安全性是当务之急，这种研究的成功不仅会给加拿大社会带来好处，也会给全世界带来好处。