Top

Published in:

2019 | OriginalPaper | Chapter

Elicitation of Privacy Requirements for the Internet of Things Using ACCESSORS

Authors : Christoph Stach, Bernhard Mitschang

Published in: Information Systems Security and Privacy

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Novel smart devices are equipped with various sensors to capture context data. The Internet of Things (IoT) connects these devices with each other in order to bring together data from various domains. Due to the IoT, new application areas come up continuously. For instance, the quality of life and living can be significantly improved by installing connected and remote-controlled devices in Smart Homes. Or the treatment of chronic diseases can be made more convenient for both, patients and physicians, by using Smart Health technologies.

For this, however, a large amount of data has to be collected, shared, and combined. This gathered data provides detailed insights into the user of the devices. Therefore, privacy is a key issue for such IoT applications. As current privacy systems for mobile devices focus on a single device only, they cannot be applied to a distributed and highly interconnected environment as the IoT. Therefore, we determine the special requirements towards a permission models for the IoT. Based on this requirements specification, we introduce ACCESSORS, a data-centric permission model for the IoT and describe how to apply such a model to two promising privacy systems for the IoT, namely the Privacy Management Platform (PMP) and PATRON.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Touch and Move: Incoming Call User Authentication

next chapter A Simple Attack on CaptchaStar

We use the term “Thing” for any device equipped with sensors and Internet access.

A refined version of RTAndroid called emteria.OS is available at https://emteria.com.

A data processing unit is either a data producer or a data consumer (see Paragraph Data Abstraction).

If the access permission is denied, the particular code fragment is skipped in the app.

See http://patronresearch.de.

Aggarwal, C.C., Ashish, N., Sheth, A.: The Internet of Things: a survey from the data-centric perspective. In: Aggarwal, C. (ed.) Managing and Mining Sensor Data, pp. 383–428. Springer, Boston (2013). https://doi.org/10.1007/978-1-4614-6309-2_12CrossRef

Agrawal, D., El Abbadi, A., Wang, S.: Secure and privacy-preserving data services in the cloud: a data centric view. Proc. VLDB Endow. 5(12), 2028–2029 (2012)CrossRef

Alpers, S., et al.: PRIVACY-AVARE: an approach to manage and distribute privacy settings. In: Proceedings of the 2017 3rd IEEE International Conference on Computer and Communications, ICCC 2017, pp. 1460–1468 (2017)

Aman, M.N., Chua, K.C., Sikdar, B.: Secure data provenance for the Internet of Things. In: Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security, IoTPTS 2017, pp. 11–14 (2017)

Backes, M., Gerling, S., Hammer, C., Maffei, M., von Styp-Rekowsky, P.: AppGuard – enforcing user requirements on Android apps. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 543–548. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36742-7_39CrossRef

Backes, M., Gerling, S., Hammer, C., Maffei, M., von Styp-Rekowsky, P.: AppGuard – fine-grained policy enforcement for untrusted Android applications. In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald, W.M. (eds.) DPM/SETOP -2013. LNCS, vol. 8247, pp. 213–231. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54568-9_14CrossRef

Barrera, D., Kayacik, H.G., van Oorschot, P.C., Somayaji, A.: A methodology for empirical analysis of permission-based security models and its application to Android. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, pp. 73–84 (2010)

Bitsaki, M., et al.: An integrated mHealth solution for enhancing patients’ health online. In: Lacković, I., Vasic, D. (eds.) 6th European Conference of the International Federation for Medical and Biological Engineering. IP, vol. 45, pp. 695–698. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-11128-5_173CrossRef

Brush, A.B., Lee, B., Mahajan, R., Agarwal, S., Saroiu, S., Dixon, C.: Home automation in the wild: challenges and opportunities. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2011, pp. 2115–2124 (2011)

10.

Cao, J., Carminati, B., Ferrari, E., Tan, K.L.: ACStream: enforcing access control over data streams. In: Proceedings of the 2009 IEEE 25th International Conference on Data Engineering, ICDE 2009, pp. 1495–1498 (2009)

11.

Chin, E., Felt, A.P., Sekar, V., Wagner, D.: Measuring user confidence in smartphone security and privacy. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, pp. 1:1–1:16 (2012)

12.

Conti, M., Nguyen, V.T.N., Crispo, B.: CRePE: context-related policy enforcement for Android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 331–345. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-18178-8_29CrossRef

13.

Cugola, G., Margara, A.: Processing flows of information: from data stream to complex event processing. ACM Comput. Surv. 44(3), 15:1–15:62 (2012)CrossRef

14.

Davies, N., Taft, N., Satyanarayanan, M., Clinch, S., Amos, B.: Privacy mediators: helping IoT cross the chasm. In: Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications, HotMobile 2016, pp. 39–44 (2016)

15.

Davis, B., Chen, H.: RetroSkeleton: retrofitting Android apps. In: Proceeding of the 11th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2013, pp. 181–192 (2013)

16.

Davis, B., Sanders, B., Khodaverdian, A., Chen, H.: I-ARM-Droid: a rewriting framework for in-app reference monitors for Android applications. In: Proceedings of the 2012 IEEE Conference on Mobile Security Technologies, MoST 2012, pp. 28:1–28:9 (2012)

17.

Dey, A.K.: Understanding and using context. Pers. Ubiquitous Comput. 5(1), 4–7 (2001)CrossRef

18.

Enck, W., Ongtang, M., McDaniel, P.: Understanding Android security. IEEE Secur. Priv. 7(1), 50–57 (2009)CrossRef

19.

Felt, A.P., Egelman, S., Wagner, D.: I’ve got 99 problems, but vibration ain’t one: a survey of smartphone users’ concerns. In: Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2012, pp. 33–44 (2012)

20.

Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, pp. 3:1–3:14 (2012)

21.

Fragkaki, E., Bauer, L., Jia, L., Swasey, D.: Modeling and enhancing Android’s permission system. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 1–18. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33167-1_1CrossRef

22.

Google Inc.: Android Things, May 2018. https://developer.android.com/things

23.

Hamlen, K.W., Jones, M.: Aspect-oriented in-lined reference monitors. In: Proceedings of the Third ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, PLAS 2008, pp. 11–20(2008)

24.

Harle, R.K., Tailor, S., Zidek, A.: Bellrock - anonymous proximity beacons from personal devices. In: Proceedings of the 2018 IEEE International Conference on Pervasive Computing and Communications, PerCom 2018, pp. 284–293 (2018)

25.

He, Y., Barman, S., Wang, D., Naughton, J.F.: On the complexity of privacy-preserving complex event processing. In: Proceedings of the Thirtieth ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, PODS 2011, pp. 165–174(2011)

26.

Henrik, Z.J., Garcia, M.O., Klaus, W.: Privacy in the Internet of Things: threats and challenges. Secur. Commun. Netw. 7(12), 2728–2742 (2014)CrossRef

27.

Hilty, M., Pretschner, A., Basin, D., Schaefer, C., Walter, T.: A policy language for distributed usage control. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 531–546. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74835-9_35CrossRef

28.

Istepanian, R.S.H., Hu, S., Philip, N., Sungoor, A.: The potential of internet of m-health things “m-IoT” for non-invasive glucose level sensing. In: Proceedings of the 2011 Annual International Conference of the IEEE Engineering in Medicine and Biology Society, EMBS 2011, pp. 5264–5266 (2011)

29.

Jordan, M., Mitchell, T.: Machine learning: trends, perspectives, and prospects. Science 349(6245), 255–260 (2015)MathSciNetCrossRef

30.

Kalkov, I., Franke, D., Schommer, J.F., Kowalewski, S.: A real-time extension to the Android platform. In: Proceedings of the 10th International Workshop on Java Technologies for Real-time and Embedded Systems, JTRES 2012, pp. 105–114(2012)

31.

Khan, R., Khan, S.U., Zaheer, R., Khan, S.: Future internet: the Internet of Things architecture, possible applications and key challenges. In: Proceedings of the 2012 10th International Conference on Frontiers of Information Technology, FIT 2012, pp. 257–260 (2012)

32.

Knöll, M.: Diabetes City: how urban game design strategies can help diabetics. In: Weerasinghe, D. (ed.) eHealth 2008. LNICST, vol. 0001, pp. 200–204. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00413-1_28CrossRef

33.

Knöll, M.: “On the top of high towers ...” discussing locations in a mobile health game for diabetics. In: Proceedings of the 2010 IADIS International Conference Game and Entertainment Technologies, MCCSIS 2010, pp. 61–68 (2010)

34.

Kovatchev, B.P., Gonder-Frederick, L.A., Cox, D.J., Clarke, W.L.: Evaluating the accuracy of continuous glucose-monitoring sensors. Diabetes Care 27(8), 1922–1928 (2004)CrossRef

35.

Kozlov, D., Veijalainen, J., Ali, Y.: Security and privacy threats in IoT architectures. In: Proceedings of the 7th International Conference on Body Area Networks, BodyNets 2012, pp. 256–262 (2012)

36.

Metzger, A., Cassales Marquezan, C.: Future internet apps: the next wave of adaptive service-oriented systems? In: Abramowicz, W., Llorente, I.M., Surridge, M., Zisman, A., Vayssière, J. (eds.) ServiceWave 2011. LNCS, vol. 6994, pp. 230–241. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24755-2_22CrossRef

37.

Migliavacca, M., Papagiannis, I., Eyers, D.M., Shand, B., Bacon, J., Pietzuch, P.: DEFCON: high-performance event processing with information security. In: Proceedings of the 2010 USENIX Conference on USENIX Annual Technical Conference, USENIXATC 2010, pp. 1–15 (2010)

38.

Mindermann, K., Riedel, F., Abdulkhaleq, A., Stach, C., Wagner, S.: Exploratory study of the privacy extension for system theoretic process analysis (STPA-Priv) to elicit privacy risks in eHealth. In: Proceedings of the 2017 IEEE 25th International Requirements Engineering Conference Workshops, REW 2017, pp. 90–96 (2017)

39.

Nauman, M., Khan, S., Zhang, X.: Apex: extending Android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2010, pp. 328–332 (2010)

40.

Park, J., Sandhu, R.: The UCON\(_{\text{ ABC }}\) usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004)CrossRef

41.

Perera, C., Zaslavsky, A., Christen, P.: Context aware computing for the Internet of Things: a survey. IEEE Commun. Surv. Tutor. 16(1), 414–454 (2014)CrossRef

42.

Rasthofer, S., Arzt, S., Lovat, E., Bodden, E.: DroidForce: enforcing complex, data-centric, system-wide policies in Android. In: Proceedings of the 2014 Ninth International Conference on Availability, Reliability and Security, ARES 2014, pp. 40–49 (2014)

43.

Russello, G., Crispo, B., Fernandes, E., Zhauniarovich, Y.: YAASE: yet another Android security extension. In: Proceeding of the 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, PASSAT 2011, pp. 1033–1040 (2011)

44.

Sarkar, S., Misra, S.: Theoretical modelling of fog computing: a green computing paradigm to support IoT applications. IET Netw. 5(2), 23–29 (2016)CrossRef

45.

Schreckling, D., Posegga, J., Hausknecht, D.: Constroid: data-centric access control for Android. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing, SAC 2012, pp. 1478–1485 (2012)

46.

Scoccia, G.L., Malavolta, I., Autili, M., Di Salle, A., Inverardi, P.: User-centric Android flexible permissions. In: Proceedings of the 2017 IEEE/ACM 39th International Conference on Software Engineering Companion, ICSE-C 2017, pp. 365–367 (2017)

47.

Sekar, L.P., Gankidi, V.R., Subramanian, S.: Avoidance of security breach through selective permissions in Android operating system. ACM SIGSOFT Softw. Eng. Notes 5(37), 1–9 (2012)CrossRef

48.

Sellwood, J., Crampton, J.: Sleeping Android: the danger of dormant permissions. In: Proceedings of the Third ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, SPSM 2013, pp. 55–66 (2013)

49.

Sicari, S., Rizzardi, A., Grieco, L.A., Coen-Porisini, A.: Security, privacy and trust in Internet of Things: the road ahead. Comput. Netw. 76(C), 146–164 (2015)CrossRef

50.

Siewiorek, D.: Generation smartphone. IEEE Spectr. 49(9), 54–58 (2012)CrossRef

51.

Stach, C.: How to assure privacy on Android phones and devices? In: Proceedings of the 2013 IEEE 14th International Conference on Mobile Data Management, MDM 2013, pp. 350–352 (2013)

52.

Stach, C.: Secure Candy Castle – a prototype for privacy-aware mHealth apps. In: Proceedings of the 2016 IEEE 17th International Conference on Mobile Data Management, MDM 2016, pp. 361–364 (2016)

53.

Stach, C., et al.: The AVARE PATRON: a holistic privacy approach for the Internet of Things. In: Proceedings of the 15th International Conference on Security and Cryptography, SECRYPT 2018, pp. 372–379 (2018)

54.

Stach, C., et al.: PATRON – Datenschutz in Datenstromverarbeitungssystemen. In: Informatik 2017: Digitale Kulturen, Tagungsband der 47. Jahrestagung der Gesellschaft für Informatik e.V. (GI), 25 September–29 September 2017, Chemnitz. LNI, vol. 275, pp. 1085–1096 (2017, in German)

55.

Stach, C., Dürr, F., Mindermann, K., Palanisamy, S.M., Wagner, S.: How a pattern-based privacy system contributes to improve context recognition. In: Proceedings of the 2018 IEEE International Conference on Pervasive Computing and Communications Workshops, CoMoRea 2018, pp. 238–243 (2018)

56.

Stach, C., Mitschang, B.: Privacy management for mobile platforms - a review of concepts and approaches. In: Proceedings of the 2013 IEEE 14th International Conference on Mobile Data Management, MDM 2013, pp. 305–313 (2013)

57.

Stach, C., Mitschang, B.: Design and implementation of the Privacy Management Platform. In: Proceedings of the 2014 IEEE 15th International Conference on Mobile Data Management, MDM 2014, pp. 69–72 (2014)

58.

Stach, C., Mitschang, B.: ACCESSORS: a data-centric permission model for the Internet of Things. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy, ICISSP 2018, pp. 30–40 (2018)

59.

Stach, C., Schlindwein, L.F.M.: Candy Castle – a prototype for pervasive health games. In: Proceedings of the 2012 IEEE International Conference on Pervasive Computing and Communications Workshops, PerCom 2012, pp. 501–503 (2012)

60.

Stach, C., Steimle, F., Mitschang, B.: The Privacy Management Platform: an enabler for device interoperability and information security in mHealth applications. In: Proceedings of the 11th International Conference on Health Informatics, HEALTHINF 2018, pp. 27–38 (2018)

61.

Stach, C., Steimle, F., Franco da Silva, A.C.: TIROL: the extensible interconnectivity layer for mHealth applications. In: Damaševičius, R., Mikašytė, V. (eds.) ICIST 2017. CCIS, vol. 756, pp. 190–202. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67642-5_16CrossRef

62.

Svangren, M.K., Skov, M.B., Kjeldskov, J.: The connected car: an empirical study of electric cars as mobile digital devices. In: Proceedings of the 19th International Conference on Human-Computer Interaction with Mobile Devices and Services, MobileHCI 2017, pp. 6:1–6:12 (2017)

63.

Takabi, H., Joshi, J.B.D., Ahn, G.J.: Security and privacy challenges in cloud computing environments. IEEE Secur. Priv. 8(6), 24–31 (2010)CrossRef

64.

The European Parliament and the Council of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official journal of the european union, European Union (2016)

65.

Vashist, S.K., Schneider, E.M., Luong, J.H.: Commercial smartphone-based devices and smart applications for personalized healthcare monitoring and management. Diagnostics 4(3), 104–128 (2014)CrossRef

66.

Wei, X., Gomez, L., Neamtiu, I., Faloutsos, M.: Permission evolution in the Android ecosystem. In: Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC 2012, pp. 31–40 (2012)

67.

Weiser, M.: The computer for the 21st century. Sci. Am. 265(3), 94–105 (1991)CrossRef

68.

Xie, X., Ray, I., Adaikkalavan, R., Gamble, R.: Information flow control for stream processing in clouds. In: Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, SACMAT 2013, pp. 89–100 (2013)

69.

Zeevi, D., et al.: Personalized nutrition by prediction of glycemic responses. Cell 163(5), 1079–1094 (2015)CrossRef

Title: Elicitation of Privacy Requirements for the Internet of Things Using ACCESSORS
Authors: Christoph Stach
Bernhard Mitschang
Publisher: Springer International Publishing
Book: Information Systems Security and Privacy
Print ISBN: 978-3-030-25108-6

Electronic ISBN: 978-3-030-25109-3

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-25109-3_3

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner