nach oben

International Journal of Information Security

Erschienen in:

02.07.2021 | Regular contribution

Extending access control in AWS IoT through event-driven functions: an experimental evaluation using a smart lock system

verfasst von: Tahir Ahmad, Umberto Morelli, Silvio Ranise, Nicola Zannone

Erschienen in: International Journal of Information Security | Ausgabe 2/2022

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In recent years, the design of effective authorization mechanisms for IoT and, in particular, for smart home applications has gained increasing attention from researchers and practitioners. However, very little attention is given to the performance evaluation of those authorization mechanisms. To fill this gap, this paper presents a thorough experimental evaluation of cloud- and edge-based access control mechanisms for smart home applications. We discuss the main architectural choices, namely (a) where the access control logic is deployed (in the cloud or the edge) and (b) how the attributes needed for policy evaluation are provided to the policy evaluation point and identify possible deployment models for cloud- and edge-based access control mechanisms. To study the impact of these choices on the performance of smart homes, we realized the identified deployment models within the IoT platforms offered by Amazon Web Services (AWS), namely AWS IoT and Greengrass, and empirically evaluate them using a smart lock system. Based on our experimental evaluation, we provide recommendations to both researchers and practitioners.

Vorheriger Artikel A novel malicious remote administration tool using stealth and self-defense techniques

Nächster Artikel Password guessers under a microscope: an in-depth analysis to inform deployments

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

https://www.amazon.com/key.

https://www.sofialocks.com/it/smartlocks.

http://mqtt.org/.

It is worth noting that we do not consider the case where the access control logic is in the cloud and the attributes are retrieved from the edge since, according to our experience, it does not seem to offer advantages in terms of security and performance.

https://docs.aws.amazon.com/iot/latest/developerguide/custom-authorizer.html.

We chosen Raspberry Pi 3 Model B+ board as they provide capabilities and performances comparable to smart home hubs and are largely used in noncommercial smart home applications.

This is because MQTT 3.1.1 does not support providing them in the header.

https://aws.amazon.com/it/eclipse.

A statement applies to a request if and only if the action and resource specified in the statement match the ones in the access request and the retrieved attributes satisfy the condition defined in the statement.

When the function times out, the request is automatically denied by AWS. In our experiments, the limit of 15 seconds was never reached.

Setting them with less memory as “on-demand”, briefly saturated the memory and CPU as the Greengrass Core spawns a different function almost for each concurrent request.

https://www.antlr.org/.

The AWS Greengrass service is not available in every region.

https://www.hivemq.com/blog/mqtt5-essentials-part9-request-response-pattern.

https://csrc.nist.gov/projects/lightweight-cryptography.

https://docs.aws.amazon.com/iot/latest/developerguide/enhanced-custom-authentication.html.

The Enhanced Custom Authentication is currently in public beta and only available in the US East-N. Virginia region.

Ahmad, T., Morelli, U., Ranise, S., Zannone, N.: A lazy approach to access control as a service (ACaaS) for IoT: an AWS case study. In: Symposium on Access Control Models and Technologies, pp. 235–246. ACM (2018)

Alonso, Á., Fernández, F., Marco, L., Salvachúa, J.: IAACaaS: IoT application-scoped access control as a service. Futur. Internet 9(4), 64 (2017)CrossRef

Alshehri, A., Sandhu, R.: Access control models for cloud-enabled internet of things: a proposed architecture and research agenda. In: International Conference on Collaboration and Internet Computing, pp. 530–538. IEEE (2016)

Alshehri, A., Sandhu, R.: Access control models for virtual object communication in cloud-enabled IoT. In: International Conference on Information Reuse and Integration, pp. 16–25. IEEE (2017)

Amazon web services: IoT Core. https://aws.amazon.com/iot-core/ (2020). Accessed 17 May 2020

Armando, A., Ranise, S., Traverso, R., Wrona, K.: SMT-based enforcement and analysis of NATO content-based protection and release policies. In: International Workshop on Attribute Based Access Control, pp. 35–46. ACM (2016)

AWS: Amazon relational database service (RDS). https://aws.amazon.com/rds/ (2020). Accessed 17 May 2020

AWS: AWS Lambda. https://aws.amazon.com/lambda/ (2020). Accessed 17 May 2020

Bauer, E., Adams, R.: Service Quality of Cloud-Based Applications. Wiley (2013)

10.

Bertino, E., Bonatti, P.A., Ferrari, E.: TRBAC: a temporal role-based access control model. In: Proceedings of Workshop on Role-Based Access Control, pp. 21–30. ACM (2000)

11.

Bhatt, S., Patwa, F., Sandhu, R.: Access control model for AWS internet of things. In: International Conference on Network and System Security, pp. 721–736. Springer (2017)

12.

Bugeja, J., Jacobsson, A., Davidsson, P.: On privacy and security challenges in smart connected homes. In: 2016 European Intelligence and Security Informatics Conference (EISIC), pp. 172–175. IEEE (2016)

13.

Byers, C.C.: Architectural imperatives for fog computing: use cases, requirements, and architectural techniques for FOG-enabled IoT networks. IEEE Commun. Magaz. 55(8), 14–20 (2017)CrossRef

14.

Celik, Z.B., Babun, L., Sikder, A.K., Aksu, H., Tan, G., McDaniel, P., Uluagac, A.S.: Sensitive information tracking in commodity IoT. In: USENIX Security Symposium, pp. 1687–1704 (2018)

15.

Colombo, P., Ferrari, E.: Access control enforcement within mqtt-based internet of things ecosystems. In: Symposium on Access Control Models and Technologies, pp. 223–234. ACM (2018)

16.

Crampton, J., Morisset, C., Zannone, N.: On missing attributes in access control: non-deterministic and probabilistic attribute retrieval. In: Symposium on Access Control Models and Technologies, pp. 99–109. ACM (2015)

17.

EMQ X platform: MQTT plugin. https://github.com/emqtt/mqtt-jmeter (2017). Accessed 21 Jun 2019

18.

Fernandes, E., Jung, J., Prakash, A.: Security analysis of emerging smart home applications. In: Symposium on Security and Privacy, pp. 636–654. IEEE (2016)

19.

Fernandes, E., Rahmati, A., Jung, J., Prakash, A.: Security implications of permission models in smart-home application frameworks. IEEE Secur. Priv. 15(2), 24–30 (2017)CrossRef

20.

Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)CrossRef

21.

Fotiou, N., Machas, A., Polyzos, G.C., Xylomenos, G.: Access control as a service for the Cloud. J. Internet Serv. Appl. 6(1), 11 (2015)CrossRef

22.

Fremantle, P., Aziz, B., Kopeckỳ, J., Scott, P.: Federated identity and access management for the internet of things. In: International Workshop on Secure Internet of Things, pp. 10–17. IEEE (2014)

23.

Fremantle, P., Kopeckỳ, J., Aziz, B.: Web API management meets the internet of things. In: European Semantic Web Conference, pp. 367–375. Springer (2015)

24.

Guide to attribute based access control (abac) definition and considerations. NIST Special Publication 800-162, NIST (2014)

25.

Gupta, M., Sandhu, R.: Authorization framework for secure cloud assisted connected cars and vehicular Internet of Things. In: Proceedings of Symposium on Access Control Models and Technologies, pp. 193–204 (2018)

26.

Gusmeroli, S., Piccione, S., Rotondi, D.: A capability-based security approach to manage access control in the internet of things. Math. Comput. Model. 58(5–6), 1189–1205 (2013)CrossRef

27.

Hardt, D., et al.: The OAuth 2.0 authorization framework (2012)

28.

He, W., Golla, M., Padhi, R., Ofek, J., Dürmuth, M., Fernandes, E., Ur, B.: Rethinking access control and authentication for the home internet of things (IoT). In: USENIX Security Symposium, pp. 255–272. USENIX Association (2018)

29.

He, W., Martinez, J., Padhi, R., Zhang, L., Ur, B.: When smart devices are stupid: negative experiences using home smart devices. In: SafeThings Workshop (2019)

30.

Hemdi, M., Deters, R.: Using REST based protocol to enable ABAC within IoT systems. In: Annual Information Technology, Electronics and Mobile Communication Conference, pp. 1–7 (2016)

31.

Hernández-Ramos, J.L., Jara, A.J., Marin, L., Skarmeta, A.F.: Distributed capability-based access control for the internet of things. J. Internet Serv. Inf. Secur. 3(3/4), 1–16 (2013)

32.

Ho, G., Leung, D., Mishra, P., Hosseini, A., Song, D., Wagner, D.: Smart locks: Lessons for securing commodity internet of things devices. In: Asia Conference on Computer and Communications Security, pp. 461–472. ACM (2016)

33.

Hu, V.C., Scarfone, K.: Guidelines for access control system evaluation metrics. NISTIR 7874, NIST (2012)

34.

IoT& Greengrass, A.: Greengrass group. https://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html (2021). Accessed 5 Feb 2021

35.

Jeffrey, C.: Lockstate 6i/6000i update. https://www.techspot.com/news/70588-lockstate-accidentally-bricks-hundreds-locks-through-failed-firmware.html (2017). Accessed 21 Jun 2019

36.

Kim, J.E., Boulos, G., Yackovich, J., Barth, T., Beckel, C., Mosse, D.: Seamless integration of heterogeneous devices and access control in smart homes. In: International Conference on Intelligent Environments, pp. 206–213. IEEE (2012)

37.

King, N.: Smart home—a definition. Intertek Research and Testing Center pp. 1–6 (2003)

38.

Morelli, U., Ranise, S.: Assisted authoring, analysis and enforcement of access control policies in the cloud. In: International Conference on ICT Systems Security and Privacy Protection, pp. 296–309. Springer (2017)

39.

Morisset, C., Ravidas, S., Zannone, N.: On attribute retrieval in ABAC. In: Foundations and Practice of Security, LNCS, vol. 12056, pp. 225–241. Springer (2019)

40.

Morisset, C., Willemse, T.A., Zannone, N.: Efficient extended abac evaluation. In: Symposium on Access Control Models and Technologies, pp. 149–160. ACM (2018)

41.

Nakamura, Y., Zhang, Y., Sasabe, M., Kasahara, S.: Exploiting smart contracts for capability-based access control in the internet of things. Sensors 20(6), 1793 (2020)CrossRef

42.

Neisse, R., Steri, G., Baldini, G.: Enforcement of security policy rules for the internet of things. In: International Conference on Wireless and Mobile Computing, Networking and Communications, pp. 165–172. IEEE (2014)

43.

Ouaddah, A., Mousannif, H., Elkalam, A.A., Ouahman, A.A.: Access control in the internet of things: big challenges and new opportunities. Comput. Netw. 112, 237–262 (2017)CrossRef

44.

Paci, F., Squicciarini, A., Zannone, N.: Survey on access control for community-centered collaborative systems. ACM Comput. Surv. 51(1), 1–6 (2018)CrossRef

45.

Parks associates: technology convergence and the smart home. https://www.parksassociates.com/report/technology-convergence-and-the-smart-home (2019)

46.

Ravidas, S., Karkhanis, P., Dajsuren, Y., Zannone, N.: An authorization framework for cooperative intelligent transport systems. In: Emerging Technologies for Authorization and Authentication, LNCS, vol. 11967, pp. 16–34. Springer (2019)

47.

Ravidas, S., Ray, I., Zannone, N.: Handling incomplete information in policy evaluation using attribute similarity. In: International Conference on Trust, Privacy and Security in Intelligent Systems and Applications, pp. 79–88. IEEE (2020)

48.

Ravidas, S., Lekidis, A., Paci, F., Zannone, N.: Access control in internet-of-things: a survey. J. Netw. Comput. Appl. 144, 79–101 (2019)CrossRef

49.

Rotondi, D., Piccione, S.: Managing access control for things: a capability based approach. In: BodyNets, pp. 263–268 (2012)

50.

Salonikias, S., Mavridis, I., Gritzalis, D.: Access control issues in utilizing fog computing for transport infrastructure. In: International Conference on Critical Information Infrastructures Security, pp. 15–26. Springer (2015)

51.

Samarati, P., de Vimercati, S.C.: Access control: policies, models, and mechanisms. In: Foundations of Security Analysis and Design, pp. 137–196. Springer (2000)

52.

Scoca, V., Aral, A., Brandic, I., De Nicola, R., Uriarte, R.B.: Scheduling latency-sensitive applications in edge computing. In: International Conference on Cloud Computing and Services Science, pp. 158–168. SciTePress (2018)

53.

Seitz, L., Selander, G., Gehrmann, C.: Authorization framework for the internet-of-things. In: 2013 IEEE 14th International Symposium on” A World of Wireless, Mobile and Multimedia Networks”(WoWMoM), pp. 1–6. IEEE (2013)

54.

Services, A.W.: AWS greengrass. https://aws.amazon.com/greengrass/ (2020). Accessed 17 May 2020

55.

Standard, O.: eXtensible access control markup language (XACML) version 3.0 (2013)

56.

Tärneberg, W., Chandrasekaran, V., Humphrey, M.: Experiences creating a framework for smart traffic control using AWS IoT. In: International Conference on Utility and Cloud Computing, pp. 63–69. ACM (2016)

57.

Tian, Y., Zhang, N., Lin, Y.H., Wang, X., Ur, B., Guo, X., Tague, P.: Smartauth: user-centered authorization for the internet of things. In: USENIX Security Symposium, pp. 361–378. USENIX Association (2017)

58.

Turkmen, F., den Hartog, J., Ranise, S., Zannone, N.: Formal analysis of XACML policies using SMT. Comput. Secur. 66, 185–203 (2017)CrossRef

59.

Ur, B., Jung, J., Schechter, S.: Intruders versus intrusiveness: teens’ and parents’ perspectives on home-entryway surveillance. In: International Joint Conference on Pervasive and Ubiquitous Computing, pp. 129–139. ACM (2014)

60.

Ur, B., Jung, J., Schechter, S.: The current state of access control for smart devices in homes. In: Workshop on Home Usable Privacy and Security (2013)

61.

Xu, X., Huang, S., Feagan, L., Chen, Y., Qiu, Y., Wang, Y.: EAaaS: Edge analytics as a service. In: International Conference on Web Services, pp. 349–356. IEEE (2017)

62.

Ye, M., Jiang, N., Yang, H., Yan, Q.: Security analysis of internet-of-things: a case study of august smart lock. In: 2017 IEEE conference on computer communications workshops (INFOCOM WKSHPS), pp. 499–504. IEEE (2017)

63.

Zeng, E., Mare, S., Roesner, F.: End user security and privacy concerns with smart homes. In: Symposium on Usable Privacy and Security, pp. 65–80. USENIX Association (2017)

Titel: Extending access control in AWS IoT through event-driven functions: an experimental evaluation using a smart lock system
verfasst von: Tahir Ahmad
Umberto Morelli
Silvio Ranise
Nicola Zannone
Publikationsdatum: 02.07.2021
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 2/2022
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-021-00558-3

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2022

Topology-hiding garbled circuits without universal circuits

Authenticated logarithmic-order supersingular isogeny group key exchange

ISM-AC: an immune security model based on alert correlation and software-defined networking

Automated benchmark network diversification for realistic attack simulation with application to moving target defense

The Agent Web Model: modeling web hacking for reinforcement learning

A novel malicious remote administration tool using stealth and self-defense techniques

Premium Partner