Editorial Notes
A corrigendum was issued for this article on January 9, 2019. You can download the corrigendum from the supplemental material section of this citation page.
ABSTRACT
In this paper, we introduce DeadBolt, a new security framework for managing IoT network access. DeadBolt hides all of the devices in an IoT deployment behind an access point that implements deny-by-default policies for both incoming and outgoing traffic. The DeadBolt AP also forces high-end IoT devices to use remote attestation to gain network access; attestation allows the devices to prove that they run up-to-date, trusted software. For lightweight IoT devices which lack the ability to attest, the DeadBolt AP uses virtual drivers (essentially, security-focused virtual network functions) to protect lightweight device traffic. For example, a virtual driver might provide network intrusion detection, or encrypt device traffic that is natively cleartext. Using these techniques, and several others, DeadBolt can prevent realistic attacks while imposing only modest performance costs.
Supplemental Material
Corrigendum to "DeadBolt: Securing IoT Deployments," by Ko et al., Proceedings of the Applied Networking Research Workshop 2018.