TY - GEN
T1 - Sensitive information tracking in commodity IoT
AU - Celik, Z. Berkay
AU - Babun, Leonardo
AU - Sikder, Amit K.
AU - Aksu, Hidayet
AU - Tan, Gang
AU - McDaniel, Patrick
AU - Uluagac, A. Selcuk
PY - 2018/1/1
Y1 - 2018/1/1
N2 - Broadly defined as the Internet of Things (IoT), the growth of commodity devices that integrate physical processes with digital connectivity has had profound effects on society: smart homes, personal monitoring devices, enhanced manufacturing and other IoT applications have changed the way we live, play, and work. Yet extant IoT platforms provide few means of evaluating the use (and potential avenues for misuse) of sensitive information. Thus, consumers and organizations have little information to assess the security and privacy risks these devices present. In this paper, we present SAINT, a static taint analysis tool for IoT applications. SAINT operates in three phases: (a) translation of platform-specific IoT source code into an intermediate representation (IR), (b) identifying sensitive sources and sinks, and (c) performing static analysis to identify sensitive data flows. We evaluate SAINT on 230 SmartThings market apps and find 138 (60%) include sensitive data flows. In addition, we demonstrate SAINT on IOTBENCH, a novel open-source test suite containing 19 apps with 27 unique data leaks. Through this effort, we introduce a rigorously grounded framework for evaluating the use of sensitive information in IoT apps, and therein provide developers, markets, and consumers a means of identifying potential threats to security and privacy.
UR - http://www.scopus.com/inward/record.url?scp=85060373043&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85060373043&partnerID=8YFLogxK
M3 - Conference contribution
T3 - Proceedings of the 27th USENIX Security Symposium
SP - 1687
EP - 1704
BT - Proceedings of the 27th USENIX Security Symposium
PB - USENIX Association
T2 - 27th USENIX Security Symposium
Y2 - 15 August 2018 through 17 August 2018
ER -