Research article. DOI: 10.1145/3445969.3450428

The HABAC Model for Smart Home IoT and Comparison to EGRBAC

Published: 26 April 2021

Abstract

In the near future, IoT will be part of every home, turning our houses into smart houses in which multiple users with complex social relationships between them use the same smart devices. This requires sophisticated access control specification and enforcement models. Recently, several access control models have been developed or adapted for IoT in general, with a few specifically designed for the smart home IoT domain. The majority of these models are built on role-based access control (RBAC) or attribute-based access control (ABAC) models, which have had considerable traction in traditional non-IoT domains. In this paper, we introduce the smart home IoT attribute-based access control model (HABAC). HABAC is a dynamic and fine-grained model developed specifically to meet smart home IoT challenges. Currently, the pros and cons of ABAC over RBAC are not precisely clear, either in general or in smart home IoT in particular. To this end, we provide an analysis of HABAC relative to the previously published EGRBAC (extended generalized role-based access control) model for smart home IoT. We compare the theoretical expressive power of these models by providing algorithms for converting an HABAC specification to EGRBAC and vice versa, and discuss the insights these constructions give for practical deployment of the models. We conclude that a hybrid model combining ABAC and RBAC features may be the most suitable for smart home IoT, and likely more generally.

Published In

SAT-CPS '21: Proceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems
April 2021
116 pages
ISBN: 9781450383196
DOI: 10.1145/3445969
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. ABAC
  2. IoT
  3. RBAC
  4. access control
  5. authorization
  6. privacy
  7. security
  8. smart home

Qualifiers

  • Research-article

Conference

CODASPY '21
Cited By

  • (2025) A Comprehensive Survey on the Requirements, Applications, and Future Challenges for Access Control Models in IoT: The State of the Art. IoT 6:1 (9). DOI: 10.3390/iot6010009. Online publication date: 24-Jan-2025
  • (2024) Category-Based Administrative Access Control Policies. ACM Transactions on Privacy and Security 28:1 (1-35). DOI: 10.1145/3698199. Online publication date: 28-Sep-2024
  • (2024) ZTA-IoT: A Novel Architecture for Zero-Trust in IoT Systems and an Ensuing Usage Control Model. ACM Transactions on Privacy and Security 27:3 (1-36). DOI: 10.1145/3671147. Online publication date: 17-Jun-2024
  • (2024) The $\mathrm{ACAC_{D}}$ model for mutable activity control and chain of dependencies in smart and connected systems. International Journal of Information Security 23:5 (3283-3310). DOI: 10.1007/s10207-024-00881-5. Online publication date: 20-Jul-2024
  • (2023) Hybrid Approaches (ABAC and RBAC) Toward Secure Access Control in Smart Home IoT. IEEE Transactions on Dependable and Secure Computing 20:5 (4032-4051). DOI: 10.1109/TDSC.2022.3216297. Online publication date: 1-Sep-2023
  • (2022) An Attribute-Based Approach toward a Secured Smart-Home IoT Access Control and a Comparison with a Role-Based Approach. Information 13:2 (60). DOI: 10.3390/info13020060. Online publication date: 25-Jan-2022
  • (2022) BlueSky: Activity Control: A Vision for "Active" Security Models for Smart Collaborative Systems. Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies (207-216). DOI: 10.1145/3532105.3535017. Online publication date: 7-Jun-2022
  • (2022) Scenario-Driven Device-to-Device Access Control in Smart Home IoT. 2022 IEEE 4th International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (TPS-ISA) (217-228). DOI: 10.1109/TPS-ISA56441.2022.00035. Online publication date: Dec-2022
  • (2022) On Utilizing Unused Slots In Topology-Transparent TDMA MAC Policies for Ad Hoc Networks. 2022 Global Information Infrastructure and Networking Symposium (GIIS) (57-61). DOI: 10.1109/GIIS56506.2022.9937029. Online publication date: 26-Sep-2022
  • (2022) Attributes Aware Relationship-based Access Control for Smart IoT Systems. 2022 IEEE 8th International Conference on Collaboration and Internet Computing (CIC) (72-81). DOI: 10.1109/CIC56439.2022.00021. Online publication date: Dec-2022
