skip to main content
10.1145/3589608.3593842acmconferencesArticle/Chapter ViewAbstractPublication PagessacmatConference Proceedingsconference-collections
short-paper

Security Analysis of Access Control Policies for Smart Homes

Published: 24 May 2023 Publication History

Abstract

Ensuring security is crucial in smart home settings, where only authorized users should have access to home devices. Over the past decade, researchers have focused on developing access control policies and evaluating their efficacy in preventing unauthorized access. A new variant of Role-Based Access Control (RBAC), called Extended Generalized Role-Based Access Control (EGRBAC), has recently been introduced to capture the intricate user-device-context interactions that are prevalent in smart home environments. In this paper, we demonstrate that the task of analyzing administrative EGRBAC policies for security can be performed by reducing it to the security analysis of administrative RBAC policies. We also conducted a case study on a realistic smart home to prove the viability of our approach with respect of security requirements such as availability and privilege escalation.

Supplemental Material

MP4 File
Security is crucial in smart homes, where only authorized users should access devices. Extended Generalized Role-Based Access Control (EGRBAC) is a variant of Role-Based Access Control (RBAC) designed for smart homes. Our work shows that the analysis of some security properties relevant to administrative EGRBAC policies can be carried out through the security analysis of administrative policies for RBAC. We also conducted a case study in a realistic smart home to validate our approach's effectiveness.

References

[1]
Safwa Ameer, James Benson, and Ravi Sandhu. 2020. The EGRBAC Model for Smart Home IoT. In 2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science (IRI). 457--462. https://doi.org/10.1109/IRI49571.2020.00076
[2]
Safwa Ameer, James Benson, and Ravi Sandhu. 2022. An Attribute-Based Approach toward a Secured Smart-Home IoT Access Control and a Comparison with a Role-Based Approach. Information, Vol. 13, 2 (2022), 60.
[3]
Bejarano Andrés, Fernández Alejandra, Jimeno Miguel, Salazar Augusto, and Wightman Pedro. 2016. Towards the Evolution of Smart Home Environments: A Survey. International Journal of Automation and Smart Technology, Vol. 6, 3 (2016). https://www.ausmt.org/index.php/AUSMT/article/view/1039
[4]
Diane Cook, G. Youngblood, E.O. III, K. Gopalratnam, S. Rao, A. Litvin, and F. Khawaja. 2003. MavHome: An agent-based smart home. Proceedings of the 1st IEEE International Conference on Pervasive Computing and Communications, PerCom 2003, 521--524. https://doi.org/10.1109/PERCOM.2003.1192783
[5]
Earlence Fernandes, Jaeyeon Jung, and Atul Prakash. 2016a. Security Analysis of Emerging Smart Home Applications. 636--654. https://doi.org/10.1109/SP.2016.44
[6]
Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash. 2016b. FlowFence: Practical Data Protection for Emerging IoT Application Frameworks. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX, 531--548.
[7]
Anna Lisa Ferrara, P. Madhusudan, Truc Lam Nguyen, and Gennaro Parlato. 2014. VAC - Verifier of Administrative Role-based Access Control Policies. In CAV.
[8]
Anna Lisa Ferrara, P. Madhusudan, and Gennaro Parlato. 2012. Security Analysis of Role-Based Access Control through Program Verification. In IEEE Computer Security Foundation, Stephen Chong (Ed.). IEEE, 113--125.
[9]
Anna Lisa Ferrara, P. Madhusudan, and Gennaro Parlato. 2013. Policy Analysis for Self-administrated Role-Based Access Control. In TACAS. 432--447.
[10]
Anna Lisa Ferrara, Anna Cinzia Squicciarini, Cong Liao, and Truc L. Nguyen. 2017. Toward Group-Based User-Attribute Policies in Azure-Like Access Control Systems. In 31st Annual IFIP WG 11.3 Conference, DBSec 2017, Proceedings (Lecture Notes in Computer Science, Vol. 10359). Springer, 349--361.
[11]
Victoria Haines, Val Mitchell, Catherine Cooper, and Martin Maguire. 2007. Probing user values in the home environment within a technology driven Smart Home project. Personal and Ubiquitous Computing, Vol. 11 (06 2007). https://doi.org/10.1007/s00779-006-0075-6
[12]
Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, and Blase Ur. 2018. Rethinking Access Control and Authentication for the Home Internet of Things ({{{{{{{{{{IoT}}}}}}}}}}). In 27th USENIX Security Symposium (USENIX Security 18). 255--272.
[13]
Grant Ho, Derek Leung, Pratyush Mishra, Ashkan Hosseini, Dawn Song, and David Wagner. 2016. Smart Locks: Lessons for Securing Commodity Internet of Things Devices. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security (Xi'an, China) (ASIA CCS '16). Association for Computing Machinery, New York, NY, USA, 461--472. https://doi.org/10.1145/2897845.2897886
[14]
Karthick Jayaraman, Mahesh V. Tripunitara, Vijay Ganesh, Martin C. Rinard, and Steve J. Chapin. 2013. Mohawk: Abstraction-Refinement and Bound-Estimation for Verifying Access Control Policies. ACM Trans. Inf. Syst. Secur., Vol. 15, 4 (2013), 18. https://doi.org/10.1145/2445566.2445570
[15]
Somesh Jha, Ninghui Li, Mahesh V. Tripunitara, Qihua Wang, and William H. Winsborough. 2008. Towards Formal Verification of Role-Based Access Control Policies. IEEE Trans. Dependable Sec. Comput., Vol. 5, 4 (2008), 242--255. https://doi.org/10.1109/TDSC.2007.70225
[16]
David Leake, Ana Maguitman, and Thomas Reichherzer. 2006. Cases, Context, and Comfort: Opportunities for Case-Based Reasoning in Smart Homes. Lecture Notes in Computer Science, Vol. 4008, 109--131. https://doi.org/10.1007/11788485_7
[17]
Ninghui Li and Mahesh V. Tripunitara. 2004. Security analysis in role-based access control. In 9th ACM SACMAT. ACM, 126--135. https://doi.org/10.1145/990036.990058
[18]
W.L. Ruzzo M.H. Harrison and J.D. Ullman. 1999. Protection in Operating Systems. Communications of the ACM Trans. Inf. Syst. Secur., Vol. 2, 1 (1999), 105--135. https://doi.org/10.1145/300830.300839
[19]
Philipp Morgner, Stephan Mattejat, and Zinaida Benenson. 2016. All your bulbs are belong to us: Investigating the current state of security in connected lighting systems. arXiv preprint arXiv:1608.03732 (2016).
[20]
M.J. Moyer and M. Abamad. 2001. Generalized role-based access control. In Proceedings 21st International Conference on Distributed Computing Systems. 391--398. https://doi.org/10.1109/ICDSC.2001.918969
[21]
Chris Nugent, Dewar Finlay, Richard Davies, Haiying Wang, Huiru Zheng, Josef Hallberg, Kåre Synnes, and Maurice Mulvenna. 2007. homeML -- An Open Standard for the Exchange of Data Within Smart Environments, Vol. 4541. 121--129. https://doi.org/10.1007/978-3-540-73035-4_13
[22]
Temitope Oluwafemi, Tadayoshi Kohno, Sidhant Gupta, and Shwetak Patel. 2013. Experimental Security Analyses of {Non-Networked} Compact Fluorescent Lamps: A Case Study of Home Automation Security. In LASER 2013 (LASER 2013). 13--24.
[23]
Aafaf Ouaddah, Hajar Mousannif, Anas Abou Elkalam, and Abdellah Ait Ouahman. 2017. Access control in the Internet of Things: Big challenges and new opportunities. Computer Networks, Vol. 112 (2017), 237--262.
[24]
Silvio Ranise, Anh Tuan Truong, and Alessandro Armando. 2012. Boosting Model Checking to Analyse Large ARBAC Policies. In Security and Trust Management - 8th International Workshop, STM. 273--288. https://doi.org/10.1007/978-3-642-38004-4_18
[25]
Amit Sasturkar, Ping Yang, Scott D. Stoller, and C. R. Ramakrishnan. 2006. Policy Analysis for Administrative Role Based Access Control. In 19th IEEE Computer Security Foundations Workshop, (CSFW-19) 2006. 124--138. https://doi.org/10.1109/CSFW.2006.22
[26]
Mehrnoosh Shakarami and Ravi Sandhu. 2021. Role-Based Administration of Role-Based Smart Home IoT. In Proceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems (Virtual Event, USA) (SAT-CPS '21). Association for Computing Machinery, New York, NY, USA, 49--58. https://doi.org/10.1145/3445969.3450426
[27]
Scott D. Stoller, Ping Yang, C. R. Ramakrishnan, and Mikhail I. Gofman. 2007. Efficient policy analysis for administrative role based access control. In Proc. of the 2007 ACM Conference on Computer and Comm. Security, CCS. ACM, 445--455. https://doi.org/10.1145/1315245.1315300
[28]
Blase Ur, Jaeyeon Jung, and Stuart Schechter. 2013. The current state of access control for smart devices in homes. In Workshop on Home Usable Privacy and Security (HUPS), Vol. 29. 209--218.

Index Terms

  1. Security Analysis of Access Control Policies for Smart Homes

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    SACMAT '23: Proceedings of the 28th ACM Symposium on Access Control Models and Technologies
    May 2023
    218 pages
    ISBN:9798400701733
    DOI:10.1145/3589608
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 24 May 2023

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. access control
    2. automated security analysis
    3. smart homes

    Qualifiers

    • Short-paper

    Data Availability

    Security is crucial in smart homes, where only authorized users should access devices. Extended Generalized Role-Based Access Control (EGRBAC) is a variant of Role-Based Access Control (RBAC) designed for smart homes. Our work shows that the analysis of some security properties relevant to administrative EGRBAC policies can be carried out through the security analysis of administrative policies for RBAC. We also conducted a case study in a realistic smart home to validate our approach's effectiveness. https://dl.acm.org/doi/10.1145/3589608.3593842#sacmat47sp.mp4

    Funding Sources

    • European Union ? Next Generation EU - PNRR MUR

    Conference

    SACMAT '23
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 177 of 597 submissions, 30%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • 0
      Total Citations
    • 128
      Total Downloads
    • Downloads (Last 12 months)43
    • Downloads (Last 6 weeks)2
    Reflects downloads up to 20 Jan 2025

    Other Metrics

    Citations

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Media

    Figures

    Other

    Tables

    Share

    Share

    Share this Publication link

    Share on social media