Roberta Cimorelli Belfiore
ABSTRACT
Ensuring security is crucial in smart home settings, where only authorized users should have access to home devices. Over the past decade, researchers have focused on developing access control policies and evaluating their efficacy in preventing unauthorized access. A new variant of Role-Based Access Control (RBAC), called Extended Generalized Role-Based Access Control (EGRBAC), has recently been introduced to capture the intricate user-device-context interactions that are prevalent in smart home environments. In this paper, we demonstrate that the task of analyzing administrative EGRBAC policies for security can be performed by reducing it to the security analysis of administrative RBAC policies. We also conducted a case study on a realistic smart home to prove the viability of our approach with respect of security requirements such as availability and privilege escalation.
Supplemental Material
- Safwa Ameer, James Benson, and Ravi Sandhu. 2020. The EGRBAC Model for Smart Home IoT. In 2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science (IRI). 457--462. https://doi.org/10.1109/IRI49571.2020.00076Google Scholar
- Safwa Ameer, James Benson, and Ravi Sandhu. 2022. An Attribute-Based Approach toward a Secured Smart-Home IoT Access Control and a Comparison with a Role-Based Approach. Information, Vol. 13, 2 (2022), 60.Google ScholarCross Ref
- Bejarano Andrés, Fernández Alejandra, Jimeno Miguel, Salazar Augusto, and Wightman Pedro. 2016. Towards the Evolution of Smart Home Environments: A Survey. International Journal of Automation and Smart Technology, Vol. 6, 3 (2016). https://www.ausmt.org/index.php/AUSMT/article/view/1039Google Scholar
- Diane Cook, G. Youngblood, E.O. III, K. Gopalratnam, S. Rao, A. Litvin, and F. Khawaja. 2003. MavHome: An agent-based smart home. Proceedings of the 1st IEEE International Conference on Pervasive Computing and Communications, PerCom 2003, 521--524. https://doi.org/10.1109/PERCOM.2003.1192783Google Scholar
- Earlence Fernandes, Jaeyeon Jung, and Atul Prakash. 2016a. Security Analysis of Emerging Smart Home Applications. 636--654. https://doi.org/10.1109/SP.2016.44Google Scholar
- Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash. 2016b. FlowFence: Practical Data Protection for Emerging IoT Application Frameworks. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX, 531--548.Google Scholar
- Anna Lisa Ferrara, P. Madhusudan, Truc Lam Nguyen, and Gennaro Parlato. 2014. VAC - Verifier of Administrative Role-based Access Control Policies. In CAV.Google Scholar
- Anna Lisa Ferrara, P. Madhusudan, and Gennaro Parlato. 2012. Security Analysis of Role-Based Access Control through Program Verification. In IEEE Computer Security Foundation, Stephen Chong (Ed.). IEEE, 113--125.Google Scholar
- Anna Lisa Ferrara, P. Madhusudan, and Gennaro Parlato. 2013. Policy Analysis for Self-administrated Role-Based Access Control. In TACAS. 432--447.Google Scholar
- Anna Lisa Ferrara, Anna Cinzia Squicciarini, Cong Liao, and Truc L. Nguyen. 2017. Toward Group-Based User-Attribute Policies in Azure-Like Access Control Systems. In 31st Annual IFIP WG 11.3 Conference, DBSec 2017, Proceedings (Lecture Notes in Computer Science, Vol. 10359). Springer, 349--361.Google Scholar
- Victoria Haines, Val Mitchell, Catherine Cooper, and Martin Maguire. 2007. Probing user values in the home environment within a technology driven Smart Home project. Personal and Ubiquitous Computing, Vol. 11 (06 2007). https://doi.org/10.1007/s00779-006-0075-6Google ScholarDigital Library
- Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, and Blase Ur. 2018. Rethinking Access Control and Authentication for the Home Internet of Things ({{{{{{{{{{IoT}}}}}}}}}}). In 27th USENIX Security Symposium (USENIX Security 18). 255--272.Google Scholar
- Grant Ho, Derek Leung, Pratyush Mishra, Ashkan Hosseini, Dawn Song, and David Wagner. 2016. Smart Locks: Lessons for Securing Commodity Internet of Things Devices. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security (Xi'an, China) (ASIA CCS '16). Association for Computing Machinery, New York, NY, USA, 461--472. https://doi.org/10.1145/2897845.2897886Google ScholarDigital Library
- Karthick Jayaraman, Mahesh V. Tripunitara, Vijay Ganesh, Martin C. Rinard, and Steve J. Chapin. 2013. Mohawk: Abstraction-Refinement and Bound-Estimation for Verifying Access Control Policies. ACM Trans. Inf. Syst. Secur., Vol. 15, 4 (2013), 18. https://doi.org/10.1145/2445566.2445570Google ScholarDigital Library
- Somesh Jha, Ninghui Li, Mahesh V. Tripunitara, Qihua Wang, and William H. Winsborough. 2008. Towards Formal Verification of Role-Based Access Control Policies. IEEE Trans. Dependable Sec. Comput., Vol. 5, 4 (2008), 242--255. https://doi.org/10.1109/TDSC.2007.70225Google ScholarDigital Library
- David Leake, Ana Maguitman, and Thomas Reichherzer. 2006. Cases, Context, and Comfort: Opportunities for Case-Based Reasoning in Smart Homes. Lecture Notes in Computer Science, Vol. 4008, 109--131. https://doi.org/10.1007/11788485_7Google ScholarCross Ref
- Ninghui Li and Mahesh V. Tripunitara. 2004. Security analysis in role-based access control. In 9th ACM SACMAT. ACM, 126--135. https://doi.org/10.1145/990036.990058Google ScholarDigital Library
- W.L. Ruzzo M.H. Harrison and J.D. Ullman. 1999. Protection in Operating Systems. Communications of the ACM Trans. Inf. Syst. Secur., Vol. 2, 1 (1999), 105--135. https://doi.org/10.1145/300830.300839Google ScholarDigital Library
- Philipp Morgner, Stephan Mattejat, and Zinaida Benenson. 2016. All your bulbs are belong to us: Investigating the current state of security in connected lighting systems. arXiv preprint arXiv:1608.03732 (2016).Google Scholar
- M.J. Moyer and M. Abamad. 2001. Generalized role-based access control. In Proceedings 21st International Conference on Distributed Computing Systems. 391--398. https://doi.org/10.1109/ICDSC.2001.918969Google ScholarCross Ref
- Chris Nugent, Dewar Finlay, Richard Davies, Haiying Wang, Huiru Zheng, Josef Hallberg, Kåre Synnes, and Maurice Mulvenna. 2007. homeML -- An Open Standard for the Exchange of Data Within Smart Environments, Vol. 4541. 121--129. https://doi.org/10.1007/978-3-540-73035-4_13Google Scholar
- Temitope Oluwafemi, Tadayoshi Kohno, Sidhant Gupta, and Shwetak Patel. 2013. Experimental Security Analyses of {Non-Networked} Compact Fluorescent Lamps: A Case Study of Home Automation Security. In LASER 2013 (LASER 2013). 13--24.Google Scholar
- Aafaf Ouaddah, Hajar Mousannif, Anas Abou Elkalam, and Abdellah Ait Ouahman. 2017. Access control in the Internet of Things: Big challenges and new opportunities. Computer Networks, Vol. 112 (2017), 237--262.Google ScholarDigital Library
- Silvio Ranise, Anh Tuan Truong, and Alessandro Armando. 2012. Boosting Model Checking to Analyse Large ARBAC Policies. In Security and Trust Management - 8th International Workshop, STM. 273--288. https://doi.org/10.1007/978-3-642-38004-4_18Google Scholar
- Amit Sasturkar, Ping Yang, Scott D. Stoller, and C. R. Ramakrishnan. 2006. Policy Analysis for Administrative Role Based Access Control. In 19th IEEE Computer Security Foundations Workshop, (CSFW-19) 2006. 124--138. https://doi.org/10.1109/CSFW.2006.22Google ScholarDigital Library
- Mehrnoosh Shakarami and Ravi Sandhu. 2021. Role-Based Administration of Role-Based Smart Home IoT. In Proceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems (Virtual Event, USA) (SAT-CPS '21). Association for Computing Machinery, New York, NY, USA, 49--58. https://doi.org/10.1145/3445969.3450426Google ScholarDigital Library
- Scott D. Stoller, Ping Yang, C. R. Ramakrishnan, and Mikhail I. Gofman. 2007. Efficient policy analysis for administrative role based access control. In Proc. of the 2007 ACM Conference on Computer and Comm. Security, CCS. ACM, 445--455. https://doi.org/10.1145/1315245.1315300Google ScholarDigital Library
- Blase Ur, Jaeyeon Jung, and Stuart Schechter. 2013. The current state of access control for smart devices in homes. In Workshop on Home Usable Privacy and Security (HUPS), Vol. 29. 209--218.Google Scholar
Index Terms
- Security Analysis of Access Control Policies for Smart Homes
Recommendations
An Evaluation of Role Based Access Control Towards Easier Management Compared to Tight Security
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed SystemsRole-based access control (RBAC) is a widely-used protocol to design and build an access control for providing the system security regarding authorization. Even though in the context of internet resources access, the authentication and access control ...
Authentication-enabled attribute-based access control for smart homes
AbstractSmart home technologies constantly bring significant convenience to our daily lives. Unfortunately, increased security risks accompany this convenience. There can be severe consequences when unauthorized or malicious users gain access to smart ...
A flexible hierarchical access control mechanism enforcing extension policies
Some specific information or resources only can be accessed by authorized users. Discretionary access control DAC, mandatory access control MAC, and role-based access control RBAC are three main classes of access control policies. MAC and RBAC are more ...
Comments