Embed Size (px)
Citation preview
FlowFence:PracticalDataProtection forEmergingIoT ApplicationFrameworks
EarlenceFernandes,JustinPaupore,AmirRahmati,DanielSimionato,MauroConti,AtulPrakash
USENIXSecuritySymposium11August2016
EmergingIoT AppFrameworks
Wearables/QuantifiedSelf
ConnectedHealthcare
SmartHomes 2
ConsumerApp
• Unlockdooriffaceisrecognized• Home-ownercancheckactivity
fromInternet
• Appneedstocompute onsensitivedata toprovideusefulservice
• Buthasthepotential toleakdata
3
PublisherofSensitiveData
Sink
Source
Sink
Fernandesetal.,SecurityAnalysisofEmergingSmartHomeApplications,S&P2016
Howcanweenableappstocomputeonthesensitive datatheIoT generateswhile
mitigatingdataabuse?
ExistingIoT frameworksonlyhavepermissionbasedaccesscontrol
AndroidSensorAPI
GoogleFitAPI
SmarthomeAPI
• Permissionscontrolwhat dataanappcanaccess
• Permissionsdonot controlhowappsuse data,oncetheyhaveaccess
[SmartHomes]
[Wearables]
[QuantifiedSelf]
5
e.g.,capability.lockCodes inSmartThings(pincodes),FITNESS_BODY_READ scopeinGoogleFit(heartrate)
Instruction-LevelFlowAnalysisTechniques
6
DynamicTaintTracking+Finegranularity+Nodevelopereffort- Highcomputationaloverhead- Mayneedspecialh/wforacceleration- Implicitflowscanleakinformation- LimitedOS/Languageflexibility
StaticTaintTracking+Finegranularity+Nodevelopereffort- Implicitflowscanleakinformation- IPCandasync.codecanleakinformation
IoT devices(andhubs)haveconstrainedhardware
OSandLanguageDiversity;[SupportsRapidDevelopment]
FundamentalTrigger-ActionNatureofIoT apps=Lotsofasync.code
FlowFenceFlow-controlisafirst-classprimitive
7
FlowFence• Supportofdiversepublishersandconsumers of
data,withpublisherandconsumerflowpolicies• Allowsuseofexisting languages,tools,andOSes
Language-basedflowcontrol• Restructureapps toobeyflowrules• Developerdeclaresflows
Label-basedflowcontrol• Component-level informationtracking• Flowenforcementthroughlabelpolicies +
=
FlowFence Primitives–QuarantinedModulesandOpaqueHandles
8
ComputeFeatures
Bitmap
FeaturesofBitmap
ComputeFeaturesQuarantinedModule
Bitmap,Taint_Bitmap
OPAQUE_HANDLE(FeaturesofBitmap)
• Submit acomputationthatrunsinasandbox
• Allsensitivedata isavailableonlyinsandboxes
• Thecomputationrunswiththerightstoaccesssensitivebitmapdata
sandbox
FlowFence Primitives–QuarantinedModulesandOpaqueHandles
9
ComputeFeaturesQuarantinedModule
Bitmap
OPAQUE_HANDLE(FeaturesofBitmap)
sandbox
TrustedSink
• QuarantinedModulescanalsoaccessFlowFence-providedTrustedSinks• TrustedSinkscheckthetaintlabelsofthecalleragainstaflowpolicy
FaceRecognitionAppExample
10
Door.Open()
MainProgram M_features
M_report_recog
bitmap
featuresbitmap
features
doorstate• M_features:Takebitmapasinput
andcomputefeaturevectors
• M_report_recog:Takefeaturevectors,lookupDBofauthorizedfaces,unlockdooriffacepresent;Reportdoorstate
X
FlowFence – RefactoredApp
11Door.Open()
MainProgram(notaQM) QM_features
QM_report QM_recog
Tc
TrustedAPI(Sinks)
H1(F(Dc))
Dc,Tc
H1(F(Dc))Ds,Ts
Ts TcUTs
Ds,TsH1(F(Dc))
Tc→ Door.OpenTs → Door.Open
Ts → Internet
TaintLabelsandFlowPolicies
12
H1 {T1,T2, …} F(D1)
com.camera.publisher Taint_Camera
App_ID Label_Name
{Taint_Camera → UI,Taint_HeartR → Internet}
ExamplePolicy
• App_ID – uniqueapplicationidentifierontheunderlyingOS• Label_Name – well-knownstringthatidentifiesthetypeofdata
PublisherandConsumerFlowPolicies
13
PublisherPolicy ConsumerPolicy
D1→ S1
D1→ S2
D1→ S1
D1→ S3D1→ S1
AutomaticallyApproved
Prompt
{Publisher;Taint_Camera → UI}
{Consumer;Taint_Camera → Door.OpenTaint_DoorState → Door.OpenTaint_DoorState → Internet}
DataSharingMechanismsinCurrentIoT Frameworks
• PollingInterface• Appchecksfornewdata
• CallbackInterface• Appiscalledwhennewdataavailable
• DeviceIndependence• E.g.,manytypesofheartratesensorsproduce“heartbeat”data• Consumersshouldonlyneedtospecify“what” datatheywant,withoutspecifying“how”
14
AndroidSensorAPI
GoogleFitAPI
SmarthomeAPI[SmartHomes]
[Wearables]
[QuantifiedSelf]
Key-ValueStore–PollingInterface/DeviceIndependence
15
QM_1
T1
CAM_BITMAP QM_2
T1T1
write(…) read(…)
DeclaredoutsideaQM
Data
• Eachappgetsasingle Key-ValueStore• Anappcanonlywritetoitsown Key-ValueStore• AppscanreadfromanyKey-ValueStore• Keysarepublicinformation becauseconsumersneedtoknowaboutthem
EventChannels–CallbackInterface/DeviceIndependence
16
QM_1
T1
Channel_Cam
Channel_2
QM_2
T1QM_3
T1
fireEvent(…)
subscribe(QM_2,Channel_Cam)
DeclaredoutsideaQM
Data
Data
• Appscandeclarestaticallyincode,theirintendedchannels• Onlytheowner ofachannelcanfireanevent• Channelnameispublicinformation
FlowFence Implementation
• IoT Architectures• Cloud• Hub
17
“Hub”
• isolatedProcess =trueforsandboxes• Supportsnativecode
EvaluationOverview• Whatistheoverheadonamicro-levelintermsofcomputationandmemory?
18
• CanFlowFence supportrealIoT appssecurely?Ported3ExistingIoT Apps: SmartLights,FaceDoor,HeartRateMonitor
Requiredaddinglessthan140linesperapp;FlowFence isolatesflows
• WhatistheimpactofFlowFence onmacro-performance?FaceDoor RecognitionLatency 5%averageincrease
HeartRateMonitor Throughput 0.2fpsreductiononaverage
SmartLights end-to-endlatency +110ms onaverage
Per-SandboxMemoryOverhead 2.7MB
QMCallLatency 92ms
DataTransferb/wintoSandbox 31.5MB/s
ComparabletoIoT deviceopsoverwide-area-network,e.g.,Nest,SmartThings
Nestcampeakbandwidthis1.2Mb/s
PortingIoT AppstoFlowFence
19
App Data SecurityRisk OriginalLoC FlowFence LoC FlowRequest
SmartLights Canleaklocationinformation 118 193 Loc → Switch
FaceDoor Canleakimagesofpeople 322 456
Cam→ Lock,Doorstate → Lock,Doorstate → Net
HeartRateMon Canleakimagesandheartrate 257 346 Cam→ UI
SmartLights,FaceDoor – 2days ofportingefforteach,HeartMon – 1day ofportingeffort
Macro-performanceofPortedApps
20
SmartLights End-To-EndLatency
Baseline 160ms (SD=69.9)
FlowFence 270ms (SD =96.1)
FaceDoor RecognitionLatency(612x816pixels)
HeartRateMon Throughput
Throughputw/oImageProcessing 23.0(SD=0.7)fps 22.9(SD=0.7)fps
Throughputw/ImageProcessing 22.9(SD=0.7)fps 22.7(SD=0.7)fps
Baseline 811ms (SD=37.1)
FlowFence 937ms (SD=60.4)
FaceDoor EnrollLatency
Summary• EmergingIoT AppFrameworksonlysupportpermission-basedaccesscontrol:Maliciousappscanstealsensitivedataeasily• FlowFence explicitlyembedscontrolanddataflowswithinappstructure;Developersmustsplittheirappsinto:• SetofcommunicatingQuarantinedModules withtheunitofcommunicationbeingOpaqueHandles– tainttracked,opaquerefstodata
• Non-sensitivecodethatorchestratesQMexecution• FlowFence supportspublisherandconsumer flowpoliciesthatenablebuildingsecureIoT apps• Weported3 existingIoT appsin5days;Eachapprequiredadding<140LoC• Macro-performancetests onportedappsindicateFlowFence overheadisreasonable:e.g.,4.9%latencyoverhead torecog.aface&unlockadoor
21
22
FlowFence:PracticalDataProtectionforEmergingIoTApplicationFrameworks
https://iotsecurity.eecs.umich.edu EarlenceFernandes
• EmergingIoT AppFrameworksonlysupportpermission-basedaccesscontrol:Maliciousappscanstealsensitivedataeasily• FlowFence explicitlyembedscontrolanddataflowswithinappstructure;Developersmustsplittheirappsinto:• SetofcommunicatingQuarantinedModules withtheunitofcommunicationbeingOpaqueHandles– tainttracked,opaquerefstodata
• Non-sensitivecodethatorchestratesQMexecution• FlowFence supportspublisherandconsumer flowpoliciesthatenablebuildingsecureIoT apps• Weported3 existingIoT appsin5days;Eachapprequiredadding<140LoC• Macro-performancetests onportedappsindicateFlowFence overheadisreasonable:e.g.,4.9%latencyoverhead torecog.aface&unlockadoor
FlowFence Primitives–QuarantinedModulesandOpaqueHandles
23
QuarantinedModule
OpaqueHandleT (data)(data,T)
• AnOpaqueHandledoesnotrevealinformationabout:• RawData• DataType• TaintLabel• DataSize• Exceptionstonon-QMcode
• Adeveloper-written QuarantinedModule(QM)runsinasandbox andcomputesonsensitivedata
• Sandboxcontrolsthewaysinwhichdatacanenterandexit;FlowFenceoffersKey-ValueStoreandEventChannels fordatasharing
TrustedSink
Over-tainting
• Poorappdecomposition• Developershouldrefactorapptomoreaccuratelyreflectflows• FlowFence onlytaintsQMs;notcompleteappcode
• PoisonPillattacksduetomaliciouspublisher• PublishersmustdefineTaintBoundTMc wheneveraKVstoreoreventchanneliscreatedforthatstoreorchannel• PublisherscannotaddtaintsbeyondTMc• Consumerscancheckthetaintbound,andthendecidewhethertheywanttointeractwiththatpublisher• TMc cannotbemodifiedonceset
24
SideChannels
• Besteffortatclosingsomesidechannels(e.g.,KVstorekeysandeventchannelnameswhicharedeclaredoutsideaQMatinstalltime),butwedonothandleallsidechannels
• Forexample,timetoreturnhandlecanbemodulatedbysensitivedata• CanmakeQMsreturnimmediatelyandthenexecuteasync.w.r.t.caller• SimilartoLIO[61]• Timingchannelscanalsobeboundedusingpredictivetechniques[72]
25
ChallengesinApplyingTaint-basedFlowControl
ImplicitFlows[Security]
Time/SpaceOverhead[Efficiency]
ConcurrencyAttacks[Security]
NewLanguages/NoRapidDev.WithTools[IoT-specific,Practicality]
DiverseProducers/Consumers[IoT-specific,Practicality,Security]
26
TaintDroid,DTA++,DyTAN,…
Amandroid,FlowDroid,…
Jif,JFlow,…
ExistingProblemswhileapplyingDynamic&StaticFlowAnalysis
27
if (sensitive_data == 0x1) {var = ‘A’
} else if (sensitive_date == 0x2) {var = ‘B’
} ImplicitFlows[3]
Specializedhardwareforacceleration[2]
Time/SpaceOverhead[1]
Missflows duetomultithreading/events[4]
[1]Pauporeetal.,HotOS’15[2]Ruwase etal.,SPAA’08[3]Sarwar etal.,SECRYPT’13[4]Myersetal.,POPL’99
subscribe(dev, callback)
IoT-specificChallengesinapplyingDynamic/StaticInformationFlowAnalysis
• Asynchronous,multithreadedandevent-basedenvironment
• DiversePublishersandConsumers(datalabelsnotknownapriori)
• OSandLanguagediversity
28
subscribe(dev, callback) Languagebasedtechniquesmaynotapplydirectly
Wedon’tknowwhichdevicesarepresentinanygivenIoT configuration(andhencewhichtypesofdata)
SometechniquestakeadvantageofOS/Languagestructure
ExistingandIoT-specificproblemswithapplyingDynamic/StaticInstruction-levelFlowAnalyses
• Instruction-levelTaintTracking• TaintingappcodeorOSleadstocomputationalandspaceoverhead [1]– IoT devices/hubsareoftenconstrained/low-poweredwithoutspecialhardware
• Requiresknowledgeoftaintlabelsbeforehand– IoT hasdiversedevicetypes;Wedonotknowwhichtaintlabelsareflowingthroughaprogrambeforehand
• StaticAnalysesandLanguagetechniques• ImplicitFlows [2],IPCs,Asynchronouscode(whichiscommoninIoT appsi.e.,Trigger-Actionprogrammingisubiquitous [3])cancauseunder-tainting
• Developersmustusespecialized languagesrestrictingflexibility
• RelianceonparticularlanguageorOSstructureforsecurity• IoT exhibitsOSandlanguagediversity
29
[1]Pauporeetal.,HotOS’15[2]Sarwar etal.,SECRYPT’13[3]Uretal.,CHI’14,CHI’16
