Users Defined Policy Enforcement with Cross-App Interaction Discovery in IoT Platforms
Alex Bardas
Bo Luo
Internet of Things (IoT) platforms have been widely developed to help users design, control, and monitor their smart home systems. These platforms provide a programming interface and allow users to install a variety of IoT apps published by third parties. Because users can obtain IoT apps from unvetted sources, a malicious app could be installed and perform unexpected behaviors that violate users’ security and safety, such as opening the door when no motion is detected. Additionally, prior research shows that, due to the lack of access control mechanisms, even benign IoT apps can cause severe security and safety risks by interacting with each other in unanticipated ways. To address such threats, an improved access control system is needed to detect and monitor unexpected behaviors from IoT apps. In this paper, we provide a dynamic policy enforcement system for IoT that detects IoT behaviors and defines policies based on users’ expectations. The system relies on code analysis to identify single-app behaviors and discover all potential cross-app interactions with configured devices. Discovered behaviors are displayed to users through the app user interface, where users can specify policy rules to restrict unwanted behaviors. Code instrumentation is applied to guard app actions and collect app information at runtime. A policy enforcement module in the system collects and enforces user-specified policies at runtime by blocking actions that violate the policy. We implement the system with benign and malicious apps on the SmartThings platform and show that our system can effectively identify cross-app interactions and correctly enforce policies when actions violate them.
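The pipeline the abstract describes (discover cross-app interactions, then guard actions against user policy at runtime) can be sketched as follows. This is an added example, not the paper's implementation: the trigger-action rule model, the app names, the side-effect table, and the policy format are all constructed assumptions.

```python
from collections import namedtuple

# Assumed model: each app is reduced to one trigger-action rule over
# (device, attribute, value) tuples. Not the paper's representation.
Rule = namedtuple("Rule", "app trigger action")

# Constructed sample apps.
RULES = [
    Rule("HeatOnCold", ("tempSensor", "temperature", "low"), ("heater", "switch", "on")),
    Rule("VentWhenHot", ("tempSensor", "temperature", "high"), ("window", "contact", "open")),
    Rule("UnlockOnArrival", ("presence", "presence", "present"), ("door", "lock", "unlocked")),
]
# Constructed physical-channel effects: an action may change another device's reading.
SIDE_EFFECTS = {("heater", "switch", "on"): [("tempSensor", "temperature", "high")]}
# Constructed user policy: (denied action, state condition under which it is denied).
POLICY = [(("window", "contact", "open"), {"mode": "away"})]

def effects(action):
    """Events an action produces: itself plus any environmental side effects."""
    return [action] + SIDE_EFFECTS.get(action, [])

def find_interactions(rules):
    """Return (src_app, dst_app) pairs where src's action can fire dst's trigger."""
    return [(a.app, b.app) for a in rules for b in rules
            if a is not b and b.trigger in effects(a.action)]

def chains(rules, event):
    """All (app, action) pairs reachable from an initial event via interactions."""
    seen, queue, out = set(), [event], []
    while queue:
        ev = queue.pop(0)
        for r in rules:
            if r.trigger == ev and r.app not in seen:  # each app fires once: no loops
                seen.add(r.app)
                out.append((r.app, r.action))
                queue.extend(effects(r.action))
    return out

def enforce(policy, action, state):
    """Runtime guard: return False (block) if a policy denies action in this state."""
    for denied, condition in policy:
        if denied == action and all(state.get(k) == v for k, v in condition.items()):
            return False
    return True

if __name__ == "__main__":
    print(find_interactions(RULES))
    for app, action in chains(RULES, ("tempSensor", "temperature", "low")):
        print(app, action, "allowed" if enforce(POLICY, action, {"mode": "away"}) else "BLOCKED")
```

Neither sample app opens a window on a cold reading by itself; the chain only appears when the heater's effect on the temperature sensor is modeled, which is the kind of interaction between benign apps the abstract refers to.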