SmartAuth User-Centered Authorization IoT Study

smartauth user centered authorization l.w
1 / 25
Embed
Share

Explore the challenges and solutions for user-centered authorization in the Internet of Things (IoT) context. Learn how SmartAuth aims to improve security, privacy, and usability while supporting cross-device scenarios.

  • SmartAuth
  • IoT
  • User-Centered
  • Authorization
  • Security
rayaanacharya
fjef Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. SmartAuth: User-Centered Authorization for the Internet of Things Yuan Tian1, Nan Zhang2, Yueh-Hsun Lin3, XiaoFeng Wang2, Blase Ur4, XianZheng Guo1 and Patrick Tague1 1Carnegie Mellon University 2Indiana University Bloomington 3Samsung 4University of Chicago 26th USENIX Security Symposium

  2. Smart-home apps improve quality of life

  3. Smart-home apps improve quality of life, but are risky

  4. Users have limited information about what is going on Install apps User Functionalities explained to the user

  5. Users have limited information about what is going on Smarthome Cloud Smarthome Hub Deploy apps Send notifications Send notifications Install apps User Functionalities explained to the user Operations that the app indeed perform

  6. Can we notify users about the most important information? This app doesn t need to control the lock! For behaviors related to functionality, we don t have to. We should notify them about unexpected behaviors.

  7. Challenges Security and privacy implications depend on context Same sensor in bedroom vs. outside has very different implications Behaviors in code cannot be mapped directly to high-level functionality in description Need to support cross-device scenarios

  8. Previous solutions will not work Solution Context aware Automatic Usabl Security e Manifest Permission No Yes No No Prompt Permission Yes No No No SmartAuth Yes Yes Yes Yes

  9. Redesign the authorization system Goals: Security and Privacy: Share minimum data and capabilities for desired functionality IoT specific: Cross-device, context-based, automatic control Usability: Assist user to make well-informed decisions, minimize user burdens Performance: Lightweight and compatible

  10. SmartAuth overview App Description App Source Code Content Inspector NLPe.g, [2] Policy Enforcer Program Analyzer Authorization creator Consistency Checker Security Policy [2] The Stanford Parser: A statistical parser

  11. An example program analyzer section("Bathroom humidity sensor") { input "bathroom", "capability.relativeHumidityMeasurement", title: "Which humidity sensor?" } if (shower.value.toInteger() > relHum) { coffee.on() }

  12. An example NLP and behavior correlation Description analysis Program analysis Entity : Switch Humidity sensor Lock Entity : Coffee machine Shower Context clue: Bathroom for the humidity sensor Coffee for the switch Condition: Taking a shower Condition: Humidity reading > threshold Triggers Triggers Action: Turn on the switch Unlock the door Action: Turn on the coffee machine

  13. Interface generation Match users mental models Less burden for users Alarm users about unexpected behaviors Survey users perspectives of installing smart-home apps Iterative design with pilot studies

  14. Enforcement

  15. Evaluation How effective is SmartAuth? How accurate is the policy extraction? How does SmartAuth impact users decisions? What is the performance overhead? How compatible is SmartAuth?

  16. Evaluation: Effectiveness of extracting policies Manual analysis to verify all the cases 3.9% false positives Limitations of NLP analysis No false negatives

  17. Evaluation: User study Between-subjects, in-lab study 100 participants split into two groups: SmartAuth Current SmartThings interface (manifest-style) Five pairs of similar apps Participant chooses one of the two One has unexpected privileges

  18. Example app pairs Lights off: Turn lights off when no motion or presence detected for a period of time Darken behind me: Turn your lights off after a period of no motion being observed

  19. SmartThing Interface Lights Off Darken Behind Me

  20. SmartAuth Interface Lights Off Darken Behind Me

  21. SmartThing VS SmartAuth

  22. Users make better decisions with SmartAuth

  23. Evaluation: Performance Pre-processing performance One-time cost to platform provider: 10.42 seconds per app on average Run-time enforcement:

  24. Evaluation: Compatibility Observe behaviors and debug information None of the apps crash In the extreme case, 3.3% of apps loss functionality when we block all remote access

  25. Summary Goal: Bridge semantic gap between what a user sees (app descriptions) and what an app s code actually does NLP to understand descriptions and code annotations Program analysis to understand code Match insights from NLP to program analysis Users much more likely to choose safer apps with SmartAuth Working with Samsung for deployment

Related


No related presentations.

More Related Content