CSE Colloquium: Building practical security systems for the post-app smart home

Zoom link: https://psu.zoom.us/j/96868799949?pwd=N3E0Y0tnSXRNWlFPNWhiby9Oc1N2Zz09

Abstract: Modern end-user computing platforms such as smartphones (e.g., Android and iOS) and smart home systems (e.g., SmartThings and NEST) provide programmable interfaces for third-party integration, enabling expressive and popular third-party functionality that is often manifested in applications, or apps . Thus, for the last decade, designing security systems to analyze apps (especially those developed for Android) for vulnerabilities or unwanted behavior has been a major focus within the security community. This approach has continued well into the smart home, with researchers developing systems inspired by lessons from Android security to inspect IoT apps developed for popular platforms such as SmartThings. However, emerging characteristics of smart home ecosystems indicate the need to move away from IoT apps for security analysis , as IoT apps may not be representative of the home automation in real homes, and moreover, as they may be unavailable for analysis or instrumentation in the near future.

In this talk, I will describe the challenges for research in the backdrop of the unsuitability of IoT apps for practical security analysis, and motivate three alternate research directions. First, I will describe the need to develop an alternative to IoT apps for security analysis that is representative of automation usage in the wild. To this end, I will describe Helion, a system that generates natural home automation scenarios, i.e., realistic event sequences that are closely aligned with the real home automation usage in end-user homes. I will demonstrate how Helion leverages the naturalness in user-driven automation programs, along with statistical language modeling techniques, to generate valid scenarios that are useful for security analysis. Second, I will motivate the need to improve the state of security analysis of mobile companion apps, which often form the weakest link in IoT ecosystems, by systematically and rigorously evaluating the security analyses targeted at them. To this end, I will describe a framework for automatically evaluating static program analysis-based security systems using mutation testing, culminating in several security flaws in popular tools such as FlowDroid, CryptoGuard, Argus, and Coverity that affect the reliability and soundness of their analysis. Third, I will discuss our recent efforts in building system-level defenses that are independent of the visibility or mutability of IoT apps . Particularly, I will describe the design of endorsement checks for protecting shared home automation variables (e.g., the user’s presence) without relying on the analysis of IoT apps. Finally, I will conclude the talk by describing the lessons learned from our work, as well as by highlighting challenges and opportunities for future research in home automation security.  

Biography: Adwait Nadkarni is an Assistant Professor in the Department of Computer Science , and director of the Secure Platforms Lab (SPL) at William & Mary . Prof. Nadkarni’s primary research domain is security and privacy, with a focus on emerging platforms, and the areas of operating systems and software security. Prior to joining William & Mary, Prof. Nadkarni earned his Bachelor of Engineering (BE) in Computer Engineering from the University of Mumbai in July 2011, followed by his Ph.D. and M.S. in Computer Science from the Computer Science Department at the North Carolina State University in May 2017 and December 2012 respectively, both with Dr. William Enck . At NC State, Prof. Nadkarni was a founding member of the Wolfpack Security and Privacy Research (WSPR) Lab , and served as its Lead Graduate Student until May 2017.in 2016.