Internet of Things devices can now be found everywhere, including in our households in the form of Smart Home networks. Despite their ubiquity, their security is unsatisfactory, as demonstrated by recent attacks. The IETF's MUD standard aims to simplify and automate the secure deployment of end devices in networks. A MUD file contains a device-specific description of allowed network activities (e.g., allowed IP ports or host addresses) and can be used to configure, for example, a firewall. A major weakness of MUD is that it is not expressive enough to describe the traffic patterns that represent device interactions, which occur frequently in modern Smart Home platforms. In this article, we present a new language for describing such traffic patterns. The language allows writing device profiles that are more expressive than MUD files and that take into account the interdependencies between traffic connections. We show how these profiles can be translated into efficient code for a lightweight firewall that leverages NFTables to block non-conforming traffic. We evaluate our approach on traffic generated by various Smart Home devices and show that our system accurately blocks unwanted traffic while inducing negligible latency.
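As an added illustration (not the paper's language, code or profile format), the following translator turns a small hypothetical device profile with inter-dependent connection steps into nftables rules: each step records its peer in a dynamic, timed set that the next step must match, which is the kind of dependency a flat MUD ACL cannot express. The profile format, the set-naming scheme and all addresses are assumptions.

```python
"""Translate a device profile with inter-dependent connections into nftables rules.
Added illustration; the profile format is hypothetical, not the paper's language."""

DEVICE = "192.168.1.20"  # constructed smart-home device address
PROFILE = {
    # stand-alone flows: the kind of ACL a MUD file can already express
    "flows": [
        {"dir": "out", "proto": "udp", "dport": 123, "peer": "203.0.113.10"},
    ],
    # interactions: step i+1 is only allowed with a peer that completed step i
    "interactions": [
        {"name": "app_control", "timeout": "30s", "steps": [
            {"dir": "in", "proto": "udp", "dport": 9999},   # app discovers device
            {"dir": "out", "proto": "tcp", "dport": 8080},  # device answers that app
        ]},
    ],
}

def step_match(device, step):
    """Return (match expression, field naming the peer address) for one step."""
    if step["dir"] == "out":
        match, peer = f"ip saddr {device}", "ip daddr"
    else:
        match, peer = f"ip daddr {device}", "ip saddr"
    if "peer" in step:
        match += f" {peer} {step['peer']}"
    return f"{match} {step['proto']} dport {step['dport']}", peer

def translate(device, profile):
    """Emit an nft script: plain flows plus dynamic sets that link the steps."""
    sets, rules = [], ["ct state established,related accept"]
    for flow in profile["flows"]:
        rules.append(step_match(device, flow)[0] + " accept")
    for inter in profile["interactions"]:
        steps, name = inter["steps"], inter["name"]
        for i, step in enumerate(steps):
            match, peer = step_match(device, step)
            if i > 0:  # peer must have completed the previous step recently
                match += f" {peer} @{name}_{i}"
            if i < len(steps) - 1:  # remember this peer for the next step
                sets.append(f"set {name}_{i + 1} {{ type ipv4_addr; flags dynamic,timeout; }}")
                match += f" update @{name}_{i + 1} {{ {peer} timeout {inter['timeout']} }}"
            rules.append(match + " accept")
    body = sets + ["chain forward {", "type filter hook forward priority 0; policy drop;"]
    body += rules + ["}"]
    return "table inet smarthome {\n" + "\n".join("  " + line for line in body) + "\n}\n"

if __name__ == "__main__":
    print(translate(DEVICE, PROFILE))
```

The generated script uses the default-drop forward chain, so any connection the profile does not describe, including a step attempted out of order, is blocked.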