Many solutions have been proposed to curb unexpected behavior of automation apps installed on programmable IoT platforms by enforcing safety policies at runtime. However, all prior work addresses a weaker version of the actual problem due to a simpler, unrealistic threat model. These solutions are not general enough as they are heavily dependent on the installed apps and catered to specific IoT platforms. Here, we address a stronger version of the problem via a realistic threat model, where (i) undesired cyber actions can come from not only automation platform backends (e.g., SmartThings) but also close-sourced third-party services (e.g., IFTTT), and (ii) physical actions (e.g., user interactions) on devices can move the IoT system to an undesirable state. We propose a runtime mechanism, dubbed Maverick, which employs an app-independent, platform-agnostic mediator to enforce policies against all undesired cyber actions and applies corrective-actions to bring the IoT system back to a safe state from an unsafe state transition. Maverick is equipped with a policy language capable of expressing rich temporal invariants and an automated toolchain that includes a policy synthesizer and a policy analyzer for user assistance. We implemented Maverick in a prototype and showed its efficacy in both physical and virtual testbeds, incurring minimal overhead.

翻译：为遏制可编程物联网平台上自动化应用在运行时产生意外行为，学界已提出多种通过强制执行安全策略的解决方案。然而，由于现有工作均基于过于简化的、不切实际的威胁模型，其应对的仅是实际问题的弱化版本。这些解决方案普遍性不足，过度依赖已安装应用且仅适配特定物联网平台。本文针对现实威胁模型下问题的强化版本展开研究，其威胁模型包含以下特征：（i）恶意网络行为不仅可能来自自动化平台后端（如SmartThings），还可能来自闭源第三方服务（如IFTTT）；（ii）设备上的物理操作（如用户交互）可能将物联网系统迁移至非预期状态。我们提出名为Maverick的运行时机制，该机制采用应用无关、平台无关的中介器执行策略以对抗所有恶意网络行为，并通过施加修正动作将物联网系统从不安全状态转换恢复至安全状态。Maverick配备可表达丰富时序不变量的策略语言，并集成包含策略合成器与策略分析器的自动化工具链以辅助用户。我们通过原型系统实现Maverick，在物理与虚拟测试平台上验证其有效性，且系统开销极低。