Internet of Things devices can now be found everywhere, including in our households in the form of Smart Home networks. Despite their ubiquity, their security is unsatisfactory, as demonstrated by recent attacks. The IETF's MUD standard has as goal to simplify and automate the secure deployment of end devices in networks. A MUD file contains a device specific description of allowed network activities (e.g., allowed IP ports or host addresses) and can be used to configure for example a firewall. A major weakness of MUD is that it is not expressive enough to describe traffic patterns representing device interactions, which often occur in modern Smart Home platforms. In this article, we present a new language for describing such traffic patterns. The language allows writing device profiles that are more expressive than MUD files and take into account the interdependencies of traffic connections. We show how these profiles can be translated to efficient code for a lightweight firewall leveraging NFTables to block non-conforming traffic. We evaluate our approach on traffic generated by various Smart Home devices, and show that our system can accurately block unwanted traffic while inducing negligible latency.

翻译：物联网设备现已遍布各处，包括以智能家居网络形式存在于家庭中。尽管这些设备无处不在，但近期攻击事件表明其安全性仍不尽如人意。IETF制定的MUD标准旨在简化和自动化终端设备在网络中的安全部署。MUD文件包含设备允许的网络活动（如允许的IP端口或主机地址）的特定描述，可用于配置防火墙等安全机制。MUD的主要缺陷在于其表达能力不足以描述代表设备交互的流量模式，而这类交互在现代智能家居平台中十分常见。本文提出一种用于描述此类流量模式的新语言。该语言允许编写比MUD文件更具表达能力的设备配置文件，能够考虑流量连接的相互依赖关系。我们演示了如何将这些配置文件转化为针对轻量级防火墙的高效代码，并利用NFTables阻断不符合规则的流量。通过对多种智能家居设备产生的流量进行实验评估，结果表明该系统能够精准阻断恶意流量，同时仅引入可忽略的延迟。