
    Program Analysis of Commodity IoT Applications for Security and Privacy: Challenges and Opportunities

    Recent advances in Internet of Things (IoT) have enabled myriad domains such as smart homes, personal monitoring devices, and enhanced manufacturing. IoT is now pervasive: new applications are being used in nearly every conceivable environment, which leads to the adoption of device-based interaction and automation. However, IoT has also raised issues about the security and privacy of these digitally augmented spaces. Program analysis is crucial in identifying those issues, yet the application and scope of program analysis in IoT remains largely unexplored by the technical community. In this paper, we study privacy and security issues in IoT that require program-analysis techniques with an emphasis on identified attacks against these systems and defenses implemented so far. Based on a study of five IoT programming platforms, we identify the key insights that result from research efforts in both the program analysis and security communities and relate the efficacy of program-analysis techniques to security and privacy issues. We conclude by studying recent IoT analysis systems and exploring their implementations. Through these explorations, we highlight key challenges and opportunities in calibrating for the environments in which IoT systems will be used.

    Comment: syntax and grammar error are fixed, and IoT platforms are updated to match with the submissio

    Program Analysis for Security and Privacy Report on the WS PASSWORD at ECOOP’06

    Abstract. Software security has become more important than ever. Unfortunately, still now, the security of a software system is almost always retrofitted to an afterthought. When security problems arise, understanding and correcting them can be very challenging. On the one hand, the program analysis research community has created numerous static and dynamic analysis tools for performance optimization and bug detection in object-oriented programs. On the other hand, the security and privacy research community has been looking for solutions to automatically detect security problems, privacy violations, and access-control requirements of object-oriented programs. The purpose of the First Program Analysis for Security and Safety Workshop Discussion (PASSWORD 2006), co-located with the Twentieth European Conference on Object-Oriented Programming (ECOOP 2006), was to bring together members of the academic and industrial communities interested in applying analysis, testing, and verification to security and privacy problems, and to encourage program analysis researchers to see the applicability of their work to security and privacy—an area of research that still needs a lot of exploration. This paper summarizes the discussions and contributions of the PASSWORD workshop.