Securing Personal IoT Platforms through Systematic Analysis and Design

Our homes, hospitals, cities, and industries are being enhanced with devices that have computational and networking capabilities. This emerging network of connected devices, or Internet of Things (IoT), promises better safety, enhanced management of patients, improved energy efficiency, and optimized manufacturing processes. Although there are many such benefits, security vulnerabilities in these systems can lead to user dissatisfaction (e.g., from random bugs), privacy violation (e.g., from stolen information), monetary loss (e.g., denial-of-service attacks or ``ransomware''), or even loss of life (e.g., from malicious actors manipulating critical processes in a hospital). Security design flaws may manifest at several layers of the IoT software/hardware stack. This work focuses on design flaws that arise in IoT platforms---software systems that manage devices, data analysis results and control logic. Specifically, we show that empirical security-oriented analyses of personal IoT platforms lead to: (1) an understanding of design flaws that can be leveraged in long-range and device-independent attacks; (2) the development of security mechanisms that limit the potential for these attacks. Concretely, we contribute empirical analyses for two categories of personal IoT platforms---Hub-Based (Samsung SmartThings), and Cloud-First (If-This-Then-That). Our analyses reveal overprivilege as a main enabler for attacks, and we propose a set of information flow control techniques (FlowFence and Decoupled-IFTTT) to manage privilege better in these platforms, therefore reducing the potential for attacks.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/137083/1/earlence_1.pd

Securing emerging IoT systems through systematic analysis and design

The Internet of Things (IoT) is growing very rapidly. A variety of IoT systems have been developed and employed in many domains such as smart home, smart city and industrial control, providing great benefits to our everyday lives. However, as IoT becomes increasingly prevalent and complicated, it is also introducing new attack surfaces and security challenges. We are seeing numerous IoT attacks exploiting the vulnerabilities in IoT systems everyday. Security vulnerabilities may manifest at different layers of the IoT stack. There is no single security solution that can work for the whole ecosystem. In this dissertation, we explore the limitations of emerging IoT systems at different layers and develop techniques and systems to make them more secure. More specifically, we focus on three of the most important layers: the user rule layer, the application layer and the device layer. First, on the user rule layer, we characterize the potential vulnerabilities introduced by the interaction of user-defined automation rules. We introduce iRuler, a static analysis system that uses model checking to detect inter-rule vulnerabilities that exist within trigger-action platforms such as IFTTT in an IoT deployment. Second, on the application layer, we design and build ProvThings, a system that instruments IoT apps to generate data provenance that provides a holistic explanation of system activities, including malicious behaviors. Lastly, on the device layer, we develop ProvDetector and SplitBrain to detect malicious processes using kernel-level provenance tracking and analysis. ProvDetector is a centralized approach that collects all the audit data from the clients and performs detection on the server. SplitBrain extends ProvDetector with collaborative learning, where the clients collaboratively build the detection model and performs detection on the client device

SPOT on life skills: a model life skills curriculum for middle school students with disabilities

School-based occupational therapy practitioners (OTPs) have distinct expertise in providing occupation-based interventions. OTPs are called to employ these skills to improve postsecondary outcomes (employment, independent living, postsecondary education) of students with disabilities, as a result of the rising rate of students with disabilities served under the Individuals with Disabilities Education Act (IDEA 2004) surmounting 14% of all public school students in the United States in 2017-2018, and only marginal increases in otherwise poor postschool outcomes of students with disabilities, (U.S. Department of Education, 2019; Test, et al., 2009). The domains of practice in which OTs support clients include activities of daily living, instrumental activities of daily living, rest/sleep, education, work, play, leisure, and social participation (American Occupational Therapy Association, 2014). These are all domains that are relevant to transition planning for adolescents with disabilities, however, current evidence suggests that OTs do not play a significant role in providing transition-based services to school aged youth across the United States (Mankey, 2011). Utilizing Kolb’s experiential learning theory and current research evidence, it is evident that the lack of a widely recognized life skills curriculum, lack of training on the use of occupation-based interventions, and limited use of occupation-based interventions by OTs in middle schools, are negatively impacting the life skills development of students with disabilities. In response, the author created SPOT on Life Skills, an evidence-based theory-driven model for a middle school life skills curriculum. The curriculum will be delivered by an interdisciplinary team including an occupational therapist, a special education teacher, and a speech and language pathologist, who will collaborate together and with the students and their families. The curriculum model will consist of a multifaceted intervention approach including self-care and independent living skills training, social skills training, work readiness, and a work-based experience to increase student independence and improve long-term transition outcomes (Test et al., 2009). The intention of the program, beyond exposing students to a variety of life skills, is to increase OT’s involvement in transition planning and use of occupation-based interventions in the middle school setting. It is anticipated that SPOT on Life Skills, will influence stakeholders to advocate for life skills/transition programming utilizing collaborative occupation-based practices

Inform to Perform: Using Domain Analysis to Explore Amateur Athlete Information Resources and Behaviour

Sporting information has been relatively unexamined in library and information science (LIS) literature with most research concentrating on collection management or archival functions. User studies in LIS have covered some aspects of outdoor recreation and hobbies, but only one study has been found explicitly researching amateur athletes. This project builds contributes a definition of sport as an information domain and an exploratory user study of amateur athletes. The research takes a socio-cognitive approach and uses domain analysis linked to serious leisure, information communication chain and information behaviour theories to provide the research context. These foundational theories are used to define sport as an information domain more formally, noting both degrees of specialisation within it and intersections with related disciplines. Four domain analysis approaches are then used to illustrate the potential of the approach for researching different dimensions within the domain. Three of these approaches involve desk research into different aspects of amateur sport information. By discussing the role of documents, computer science and discourses in sport these approaches show that sport is a multi-faceted and interdisciplinary domain with many topics of interest for the information researcher and practitioner. The fourth approach is a user study of athlete information behaviour that collected data on information sources, tasks and attitudes via an online questionnaire