Many solutions have been proposed to curb unexpected behavior of automation
apps installed on programmable IoT platforms by enforcing safety policies at
runtime. However, all prior work addresses a weaker version of the actual
problem due to a simpler, unrealistic threat model. These solutions are not
general enough as they are heavily dependent on the installed apps and catered
to specific IoT platforms. Here, we address a stronger version of the problem
via a realistic threat model, where (i) undesired cyber actions can come from
not only automation platform backends (e.g., SmartThings) but also
closed-source third-party services (e.g., IFTTT), and (ii) physical actions
(e.g., user interactions) on devices can move the IoT system to an undesirable
state. We propose a runtime mechanism, dubbed Maverick, which employs an
app-independent, platform-agnostic mediator to enforce policies against all
undesired cyber actions and applies corrective actions to bring the IoT system
back to a safe state from an unsafe state transition. Maverick is equipped with
a policy language capable of expressing rich temporal invariants and an
automated toolchain that includes a policy synthesizer and a policy analyzer
for user assistance. We implemented Maverick in a prototype and showed its
efficacy in both physical and virtual testbeds, incurring minimal overhead.

Comment: 13 pages, full version with material cut from version accepted at ACM
WiSec 202
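The mediator architecture the abstract describes (cyber actions from any backend are checked against policies before they take effect; physical actions cannot be blocked, so the unsafe state they produce is repaired with corrective actions; policies may be temporal) can be illustrated with a small simulation. The following is an added example, not Maverick's code or policy language: the device names, the two policies, the three-state bound and the corrective actions are constructed assumptions.

```python
"""Added illustration (not Maverick's code) of an app-independent mediator
that checks cyber actions against safety policies before committing them and
applies corrective actions when a physical action, or the passage of time,
leaves the system in an unsafe state. Device names, policies and corrective
actions below are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

State = Dict[str, str]        # device -> value
Trace = List[State]           # history of states, newest last
Action = Tuple[str, str]      # (device, value)


@dataclass
class Policy:
    name: str
    holds: Callable[[Trace], bool]                # invariant over the trace
    corrective: Callable[[State], List[Action]]   # actions that restore it


def no_heater_with_open_window(trace: Trace) -> bool:
    """State invariant (constructed): heater off whenever the window is open."""
    s = trace[-1]
    return not (s["window"] == "open" and s["heater"] == "on")


def heater_unattended_bound(trace: Trace, k: int = 3) -> bool:
    """Temporal invariant (constructed): the heater may not stay on for k
    consecutive states while nobody is home."""
    recent = trace[-k:]
    return not (len(recent) == k and
                all(s["presence"] == "away" and s["heater"] == "on" for s in recent))


POLICIES = [
    Policy("window-heater", no_heater_with_open_window, lambda s: [("heater", "off")]),
    Policy("unattended-heater", heater_unattended_bound, lambda s: [("heater", "off")]),
]


@dataclass
class Mediator:
    trace: Trace
    policies: List[Policy]
    log: List[str] = field(default_factory=list)

    @property
    def state(self) -> State:
        return self.trace[-1]

    def _violations(self, trace: Trace) -> List[Policy]:
        return [p for p in self.policies if not p.holds(trace)]

    def _correct(self) -> List[Action]:
        """Apply corrective actions until every policy holds again (bounded)."""
        applied: List[Action] = []
        for _ in range(len(self.policies) + 1):
            bad = self._violations(self.trace)
            if not bad:
                break
            for p in bad:
                for dev, val in p.corrective(self.state):
                    self.state[dev] = val
                    applied.append((dev, val))
                    self.log.append(f"CORRECT [{p.name}]: {dev}={val}")
        return applied

    def mediate(self, source: str, device: str, value: str) -> bool:
        """Cyber action from any backend (platform or third-party service):
        commit it only if no policy would be violated afterwards."""
        candidate = {**self.state, device: value}
        bad = self._violations(self.trace + [candidate])
        if bad:
            self.log.append(f"DENY {source}: {device}={value} "
                            f"({', '.join(p.name for p in bad)})")
            return False
        self.trace.append(candidate)
        self.log.append(f"ALLOW {source}: {device}={value}")
        return True

    def observe_physical(self, device: str, value: str) -> List[Action]:
        """A physical action (user interaction) cannot be blocked: record the
        new state, then correct whatever it broke."""
        self.trace.append({**self.state, device: value})
        self.log.append(f"PHYSICAL: {device}={value}")
        return self._correct()

    def tick(self) -> List[Action]:
        """Advance time without a change so temporal bounds can expire."""
        self.trace.append({**self.state})
        return self._correct()


def build_mediator() -> Mediator:
    initial: State = {"window": "closed", "heater": "off",
                      "presence": "home", "light": "off"}   # constructed
    return Mediator([initial], list(POLICIES))


if __name__ == "__main__":
    m = build_mediator()
    m.mediate("SmartThings", "heater", "on")     # allowed
    m.observe_physical("window", "open")         # heater corrected to off
    m.mediate("IFTTT", "heater", "on")           # denied: window still open
    print("\n".join(m.log))
```

Two points the demo makes concrete: the check is performed on the action, not on the app that issued it, so SmartThings and IFTTT are handled identically; and physical actions are handled by repair rather than by denial, since the mediator only observes them after the fact.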