Workshop on Decentralized IoT Systems and Security (DISS) 2019
Farinaz Koushanfar (Professor and Henry Booker Faculty Scholar, Co-Founder and Co-Director, Center for Machine-Integrated Computing and Security, Jacobs School of Engineering, University of California, San Diego)Abstract
Alberto Sonnino, Michał Król, Argyrios Tasiopoulos and Ioannis PsarasAbstract
Recent developments in blockchains and edge computing allow deployment of decentralized shared economy platforms with utility token support, where tokens (in the form of altcoins) secure and reward useful work. However, the majority of the systems being developed, does not provide mechanisms to pair those who offer services (workers) and those who request them (clients), or rely on manual and insecure resolution. AStERISK bridges this gap allowing to perform sealed-bid auctions on blockchains, automatically determine the most optimal price for services, and assign clients to the most suitable workers. AStERISK allows workers to specify a minimal price for their work, and hide submitted bids as well the identity of the bidders without relying on any centralized party at any point. We provide a smart contract implementation of AStERISK and show how to deploy it within the Filecoin network, and perform an initial benchmark on Chainspace, an efﬁcient, new smart contract platform.
Nikos Fotiou, Vasilios A. Siris, Spyros Voulgaris, George C. Polyzos and Dmitrij LagutinAbstract
We address the limitations of existing information security solutions when applied to the cyber-physical world. In particular, we consider the case of Internet of Things (IoT) actuation and we argue that it is hard to secure such a process. To this end, we propose a “damage control” approach, where service time is divided into slots and users perform microservice transactions, paying essentially in advance for each one, corresponding to one service slot. Under these circumstances, in the case of service disruption, a user, in the worst case, may lose the amount of money that corresponds to a single micro-service transaction in a single time slot. We implement our solution by leveraging blockchain-based smart contracts, off-chain payments, and one-time Hash-based Message Authentication Code (HMAC) passwords. Our solution supports IoT devices with limited processing capabilities and which are not necessarily connected to the Internet. Moreover, with our solution, IoT devices do not interact directly with the blockchain. In fact, they are oblivious to the use of blockchain technology. They do not store any usersensitive information, neither are payments made to or is value stored on the devices.
Zhiyi Zhang, Vishrant Vasavada, Randy King and Lixia ZhangAbstract
Over the last few years, blockchain-based technologies have ﬂourished in many application areas. One of them is the creation of distributed ledgers where records of immutable objects are widely replicated for both transparency and availability. However, the Proof-of-Work (PoW) approach, a popular gating control that determines who can add new records into a ledger, is deemed infeasible for IoT devices with resource constraints.
In this paper, we present the design of DLedger, a private distributed ledger system designed for an experimental solar network developed by Operant Networks. DLedger records both individual customers’ solar energy production/consumption as well as all other noteworthy system events, such as certiﬁcate issuance and revocations. Compared to today’s centralized record keeping solutions, DLedger brings the beneﬁts of information transparency and availability to both customers and the system vendor. Operant’s solar network uses the Named Data Networking (NDN) protocol, based on which DLedger controls the addition of new records using a lightweight Proof-of-Authentication (PoA). PoA leverages the properties of NDN where (i) every entity in the system possesses a name and a digital certiﬁcate, and (ii) they share the same trust anchor and thus can authenticate each other. DLedger further leverages NDN’s data-centric design to keep the ledger synchronized in a truly distributed and efﬁcient manner.
Lanier Watkins, Shreya Aggarwal, Omotola Akeredolu, William H. Robinson and Aviel RubinAbstract
Medical Body Area Networks (MBAN) are created when Wireless Sensor Nodes are either embedded into the patient’s body or strapped onto it. MBANs are used to monitor the health of patients in real-time in their homes. Many cyber protection mechanisms exist for the infrastructure that interfaces with MBANs; however, not many effective cyber security mechanisms exist for MBANs. We introduce a low-overhead security mechanism for MBANs based on having nodes infer anomalous power dissipation in their neighbors to detect compromised nodes. Nodes will infer anomalous power dissipation in their neighbors by detecting a change in their packet send rate. After two consecutive violations, the node will “Tattle” on its neighbor to the gateway, which will alert the Telemedicine administrator and notify all other nodes to ignore the compromised node.
Enabling Decentralised Identifiers and Verifiable Credentials for Constrained IoT Devices using OAuth-based Delegation
Dmitrij Lagutin, Yki Kortesniemi, Nikos Fotiou and Vasilios A. SirisAbstract
Decentralised identiﬁers (DIDs) and veriﬁable credentials (VCs) are upcoming standards for self-sovereign privacy preserving identiﬁers and authorisation, respectively. This focus on privacy can help improve many services and open up new business models, but using DIDs and VCs directly on constrained IoT devices can be problematic due to the management and resource overhead. This paper presents an OAuth-based method to delegate the processing and access policy management to the Authorisation Server thus allowing also systems with constrained IoT devices to beneﬁt from DIDs and VCs.
Vida Ahmadi Mehri, Dragos Ilie and Kurt TutschkuAbstract
IoT systems are increasingly composed out of ﬂexible, programmable, virtualised, and arbitrarily chained IoT elements and services using portable code. Moreover, they might be sliced, i.e. allowing multiple logical IoT systems (network + application) to run on top of a shared physical network and compute infrastructure. However, implementing and designing particularly security mechanisms for such IoT systems is challenging since a) promising technologies are still maturing, and b) the relationships among the many requirements, technologies and components are difﬁcult to model a-priori.
The aim of the paper is to deﬁne design cues for the security architecture and mechanisms of future, virtualised, arbitrarily chained, and eventually sliced IoT systems. Hereby, our focus is laid on the authorisation and authentication of user and host, as well as on code integrity in these virtualised systems. The design cues are derived from the design and implementation of a secure virtual environment for distributed and collaborative AI system engineering using so called AI pipelines. The pipelines apply chained virtual elements and services and facilitate the slicing of the system. The virtual environment is denoted for short as the virtual premise (VP). The use-case of the VP for AI design provides insight into the complex interactions in the architecture, leading us to believe that the VP concept can be generalised to the IoT systems mentioned above. In addition, the use-case permits to derive, implement, and test solutions. This paper describes the ﬂexible architecture of the VP and the design and implementation of access and execution control in virtual and containerised environments.
Nikolaos Sapountzis, Ruimin Sun and Daniela OliveiraAbstract
By 2018, it is no secret to the global networking community: Internet of Things (IoT) devices, usually controlled by IoT applications and applets, have dominated human lives. It has been shown that popular applet platforms (including If This Then That (IFTTT)) are susceptible to attacks that try to exﬁltrate private photos, leak user location, etc. As new attacks might show up very frequently, tracking them fast and in an efﬁcient and scalable manner is a daunting task due to the limited (e.g., memory, energy) resources at the IoT/mobile device and the large network size. Towards that direction, in this paper we propose a decentralized Dynamic Information Flow Tracking (DDIFT) framework that overcomes these challenges, better adapts to the IoT context, and further, is able to illuminate IoT applet attacks. In doing so, we leverage the synergy between: (i) a dynamic information ﬂow tracking module that considers the application of tags with different types along with provenance information and runs in the mobile device at a fast timescale, (ii) a forensics analysis module running in the cloud at a slow timescale, (iii) distributed optimization to optimize various functionalities of the above modules as well as their interaction. We show that our framework is able to detect IoT applet attacks with higher accuracy (on average 81% improvement for different URL upload attack scenarios) and decreases resource wastage (on average 71% less memory usage under different integrity attack scenarios) compared to traditional DIFT, opening new horizons for IoT privacy and security.
Prof. Virgil Gligor (CMU), Prof. Pekka Nikander (Aalto U.), Dr. Dmitrij Lagutin (Aalto U.), Dr. Michal Krol (UCL)Abstract