自动识别权限过大的智能事物应用程序

2019 IEEE International Conference on Software Maintenance and Evolution (ICSME) Pub Date : 2019-09-01 DOI:10.1109/ICSME.2019.00037

Atheer Abu Zaid, Manar H. Alalfi, A. Miri

{"title":"自动识别权限过大的智能事物应用程序","authors":"Atheer Abu Zaid, Manar H. Alalfi, A. Miri","doi":"10.1109/ICSME.2019.00037","DOIUrl":null,"url":null,"abstract":"The permission system in the SmartThings platform governs how apps access devices. The system was designed to protect devices from third-party apps, by forcing apps to access devices through their capabilities. Design flaws in the system result in apps being over-privileged with unauthorized capabilities. This vulnerability represents serious security challenges to this platform and its users. In this paper, we present an automated tool that can identify over-privilege vulnerability in SmartThings apps. We have identified common patterns, and we have used this knowledge to design our automated over-privilege detection tool. We have evaluated the effectiveness of our tool on 222 official and third-party apps, and we have found that approximately 5.5% of defined devices were misused with 76 identified instances of over-privilege.","PeriodicalId":106748,"journal":{"name":"2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Automated Identification of Over-Privileged SmartThings Apps\",\"authors\":\"Atheer Abu Zaid, Manar H. Alalfi, A. Miri\",\"doi\":\"10.1109/ICSME.2019.00037\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The permission system in the SmartThings platform governs how apps access devices. The system was designed to protect devices from third-party apps, by forcing apps to access devices through their capabilities. Design flaws in the system result in apps being over-privileged with unauthorized capabilities. This vulnerability represents serious security challenges to this platform and its users. In this paper, we present an automated tool that can identify over-privilege vulnerability in SmartThings apps. We have identified common patterns, and we have used this knowledge to design our automated over-privilege detection tool. We have evaluated the effectiveness of our tool on 222 official and third-party apps, and we have found that approximately 5.5% of defined devices were misused with 76 identified instances of over-privilege.\",\"PeriodicalId\":106748,\"journal\":{\"name\":\"2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-09-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICSME.2019.00037\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSME.2019.00037","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

摘要

SmartThings平台中的权限系统管理应用程序如何访问设备。该系统旨在通过强制应用程序通过其功能访问设备，从而保护设备免受第三方应用程序的攻击。系统中的设计缺陷导致应用程序被授予未经授权的权限。此漏洞对该平台及其用户构成了严重的安全挑战。在本文中，我们提出了一个自动化工具，可以识别智能事物应用程序中的过度特权漏洞。我们已经确定了常见的模式，并使用这些知识来设计我们的自动过度特权检测工具。我们已经对222个官方和第三方应用程序评估了我们的工具的有效性，我们发现大约5.5%的已定义设备被滥用，有76个已确定的过度特权实例。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Automated Identification of Over-Privileged SmartThings Apps

The permission system in the SmartThings platform governs how apps access devices. The system was designed to protect devices from third-party apps, by forcing apps to access devices through their capabilities. Design flaws in the system result in apps being over-privileged with unauthorized capabilities. This vulnerability represents serious security challenges to this platform and its users. In this paper, we present an automated tool that can identify over-privilege vulnerability in SmartThings apps. We have identified common patterns, and we have used this knowledge to design our automated over-privilege detection tool. We have evaluated the effectiveness of our tool on 222 official and third-party apps, and we have found that approximately 5.5% of defined devices were misused with 76 identified instances of over-privilege.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)

自引率

0.00%

发文量