Abstract
Secure installation of Internet of Things (IoT) devices requires configuring access control correctly for each device. In order to enable correct configuration Manufacturer Usage Description (MUD) has been developed by Internet Engineering Task Force (IETF) to automate the protection of IoT devices by micro-segmentation using dynamic access control lists. The protocol defines a conceptually straightforward method to implement access control upon installation by providing a list of every authorized access for each device. This access control list may contain a few rules or hundreds of rules for each device. As a result, validating these rules is a challenge. In order to make the MUD standard more usable for developers, system integrators, and network operators, we report on an interactive system called MUD-Visualizer that visualizes the files containing these access control rules. We show that, unlike manual analysis, the level of the knowledge and experience does not affect the accuracy of the analysis when MUD-Visualizer is used, indicating that the tool is effective for all participants in our study across knowledge and experience levels.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
References
Andalibi, V., Kim, D., Camp, L.J.: Throwing MUD into the FOG: defending IoT and fog by expanding MUD to fog network. In: 2nd USENIX Workshop on Hot Topics in Edge Computing (HotEdge 19) (2019)
Andalibi, V., Lear, E., Kim, D., Camp, J.: On the Analysis of MUD-Files’ Interactions, Conflicts, and Configuration Requirements Before Deployment. In: 5th EAI International Conference on Safety and Security in Internet of Things, SaSeIoT. Springer (2021)
Bailey, M., Cooke, E., Jahanian, F., Xu, Y., Karir, M.: A survey of botnet technology and defenses. In: 2009 Cybersecurity Applications & Technology Conference for Homeland Security, pp. 299–304. IEEE (2009)
Brooke, J.: SUS: A “Quick and Dirty” Usability. CRC Press (1996)
Dodson, D., et al.: Securing Small Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD). Tech. rep, National Institute of Standards and Technology (2019)
D’Orazio, C.J., Choo, K.K.R., Yang, L.T.: Data exfiltration from internet of things devices: iOS devices as case studies. IEEE Internet Things J. 4(2), 524–535 (2016)
Erbenich, V.I.P., Träder, D., Heinemann, A., Nural, M.: Phishing attack recognition by end-users: concepts for URL visualization and implementation. In: HAISA, pp. 179–188 (2019)
Hamza, A., Ranathunga, D., Gharakheili, H.H., Roughan, M., Sivaraman, V.: Clear as MUD: generating, validating and applying IoT behavioral profiles. In: Proceedings of the 2018 Workshop on IoT Security and Privacy, pp. 8–14. ACM (2018)
Henrich, J., Heine, S.J., Norenzayan, A.: Most people are not WEIRD. Nature 466(7302), 29–29 (2010)
Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: mirai and other botnets. Computer 50(7), 80–84 (2017)
Kolomeets, M., Chechulin, A., Kotenko, I., Saenko, I.: Access control visualization using triangular matrices. In: 2019 27th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), pp. 348–355 (2019). https://doi.org/10.1109/EMPDP.2019.8671578
Lear, E., Droms, R., Romascanu, D.: Manufacturer Usage Description Specification. RFC 8520 (2019). 10.17487/RFC8520. https://rfc-editor.org/rfc/rfc8520.txt
Lueth, K.L.: State of the IoT 2020: 12 billion IoT Connections, Surpassing non-IoT for the First Time. https://iot-analytics.com/state-of-the-iot-2020-12-billion-iot-connections-surpassing-non-iot-for-the-first-time
Maxion, R.A., Reeder, R.W.: Improving user-interface dependability through mitigation of human error. Int. J. Hum. Comput. Stud. 63(1–2), 25–50 (2005)
Oliveira, D., Rosenthal, M., Morin, N., Yeh, K.C., Cappos, J., Zhuang, Y.: It’s the psychology stupid: how heuristics explain software vulnerabilities and how priming can illuminate developer’s blind spots. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 296–305 (2014)
O’Neill, M., et al.: Insecurity by design: today’s IoT device security problem. Engineering 2(1), 48–49 (2016)
Rajivan, P., Moriano, P., Kelley, T., Camp, L.J.: Factors in an End User Security Expertise Instrument. Information & Computer Security (2017)
Reeder, R.W., et al.: Expandable grids for visualizing and authoring computer security policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1473–1482 (2008)
Scott, J., Ophoff, J.: Investigating the knowledge-behaviour gap in mitigating personal information compromise. In: HAISA, pp. 236–245 (2018)
Smetters, D.K., Good, N.: How users use access control. In: Proceedings of the 5th Symposium on Usable Privacy and Security, pp. 1–12 (2009)
Tanabe, R., et al.: Disposable botnets: examining the anatomy of IoT botnet infrastructure. In: Proceedings of the 15th International Conference on Availability, Reliability and Security, pp. 1–10 (2020)
Vaniea, K., Ni, Q., Cranor, L., Bertino, E.: Access control policy analysis and visualization tools for security professionals. In: SOUPS Workshop (USM), pp. 7–15 (2008)
Xu, T., Naing, H.M., Lu, L., Zhou, Y.: How do system administrators resolve access-denied issues in the real world? In: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 348–361 (2017)
Yaqoob, I., et al.: The rise of ransomware and emerging security challenges in the internet of things. Comput. Networks 129, 444–458 (2017)
Acknowledgements
This research was supported in part by the National Science Foundation awards CNS 1565375 and CNS 1814518, as well as the grant #H8230-19-1-0310, Cisco Research Support, Google Research, and the Comcast Innovation Fund. Any opinions, findings, and conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, Cisco, Comcast, Google, nor Indiana University.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 IFIP International Federation for Information Processing
About this paper
Cite this paper
Andalibi, V., Dev, J., Kim, D., Lear, E., Camp, L.J. (2021). Making Access Control Easy in IoT. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2021. IFIP Advances in Information and Communication Technology, vol 613. Springer, Cham. https://doi.org/10.1007/978-3-030-81111-2_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-81111-2_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81110-5
Online ISBN: 978-3-030-81111-2
eBook Packages: Computer ScienceComputer Science (R0)