Using IFTTT to Express and Enforce UCON Obligations

  • Antonio La Marra
  • Fabio Martinelli
  • Paolo Mori
  • Athanasios Rizos
  • Andrea Saracino
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11879)


If This Then That (IFTTT) is a free and widely used web-based platform for creating applet chains (Applets) of simple conditional statements that combine different web and smart services. In this paper we propose a methodology for expressing Usage Control (UCON) obligations so that they carry valid data capable of triggering such applet chains. The obligations that accompany the responses to access requests coming from UCON become triggers for the IFTTT platform, which enables a more abstract and non-application-specific mixture of them without each one losing its abstract structure. We present the architecture and workflow of our approach, together with a couple of use cases and the evaluation of an implementation of UCON together with a real IFTTT Applet.


Access Control, IFTTT, Internet of Things, Obligations, Usage Control, XACML



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Antonio La Marra (1)
  • Fabio Martinelli (1)
  • Paolo Mori (1)
  • Athanasios Rizos (1, 2)
  • Andrea Saracino (1)

  1. Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy
  2. Department of Computer Science, University of Pisa, Pisa, Italy
