Extending access control in AWS IoT through event-driven functions: an experimental evaluation using a smart lock system

  • Regular contribution
International Journal of Information Security

Abstract

In recent years, the design of effective authorization mechanisms for IoT and, in particular, for smart home applications has gained increasing attention from researchers and practitioners. However, very little attention is given to the performance evaluation of those authorization mechanisms. To fill this gap, this paper presents a thorough experimental evaluation of cloud- and edge-based access control mechanisms for smart home applications. We discuss the main architectural choices, namely (a) where the access control logic is deployed (in the cloud or the edge) and (b) how the attributes needed for policy evaluation are provided to the policy evaluation point and identify possible deployment models for cloud- and edge-based access control mechanisms. To study the impact of these choices on the performance of smart homes, we realized the identified deployment models within the IoT platforms offered by Amazon Web Services (AWS), namely AWS IoT and Greengrass, and empirically evaluate them using a smart lock system. Based on our experimental evaluation, we provide recommendations to both researchers and practitioners.


Notes

  1. https://www.amazon.com/key.

  2. https://www.sofialocks.com/it/smartlocks.

  3. http://mqtt.org/.

  4. It is worth noting that we do not consider the case where the access control logic is in the cloud and the attributes are retrieved from the edge since, according to our experience, it does not seem to offer advantages in terms of security and performance.

  5. https://docs.aws.amazon.com/iot/latest/developerguide/custom-authorizer.html.

  6. We chose Raspberry Pi 3 Model B+ boards because they provide capabilities and performance comparable to smart home hubs and are widely used in noncommercial smart home applications.

  7. This is because MQTT 3.1.1 does not support providing them in the header.

  8. https://aws.amazon.com/it/eclipse.

  9. A statement applies to a request if and only if the action and resource specified in the statement match the ones in the access request and the retrieved attributes satisfy the condition defined in the statement.

  10. When the function times out, the request is automatically denied by AWS. In our experiments, the limit of 15 seconds was never reached.

  11. Configuring them as “on-demand” with less memory briefly saturated memory and CPU, because the Greengrass Core spawns a separate function instance for almost every concurrent request.

  12. https://www.antlr.org/.

  13. The AWS Greengrass service is not available in every region.

  14. https://www.hivemq.com/blog/mqtt5-essentials-part9-request-response-pattern.

  15. https://csrc.nist.gov/projects/lightweight-cryptography.

  16. https://docs.aws.amazon.com/iot/latest/developerguide/enhanced-custom-authentication.html.

  17. The Enhanced Custom Authentication is currently in public beta and only available in the US East-N. Virginia region.
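Notes 9 and 10 together describe the decision procedure the paper's event-driven authorizer follows: a statement applies only when its action and resource match the request and the retrieved attributes satisfy its condition, and a request whose attribute function times out is denied. The following is an added worked example of that rule, written for this page and not taken from the paper or from AWS; the statement format, the attribute names (`role`, `hour`, `lockout`), the smart-lock actions and resources, default-deny when nothing applies, and deny-overrides combining are all assumptions made for illustration.

```python
"""Minimal policy evaluator illustrating Notes 9 and 10.

Added example, not the paper's code. Statement format, attribute names
and the deny-overrides combining rule are assumptions for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any, Callable, Dict, List

Attributes = Dict[str, Any]
Condition = Callable[[Attributes], bool]


@dataclass
class Statement:
    effect: str                      # "Allow" or "Deny"
    action: str                      # shell-style pattern, e.g. "lock:*"
    resource: str                    # shell-style pattern, e.g. "lock/*"
    condition: Condition = field(default=lambda attrs: True)

    def applies(self, action: str, resource: str, attrs: Attributes) -> bool:
        """Note 9: action AND resource match AND condition holds on the attributes."""
        if not (fnmatchcase(action, self.action) and fnmatchcase(resource, self.resource)):
            return False
        try:
            return bool(self.condition(attrs))
        except (KeyError, TypeError):
            # A condition that needs an attribute we could not retrieve is
            # treated as not satisfied, so the statement does not apply.
            return False


def evaluate(policy: List[Statement], action: str, resource: str,
             retrieve: Callable[[], Attributes]) -> str:
    """Return "Allow" or "Deny" for one access request."""
    try:
        attrs = retrieve()               # the attribute-retrieval function
    except TimeoutError:
        return "Deny"                    # Note 10: timed-out function -> request denied
    applicable = [s for s in policy if s.applies(action, resource, attrs)]
    if not applicable:
        return "Deny"                    # default deny (assumption)
    if any(s.effect == "Deny" for s in applicable):
        return "Deny"                    # deny-overrides combining (assumption)
    return "Allow"


# Constructed sample policy for a smart lock (hypothetical values).
SAMPLE_POLICY = [
    # Owner may do anything to the front door.
    Statement("Allow", "lock:*", "lock/front-door", lambda a: a["role"] == "owner"),
    # Guests may unlock the front door only during daytime hours.
    Statement("Allow", "lock:Unlock", "lock/front-door",
              lambda a: a["role"] == "guest" and 8 <= a["hour"] < 20),
    # A lockout attribute (e.g. set by the owner) blocks every lock action.
    Statement("Deny", "lock:*", "lock/*", lambda a: a["lockout"] is True),
]


def decide(action: str, resource: str, attrs: Attributes) -> str:
    """Evaluate SAMPLE_POLICY with attributes that are already available."""
    return evaluate(SAMPLE_POLICY, action, resource, lambda: attrs)


def timed_out() -> Attributes:
    """Stand-in for an attribute function that exceeded its time limit."""
    raise TimeoutError("attribute retrieval exceeded its limit")


if __name__ == "__main__":
    print(decide("lock:Unlock", "lock/front-door", {"role": "owner", "lockout": False}))
    print(decide("lock:Unlock", "lock/front-door", {"role": "guest", "hour": 22, "lockout": False}))
    print(evaluate(SAMPLE_POLICY, "lock:Unlock", "lock/front-door", timed_out))
```

The evaluator deliberately treats a condition that references a missing attribute as "statement does not apply" rather than as an error, which keeps the default-deny outcome even when attribute retrieval is partial; a real deployment would also log which branch produced the denial so that timeouts can be told apart from policy denials.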


Corresponding author

Correspondence to Tahir Ahmad.

Ethics declarations

Funding

There has been no significant financial support for this work that could have influenced its outcome.

Conflict of interest

The authors do not have conflicts of interest associated with this publication.

Availability of data and material

The data used in this study are available at https://drive.google.com/file/d/1Yco70Zv_FRvqYhlxf5ezeInCr8-CI1tS.

Code availability

The code that supports the findings of this study is available at https://drive.google.com/file/d/1Yco70Zv_FRvqYhlxf5ezeInCr8-CI1tS.

Authors’ contribution

TA helped in conceptualization, methodology, validation, investigation, writing—original draft preparation. UM contributed to software, validation, investigation, writing—reviewing and editing. SR helped in supervision. NZ was involved in methodology, validation, writing—reviewing and editing.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.


Cite this article

Ahmad, T., Morelli, U., Ranise, S. et al. Extending access control in AWS IoT through event-driven functions: an experimental evaluation using a smart lock system. Int. J. Inf. Secur. 21, 379–408 (2022). https://doi.org/10.1007/s10207-021-00558-3
