CR · Sep 10, 2021

Towards Practical Integrity in the Smart Home with HomeEndorser

arXiv:2109.05139v1 · 3 citations
Originality: Incremental advance
AI Analysis

This addresses security vulnerabilities in smart home automation for users, though it is incremental as it builds on existing platform-based approaches.

The paper tackles the integrity problem in smart home platforms where untrusted third-parties can modify abstract home objects (AHOs) to attack high-integrity devices, proposing the HomeEndorser framework that uses home abstraction endorsement to correlate AHO changes with environmental changes. It evaluates HomeEndorser on HomeAssistant, deriving over 1000 policy rules for 6 key AHOs with less than 10% overhead and no false alarms.

Home automation in modern smart home platforms is often facilitated using trigger-action routines. While such routines enable flexible automation, they also lead to an instance of the integrity problem in these systems: untrusted third-parties may use platform APIs to modify the abstract home objects (AHOs) that privileged, high-integrity devices such as security cameras rely on (i.e., as triggers), thereby transitively attacking them. As most accesses to AHOs are legitimate, removing the permissions or applying naive information flow controls would not only fail to prevent these problems, but also break useful functionality. Therefore, this paper proposes the alternate approach of home abstraction endorsement, which endorses a proposed change to an AHO by correlating it with certain specific, preceding, environmental changes. We present the HomeEndorser framework, which provides a policy model for specifying endorsement policies for AHOs as changes in device states, relative to their location, and a platform-based reference monitor for mediating all API requests to change AHOs against those device states. We evaluate HomeEndorser on the HomeAssistant platform, finding that we can derive over 1000 policy rules for HomeEndorser to endorse changes to 6 key AHOs, preventing malice and accidents for less than 10% overhead for endorsement check microbenchmarks, and with no false alarms under realistic usage scenarios. In doing so, HomeEndorser lays the first steps towards providing a practical foundation for ensuring that API-induced changes to abstract home objects correlate with the physical realities of the user's environment.
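The endorsement idea in the abstract, sketched as an added example (not code from the paper or from HomeAssistant): a proposed AHO change is allowed only if the device-state changes a policy rule names occurred shortly beforehand. The AHO name, devices, locations, 60-second window and deny-by-default choice are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceEvent:
    ts: float       # time of the state change, in seconds
    device: str     # device type, e.g. "door_lock"
    location: str   # where the device is installed
    state: str      # state the device changed to

# Hypothetical policy: (AHO, proposed value) -> alternative rules.
# Each rule is a set of (device, location, state) changes that must ALL
# have been observed before the AHO change is endorsed.
POLICY = {
    ("home_mode", "home"): [
        {("door_lock", "front_door", "unlocked"),
         ("motion_sensor", "entryway", "active")},
        {("garage_door", "garage", "open")},
    ],
}
WINDOW_S = 60.0  # assumed maximum age of an endorsing device event

def endorse(aho, value, now, events, policy=POLICY, window=WINDOW_S):
    """Reference-monitor check for one API request to change an AHO.

    Returns True only if at least one rule for (aho, value) is fully
    covered by device-state changes that precede `now` by <= window.
    """
    rules = policy.get((aho, value))
    if rules is None:
        return False  # assumption: mediated changes without a rule are denied
    recent = {(e.device, e.location, e.state)
              for e in events if 0 <= now - e.ts <= window}
    return any(rule <= recent for rule in rules)

# Constructed sample data: someone unlocks the front door and walks in.
SAMPLE_EVENTS = [
    DeviceEvent(100.0, "door_lock", "front_door", "unlocked"),
    DeviceEvent(105.0, "motion_sensor", "entryway", "active"),
]

if __name__ == "__main__":
    # Request shortly after the physical entry: endorsed.
    print(endorse("home_mode", "home", 110.0, SAMPLE_EVENTS))
    # Same request with no matching physical activity: rejected.
    print(endorse("home_mode", "home", 110.0, []))
```

A request arriving long after the device events, or backed by only part of a rule, is rejected in the same way as one with no events at all.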
