MAVERICK: An App-independent and Platform-agnostic Approach to Enforce Policies in IoT Systems at Runtime

Safety and security issues in programmable IoT systems are still a pressing problem. Many solutions have been proposed to curb unexpected behavior of automation apps installed on IoT platforms by enforcing safety and security policies at runtime. However, all prior work addresses a weaker version of the actual problem as they consider a simple threat model, which is far from the reality. Moreover, these solutions are heavily dependent on the installed apps and catered to specific IoT platforms, which can unfortunately result in inaccurate runtime enforcement of policies. In this paper, we address a stronger version of the problem by considering a realistic threat model, where (i) undesired cyber actions (e.g., lock()/unlock()) can come from not only automation platform backends (e.g., SmartThings) but also close-sourced thirdparty services (e.g., IFTTT), and (ii) physical actions (e.g., user interactions) on devices can move the IoT system to an unsafe state. We propose a runtime mechanism, dubbed Maverick, which employs an app-independent, platform-agnostic mediator to enforce policies against all undesired cyber actions and applies corrective-actions to bring the IoT system back to a safe state if it ever transitions to an unsafe state. To assist users for writing policies, Maverick is equipped with a policy language capable of expressing rich temporal invariants and an automated toolchain that includes a policy synthesizer and a policy analyzer. We implemented Maverick in a prototype and showed its efficacy in both physical and virtual testbeds where it incurred minimal overhead.