Trigger-action platforms are a new type of system that connects IoT devices with web services. For example, the popular IFTTT platform can connect Fitbit with Google Calendar to add a bedtime reminder based on sleep history. However, these platforms present confidentiality and integrity risks as they run on public cloud infrastructure and compute over sensitive user data. This paper describes the design, implementation, and evaluation of Walnut, a low-trust trigger-action platform that mimics the functionality of IFTTT while ensuring confidentiality of data and correctness of computation, at a low resource cost. The key enabler for Walnut is a new two-party secure computation protocol that (i) efficiently performs string substitutions, which are a common computation in trigger-action platform workloads, and (ii) replicates computation over heterogeneous trusted-hardware machines from different vendors to ensure correctness of computation output as long as one of the machines is not compromised. An evaluation of Walnut demonstrates its plausible deployability and low overhead relative to a non-secure baseline: 3.6x in CPU and 4.3x in network for all but a small percentage of programs.