Open rebeccc opened 4 years ago
Reviewer: Rick Sear Review Type: Critical
Currently, the security model surrounding IoT is abstract and poorly understood. This survey seeks to provide a detailed list of existing tech and its security properties, as well as a concrete framework to analyze the security of IoT.
This survey covers several middlewares in depth, and methodically analyzes a matrix consisting of the CIA+ security model against the 3 identified "theaters" of IoT security vulnerabilities.
Reviewer: Reese Jones Review Type: Critical
Problems Being Solved:
The paper is a discussion of the current model of Security surrounding the IoT. In its current state, the model of discussing security of the Internet of Things is poor and does not do a good enough job of approaching security concerns across the domain. The authors propose a new framework by which security of the IoT can be more effectively discussed and analyzed.
Important Areas:
The important areas of discussion within the paper are the different security domains within the internet of things, as broken down into three areas: Hardware, Network, and Cloud/Server-Side. Within each of the areas, the authors discuss security concerns using the CIA+ model of threat assessment.
Questions:
Critiques:
Reviewer: Tuhina Dasgupta
Review Type: Critical
Problem: Security in IoT is a hotly discussed topic that is still misunderstood. This survey paper provides a detailed list of current security technologies and a framework through which to analyze the security of devices.
Important areas:
The paper covers several topics including middlewares, CIA+ model, as well as security concerns in the areas of HW, Network, and the Cloud. The paper also analyses several middlewares using the CIA+ model.
Questions:
-Why is Arduino middleware not secure though it's not connected to the internet? Are all middlewares still possible security concerns though they aren't true IoTs?
-Not sure if this will be covered in the presentation but I hope the nuanced difference between some of the security challenges is explained (ie Authentication v Access Control)
Critiques: -Some of the security requirements could be combined which would make the paper shorter and more readable. -In Section 5,6 the sw doesn't need to be explained in such depth. I think it would have sufficed to direct the reader to external resources (documentation). -The security concerns in Edge COmouting were skipped over which seems like an oversight.
This is a survey paper. It is doing an analysis of security problems/threats for IoT devices. It's specifically concerned with "middleware" which seems to mean just a sort of hardware or software suite used for IoT programming.
Everyone is aware that IoT has security problems, but this paper really examines them in detail. They purpose a matrix of problems, with CIA+ (confidentiality, integrity, authentication, access control, non-repudiation) on one axis, and ABC (device, network, cloud) on the other. Each of the squares in the matrix represents a class of attacks that is more dangerous with IoT than with standard devices.
Then they go on to analyze many of the most commonly used middleware solutions, and evaluate whether or not they are secure on these 15 axises.
1) Isn't leaving off analysis of the "non-secured" systems kinda missing the point? Aren't these the ones that need the most analysis? 2) Why is attestation so hard? 3) Are some of this requirements very hard? It seems like 3 categories of attacks are left unanswered in table 2?
As the internet of things continues to grow, securing new types of internet connected devices will be paramount to their successful use. Several publications have researched this, and this paper serves as a survey of other publications about the topic.
The paper uses a matrix model to describe potential threats to IoT devices at all levels from the physical hardware to the cloud or server that controls them. The model is set up such that each level of the IoT system is analyzed for all of the CIA+ security practices with examples of security flaws for each cell. The paper then goes on to talk about a number of middleware devices for IoT and briefly talks about how each one could make the IoT more secure.
1) What level of the original matrix model would middleware fall under? The paper calls it software with that works between the applications and the operating system, but has no matrix section about software.
2) Is more secure middleware the best way to secure IoT? Wouldn't focusing on the devices themselves or the cloud infrastructure have more of an impact on IoT security?
3) Would securing middleware be a scalable solution to IoT security?
@searri, Rick Sear, Critical: Most Arduinos don't connect to the Internet, so how does the security model change? What bad things can be done with a non-connected device? How many of these other middlewares apply to devices which largely aren't online?
@reesealanj, Reese Jones, Critical: Why are the security challenges of "Authentication" and "Access Control" separate, they seem to me as though they could be roughly conflated to be the same thing.
@tuhinadasgupta, Tuhina Dasgupta, Critical: Not sure if this will be covered in the presentation but I hope the nuanced difference between some of the security challenges is explained.
@Others, Gregor Peach, Comprehension: Why is attestation so hard?
@RyanFisk2, Ryan Fisk, Comprehension: Is more secure middleware the best way to secure IoT? Wouldn't focusing on the devices themselves or the cloud infrastructure have more of an impact on IoT security?
Shared concerns/questions:
Thanks for the questions, all, I'll make sure I address each as much as I can!