Expat: Expectation-based policy analysis and enforcement for appified smart-home platforms

Moosa Yahyazadeh, Proyash Podder, Endadul Hoque, Omar Chowdhury

Research output: Chapter in Book/Entry/PoemConference contribution

27 Scopus citations


This paper focuses on developing a security mechanism geared towards appified smart-home platforms. Such platforms often expose programming interfaces for developing automation apps that mechanize different tasks among smart sensors and actuators (e.g., automatically turning on the AC when the room temperature is above 80°F). Due to the lack of effective access control mechanisms, these automation apps can not only have unrestricted access to the user's sensitive information (e.g., the user is not at home) but also violate user expectations by performing undesired actions. As users often obtain these apps from unvetted sources, a malicious app can wreak havoc on a smart-home system by either violating the user's security and privacy, or creating safety hazards (e.g., turning on the oven when no one is at home). To mitigate such threats, we propose Expat which ensures that user expectations are never violated by the installed automation apps at runtime. To achieve this goal, Expat provides a platform-agnostic, formal specification language Uei for capturing user expectations of the installed automation apps' behavior. For effective authoring of these expectations (as policies) in Uei, Expat also allows a user to check the desired properties (e.g., consistency, entailment) of them; which due to their formal semantics can be easily discharged by an SMT solver. Expat then enforces Uei policies in situ with an inline reference monitor which can be realized using the same app programming interface exposed by the underlying platform. We instantiate Expat for one of the representative platforms, OpenHAB, and demonstrate it can effectively mitigate a wide array of threats by enforcing user expectations while incurring only modest performance overhead.

Original languageEnglish (US)
Title of host publicationSACMAT 2019 - Proceedings of the 24th ACM Symposium on Access Control Models and Technologies
PublisherAssociation for Computing Machinery
Number of pages12
ISBN (Electronic)9781450367530
StatePublished - May 28 2019
Externally publishedYes
Event24th ACM Symposium on Access Control Models and Technologies, SACMAT 2019 - Toronto, Canada
Duration: Jun 3 2019Jun 6 2019

Publication series

NameProceedings of ACM Symposium on Access Control Models and Technologies, SACMAT


Conference24th ACM Symposium on Access Control Models and Technologies, SACMAT 2019


  • Appified smart-home platforms
  • Inline reference monitoring
  • IoT security
  • Policy enforcement

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems


Dive into the research topics of 'Expat: Expectation-based policy analysis and enforcement for appified smart-home platforms'. Together they form a unique fingerprint.

Cite this