IoTCOM combines static analysis with lightweight formal methods to automatically infer relevant specifications of IoT apps in an analyzable formal specification language and check them as a whole for interaction threats. IoTCOM has proven to be highly effective at detecting a broad spectrum of interaction threats triggered through cyber and physical channels, many of which were previously unknown. The contributions of this work are:

1. Classification of interaction threats between IoT apps. We identify and rigorously define seven classes of multi-app interaction threats between IoT apps over physical and cyber channels both within and among apps.

2. Formal model of IoT systems. We develop a formal specification of IoT systems, respecting cyber and physical channels and representing the behavior of IoT apps apropos the detection of safety and security vulnerabilities. We construct this specification as a reusable Alloy~\cite{AlloyBook} module to which all extracted app models conform.

3. Automated analysis. We show how to exploit the power of our formal abstractions by building a modular model extractor that uses static analysis techniques to automatically extract the precise behavior of IoT apps into a trimmed Behavioral Rule Graph, respecting the logical conditions that impact the behavior of the app rules, which is then captured in a format amenable to formal analysis.

4. Experiments. We evaluate the performance of IoTCOM against real-world apps developed for multiple IoT platforms (SmartThings and IFTTT), corroborating IoTCOM's ability in effective compositional analysis of IoT apps interaction vulnerabilities in the order of minutes. We make research artifacts, including the entire Alloy specifications, and the experimental data available to the research and education community.

IoTCOM comprises two components: Behavior Rule Extractor and Formal Analyzer. The Behavior Rule Extractor performs static analysis and applies novel graph abstraction for extracting the behavior of IoT apps. The Formal Analyzer utilizes bounded model checking for identifying potential safety and security violations.

To evaluate the accuracy of IoTCOM and compare it against other state-of-the-art techniques, we used the IoTMAL suite of benchmarks. We also developed 3 bundles (Bundle4 - Bundle6) contain violations involve physical channels. IoTCOM effectively detects all of the violations (100% precision) with fewer false positives (92.8% recall). The following table represents the accuracy of IoTCOM in comparison with IoTSAN and SOTERIA.

We evaluated the capability of IoTCOM to identify violations in real-world IoT apps. We conducted our analysis on numerous bundles of IoT apps from both SmartThings and IFTTT. The following diagrams represent two samples of violations that have been detected by IoTCOM. Fig.1 illustrates a chain of 3 Groovy apps, performing unintended behavior. This violation shows an infinite actuation loop. For detecting this violation, interactions over the luminance physical and scheduling APIs (i.e. runIn) should be recognized. Figure 2 presents another violation that involves an IFTTT Applet and Groovy Apps. A precise control flow analysis is required for identifying this violation.

Alloy Counterexamples for the case studies in Figures 1-3

In this part, we evaluates the verification time required by IoTCOM and IoTSAN. Where IoTSAN manually specifies the initial configuration for each app in the bundle as part of the model. But IoTCOM does not require specification of a single initial configuration, instead exhaustively checking all configurations that fall within the scope of the app model. To perform a fair comparison between the two approaches, we generated initial configurations for 11 bundles of apps and converted them into~a~format supported by IoTSAN. We then ran the two techniques considering all valid initial configurations to avoid missing~any~violation.

Overall, the timing results show that IoTCOM reduces the violation detection time by 92.1% on average and by as much as 99.5%, and is able to effectively perform safety/security violation detection of bundles of real-world apps in just a few minutes (on an ordinary laptop), confirming that the presented technology is indeed feasible in practice for real-world~usage.

1. Static analysis implementation

2. Benchmark apps: contains all benchmark apps that have been used for evaluating IoTCOM. All individual Apps and Bundle1-Bundle3 are obtained from IoTMAL, while Bundle4 - Bundle6 have been developed to show violations that involve interactions over physical channels.

3. Policies: Alloy definitions for the Safety and Security Properties

4. IoTAppModel and IoTChannelMapping : Alloy Specifications for modeling IoT apps and mapping IoT channels

5. Real-world Apps: list of bundles used in RQ2 and RQ3 and Alloy models for 3732 apps used for constructing the 622 bundles.

6. MotivatingExample: includes Ally models for the apps in the motivating example and the property for generating the counterexample. To do so, download the Zip file, unzip it, then open main.als in the Alloy Analyzer (we used alloy4.2.jar)

7. Case studies demonstrated in RQ2: contains Alloy models of each bundle and the definitions of the violated property. README file shows the instructions for regenerate RQ2 results each model to generate the violations.

8. Additional IFTTT Apps: includes 2000+ IFTTT json applets used for constructing app bundles

9. Alloy Model Files Generated from Additional IFTTT Apps: contains 937 Alloy model files.