Designing networked objects to achieve reasonable security

Markel, Zane A

Author(s)

Markel, Zane A

DownloadFull printable version (887.8Kb)

Other Contributors

Technology and Policy Program.

Advisor

David D. Clark.

Terms of use

MIT theses are protected by copyright. They may be viewed, downloaded, or printed from this source but further reproduction or distribution in any format is prohibited without written permission. http://dspace.mit.edu/handle/1721.1/7582

Metadata

Show full item record

Abstract

To maximize the value of the Internet of Things (IoT), developers need to build devices that balance security with features, cost, and usability, relative to the threats that their particular devices will face. However, many IoT devices have thus far failed to achieve this balance. Various organizations have published copious security frameworks to help developers. Of these, frameworks that focus on desirable outcome metrics remain theoretically desirable yet infeasible to use in practice. The other frameworks, which focus on some aspect of the development process itself, are widely used despite a lack of methods for determining their utility. This work introduces six criteria useful for evaluating and comparing these process-based frameworks. Applying them to multiple security frameworks, we find that these frameworks often derive from inflexible conceptions of security, limiting the ability of developers to to vary their security designs. Even when developers are given options, they lack the tools necessary to balance security with other tradeoffs respective to the situations their products will be used in. To begin to address these shortcomings, we propose the Processes for Reasonably Secure Design (PRSD), a novel process-based security framework that helps developers comprehensively and systematically consider the security threats an IoT device may introduce to its surroundings, options for mitigating those threats, and the tradeoffs between those options. To demonstrate its worth, we apply it in multiple case studies. Further, using the six criteria, we evaluate PRSD and find that, in addition to providing useful and novel guidance, it has practical qualities that could make it suitable for many real development efforts.

Description

Thesis: S.M. in Technology and Policy, Massachusetts Institute of Technology, School of Engineering, Institute for Data, Systems, and Society, Technology and Policy Program, 2017.

This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.

Cataloged from student-submitted PDF version of thesis.

Includes bibliographical references (pages 89-99).

Date issued

2017

URI

http://hdl.handle.net/1721.1/111236

Department

Massachusetts Institute of Technology. Engineering Systems Division; Massachusetts Institute of Technology. Institute for Data, Systems, and Society; Technology and Policy Program

Publisher

Massachusetts Institute of Technology

Keywords

Institute for Data, Systems, and Society., Engineering Systems Division., Technology and Policy Program.

Collections

Graduate Theses