Hardening the internet of things: Toward designing access control for resource-constrained IOT devices
Abstract
The rapid expansion of Internet-of-Things (IoT) devices has brought with it a growing range of security and privacy concerns. While IoT manufacturers often point to the limited resources of embedded devices as a barrier to implementing strong security measures, the inherently monolithic design of many IoT devices presents an opportunity to apply structured access control models, such as role-based and mandatory access control. This work explores the potential of Linux security modules, specifically TOMOYO and CaitSith, as viable tools for enforcing access control in IoT environments. Despite their capabilities, these modules remain underutilized and underexplored in academic literature. In this study, we design and implement a practical access control framework for a Linux-based IoT gateway, aiming to minimize its attack surface by restricting device behavior to only what is necessary. We assess the effectiveness of our approach through empirical testing, including a network penetration test, and demonstrate how such controls can enhance the security posture of resource-constrained IoT devices.
Explore the full research article on the ACM Digital Library.