forked from w3c/wot-security
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
3622 lines (3490 loc) · 204 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="stylesheet" href="tablestyle.css">
<meta charset="utf-8" />
<title>Web of Things (WoT) Security and Privacy Guidelines</title>
<script class="remove" async="" src="https://www.w3.org/Tools/respec/respec-w3c"></script>
<script class="remove">
var respecConfig = {
specStatus: "ED"
, noRecTrack: "true"
, processVersion: 2017
, shortName: "wot-security"
, copyrightStart: 2017
, group: "wg/wot"
, lint: {
"no-unused-dfns": false
}
, wg: "Web of Things Working Group"
, wgURI: "https://www.w3.org/WoT/WG/"
, wgPublicList: "public-wot-wg"
, edDraftURI: "https://w3c.github.io/wot-security/"
, githubAPI: "https://api.github.com/repos/w3c/wot-security"
, issueBase: "https://www.github.com/w3c/wot-security/issues"
, editors: [
{
name: "Elena Reshetova"
, w3cid: "99327"
, company: "Intel Corp."
, companyURL: "https://www.intel.com/"
},
{
name: "Michael McCool"
, w3cid: "93137"
, company: "Intel Corp."
, companyURL: "https://www.intel.com/"
}
]
, otherLinks: [
{
key: "Contributors"
, data: [
{
value: "In the GitHub repository"
, href: "https://github.com/w3c/wot-security/graphs/contributors"
}
]
}
, {
key: "Repository",
data: [
{
value: "We are on GitHub",
href: "https://github.com/w3c/wot-security/"
}
, {
value: "File a bug",
href: "https://github.com/w3c/wot-security/issues"
}
, {
value: "Contribute",
href: "https://github.com/w3c/wot-security/pulls"
}
]
}
]
, localBiblio: {
"Ocf17": {
href: "https://openconnectivity.org/specs/OCF_Security_Specification_v1.0.0.pdf"
, title: "The OCF Security Specification, version 1.0.0"
, publisher: "OCF"
, date: "June 2017"
},
"Bel89": {
authors: ["S. Bellovin"]
, href: "https://cseweb.ucsd.edu/classes/sp99/cse227/ipext.pdf"
, title: "Security Problems in the TCP-IP Protocol Suite"
, publisher: "Computer Communication Review, Vol. 19, No. 2"
, pages: "32-48"
, date: "April 1989"
},
"Bel13": {
authors: ["S. Bellovin"]
, href: "https://csrc.nist.gov/csrc/media/events/workshop-on-improving-trust-in-the-online-marketpl/documents/presentations/bellovin_ca-workshop2013.pdf"
, title: "Web Security in the Real World"
, publisher: "Workshop on Improving Trust in the Online Marketplace, NIST"
, date: "April 2013"
},
"Ber14": {
authors: ["V. Bertocci"]
, href: "http://www.cloudidentity.com/blog/2014/04/22/authentication-protocols-web-ux-and-web-api/"
, title: "Authentication Protocols, Web UX and Web API"
, date: "April 2014"
},
"Bru14": {
authors: ["C. Brubaker", "et al."]
, href: "https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf"
, title: "Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations"
, publisher: "IEEE Security Privacy"
, date: "2014"
, pages: "114-129"
},
"Dur13": {
authors: ["Z. Durumeric", "et al."]
, href: "https://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf"
, title: "Analysis of the HTTPS Certificate Ecosystem"
, publisher: "Proc. of the 2013 conference on Internet measurement conference"
, date: "October 2013"
},
"Ell00": {
authors: ["C. Ellison", "B. Schneier"]
, href: "https://www.schneier.com/paper-pki.pdf"
, title: "Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure"
, publisher: "Computer Security Journal, v 16, n 1,"
, date: "2000"
, pages: "1-7"
},
"Fu01": {
authors: ["K. Fu", "et al."]
, href: "https://pdos.csail.mit.edu/papers/webauth:sec10.pdf"
, title: "Dos and Don’ts of Client Authentication on the Web"
, publisher: "Proc. 10th USENIX Security Symposium"
, date: "August 2001"
},
"Geo12": {
authors: ["M. Georgiev", "et al."]
, href: "https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf"
, title: "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software"
, publisher: "Proc. of the 2012 ACM conference on Computer and communications security"
, date: "2012"
, pages: "38-49"
},
"Gol03": {
authors: ["O. Goldreich"]
, href: "http://www.wisdom.weizmann.ac.il/~oded/foc-sur01.html"
, title: "Cryptography and Cryptographic Protocols"
, publisher: "Distributed Computing, vol. 16"
, pages: "177-199"
, date: "2003"
},
"Gre14": {
authors: ["M. Green"]
, href: "https://blog.cryptographyengineering.com/2014/03/19/how-do-you-know-if-rng-is-working/"
, title: "How do you know if an RNG is working?"
, date: "March 2014"
},
"Gut02": {
authors: ["P. Gutman"]
, href: "https://www.cs.auckland.ac.nz/~pgut001/pubs/notdead.pdf"
, title: "PKI: It’s Not Dead, Just Resting"
, publisher: "IEEE Computer, vol. 35, no. 8"
, date: "Aug. 2002"
, pages: "41-49"
},
"Hea13": {
authors: ["M. Hearn"]
, href: "https://googleblog.blogspot.de/2013/02/an-update-on-our-war-against-account.html"
, title: "An update on our war against account hijackers"
, date: "Feb 2013"
},
"IETFACE": {
title: "IETF Authentication and Authorization for Constrained Environments (ACE)"
, href: "https://tools.ietf.org/wg/ace/"
},
"Iic15": {
authors: ["Industrial Internet Consortium"]
, href: "http://www.iiconsortium.org/IIRA.htm"
, title: "Industrial Internet Reference Architecture"
, date: "June 2015"
},
"IicRA17": {
authors: ["Industrial Internet Consortium"]
, href: "https://www.iiconsortium.org/IIRA.htm"
, title: "The Industrial Internet of Things Volume G1: Reference Architecture"
, publisher: "IIC:PUB:G1:V1.80:20170131"
, date: "Jan 2017"
},
"IicSF16": {
authors: ["Industrial Internet Consortium"]
, href: "https://www.iiconsortium.org/IISF.htm"
, title: "The Industrial Internet of Things Volume G4: Security Framework"
, publisher: "IIC:PUB:G4:V1.0:PB:20160926"
, date: "Sept 2016"
},
"ISF17": {
authors: ["IoT Security Foundation"]
, href: "https://iotsecurityfoundation.org/best-practice-guidelines/"
, title: "IoT Security Foundation Best Practice Guidelines"
, date: "May 2017"
},
"Jon14": {
authors: ["M. Jones"]
, href: "http://www.niso.org/sites/default/files/stories/2017-08/SP_Jones_JSON_isqv26no3.pdf"
, title: "A JSON-Based Identity Protocol Suite"
, publisher: "Information Standards Quarterly, vol. 26, no. 3"
, date: "2014"
, pages: "19–22"
},
"Ken03": {
authors: ["S. Kent", "L. Millet"]
, href: "https://www.nap.edu/read/10656/chapter/1"
, title: "Who Goes There? Authentication Through the Lens of Privacy"
, publisher: "The National Academies Press, Washington D.C."
, date: "2003"
},
"Lam04": {
authors: ["B. Lampson"]
, href: "https://pdfs.semanticscholar.org/6fe5/ba7a096e391d985e7818fef9d0f0636210a0.pdf"
, title: "Computer Security in the Real World"
, publisher: "IEEE Computer, vol. 37, no. 6"
, date: "June 2004"
, pages: "37-46"
},
"Loc05": {
authors: ["H. Lockhart"]
, href: "http://www.oracle.com/technetwork/testcontent/saml-084342.html"
, title: "Demystifying SAML"
, date: "May 2005"
},
"Mel15": {
authors: ["D. Melzer"]
, href: "https://c.ymcdn.com/sites/www.issa.org/resource/resmgr/journalpdfs/feature0615.pdf"
, title: "Securing the Industrial Internet of Things"
, date: "June 2015"
},
"Mic17": {
authors: ["Microsoft"]
, href: "https://docs.microsoft.com/en-us/azure/iot-suite/iot-security-architecture"
, title: "Internet of Things security architecture"
, publisher: "STRIDE threat model for IoT"
, date: "Jan 2017"
},
"Moo02": {
authors: ["T. Moors"]
, href: "https://www.csd.uoc.gr/~hy435/material/moors.pdf"
, title: "A critical review of End-to-end arguments in system design"
, publisher: "Proc. of the IEEE International Conference on Communications"
, date: "2002"
},
"Nis15": {
authors: ["NIST"]
, title: "Guide to Industrial Control Systems (ICS) Security"
, publisher: "NIST Special Publication 800-82"
},
"Oos10": {
authors: ["M. Oosdijk", "et al."]
, href: "https://tnc2011.terena.org/getfile/696"
, title: "Provisioning scenarios in identity federations"
, publisher: "Surfnet Research Paper"
, date: "2010"
},
"Owa17": {
authors: ["OWASP"]
, href: "https://www.owasp.org/index.php/Threat_Risk_Modeling"
, title: "Threat Risk Modeling"
, publisher: "OWASP"
, date: "Jan 2017"
},
"Sch14": {
authors: ["B. Schneier"]
, href: "https://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/"
, title: "The Internet of Things Is Wildly Insecure — And Often Unpatchable"
, publisher: "Wired"
, date: "Jan. 2014"
},
"Sch99": {
authors: ["B. Scheier", "A. Shostack"]
, href: "https://www.schneier.com/paper-smart-card-threats.pdf"
, title: "Breaking Up Is Hard To Do: Modeling Security Threats for Smart Cards"
, publisher: "USENIX Workshop on Smart Card Technology, USENIX Press"
, date: "1999"
, pages: "175-185"
},
"Yeg11": {
authors: ["S. Yegge"]
, href: "https://plus.google.com/+RipRowan/posts/eVeouesvaVX"
, title: "Stevey's Google Platforms Rant"
, publisher: "Blog"
, date: "Oct. 2011"
},"ITUx1500": {
authors: ["ITU-T SG17"]
, href: "https://www.itu.int/rec/T-REC-X.1500"
, title: "ITU-T Rec. X.1500 Overview of cybersecurity information exchange"
, publisher: "International Telecommunication Union"
, date: "Apr 2011"
},
"ITUx1520": {
authors: ["ITU-T SG17"]
, href: "https://www.itu.int/rec/T-REC-X.1520"
, title: "ITU-T Rec. X.1520 Common vulnerabilities and exposures"
, publisher: "International Telecommunication Union"
, date: "Jan 2014"
},
"ITUx1524": {
authors: ["ITU-T SG17"]
, href: "https://www.itu.int/rec/T-REC-X.1524"
, title: "ITU-T Rec. X.1524 Common weakness enumeration"
, publisher: "International Telecommunication Union"
, date: "March 2012"
},
"Owa17": {
authors: ["OWASP"]
, href: "https://www.owasp.org/index.php/Threat_Risk_Modeling"
, title: "Threat Risk Modeling"
, publisher: "OWASP"
, date: "Jan 2017"
},
"Owa18": {
authors: ["OWASP"]
, href: "https://www.owasp.org/index.php/Web_Service_Security_Testing_Cheat_Sheet"
, title: "Web Service Security Testing"
, publisher: "OWASP"
, date: "Aug 2018"
},
"FuzzCoAP": {
href: "https://github.com/bsmelo/fuzzcoap"
, title: "FuzzCoAP - Fuzzing for Robustness and Security Testing of CoAP Servers"
},
"Wfuzz": {
href: "http://www.edge-security.com/wfuzz.php"
, title: "Wfuzz. The web application Bruteforcer"
},
"Snyk": {
href: "https://snyk.io/"
, title: "A developer-first solution that automates finding and fixing vulnerabilities in your dependencies"
},
"OWASP-Dependency-Check": {
href: "https://www.owasp.org/index.php/OWASP_Dependency_Check"
, title: "OWASP Dependency Check"
},
"w3af": {
href: "http://w3af.org/"
, title: "Web Application Attack and Audit Framework"
},
"Burp": {
href: "https://portswigger.net/burp"
, title: "Burp Suite Web vulnerability scanner"
},
"Protecode": {
href: "https://www.synopsys.com/software-integrity/security-testing/software-composition-analysis.html"
, title: "Black Duck Software Composition Analysis"
},
"PeachPit-COAP": {
href: "https://www.peach.tech/wp-content/uploads/CoAP_DataSheet.pdf"
, title: "CoAP Peach Pit User Guide"
},
"wapiti": {
href: "http://wapiti.sourceforge.net/"
, title: "Wapiti - The web-application vulnerability scanner"
},
"Coverity": {
href: "https://community.synopsys.com/s/article/Coverity-Tutorial-Introduction-to-Coverity"
, title: "Coverity Tutorial: Introduction to Coverity"
},
"Klocwork": {
href: "https://www.roguewave.com/products-services/klocwork"
, title: "Klocwork. Faster delivery of secure, reliable, and conformant code"
},
"Checkmarx": {
href: "https://www.checkmarx.com/"
, title: "Checkmarx project page"
},
"CoverityOnline": {
href: "https://scan.coverity.com"
, title: "Coverity online scanning service"
},
"Wireshark": {
href: "https://www.wireshark.org/"
, title: "Wireshark project page"
},
"tcpdump": {
href: "https://www.tcpdump.org/"
, title: "tcpdump and libpcap project page"
},
"exploit-db": {
href: "https://www.exploit-db.com/"
, title: "Exploit database project page"
},
"WATOBO": {
href: "http://watobo.sourceforge.net/index.html"
, title: "WATOBO. The Web Application Toolbox"
},
"Nikto": {
href: "https://cirt.net/Nikto2"
, title: "Nikto web server scanner"
},
"Yeg11": {
authors: ["S. Yegge"]
, href: "https://plus.google.com/+RipRowan/posts/eVeouesvaVX"
, title: "Stevey's Google Platforms Rant"
, publisher: "Blog"
, date: "Oct. 2011"
},
"SDO": {
href: "https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/intel-secure-device-onboard-product-brief.pdf"
, title: "Intel® Secure Device Onboard"
, publisher: "Intel"
, date: "2017"
},
"ISO-IEC-2382": {
href: "https://www.iso.org/obp/ui/#iso:std:iso-iec:2382:ed-1:v1:en",
title: "Information technology — Vocabulary",
publisher: "ISO",
date: "2015"
},
"ISO-IEC-27000": {
href: "https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en",
title: "Information technology — Security techniques — Information security management systems — Overview and vocabulary",
publisher: "ISO",
date: "2018"
},
"ISO-IEC-29100": {
href: "https://www.iso.org/obp/ui/#iso:std:iso-iec:29100:ed-1:v1:en",
title: "Information technology — Security techniques — Privacy framework",
publisher: "ISO",
date: "2011"
}
}
};
</script>
</head>
<body>
<section id="abstract">
<p>
This document provides non-normative guidance on Web of Things (WoT) security and privacy.
The Web of Things is descriptive, not prescriptive,
and so is generally designed to support the security models and mechanisms of the systems it describes,
not introduce new ones.
However, a WoT System also has its own unique assets, such as a Scripting API and Thing Descriptions, that
need to be protected and also have security and privacy implications.
</p><p>
We define the general security requirements for a Web of Things (WoT) System using a threat model.
The WoT threat model defines the main security stakeholders, security-relevant assets,
possible attackers, attack surfaces,
and finally threats for a WoT System.
Using this generic WoT threat model for guidance,
it should be possible to select a specific set of security objectives for a concrete WoT System implementation.
We provide several examples using common scenarios based on home, enterprise, and industrial use cases.
We also provide more general suggestions for the design and deployment of a secure WoT System.
All recommendations are linked to the corresponding WoT threats in the generic woT threat model in order to
facilitate understanding of why they are needed.
</p><p>
It is not the intention of this document to limit the set of security mechanisms that can be used to
secure a WoT System.
In particular, while we provide examples and recommendations based on the best available practices in the industry,
this document contains informative statements only.
Specific normative security aspects of the WoT specification are defined in the corresponding normative WoT documents
for each WoT building block.
</p>
<p class="ednote">
This content should be consistent with the summaries in the
Security sections of other WoT documents, in particular the
[[WoT-Architecture11]] and [[WoT-Thing-Description11]]
documents.
</p>
</section>
<section id="sotd">
<p class="ednote" title="The W3C WoT WG is asking for feedback">
Please contribute to this draft using the <a href="https://github.com/w3c/wot-security/issues">GitHub Issue</a> feature of the <a href="https://github.com/w3c/wot-security/">WoT Security and Privacy Considerations</a> repository.
</p>
</section>
<section>
<h1>Introduction</h1>
<p>
Security and privacy are crucial requirements for Web of Things.
Using WoT-based technologies must not put security or privacy at risk,
including the
integrity of a system or the confidentiality of personal information,
nor allow WoT systems to be used to attack other systems,
among other concerns.
This document wants to help implementors and stakeholders in fulfilling
these important requirements and provides guidelines for
secure and privacy-respecting deployments.
</p>
<p>
Definition-wise, this document uses the [[WoT-Architecture11]] as well as the ISO definitions for security [[ISO-IEC-27000]] and privacy ([[ISO-IEC-2382]], [[ISO-IEC-29100]]).
The informative guidelines defined here accompany the other deliverables published by the WoT Working Group.
</p>
<section id="related-documents">
<h2>Related W3C Documents</h2>
<p>
For a general discussion of best practices for developing secure WoT Systems,
as well as a set of suggested combinations of authentication mechanisms
and secured protocols,
see the <a href="https://github.com/w3c/wot-security-best-practices/">WoT
Security Best Practices</a> document.
</p>
<p>For detailed Web of Things specifications, please refer to the following:</p>
<ul>
<li>the [[WoT-Usecases]] document,</li>
<li>the [[WoT-Architecture11]] document,</li>
<li>the [[WoT-Thing-Description11]] document,</li>
<li>the [[WoT-Discovery]] document,</li>
<li>the [[WoT-Binding-Templates]] document, and</li>
<li>the [[WoT-Scripting-API]] document.</li>
</ul>
<p>Other information on the Web of Things can be found on the WoT web site at
<a href="https://www.w3.org/WoT/">https://www.w3.org/WoT/</a>.</p>
</section>
<section>
<h2>
Document Outline
</h2>
<p>
<!-- TODO: Revisit document overview -->
The rest of this document is structured as follows:
<ul>
<li>
Section [[[#wot-device-lifecycle]]] first explains the process by which things are incorporated into a WoT system and the security-related considerations that go along with it.
</li>
<li>
Section [[[#requirements]]] then derives a number of security-related requirements from these considerations and formulates a Threat Model, illustrated by three different scenarios.
</li>
<li>
Section [[[#wot-privacy]]] elaborates on privacy considerations and provides specific guidelines and recommendations.
</li>
<li>
Security aspects related to onboarding are discussed in section [[[#security-provisioning-onboarding-and-maintenance]]].
</li>
<li>
Section [[[#references-to-existing-security-best-practices]]] conducts a review of existing security best practices.
</li>
<li>
Possible mitigations for the threats previously described are presented in section [[[#security-mitigations]]].
</li>
<li>
Section [[[#examples-of-wot-security-configurations]]] gives a number of examples for security configurations in different scenarios.
</li>
<li>
Finally, section [[[#e-security-validation]]] provides guidance for testing and the evaluation of security and privacy considerations.
</li>
<li>
<!-- TODO: Should the terminology be moved to the beginning of the document? -->
Additional terminology used throughout the document is introduced in section [[[#e-terminology]]].
</li>
</ul>
</p>
</section>
</section>
<section id="wot-device-lifecycle">
<h1 id="e-wot-device-lifecycle">Lifecycle of a WoT Device</h1>
<figure id="wot-lifecycle">
<img src="images/WoT_lifecycle_diagram.png"
width="100%"
title="WoT Device Lifecycle"/>
<figcaption>WoT Device Lifecycle</figcaption>
</figure>
<p>The lifecycle of a WoT Device is similar to the lifecycles of other IoT devices and services.
It may in fact be identical if a WoT Thing Description is being used simply to describe an existing device
implemented using another standard.
However,
for discussion purposes we will use the generic lifecycle shown in <a href="#wot-lifecycle"></a>
which includes the following states:
<ul>
<li><strong>Manufactured:</strong> The WoT Device has been manufactured by an OEM.
It might have a WoT runtime present that enables single or multi-tenant users
or it might only have network interfaces exposed present that are compatible with a WoT description.
From the Manufactured state, based on the deployment scenario, the device can transition to either of two states:
the Installation/Commissioning state or the Security Provisioning state.</li>
<li><strong>Installation/Commissioning:</strong> A WoT Device has been installed into its intended deployment environment
by a system provider or system integrator and any necessary SW configuration has been performed.
In practice this state may be combined with or reordered with the Security Provisioning state.</li>
<li><strong>Security Provisioning:</strong> A WoT Device is provisioned with the security metadata and credentials needed
during its Operational state.
The exact set of necessary credentials will vary based on the WoT Device's deployment model and choice of security mechanisms.
The document <cite>The State-of-the-Art and Challenges for the Internet of Things Security</cite> [[RFC8576]]
refers to this stage as "Bootstrapping".</li>
<li><strong>Operational:</strong> The default operational state of WoT Devices.
Devices in this state are fully ready to communicate over WoT interfaces and satisfy their deployment's operational roles.
From the Operational state a device can return to the Manufactured state
if it is fully decommissioned and security de-provisioned
(link E in <a href="#wot-lifecycle"></a>).
It is also possible to perform only a partial reset of a device,
if it only requires re-installation and recommissioning without security re-provisioning
(link D in <a href="#wot-lifecycle"></a>).
It is also possible that only security re-provisioning is needed
without re-installation and re-commissioning (link C in <a href="#wot-lifecycle"></a>).</li>
<li><strong>Maintenance and Security Update:</strong>
A state that is entered when the device's software or configuration needs to be updated.
This is an optional state that can be activated remotely or locally (link A in <a href="#wot-lifecycle"></a>)
on a WoT Device depending on the deployment model and overall setup.
This state can be required to maintain security,
for example to patch SW vulnerabilities or perform security-related configuration updates,
such as key revocation or certificate refresh.
After maintenance or updates are done,
the device normally returns to the Operational state (link B in <a href="#wot-lifecycle"></a>). </li>
</ul>
The scope of this document only covers the Security Provisioning, Operational and Maintenance and Security
Update States of a WoT Device.
</p>
</section>
<section id="requirements">
<h1>Requirements</h1>
<section>
<h2>General</h2>
<p>
In general using the WoT approach should "do no harm": the security of any protocols should be maintained.
The Web of Things does not introduce new security mechanisms,
but should preserve the functionality and security of existing mechanisms.
We also have the following requirements:
<ul>
<li><strong>Exposing:</strong>
When exposing a TD, especially via the Scripting API,
it should be possible to use best practices for security,
including maintaining the integrity of the TD and delivering it only to authorized recipients.</li>
<li><strong>Consuming:</strong>
A consumed TD should accurately reflect the actual security status of the device it describes.</li>
<li><strong>Protocols:</strong>
The WoT can potentially apply to many protocols but to limit scope in this
discussion we will focus on the needs of HTTP(S), CoAP(S), and MQTT(S).</li>
</ul>
</p>
</section>
<section id="wot-threat-model">
<h2>Threat Model</h2>
<p>
Due to the large diversity of devices, use cases,
deployment scenarios and requirements for WoT Things,
it is impossible to define a single WoT threat model that would fit every case.
Instead we describe here an overall WoT threat model framework that can be adjusted
by OEMs or other WoT System users or providers based on their concrete security requirements.
This framework gives a set of possible threats that implementers should
consider, but which may or may not apply to their WoT System.
</p>
<p>
When selecting suitable mitigations to the WoT threats described, it is important to consider various
criteria that might increase the risk level for a particular WoT architecture, such as handing
privacy-sensitive data, physical safety of individuals or the surrounding environment, high
availability requirements, and so forth.
In addition threat mitigations will always be limited by the capabilities of underlying
devices, their list of supported security protocols, processes isolation capabilities, etc.
</p>
<section id="wot-threat-model-stakeholders">
<h3>WoT Primary Stakeholders</h3>
<p>This section lists the primary WoT stakeholders.</p>
<table>
<tr>
<th>Stakeholder</th>
<th>Description</th>
<th>Security goals</th>
<th>Edge cases</th>
</tr><tr>
<th><dfn data-lt="device manufacturer|device manufacturers|manufacturer|oem">
Device Manufacturer</dfn> (OEM)</th>
<td>
Producer of the HW device.
Implements the WoT runtime on the device,
defines Things that the device provides, and generates TDs for these Things.</td>
<td>
Don't want the devices they make to be used in any form of attack
(due to loss of reputation and possible legal consequences in some countries).
Want to satisfy the security requirements of <a>System users</a>
and <a>System providers</a> to maximize HW sales.</td>
<td></td>
</tr><tr>
<th><dfn data-lt="system provider|system providers">
System Provider</dfn><br/> or
<dfn data-lt="system integrator|system integrators">
System Integrator</dfn><br/> or
<dfn data-lt="system installer|system installers">
System Installer</dfn></th>
<td>
Uses devices from <a>OEM</a>s to build various WoT end solutions
specific to particular WoT use case(s).
An <a>OEM</a> might simultaneously be a System Provider,
although System Providers might also
define new TDs or modify TDs provided by other entities (<a>OEM</a>s).
System Providers
might use the WoT scripting API and runtime to implement their solution
or might do a full reflash of the device to install their own software stack.
A System Provider's scripts and their configuration data might require
confidentiality and/or integrity.
A System Integrator/Installer is similar to a System Provider but tends to
reuse rather than create new technology.
</td>
<td>Don't want their WoT System to be a target of any attacks
(loss of reputation, possible legal consequences in some countries).
Want to satisfy security requirements of System users for better sales.
Don't want security to interfere with usability for better sales
(usability vs. security).
<!-- Is "DOS resistance" a defined term? If so, where are they defined, and do we need links? -->
Want their WoT System to be robust and be resistant to DoS attacks.
Want to hide their proprietary scripts and other relevant data from other parties.
</td>
<td>
There might be several independent system providers (tenants) on a single HW device.
In that case isolation between them is required while (perhaps) sharing
user preferences and identification.
</td>
</tr><tr>
<th><dfn data-lt="system user|system users">System User</dfn></th>
<td>
These might be physical users (e.g. John and his family in their smart home)
or abstract users (e.g. the company running a factory).
The primary characteristic of this stakeholder is the need to use
the WoT System to obtain some functionality.
System Users entrust WoT Systems with their data
(video streams from home cameras or factory plans) or physical capabilities
in the surrounding environment (put lights on in a room or start a machine on the factory line).
They might differ in their access to the WoT System
and transferred data (for example, they might only be able to configure
certain parts of the network or only use it as it is).
</td>
<!-- TODO: Are Data confidentiality and Data integrity defined terms? If so, where are they defined... in requirements? Should they be marked with links? -->
<td>
Don't want their data to be exposed to any other System User,
<a>System Provider</a> or <a>OEM</a> unless intended (Data Confidentiality).
Don't want their data to be modified unless intended (Data Integrity).</td>
<td>Access to user data might be configurable based not only on "who"
is the entity accessing the data (access control subject),
but also his/her/its role,
type of access, or time and context.</td>
</tr><tr>
<th><dfn data-lt="system owner|system owners">System Owner</dfn></th>
<td>
An entity that provisions a Thing with the security root of trust
and sets up the initial policies on who can provision/update/remove scripts
to/from the WoT runtimes, if such model is supported.
Any of the above stakeholders can be the System Owner depending on the
concrete setup.
A WoT System might have a number of independent System Owners,
each with their own set of provisioned certificates and/or credentials.
Underlying IoT protocol suites may also have their own notion of ownership.
</td>
<td>
Want to have a full control over their own provisioned security credentials,
including their integrity and confidentiality.
</td>
<td></td>
</tr><tr>
<th><dfn data-lt="system maintainer|system maintainers">System Maintainer</dfn></th>
<td>
This is an optional stakeholder.
It administers a WoT System on behalf of a <a>System Provider</a>
or <a>System User</a>
</td>
<td>
Needs to have enough access to the WoT System to perform its duties.
Should have minimal (ideally none) access to the data of other stakeholders.
</td>
<td></td>
</tr>
</table>
</section>
<section id="wot-threat-model-assets">
<h3>Assets</h3>
<p>This section lists all WoT Assets that are important from a security point of view.</p>
<table>
<tr>
<th>Asset</th>
<th>Description</th>
<th>Who should have access<br/>(Trust Model)</th>
<th>Attack Points</th>
</tr><tr>
<th><dfn data-lt="thing descriptions|td|tds">
Thing Description</dfn> (TD)</th>
<td>Access Control policies for TDs and the resources it describes are part of TDs.
They are managed using a discretionary access control model
(the owner of a TD sets the AC policy).
Some contents of TDs might be privacy sensitive and therefore should not be shared without a specific need.
The integrity of TDs is crucial for the correct operation of a WoT System.
</td>
<td>TD owner: full access<br/>
Others: read only for minimal required part.</td>
<td>Storage on thing itself, cloud storage, in-transfer (network) including TD updates.</td>
</tr><tr>
<th><dfn data-lt="system user data">System User Data</dfn></th>
<td>This includes all data that is produced or processed by the elements of a WoT System,
i.e. sensor readings and their states, user configurations and preferences, actuator commands,
video/audio streams, etc. Can be highly privacy sensitive and confidential.</td>
<td>Different <a>System Users</a> might have different levels of
access to this data based on the use case. In some cases (like user preferences or settings)
the partial access to this asset is also needed by a <a>System Provider</a>.
Non-authorized access must be minimized since access even to a small amount of information
(for example the last timestamp when a door lock API was used) might have severe
privacy concerns (this example would allow an attacker to detect when the owner is away
from his house).
Security mechanisms should be flexible to configure and might also need to include RBAC.<br/>
Others: should have no access unless specifically allowed</td>
<td>Storage on the device itself, remote solution provider storage (Cloud or other),
in-transfer (network)</td>
</tr><tr>
<th><dfn data-lt="system provider scripts|system provider script">
System Provider Data</dfn>
<td>This includes both WoT scripts and any WoT configuration data produced and owned by a
<a>System Provider</a>. It also includes Exposed Things, i.e.
run-time representations of scripts running inside a WoT Runtime.
<a>System providers</a> might have Intellectual Property (IP) in their scripts,
making them highly confidential.
Protocol Bindings might be part of System Provider Data,
if a WoT Device has a single System Provider that
installs and configures WoT Runtime and Protocol Bindings.
However, these can be also provided and confgured by the OEM,
and the same Protocol Bindings could be used by
multiple System Providers on the same device. </td>
<td><a>System Provider</a>: full access<br/>
Others: no access</td>
<td>Storage on the device itself, runtime memory representation,
in-transfer only for initial provisioning and script updates
</td>
</tr><tr>
<th><dfn data-lt="thing resource">
WoT Thing Resources</dfn><br/> and
<dfn data-lt="wot infrastructure resource">
WoT Infrastructure Resources</dfn></th>
<td>Resources should only be used for legitimate purposes and be available when required.</td>
<td><a>System User</a>, <a>System Provider</a></td>
<!-- TODO: "WoT Interface" is a term for the network API of a Thing
defined in the WoT architecture document. How do we refer to these,
and can we link to their definitions? -->
<td>WoT Interface</td>
</tr><tr>
<th><dfn>WoT Controlled Environment</dfn></th>
<td>WoT Devices that have actuator capabilities are able to affect the physical environment
around them.
Such capability must only be used by authorized entities and for legitimate purposes.
An actuator capability also implies a possible safety risk.</td>
<td><a>System User</a>, <a>System Provider</a> and whoever is explicitly authorized by them to control the environment. </td>
<td>WoT Interface</td>
</tr><tr>
<th><dfn>WoT Behavior Metrics</dfn></th>
<td>Indirectly transmitted information (metadata) that represents measurements of
a WoT System's behavior from which other information can be inferred, such as user presence.
For example, the amount of communication between different things,
the APIs used, distribution of communication over time, etc.</td>
<td>It should not be possible to collect/identify indirectly transferable information</td>
<td>In-transfer data and usage of WoT Interface</td>
</tr><tr>
<th><dfn>WoT Basic Security Metadata</dfn></th>
<td>All required security metadata (keys, certificates etc.) that might be provisioned
to the WoT Device in order to be able to perform various security-related operations,
such as authenticating another device or WoT Consumer in the WoT System,
authenticating remote authorization service in case the access control to WoT interfaces is done using tokens, etc.</td>
<td> Manager Thing (if present in WoT Runtime) - an entity that can implement script lifecycle management operations, WoT Runtime </td>
<td> On device storage, in-transfer including provisioning and updates of security metadata.
</td>
</tr>
</table>
<p>The term <dfn>Thing Data</dfn> can be used to refer to either
<a>System User Data</a> or <a>System Provider Data</a>.</p>
<p>If a WoT System supports dynamic installation of scripts
inside WoT runtime, the following assets are added:</p>
<table>
<tr>
<th>Asset</th>
<th>Description</th>
<th>Who should have access?</br>(Trust Model)</th>
<th>Attack Points</th>
</tr><tr>
<th><dfn>WoT Script Security Metadata</dfn></th>
<td>Defines who can provision, install, update, and remove scripts and other
<a>System Provider Data</a> inside a WoT runtime.</td>
<td><a>System Provider</a>, <a>System Maintainer</a></td>
<td>WoT Script Management Interface</td>
</tr>
</table>
<p>If a WoT System allows co-existence of different independent <a>System Providers</a> (tenants)
on a single physical device, the following assets are added:</p>
<table>
<tr>
<th>Asset</th>
<th>Description</th>
<th>Who should have access?</br>(Trust Model)</th>
<th>Attack Points</th>
</tr><tr>
<th><dfn>WoT Runtime Isolation Policies</dfn></th>
<td>Access control policies for isolating co-existing system providers on the device.
Not required if a simple baseline policy of "full isolation" is applied
to different WoT Runtimes running scripts from different System providers.
It might be required if some level of data sharing between them is needed. </td>
<td><a>System Provider</a>, <a>System Maintainer</a></td>
<td>Storage on the thing itself, remote storage (if they are backed up to a remote storage),
in-transfer for initial provisioning and policy updates</td>
</tr>
</table>
</section>
<section id="wot-threat-adversaries">
<h3>Adversaries</h3>
<p>The following adversaries are in-scope for the WoT threat model: </p>
<table>
<tr>
<th>Persona</th>
<th>Motivation</th>
<th>Attacker type</th>
</tr><tr>
<th><dfn>Network Attacker</dfn></th>
<td>Unauthorized access or modification of any stakeholder's asset over the network.
Denial of service. Inferring of non-public or privacy sensitive information.
Taking control of the network component of a WoT System. Reasons: money, fame etc.</td>
<td>Network attack: an attacker has network access to a WoT System,
is able to use WoT Interface, perform Man-in-the-Middle (MitM) attacks,
drop, delay, reorder, re-play, and inject messages.
This attacker type also includes a passive network attacker, where an attacker is only able to passively
observe the WoT System traffic.</td>
</tr><tr>
<th><dfn data-lt="malicious authorized solution user|malicious authorized solution users|malicious authorized users">
Malicious Authorized User</dfn></th>
<td>Unauthorized access of private data of any other stakeholder (eavesdropping).
Unauthorized modification of data of any stakeholder
(modification of sensor data, or script modification).
Obtaining higher privileges than originally intended by the <a>System Owner</a>
(for example, a hotel guest trying to control overall hotel lighting).</td>
<td>Local physical access, WoT Consumer interface (smartphone, web interface, washing machine interface, etc.)</td>
</tr><tr>
<th><dfn data-lt="malicious unauthorized solution user|malicious unauthorized solution users|malicious unauthorized users">
Malicious Unauthorized User</th>
<td>Similar to <a>Malicious Authorized User</a>,
but with no prior access to the WoT System
(examples: guests in a house, guests in a factory).
Denial of service attacks on WoT System.
</td>
<td>Limited local physical network access, can use proximity factor</td>
</tr><tr>
<th><dfn>Malware Developer</dfn></th>
<td>Unauthorized access or modification of any stakeholder's asset.
Denial of service attacks on WoT System.
Taking control of WoT System network components.
Reasons: money, fame etc.</td>
<td>Unprivileged software adversary:
application intentionally gets installed or code injected into
WoT Consumer (user's smartphone, browser, etc.)
or in WoT runtime itself using available WoT Interfaces</td>
</tr>
</table>
<p>The general term <dfn data-lt="malicious users">Malicious User</dfn> may be used to refer to either a
<a>Malicious Authorized User</a> or a <a>Malicious Unauthorized User</a>.</p>
<p>If a WoT System allows the co-existence of different independent System providers (tenants)
on a single physical device, the following adversaries are added:</p>
<table>
<tr>
<th>Persona</th>
<th>Motivation</th>
<th>Attacker Type</th>
</tr><tr>
<th><dfn>Malicious System Provider</dfn></td>
<td>Tries to get access or modify other <a>System Provider Data</a>,
tries to access or modify <a>System User Data</a> from another solution provider.</td>
<td>Unprivileged software adversary:
<a>System provider scripts</a> running on the same HW device, but inside a different WoT runtime</td>
</tr>
</table>
<p>The following adversaries are out of scope of the WoT threat model:</p>
<table>
<tr>
<th>Persona</th>
<th>Motivation</th>
<th>Attacker Type</th>
</tr><tr>
<th><dfn>Malicious OEM</dfn></th>
<td>Intentionally installs HW, firmware or other lower SW level backdoors,
rootkits etc.
in order to get unauthorized access to WoT assets or affect WoT System in any form</td>
<td>Local physical access, privileged access</td>
</tr><tr>
<th><dfn>Careless OEM</dfn></th>
<td>In order to reduce production costs substitutes security validated original
HW parts with low quality unvalidated replacement parts potentially impacting security.</td>
<td>Local physical access, privileged access</td>
</tr><tr>
<th><dfn>Careless System Provider</dfn></th>
<td>In order to reduce solution deployment costs utilizes low quality SW,
performs poor testing, misconfigures hardware or software,
TDs and/or access control policies.</td>
<td>Local physical access, privileged access</td>
</tr><tr>
<th><dfn>Non-WoT End Point Attacker</dfn></th>
<td>Tries to get authorized access/modify any asset stored at non-WoT end points
(Cloud, non-WoT Devices etc.) Reasons: monetary, fame etc.</td>
<td>Remote or local attack</td>
</tr>
</table>
</section>
<section id="wot-threat-model-attack-surfaces">
<h3 id="e-wot-threat-model-attack-surfaces">Attack Surfaces</h3>
<p>In order to correctly define WoT attack surfaces one needs to determine the system's