PaPrica-PS: Fine-Grained, Dynamic Access Control Policy Enforcement for Pub/Sub Systems

High-volume publish/subscribe (pub/sub) systems include collections of hardware and software components such as IoT sensors and the protocols that connect them. Many of these have heretofore lacked robust security and privacy controls by default despite there being significant security, safety, and privacy implications driving the need to control access to the data they generate and manage.

Examples of such pub/sub-based systems are those which power critical systems from smart buildings and factories to full city-wide device networks. In this project, we are developing a fine-grained access control model and enforcement mechanism to address this gap. Our proposed FGAC model builds upon Attribute-Based Access Control (ABAC) defining access rules based on the MQTT protocol message “topics”, attributes of the subscribers and publishers to those topics, as well as ephemeral and per-message context information.

Our framework is platform-agnostic and we implement the prototype for our experiments based on an off-the-shelf open source MQTT pub/sub system without altering the base code of that server itself.