Enforcing Access Controls in IoT Networks

FUTURE DATA AND SECURITY ENGINEERING (FDSE 2019)(2019)

Abstract
The MQTT (Message Queuing Telemetry Transport) protocol has become the main protocol for managing messages on the Internet of Things (IoT). In earlier papers, we defined a highly expressive ABAC (Attribute-Based Access Control) model for regulating MQTT-based IoT communications. Our model allows us to express various types of contextual security rules (temporal security rules, content-based security rules, rules based on the frequency of events, etc.). These rules regulate not only publications and subscriptions but also the distribution of messages to subscribers. In this paper we present an access control enforcement system based on our model. Our system is built according to the XACML architecture standard. The Policy Enforcement Point (PEP) is written in Python and acts as a proxy between the nodes and the MQTT broker. It intercepts MQTT requests and transfers them to the Policy Decision Point (PDP). RDF and SHACL are used to represent security rules and, more generally, any knowledge contained in the Policy Information System (PIP). We conduct some experiments that show that our solution is viable in terms of performance.
Keywords
Security policy, MQTT, ABAC, Policy enforcement