Lund University Publications

LUND UNIVERSITY LIBRARIES

TAPShield : Securing Trigger-Action Platforms against Strong Attackers

Moazen, Mojtaba; Paladi, Nicolae; Ahsan, Adnan Jamil and Balliu, Musard (2025) 10th IEEE European Symposium on Security and Privacy, Euro S and P 2025, p. 60-77
Abstract

Automation apps enable seamless connection of IoT devices and services to provide useful functionality for end-users. Apps are typically executed on cloud-based Trigger-Action Platforms (TAPs) such as IFTTT and Node-RED, supporting both single- and multi-tenant models. Such models raise security and privacy concerns in the face of cloud attackers and malicious app makers, resulting in massive and uncontrolled exfiltration of sensitive user data. To address these concerns, we design TAPShield, an architecture that uses confidential computing and language-level sandboxing to protect user data against untrustworthy TAPs and malicious apps. TAPShield targets JavaScript-driven TAPs built on the Node.js environment and uses trusted execution environments implemented with Intel SGX to protect against cloud attackers. It further uses language-level sandboxes such as vm2 and SandTrap to protect against malicious apps. We implement TAPShield for two popular TAPs, Node-RED and IFTTT, and report on the security, performance, and compatibility trade-offs on a range of real-world apps. Our results show clear security benefits with acceptable performance overhead, while adhering to existing development practices of production-scale TAPs.

type
Chapter in Book/Report/Conference proceeding
publication status
published
keywords
Confidential Computing, Language-Level Sandboxing, Trigger-Action Platform
host publication
Proceedings - IEEE 10th European Symposium on Security and Privacy, Euro S and P 2025
pages
18 pages
publisher
IEEE - Institute of Electrical and Electronics Engineers Inc.
conference name
10th IEEE European Symposium on Security and Privacy, Euro S and P 2025
conference location
Venice, Italy
conference dates
2025-06-30 - 2025-07-04
external identifiers
  • scopus:105016187467
ISBN
9798331594930
DOI
10.1109/EuroSP63326.2025.00013
language
English
LU publication?
yes
id
20c965d2-677d-4682-8d64-fcc2d390b523
date added to LUP
2025-11-11 13:58:56
date last changed
2025-11-11 13:58:56
@inproceedings{20c965d2-677d-4682-8d64-fcc2d390b523,
  abstract     = {{Automation apps enable seamless connection of IoT devices and services to provide useful functionality for end-users. Apps are typically executed on cloud-based Trigger-Action Platforms (TAPs) such as IFTTT and Node-RED, supporting both single- and multi-tenant models. Such models raise security and privacy concerns in the face of cloud attackers and malicious app makers, resulting in massive and uncontrolled exfiltration of sensitive user data. To address these concerns, we design TAPShield, an architecture that uses confidential computing and language-level sandboxing to protect user data against untrustworthy TAPs and malicious apps. TAPShield targets JavaScript-driven TAPs built on the Node.js environment and uses trusted execution environments implemented with Intel SGX to protect against cloud attackers. It further uses language-level sandboxes such as vm2 and SandTrap to protect against malicious apps. We implement TAPShield for two popular TAPs, Node-RED and IFTTT, and report on the security, performance, and compatibility trade-offs on a range of real-world apps. Our results show clear security benefits with acceptable performance overhead, while adhering to existing development practices of production-scale TAPs.}},
  author       = {{Moazen, Mojtaba and Paladi, Nicolae and Ahsan, Adnan Jamil and Balliu, Musard}},
  booktitle    = {{Proceedings - IEEE 10th European Symposium on Security and Privacy, Euro S and P 2025}},
  isbn         = {{9798331594930}},
  keywords     = {{Confidential Computing; Language-Level Sandboxing; Trigger-Action Platform}},
  language     = {{eng}},
  pages        = {{60--77}},
  publisher    = {{IEEE - Institute of Electrical and Electronics Engineers Inc.}},
  title        = {{TAPShield : Securing Trigger-Action Platforms against Strong Attackers}},
  url          = {{http://dx.doi.org/10.1109/EuroSP63326.2025.00013}},
  doi          = {{10.1109/EuroSP63326.2025.00013}},
  year         = {{2025}},
}