TY - GEN
T1 - Towards Usable Security Analysis Tools for Trigger-Action Programming
AU - McCall, McKenna
AU - Zeng, Eric
AU - Shezan, Faysal Hossain
AU - Yang, Mitchell
AU - Bauer, Lujo
AU - Bichhawat, Abhishek
AU - Cobb, Camille
AU - Jia, Limin
AU - Tian, Yuan
N1 - Publisher Copyright:
© 2023 by The USENIX Association. All rights reserved.
PY - 2023
Y1 - 2023
N2 - Research has shown that trigger-action programming (TAP) is an intuitive way to automate smart home IoT devices, but can also lead to undesirable behaviors. For instance, if two TAP rules have the same trigger condition, but one locks a door while the other unlocks it, the user may believe the door is locked when it is not. Researchers have developed tools to identify buggy or undesirable TAP programs, but little work investigates the usability of the different user-interaction approaches implemented by the various tools. This paper describes an exploratory study of the usability and utility of techniques proposed by TAP security analysis tools. We surveyed 447 Prolific users to evaluate their ability to write declarative policies, identify undesirable patterns in TAP rules (anti-patterns), and correct TAP program errors, as well as to understand whether proposed tools align with users’ needs. We find considerable variation in participants’ success rates writing policies and identifying anti-patterns. For some scenarios over 90% of participants wrote an appropriate policy, while for others nobody was successful. We also find that participants did not necessarily perceive the TAP anti-patterns flagged by tools as undesirable. Our work provides insight into real smart-home users’ goals, highlights the importance of more rigorous evaluation of users’ needs and usability issues when designing TAP security tools, and provides guidance to future tool development and TAP research.
UR - http://www.scopus.com/inward/record.url?scp=85180333392&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85180333392&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85180333392
T3 - Proceedings of the 19th Symposium on Usable Privacy and Security, SOUPS 2023
SP - 301
EP - 320
BT - Proceedings of the 19th Symposium on Usable Privacy and Security, SOUPS 2023
PB - USENIX Association
T2 - 19th Symposium on Usable Privacy and Security, SOUPS 2023
Y2 - 7 August 2023 through 8 August 2023
ER -