Deriving event data sharing in IoT systems using formal modelling and analysis

Abstract The increasing presence and utilisation of IoT systems raises many fundamental security and privacy issues that require robust approaches in understanding the behaviour of IoT systems and tackling those issues. In previous works, we demonstrated how some of the security and privacy questions in IoT systems could be answered by means of using federated identity management and authorisation frameworks, such as OAuth, intelligent gateways and personal cloud systems. In this paper, we take these works into a more fundamental level by formally modelling and analysing the OAuthing personal cloud-based IoT system. We demonstrate that this exercise reveals how data is shared across the system, and therefore how security and privacy guarantees can be established at a fundamental level.