Turnstile: Hybrid Information Flow Control Framework for Managing Privacy in Internet-of-Things Applications

Kumseok Jung, Mohanna Shahrad, Gargi Mitra, and Karthik Pattabiraman, To appear in the ACM European Conference on Computer Systems (EuroSys), 2026. (Acceptance Rate: 19.5%). Artifacts Available, Functional and Results Reproduced.

Abstract: General awareness in privacy management has increased over the last decade, from consumers, companies, to governments. While cloud and mobile applications have taken steps forward in improving privacy management, the Internet-of-Things (IoT) domain has been behind in this aspect. Managing privacy in IoT applications is challenging, firstly because IoT applications handle data whose privacy implications change dynamically based on the information it contains. Second, the fragmented nature of the IoT ecosystem makes it difficult to apply a solution end-to-end. To provide a solution to privacy management in IoT, we design and implement Turnstile, a hybrid information flow control (IFC) framework. It identifies privacy-sensitive code paths through static taint analysis, and then integrates a dynamic information flow tracking (DIFT) mechanism into the application via selective code instrumentation. We evaluated Turnstile using 61 third-party IoT applications, and show that it can be an effective solution for managing the privacy of IoT applications.
