Publications

1 2 3 6

Intelligence business: Trump must keep privacy protections for US firms

February 13, 2017

TheHill_Featured

Zachary K. Goldman poses questions for the Director of National Intelligence on information privacy, cybersecurity, and American businesses in The Hill.

Third-Party Cyber Risk & Corporate Responsibility

February 1, 2017

Judith H. Germano

Third parties are a significant source of cybersecurity vulnerabilities, yet there remains much work to be done in terms of how third-party risk is assessed and  controlled. This paper explains how properly understanding and addressing third-party cyber risk requires a proactive and comprehensive approach to enable parties on all sides to prevent harms and to prepare for and respond to incidents in a faster, better coordinated, less expensive and more effective manner.

Repeatable Reverse Engineering with the Platform for Architecture-Neutral Dynamic Analysis

January 6, 2017

Ryan J. Whelan, Timothy R. Leek, Joshua E. Hodosh, Patrick A. Hulin, and Brendan Dolan-Gavitt

Many problems brought on by faulty or malicious software code can be diagnosed through a reverse engineering technique known as dynamic analysis, in which analysts study software as it executes. Researchers at Lincoln Laboratory developed the Platform for Architecture-Neutral Dynamic Analysis to facilitate analyses that lead to profound insight into how software behaves.

Stressing Out: Bitcoin “Stress Testing”

December 19, 2016

Khaled Baqer, Danny Yuxing Huang, Damon McCoy, and Nicholas Weaver

In this paper, we present an empirical study of a recent spam campaign (a “stress test”) that resulted in a DoS attack on Bitcoin. The goal of our investigation being to understand the methods spammers used and impact on Bitcoin users.

FACID: A trust-based collaborative decision framework for intrusion detection networks

December 15, 2016

Carol J. Fung and Quanyan Zhu

Computer systems evolve to be more complex and vulnerable. Cyber attacks have also grown to be more sophisticated and harder to detect. Intrusion detection is the process of monitoring and identifying unauthorized system access or manipulation. It becomes increasingly difficult for a single intrusion detection system (IDS) to detect all attacks due to limited knowledge about attacks. Collaboration among intrusion detection devices can be used to gain higher detection accuracy and cost efficiency as compared to its traditional single host-based counterpart.

Proposed NY Cybersecurity Regulation: A Giant Leap Backward?

December 2, 2016

Forbes-CCS

Judith Germano

Mid-November marked the end of the comment period for New York’s “first in nation” proposed cybersecurity legislation for financial institutions. As the hot topic of the day, many regulators and government officials have felt compelled to take a stand on cybersecurity. It seems counterintuitive to set out to protect constituents by inaction. But the wrong type of action, including through inflexible and far-reaching state required mandates, only adds to the growing clamor of distractions about how companies should best secure their systems.

Guest Editorial: Special Issue on Secure and Trustworthy Computing

December 1, 2016

Ozgur Sinanoglu and Ramesh Karri

There is a growing concern regarding the trustworthiness and reliability of the hardware underlying all information systems on which modern society is reliant. Trustworthy and reliable semiconductor supply chain, hardware components, and platforms are essential to all critical infrastructures including financial, healthcare, transportation, and energy.

FPGA Trust Zone: Incorporating trust and reliability into FPGA designs

November 24, 2016

Vinayaka Jyothi, Manasa Thoonoli, Richard Stern, and Ramesh Karri

This paper proposes a novel methodology FPGA Trust Zone (FTZ) to incorporate security into the design cycle to detect and isolate anomalies such as Hardware Trojans in the FPGA fabric. Anomalies are identified using violation to spatial correlation of process variation in FPGA fabric. Anomalies are isolated using Xilinx Isolation Design Flow (IDF) methodology. FTZ helps identify and partition the FPGA into areas that are devoid of anomalies and thus, assists to run designs securely and reliably even in an anomaly-infected FPGA. FTZ also assists IDF to select trustworthy areas for implementing isolated designs and trusted routes. We demonstrate the effectiveness of FTZ for AES and RC5 designs on Xilinx Virtex-7 and Atrix-7 FPGAs.

Hardware Trojans: Lessons Learned after One Decade of Research

November 23, 2016

Kan Xiao, Domenic Forte, Yier Jin, Ramesh Karri, Swarup Bhunia, and Mark Mohammad Tehranipoor 

Given the increasing complexity of modern electronics and the cost of fabrication, entities from around the globe have become more heavily involved in all phases of the electronics supply chain. In this environment, hardware Trojans (i.e., malicious modifications or inclusions made by untrusted third parties) pose major security concerns, especially for those integrated circuits (ICs) and systems used in critical applications and cyber infrastructure.

What Is Cyber Collateral Damage? And Why Does It Matter?

November 15, 2016

Lawfare-CCS

Zachary K. Goldman and Sasha Romanosky

What happens when the consequences of a cyberattack are not physical? What happens when a digital missile destroys or corrupts data in a manner that is not intended by the person launching a lawful cyberattack? Current legal and policy frameworks for assessing collateral damage do not squarely address the matter (or at least they do not do so publicly)—and that needs to change.

You Can Yak but You Can’t Hide: Localizing Anonymous Social Network Users

November 14, 2016

Minhui Xue, Cameron Ballard, Kelvin Liu, Carson Nemelka,  Yanqiu Wu, Keith Ross, and Haifeng Qian

The recent growth of anonymous social network services – such as 4chan, Whisper, and Yik Yak – has brought online anonymity into the spotlight. For these services to function properly, the integrity of user anonymity must be preserved. If an attacker can determine the physical location from where an anonymous message was sent, then the attacker can potentially use side information (for example, knowledge of who lives at the location) to de-anonymize the sender of the message.

Security engineering of nanostructures and nanomaterials

November 7, 2016

Davood Shahrjerdi, Bayan Nasri, Darren Armstrong, Abduallah Alharbi, Ramesh Karri

Proliferation of electronics and their increasing connectivity pose formidable challenges for information security. At the most fundamental level, nanostructures and nanomaterials offer an unprecedented opportunity to introduce new approaches to securing electronic devices. First, we discuss engineering nanomaterials, (e.g., carbon nanotubes (CNTs), graphene, and layered transition metal dichalcogenides (TMDs)) to make unclonable cryptographic primitives.

CamoPerturb: secure IC camouflaging for minterm protection

November 7, 2016

Muhammad YasinBodhisatwa Mazumdar, Ozgur Sinanoglu, and Jeyavijayan Rajendran

This paper presents CamoPerturb, a countermeasure to thwart the decamouflaging attack by integrating logic perturbation with IC camouflaging. CamoPerturb, contrary to all the existing camouflaging schemes, perturbs the functionality of the given design minimally, i.e., adds/removes one minterm, rather than camouflaging the design.

Decision and Game Theory for Security: 7th International Conference, GameSec 2016

November 4, 2016

Quanyan Zhu, Tansu Alpcan, Emmanouil Panaousis, Milind Tambe, and William Casey

This book constitutes the refereed proceedings of the 7th International Conference on Decision and Game Theory for Security, GameSec 2016, held in New York, NY, USA, in November 2016.

A Compact Implementation of Salsa20 and Its Power Analysis Vulnerabilities

November 1, 2016

Bodhisatwa Mazumdar, Sk. Subidh Ali, and Ozgur Sinanoglu

In this article, the authors present a compact implementation of the Salsa20 stream cipher that is targeted towards lightweight cryptographic devices such as radio-frequency identification (RFID) tags.

A Dual Perturbation Approach for Differential Private ADMM-Based Distributed Empirical Risk Minimization

October 28, 2016

Tao Zhang and Quanyan Zhu

In this paper, the authors develop a privacy-preserving method to a class of regularized empirical risk minimization (ERM) machine learning problems.

A Comparative Security Analysis of Current and Emerging Technologies

October 27, 2016

Chandra K.H. Suresh, Bodhisatwa Mazumdar, Sk Subidh Ali, and Ozgur Sinanoglu

In this article, the authors offer a security analysis of nanoelectromechanical systems (NEMS) and carbon nanotube (CNT). They highlight the key technology-specific features of these post-CMOS technologies that can inform the design of secure systems.

Power-side-channel analysis of carbon nanotube FET based design

October 24, 2016

Chandra K. H. Suresh, Bodhisatwa Mazumdar, Sk Subidh Ali and Ozgur Sinanoglu

Continuous scaling of CMOS technology beyond sub-nanometer region has aggravated short-channel effects, resulting in increased leakage current and high power densities. Furthermore, elevated leakage current and power density render CMOS based security-critical applications vulnerable to power-side-channel attacks. Carbon Nanotubes (CNT) is a promising alternative to CMOS technology.