Publications

How Biometric Authentication Poses New Challenges to Our Security and Privacy

July 20, 2017

Nasir Memon

The use of biometric data—an individual’s measurable physical and behavioral characteristics—isn’t new. Government and law enforcement agencies have long used it. … Using biometric data to access our personal devices is increasing as a way to get around the limitations of the commonly used password-based mechanism: it’s easier, more convenient, and (theoretically) more secure. But biometric data can also be stolen and used in malicious ways.

Lock-in-Pop: Securing Privileged Operating System Kernels by Keeping on the Beaten Path

July 17, 2017

Yiwen Li, Brendan Dolan-Gavitt, Sam Weber, and Justin Cappos

Virtual machines (VMs) that try to isolate untrusted code are widely used in practice. However, it is often possible to trigger zero-day flaws in the host Operating System (OS) from inside of such virtualized systems. In this paper, we propose a new security metric showing strong correlation between “popular paths” and kernel vulnerabilities. We verify that the OS kernel paths accessed by popular applications in everyday use contain significantly fewer security bugs than less-used paths. We then demonstrate that this observation is useful in practice by building a prototype system which locks an application into using only popular OS kernel paths. By doing so, we demonstrate that we can prevent the triggering of zero-day kernel bugs significantly better than three other competing approaches, and argue that this is a practical approach to secure system design.

Smartwatches Locking Methods: A Comparative Study

July 14, 2017

Toan Nguyen and Nasir Memon

Smartwatches are rapidly emerging to be the next generation of personal devices from the smartphone era due to their novel form factor and broad applications. However, their emergence also poses new challenges to securing user information. An important challenge is preventing unauthorized access to private information stored on the watch, for which a locking method is typically used. Due to smartwatches’ limited display, the performance of locking methods offered on smartwatches may su er from the fat- finger problem and is currently unknown. In this paper, we present the first study to evaluate different locking methods for smartwatches. We contribute to the ongoing research trend in authentication for smartwatches with a reference benchmark and interesting insights for future work.

New Me: Understanding Expert and Non-Expert Perceptions and Usage of the Tor Anonymity Network

July 14, 2017

Kevin Gallagher, Sameer Patil, Nasir Memon

Proper use of an anonymity system requires adequate understanding of how it functions. Yet, there is surprisingly little research that looks into user understanding and usage of anonymity software. Improper use stemming from a lack of sufficient knowledge of the system has the potential to lead to deanonymization, which may hold severe personal consequences for the user. We report on the understanding and the use of the Tor anonymity system. Via semistructured interviews with 17 individuals (6 experts and 11 non-experts) we found that experts and non-experts view, understand, and use Tor in notably different ways. Moreover, both groups exhibit behavior as well as gaps in understanding that could potentially compromise anonymity. Based on these findings, we provide several suggestions for improving the user experience of Tor to facilitate better user understanding of its operation, threat model, and limitations.

Mercury: Bandwidth-Effective Prevention of Rollback Attacks Against Community Repositories

July 14, 2017

Trishank Karthik Kuppusamy, Vladimir Diaz and Justin Cappos

A popular community repository such as Docker Hub, PyPI, or RubyGems distributes tens of thousands of software projects to millions of users. The large number of projects and users make these repositories attractive targets for exploitation. After a repository compromise, a malicious party can launch a number of attacks on unsuspecting users, including rollback attacks that revert projects to obsolete and vulnerable versions. Unfortunately, due to the rapid rate at which packages are updated, existing techniques that protect against rollback attacks would cause each user to download 2–3 times the size of an average package in metadata each month, making them impractical to deploy.

In this work, we develop a system called Mercury that uses a novel technique to compactly disseminate version information while still protecting against rollback attacks. Due to a different technique for dealing with key revocation, users are protected from rollback attacks, even if the software repository is compromised. This technique is bandwidth-efficient, especially when delta compression is used to transmit only the differences between previous and current lists of version information. An analysis we performed for the Python community shows that once Mercury is deployed on PyPI, each user will only download metadata each month that is about 3.5% the size of an average package. Our work has been incorporated into the latest versions of TUF, which is being integrated by Haskell, OCaml, RubyGems, Python, and CoreOS, and is being used in production by LEAP, Flynn, and Docker.

Optimal impulse control of bi-virus SIR epidemics with application to heterogeneous Internet of Things

July 13, 2017

Vladislav Taynitskiy, Elena Gubar and Quanyan Zhu

With the emerging Internet of Things (IoT) technologies, malware spreading over increasingly connected networks becomes a new security concern. To capture the heterogeneous nature of the IoT networks, we propose a continuous-time Susceptible-Infected-Recovered (SIR) epidemic model with two types of malware for heterogeneous populations over a large network of devices. The malware control mechanism is to patch an optimal fraction of the infected nodes at discrete points in time, which leads to an impulse controller. We use the Pontryagin’s minimum principle for impulsive systems to obtain an optimal structure of the controller and use numerical experiments to demonstrate the computation of the optimal control and the controlled dynamics.

Strategic Trust in Cloud-Enabled Cyber-Physical Systems with an Application to Glucose Control

July 11, 2017

Jeffrey Pawlick and Quanyan Zhu

Advances in computation, sensing, and networking have led to interest in the Internet of things (IoT) and cyberphysical systems (CPS). Developments concerning the IoT and CPS will improve critical infrastructure, vehicle networks, and personal health products. Unfortunately, these systems are vulnerable to attack. Advanced persistent threats (APTs) are a class of long-term attacks in which well-resourced adversaries infiltrate a network and use obfuscation to remain undetected. In a CPS under APTs, each device must decide whether to trust other components that may be compromised. In this paper, we propose a concept of trust (strategic trust) that uses game theory to capture the adversarial and strategic nature of CPS security. Specifically, we model an interaction between the administrator of a cloud service, an attacker, and a device that decides whether to trust signals from the vulnerable cloud. Our framework consists of a simultaneous signaling game and the FlipIt game. The equilibrium outcome in the signaling game determines the incentives in the FlipIt game. In turn, the equilibrium outcome in the FlipIt game determines the prior probabilities in the signaling game. The Gestalt Nash equilibrium (GNE) characterizes the steady state of the overall macro-game. The novel contributions of this paper include proofs of the existence, uniqueness, and stability of the GNE. We also apply GNEs to strategically design a trust mechanism for a cloud-assisted insulin pump. Without requiring the use of historical data, the GNE obtains a risk threshold beyond which the pump should not trust messages from the cloud. Our framework contributes to a modeling paradigm called games-of-games.

How Biometric Authentication Poses New Challenges to Our Security and Privacy

July 11, 2017

Nasir Memon

Discusses the challenges that face biometric authentication in the areas of privacy and network security. The use of biometric data — an individual’s measurable physical and behavioral characteristics — isn’t new. Government and law enforcement agencies have long used it. The Federal Bureau of Investigation (FBI) has been building a biometric recognition database; the U.S. Department of Homeland Security is sharing its iris and facial recognition of foreigners with the FBI. But the use of biometric data by consumer goods manufacturers for authentication purposes has skyrocketed in recent years. For example, Apple’s iPhone allows users to scan their fingerprints to unlock the device, secure mobile bill records, and authenticate payments. Lenovo and Dell are companies that leverage fingerprints to enable users to sign onto their computers with just a swipe. Using biometric data to access our personal devices is increasing as a way to get around the limitations of the commonly used password-based mechanism: it’s easier, more convenient, and (theoretically) more secure. But biometric data can also be stolen and used in malicious ways. Capturing fingerprints at scale isn’t as easy as lifting a credit card or Social Security number, but experience and history tells us that once something is used extensively, criminals will figure out how to misuse and monetize it.

IllusionPIN: Shoulder-Surfing Resistant Authentication Using Hybrid Images

July 11, 2017

Athanasios Papadopoulos, Toan Nguyen, Emre Durmus and Nasir Memon.

We address the problem of shoulder-surfing attacks on authentication schemes by proposing IllusionPIN (IPIN), a PIN-based authentication method that operates on touchscreen devices. IPIN uses the technique of hybrid images to blend two keypads with different digit orderings in such a way, that the user who is close to the device is seeing one keypad to enter her PIN, while the attacker who is looking at the device from a bigger distance is seeing only the other keypad. The user’s keypad is shuffled in every authentication attempt since the attacker may memorize the spatial arrangement of the pressed digits. To reason about the security of IllusionPIN, we developed an algorithm which is based on human visual perception and estimates the minimum distance from which an observer is unable to interpret the keypad of the user.We tested our estimations with 84 simulated shoulder-surfing attacks from 21 different people. None of the attacks was successful against our estimations. In addition, we estimated the minimum distance from which a camera is unable to capture the visual information from the keypad of the user. Based on our analysis, it seems practically almost impossible for a surveillance camera to capture the PIN of a smartphone user when IPIN is in use.

Proactive Defense Against Physical Denial of Service Attacks using Poisson Signaling Games

July 10, 2017

Jeffrey Pawlick and Quanyan Zhu

While the Internet of things (IoT) promises to improve areas such as energy efficiency, health care, and transportation, it is highly vulnerable to cyberattacks. In particular, distributed denial-of-service (DDoS) attacks overload the bandwidth of a server. But many IoT devices form part of cyber-physical systems (CPS). Therefore, they can be used to launch “physical” denial-of-service attacks (PDoS) in which IoT devices overflow the “physical bandwidth” of a CPS. In this paper, we quantify the population-based risk to a group of IoT devices targeted by malware for a PDoS attack. In order to model the recruitment of bots, we develop a “Poisson signaling game,” a signaling game with an unknown number of receivers, which have varying abilities to detect deception. Then we analyze two different mechanisms (legal and economic) to deter botnet recruitment. Equilibrium results indicate that 1) defenders can bound botnet activity, and 2) legislating a minimum level of security has only a limited effect, while incentivizing active defense can decrease botnet activity arbitrarily. This work provides a quantitative foundation for proactive PDoS defense.

A Factored MDP Approach to Optimal Mechanism Design for Resilient Large-Scale Interdependent Critical Infrastructures

July 5, 2017

Linan Huang, Juntao Chen and Quanyan Zhu

Enhancing the security and resilience of interdependent infrastructures is crucial. In this paper, we establish a theoretical framework based on Markov decision processes(MDPs) to design optimal resiliency mechanisms for interdependent infrastructures. We use MDPs to capture the dynamics of the failure of constituent components of an infrastructure and their cyber-physical dependencies. Factored MDPs and ap- proximate linear programming are adopted for an exponentially growing dimension of both state and action spaces. Under our approximation scheme, the optimally distributed policy is equivalent to the centralized one. Finally, case studies in a large-scale interdependent system demonstrate the effectiveness of the control strategy to enhance the network resilience to cascading failures.

Efficient Detection for Malicious and Random Errors in Additive Encrypted Computation

July 3, 2017

Nektarios Georgios Tsoutsos and Michail Maniatakos

Although data confidentiality is the primary security objective in additive encrypted computation applications, such as the aggregation of encrypted votes in electronic elections, ensuring the trustworthiness of data is equally important. And yet, integrity protections are generally orthogonal to additive homomorphic encryption, which enables efficient encrypted computation, due to the inherent malleability of homomorphic ciphertexts. Since additive homomorphic schemes are founded on modular arithmetic, our framework extends residue numbering to support fast modular reductions and homomorphic syndromes for detecting random errors inside homomorphic ALUs and data memories. In addition, our methodology detects malicious modifications of memory data, using keyed syndromes and block cipher-based integrity trees, which allow preserving the homomorphism of ALU operations, while enforcing non-malleability of memory data. Compared to traditional memory integrity protections, our tree-based syndrome generation and updating is parallelizable for increased efficiency, while requiring a small Trusted Computing Base for secret key storage and block cipher operations. Our evaluation shows more than 99.999% detection rate for random ALUs errors, as well as 100% detection rate of single bit-flips and clustered multiple bit upsets, for a runtime overhead between 1.2% and 5.5%, and a small area penalty.

Cyber– Physical Systems Security and Privacy

June 30, 2017

Guest Editors: Michail Maniatakos, Ramesh Karri and Alvaro A. Cardenas

During the past decade, several catch-phrases have been used to emphasize the increasing importance of cyber–physical systems (CPS) in our everyday life: Internet-of-Things, Internet-of-Everything, Smart-Cities, Smart-X, Intelligent-X, etc. All such systems, in their core, consist of networked computing (cyber) devices continuously interacting with the physical world. From fitness trackers and smart thermostats, to traffic light control and smart-grid devices, CPS have increased efficiency, enabled interesting applications and introduced major technological advancements. At the same time, due to their criticality, CPS have become a lucrative target for malicious actors. The wide deployment of CPS, as well as the increasing complexity of the underlying computing devices has increased the attack surface allowing a plethora of cyberattacks. The end-goal of the adversaries can be on the privacy side (e.g., leaking customer information), on the security side (e.g., causing a blackout), or both. Power and area constraints, as well as real-time requirements of CPS are limiting the defense capabilities of the computing devices.

SafetyNets: Verifiable Execution of Deep Neural Networks on an Untrusted Cloud

June 30, 2017

Zahra Ghodsi, Tianyu Gu and Siddharth Garg

Inference using deep neural networks is often outsourced to the cloud since it is a computationally demanding task. However, this raises a fundamental issue of trust. How can a client be sure that the cloud has performed inference correctly? A lazy cloud provider might use a simpler but less accurate model to reduce its own computational load, or worse, maliciously modify the inference results sent to the client. We propose SafetyNets, a framework that enables an untrusted server (the cloud) to provide a client with a short mathematical proof of the correctness of inference tasks that they perform on behalf of the client. Specifically, SafetyNets develops and implements a specialized interactive proof (IP) protocol for verifiable execution of a class of deep neural networks, i.e., those that can be represented as arithmetic circuits. Our empirical results on three- and four-layer deep neural networks demonstrate the run-time costs of SafetyNets for both the client and server are low. SafetyNets detects any incorrect computations of the neural network by the untrusted server with high probability, while achieving state-of-the-art accuracy on the MNIST digit recognition (99.4%) and TIMIT speech recognition tasks (75.22%).

Throughput maximization of large-scale secondary networks over licensed and unlicensed spectra

June 29, 2017

Manjesh K. Hanawal, Yezekael Hayel and Quanyan Zhu.

Throughput of a mobile ad hoc network (MANET) operating on an unlicensed spectrum can increase if nodes can also transmit on a (shared) licensed spectrum. However, the transmissions on the licensed spectrum has to be limited to avoid degradation of quality of service (QoS) to primary users (PUs). We address the problem of how the nodes of a MANET or secondary users (SUs) should spread their transmissions on both licensed and unlicensed spectra to maximize network throughput, and characterize ‘throughput gain’ achieved in such spectrum sharing systems. We show that the gain can be significant and is increasing in the density of the SUs. The primary and secondary users are modeled as two independent Poisson point processes and their performance is evaluated using techniques from stochastic geometry.

IoT-enabled Distributed Cyber-attacks on Transmission and Distribution Grids.

June 22, 2017

Yury Dvorkin and Siddharth Garg

The Internet of things (IoT) will make it possible to interconnect and simultaneously control distributed electrical loads. Various technical and regulatory concerns have been raised that IoT-operated loads are being deployed without appropriately considering and systematically addressing potential cyber-security challenges. Hence, one can envision a hypothetical scenario when an ensemble of IoT-controlled loads can be hacked with malicious intentions of compromising operations of the electrical grid. Under this scenario, the attacker would use geographically distributed IoT-controlled loads to alternate their net power injections into the electrical grid in such a way that may disrupt normal grid operations.
This paper presents a modeling framework to analyze grid impacts of distributed cyber-attacks on IoT-controlled loads. This framework is used to demonstrate how a hypothetical distributed cyber-attack propagates from the distribution electrical grid, where IoT-controlled loads are expected to be installed, to the transmission electrical grid. The techno-economic interactions between the distribution and transmission electrical grids are accounted for by means of bilevel optimization. The case study is carried out on the modified versions of the 3-area IEEE Reliability Test System (RTS) and the IEEE 13-bus distribution feeder. Our numerical results demonstrate that the severity of such attacks depends on the penetration level of IoT-controlled loads and the strategy of the attacker.

ObfusCADe: Obfuscating Additive Manufacturing CAD Models Against Counterfeiting: Invited

June 22, 2017

Nikhil Gupta, Fei Chen,Nektarios Georgios Tsoutsos and Michail Maniatakos

As additive manufacturing (AM) becomes more pervasive, its supply chains shift towards distributed business models that heavily rely on cloud resources. Despite its countless benefits, this paradigm raises significant concerns about the trustworthiness of the globalized process, as there exist several classes of cybersecurity attacks that can undermine its security guarantees. In this work, we focus on the protection of the intellectual property (IP) of 3D designs, and introduce ObfusCADe, which is a novel protection method against counterfeiting, by embedding special features in CAD models. The introduced features interfere with the integrity of the design, effectively restricting high quality manufacturing to only a unique set of processing settings and conditions; under all other conditions, the printed artifact suffers from poor quality, premature failures and/or malfunctions.

Security as a Service for Cloud-Enabled Internet of Controlled Things under Advanced Persistent Threats: A Contract Design Approach

June 21, 2017

Juntao Chen and Quanyan Zhu

In this paper, we aim to establish a holistic framework that integrates the cyber-physical layers of a cloud-enabled Internet of Controlled Things (IoCT) through the lens of contract theory. At the physical layer, the device uses cloud services to operate the system. The quality of cloud services is unknown to the device, and hence the device designs a menu of contracts to enable a reliable and incentive-compatible service. Based on the received contracts, the cloud service provider (SP) serves the device by determining its optimal cyber defense strategy. A contract-based FlipCloud game is used to assess the security risk and the cloud quality of service (QoS) under advanced persistent threats. The contract design approach creates a pricing mechanism for on-demand security as a service for cloud-enabled IoCT. By focusing on high and low QoS types of cloud SPs, we find that the contract design can be divided into two regimes (regimes I and II) with respect to the provided cloud QoS. Specifically, the physical devices whose optimal contracts are in regime I always request the best possible cloud security service. In contrast, the device only asks for a cloud security level that can stabilize the system when the optimal contracts lie in regime II. We illustrate the obtained results via case studies of a cloud-enabled smart home.