240 likes | 358 Views
Users, Devices, and Security. Nitesh Saxena Security and Privacy In Emerging Systems (SPIES) Lab University of Alabama at Birmingham saxena@cis.uab.edu http://spies.cis.uab.edu. Research Program Overview. Practical , Transformative and Interdisciplinary approaches to security
E N D
Users, Devices, and Security Nitesh Saxena Security and Privacy In Emerging Systems (SPIES) Lab University of Alabama at Birmingham saxena@cis.uab.edu http://spies.cis.uab.edu
Research Program Overview • Practical, Transformative and Interdisciplinary approaches to security • No short-term tinkering • Over $4M in total funding from NSF as well industry including Google (2 faculty research awards), Nokia, Cisco, RIM, Intel, and others • But, clearly, we are not done – please fund us and/or work with us • Integration of research with education • leadership of educational programs • UAB CFSM; NYU-Poly CyberSec • Main focus • Device-Centered Security • User-Centered Security
Device-Centered Security • Devices are ubiquitous • Attacks are becoming common • We need to protect our devices
User-Centered Security • Security of devices often relies upon users’ actions or decisions • Users make mistakes • Mistakes translate into attacks • We need to improve usability of security
The Problem How to bootstrap secure communication between Alice’s and Bob’s devices when they have • no prior context • no common trusted CA or TTP
Example Scenarios Common pairing examples: • Cell-phone headset (bluetooth) • Laptop access point (WiFi) • Cell-phone cell-phone (bluetooth)
Solution Idea Audio, Visual, Tactile A solution approach: • use auxiliary or out-of-band (OOB) channel • with minimal involvement from Alice and Bob
Research Challenges OOB channels are low-bandwidth Devices may be constrained in terms of interfaces User is constrained - Usability Multiple devices/users Sensor network initialization Group formation Internet Setting – secure VoIP Ohh! I cannot even pair my socks!
Wig model #4456 (cheap polyester) Viagra medical drug #459382 Das Kapitaland Communist-party handbook 500 Euros in wallet Serial numbers: 597387,389473… 30 items of lingerie The Privacy Problem Good tags, Bad readers
Wig model #4456 (cheap polyester) Viagra medical drug #459382 Das Kapitaland Communist-party handbook 500 Euros in wallet Serial numbers: 597387,389473… 30 items of lingerie The Cloning Problem Good readers, Bad tags Counterfeit!!
Relay Attack 1: Terrorist Fraud response query query query response response
Relay Attack 2: Mafia Fraud Picture courtesy: http://www.cl.cam.ac.uk/~sjm217/papers/usenix07bounding.pdf
NFC Malware Problem Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic
Research Challenges • Very limited resources • a $0.03 tag can’t do much computationally • only and-or-xor operations might be feasible • has only ~2,000 gates for security operations • few bits to few bytes of memory • No user interfaces • Atypical usage model • Our approach – Contextual Security • Using sensor data to make informed security decisions
Tap-Wave-Rub: Smartphone Malware Defense • Distinguishes between malware and human initiated activity • OS looks for a human gesture, such as a simple wave in front of the phone, to authorize access • Gesture read through proximity sensor (or light sensor) • Specific use case: authorize outgoing calls • Premium rate malware • http://vimeo.com/60748327
Strong Password Authentication • Passwords suck! (to say it nicely) • But, we are stuck with them • How to improve the usability and security of passwords? • Password managers • Mobile Managers • Fault-tolerant Remote Managers http://spies.cis.uab.edu/research/strong-user-authentication/ http://spies.cis.uab.edu/research/fault-tolerant-distributed-security-services/
Intrusion-tolerant 2-Factor Authentication [K, h = H(p, s)] [K, s] 6. h == H(p, z xor r)? 2. c 1. c = Enck(r) 5. password, z 3. z= s xor r Improved security to offline dict attacks Phishing-resistant 4. Input password, z
Playful Security: Security can be fun! • Make security tasks fun and enjoyable for the users; entice them • Use extrinsic motivation • Hoping that users will better comply with them • Tom Sawyer Effect • Can be applied to many different problems • Device association • User authentication • CAPTCHAs http://vimeo.com/63842010 • http://students.cis.uab.edu/manar/newgames/ShapeGameOct28EC.html http://spies.cis.uab.edu/research/playful-security
Neuro Security • Neural signatures of user-centered security interactions via fMRI • Phishing attacks • Security warnings • http://vimeo.com/63838658 • Brain hacking via commercial BCI devices • Neural keylogger / screen scraper http://spies.cis.uab.edu/research/strong-user-authentication/ http://spies.cis.uab.edu/research/fault-tolerant-distributed-security-services/
Mobile PoS Security • Small businesses’ new love • Can smartphone malware compromise credit card info as the card is swiped? • What are the users’ risk, security and privacy perceptions of this technology compared to traditional PoS?
Acknowledgments • Students – the SPIES • Current grads : Manar Mohamed, AjayaNeupane, Babins Shrestha, MalihehShirvanian, Song Gao, DibyaMukhopadhyay, LutforRahman, AbhishekAnand • Past: Tzipora Halevi, Jonathan Voris, Niharika Sachdeva, Sai Teja Peddinti, Justin Lin, BorhanUddin, AmbarishKarole, Arun Kumar, Ramnath Prasad, Alexander Gallego • UAB Collaborators: Drs. Bangalore, Fidopiastis, Hasan, Kana, Schwebel, Sloan, Zhang • Other Collaborators More info: http://spies.cis.uab.edu Thanks!
Thanks! saxena@cis.uab.edu http://spies.cis.uab.edu