150 likes | 482 Views
OVERVIEW OF RESEARCH ACTIVITIES IN SPROUT. GENE TSUDIK Chancellor’s Professor of Computer Science g ene.tsudik@uci.edu http://sprout.ics.uci.edu. Research Topics. Cyber-Physical Systems / Embedded Systems Security Remote Attestation of Embedded Devices Usable Security & Privacy
E N D
OVERVIEW OF RESEARCH ACTIVITIES IN SPROUT • GENE TSUDIK • Chancellor’sProfessor of Computer Science • gene.tsudik@uci.edu • http://sprout.ics.uci.edu
Research Topics • Cyber-Physical Systems / Embedded Systems Security • Remote Attestation of Embedded Devices • Usable Security & Privacy • Private Cloud Database Querying • Security and Privacy in Next-Generation Internet • Content-Centric (CCN) and Named-Data (NDN) Networking • Privacy in Social Networks • Stylometricanalysis of contributed content • Cryptographic techniques for OSN privacy • Genomic Privacy • New Biometric Identification Techniques
Widening Range of CPS & Specialized/Embedded Devices Smartphones SmartCards Connected devices Sensors and Actuators RFIDs Industrial systems Appliances
Already here or coming soon… • Smart watches (Samsung, Apple) • Smart glasses (Google Glass) • Smart pills • Smart footwear • Smart garments • Body-area networks tying them together • All of these have been, or soon will be, hacked…
Why? • e.g., • Default PINs or passwords • Wide-open communication • Buggy software • HW/FW/SW trojansand malware
Notable Attacks Stuxnet [1] (also DUQU) Infected controlling windows machines Changed parameters of the PLC (programmable logic controller) used in centrifuges of Iranian nuclear reactors Attacks against automotive controllers [2] Internal controller-area network (CAN) Exploitation of one subsystem (e.g., bluetooth)allows access to critical subsystems (e.g., braking) Medical devices Insulin pumps hack [3] Implantable cardiac defibrillator [4] And, even toilets… [5] Most effective CPS attacks are remote infestations, not physical attacks [1] W32.Stuxnet Dossier,Symantec 2011 [2] Comprehensive Experimental Analyses of Automotive Attack Surfaces,USENIX 2011 [3] Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System, Blackhat2011 [4] Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses, S&P 2008 • [5] http://www.usatoday.com/story/tech/2013/08/06/smart-toilet-hack/2622723/
What can we do about it? Prevention? Detection? Disinfection? Detection Remote Attestation
Remote Attestation • If Prover is infected, Malware lies about software state of Prover • Need to have guarantees that Prover is not lying VERIFIER (remote!) PROVER 1. Generate Challenge 2. Send Challenge 3. Compute Memory “checksum” based on Challenge 4. Send Response 5. Verify Response
Remote Attestation Prior work: Popular research topic Can bootstrap other services (e.g., code update, data erasure) Many publications and even some deployed systems Two main approaches: Secure hardware-based (e.g., TPM) – uses OTS components Expensive for low-end devices such as sensors/actuators Software-based (aka time-based) – uses custom checksums Does not support network setting (i.e., Prover assumed not remote) Alternative: Hybrid sw/hw – our research Also considering swarms or networks of embedded devices
Stylometric Privacy Lots of websites exist based on (or rely on) contributed content Yelp, Tripadvisor, Twitter, Amazon, Expedia One person can operate multiple accounts on same or multiple sites Stylometry– captures how a person writes; simple feature extraction Linkability– ability to link sets of writings authored by same person Good: Can be used by site operators to identify trolls and criminals Bad: Can be used by evil entities to track dissidentsand critics We show that linkability is easy for moderately prolific authors, on review sites (such as Yelp) and even on micro-blogging sites (such as Twitter) Linkability works across sites with different purposes (Twitter-Yelp) Designing tool to aid authors to evade linkability
Genomic Privacy Whole-Genome Sequencing (WGS) is rapidly becoming cheaper Will reach ubiquitous affordability (ca. $100) in 5-10 years Imagine your entire digitized genome on your smartphone The future Personal Genomics Personal peer-to-peer applications, Personalized Medicine, etc. Privacy is a paramount concern: a leaked genome is a curse Need efficient cryptographic techniques to support applications and maintain ever-lasting privacy Our work: paternity+ancestry testing, pattern search Genodroid app
Impact of Sensory Distractions on Human Security Tasks • Computers and other computer-like devices are ubiquitous • Used for security-critical tasks every day • PIN and password entry, Bluetooth pairing, CAPTCHA entry, etc. • We don’t live in a sterile lab-like environment • Distractions are everywhere: audio, visual, olfactory, tactile • Does this cause or increase failures? • Does this slow us down? • Can sensory distractions help us? • First unattended study of effects of noise on Security Task completion • ca. 150 subjects, 5 stimuli • Unexpected results: faster completion times and fewer errors • Currently experimenting with visual distractions • Planning on studying hybrid and tactile distractions
Privacy in OSNs OSNs work on-line only; consider LinkedIn What if Alice and Bob are LinkedIn members who are in physical proximity to each other, and: No Internet access at all (plane, ship, remote location) Poor or expensive Internet access (conference, hotel?) Or they simply don’t trust the OSN or ISP Need secure techniques for Alice and Bob to “discover” each other based on common connections/interests and mutual proximity UnLinked– a nifty smartphone app that allows private proximity-based mutual discovery for LinkedIn members LinkedIn remains oblivious wrt off-line interactions LinkedIn benefits from UnLinkedsince members meet (and connect later) in previously unchartered settings
Novel Biometric Techniques • Biometric valuable for identification and/or authentication • Static: iris scans, fingerprints, wrist vein patterns, palm geometry, face-prints, ear shape • Challenge-based: voice, writing, typing • All have various problems with accuracy, stability, forgery-resistance • PULSE-RESPONSE BIOMETRIC: • Weak electric pulse signal applied to the palm of one hand. • Biometric is captured by measuring response in the other hand. • Can be used as static, continuous or challenge-based • Very promising results from initial discrete and stability measurements • Can be used in continuous (e.g., conductive keyboard) or discrete mode (e.g., ATM w/conductive PIN pad)
Thank you! Time for questions