SwePub
Search the SwePub database


Search results for "WFRF:(Papadimitratos Panagiotis Professor)"


  • Results 1-9 of 9
1.
  • Tsoupidi, Rodothea Myrsini (author)
  • Generating Optimized and Secure Binary Code
  • 2023
  • Doctoral thesis (other academic/artistic). Abstract:
    • The increased digitalization of modern societies has resulted in a proliferation of a broad spectrum of embedded devices, ranging from personal smartphones and heart pacemakers to large-scale industrial IoT systems. Since they often handle various sensitive data, these devices increasingly become the targets of cyberattacks that threaten the integrity of personal data, financial security, and sometimes even people's safety. A common source of security vulnerabilities in computing systems is software. Nowadays, the vast majority of embedded software is written in high-level programming languages and compiled to low-level assembly code using general-purpose compilers. However, general-purpose compilers typically ignore security aspects and mainly focus on improving performance and reducing the code size. Meanwhile, security-targeting compilers often produce code that is suboptimal with respect to performance. This security-performance gap is particularly detrimental for embedded devices, which are usually battery-operated and hence have stringent restrictions on memory size and power consumption. Among the most frequently carried out cyberattacks are code-reuse attacks. They insert data into the victim system via memory-corruption vulnerabilities to redirect the control flow and hijack the system. Automatic software diversification is an efficient mitigation approach against code-reuse attacks; however, it typically does not allow us to explicitly control the introduced performance overhead. Another large class of attacks is side-channel attacks. Such attacks often target cryptographic implementations and aim at extracting information about the processed data by recording side-channel information, such as the execution time or the power consumption of the victim system. Typically, protection against side-channel attacks relies on software-based mitigations, which may lead to high performance overhead. An attacker that attempts to hijack the victim system may use either or both of these attacks, and hence multiple mitigations often have to be combined to protect a system. This dissertation proposes Secure-by-Construction Optimization (SecOpt), a constraint-based approach that combines performance goals with security mitigations. More specifically, SecOpt achieves performance-aware automatic code diversification against code-reuse attacks, while it generates highly optimized code that preserves software mitigations against side-channel attacks. A key advantage of SecOpt is composability, namely the ability to combine conflicting mitigations and generate code that preserves these mitigations. In particular, SecOpt generates diverse code variants that are secure against side-channel attacks, therefore protecting against both code-reuse and side-channel attacks. SecOpt features unique characteristics compared to conventional compiler-based approaches, including performance-awareness and mitigation composability in a formal framework. Since the combined security and performance goals are especially important for resource-constrained systems, SecOpt constitutes a practical approach for optimizing performance- and security-critical code for embedded devices.
2.
  • Gülgün, Ziya, 1992- (author)
  • Physical Layer Security Issues in Massive MIMO and GNSS
  • 2021
  • Licentiate thesis (other academic/artistic). Abstract:
    • Wireless communication technology has evolved rapidly during the last 20 years. Nowadays, there are huge networks providing communication infrastructure not only to people but also to machines, such as unmanned air and ground vehicles, cars, household appliances and so on. There is no doubt that new wireless communication technologies must be developed that support the data traffic in these emerging, large networks. While developing these technologies, it is also important to investigate the vulnerability of these technologies to different malicious attacks. In particular, spoofing and jamming attacks should be investigated and new countermeasure techniques should be developed. In this context, spoofing refers to the situation in which a receiver identifies falsified signals transmitted by spoofers as legitimate or trustworthy signals. Jamming, on the other hand, refers to the transmission of radio signals that disrupt communications by decreasing the signal-to-interference-and-noise ratio (SINR) on the receiver side. In this thesis, we analyze the effects of spoofing and jamming both on global navigation satellite systems (GNSS) and on massive multiple-input multiple-output (MIMO) communications. GNSS is everywhere and is used to provide location information. Massive MIMO is one of the cornerstone technologies in 5G. We also propose countermeasure techniques against the studied spoofing and jamming attacks. More specifically, in paper A we analyze the effects of distributed jammers on massive MIMO and answer the following questions: Is massive MIMO more robust to distributed jammers than previous generations' cellular networks? Which jamming attack strategies are the best from the jammer's perspective, and can the jamming power be spread over space to achieve more harmful attacks? In paper B, we propose a detector for GNSS receivers that is able to detect multiple spoofers without any prior information about the attack strategy or the number of spoofers in the environment.
3.
  • Barbette, Tom, 1990-, et al. (authors)
  • A High-Speed Load-Balancer Design with Guaranteed Per-Connection-Consistency
  • 2020
  • In: Proceedings of the 17th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2020. Santa Clara, CA, USA: USENIX Association, pp. 667-683
  • Conference paper (peer-reviewed). Abstract:
    • Large service providers use load balancers to dispatch millions of incoming connections per second towards thousands of servers. There are two basic yet critical requirements for a load balancer: uniform load distribution of the incoming connections across the servers and per-connection-consistency (PCC), i.e., the ability to map packets belonging to the same connection to the same server even in the presence of changes in the number of active servers and load balancers. Yet, meeting both these requirements at the same time has been an elusive goal. Today's load balancers minimize PCC violations at the price of non-uniform load distribution. This paper presents Cheetah, a load balancer that supports uniform load distribution and PCC while being scalable, memory efficient, resilient to clogging attacks, and fast at processing packets. The Cheetah LB design guarantees PCC for any realizable server selection load balancing mechanism and can be deployed in both a stateless and stateful manner, depending on the operational needs. We implemented Cheetah on both a software and a Tofino-based hardware switch. Our evaluation shows that a stateless version of Cheetah guarantees PCC, has negligible packet processing overheads, and can support load balancing mechanisms that reduce the flow completion time by a factor of 2–3×.
4.
  • Barbette, Tom, 1990-, et al. (authors)
  • Cheetah : A High-Speed Programmable Load-Balancer Framework with Guaranteed Per-Connection-Consistency
  • 2022
  • In: IEEE/ACM Transactions on Networking, Institute of Electrical and Electronics Engineers (IEEE), ISSN 1063-6692 / 1558-2566, 30:1, pp. 354-367
  • Journal article (peer-reviewed). Abstract:
    • Large service providers use load balancers to dispatch millions of incoming connections per second towards thousands of servers. There are two basic yet critical requirements for a load balancer: uniform load distribution of the incoming connections across the servers, which requires support for advanced load balancing mechanisms, and per-connection-consistency (PCC), i.e., the ability to map packets belonging to the same connection to the same server even in the presence of changes in the number of active servers and load balancers. Yet, simultaneously meeting these requirements has been an elusive goal. Today's load balancers minimize PCC violations at the price of non-uniform load distribution. This paper presents Cheetah, a load balancer that supports advanced load balancing mechanisms and PCC while being scalable, memory efficient, fast at processing packets, and offers comparable resilience to clogging attacks as today's load balancers. The Cheetah LB design guarantees PCC for any realizable server selection load balancing mechanism and can be deployed in both stateless and stateful manners, depending on operational needs. We implemented Cheetah on both a software and a Tofino-based hardware switch. Our evaluation shows that a stateless version of Cheetah guarantees PCC, has negligible packet processing overheads, and can support load balancing mechanisms that reduce the flow completion time by a factor of 2-3×.
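Entries 3 and 4 above describe the tension between uniform load distribution and per-connection-consistency: a balancer that derives the server from a hash of the connection remaps open connections as soon as the pool changes, while one that keeps a per-connection table can be clogged. The following Python block is an added illustration of the stateless idea, not code from the Cheetah papers or their implementation: on the first packet the balancer picks a server with any policy it likes and hands the client an obfuscated cookie; on later packets it recovers the server from the echoed cookie instead of from a table. The HMAC-based cookie encoding, the 16-bit cookie width, the secret `LB_SECRET` and the sample connections are assumptions of this example; Cheetah's actual encoding and transport of the cookie are described in the papers.

```python
import hashlib
import hmac

# Assumption: every load-balancer instance shares this secret, so any instance
# can decode a cookie issued by another one (constructed demo value).
LB_SECRET = b"constructed-demo-secret"
COOKIE_BITS = 16  # assumption: server ids fit in 16 bits


def conn_key(conn):
    """Serialize a 5-tuple (src, sport, dst, dport, proto) for hashing."""
    return ":".join(str(field) for field in conn).encode()


def hash_lb(conn, server_ids):
    """Stateless hash-based dispatch: the mapping depends on the pool size, so
    adding or removing a server remaps connections that are still open."""
    digest = hashlib.sha256(conn_key(conn)).digest()
    pool = sorted(server_ids)
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def cookie_mask(conn):
    """Keyed, per-connection mask. Without LB_SECRET a client cannot craft a
    cookie that steers it to a server of its choice."""
    tag = hmac.new(LB_SECRET, conn_key(conn), "sha256").digest()
    return int.from_bytes(tag[:2], "big") & ((1 << COOKIE_BITS) - 1)


def encode_cookie(conn, server_id):
    return server_id ^ cookie_mask(conn)


def decode_cookie(conn, cookie):
    return cookie ^ cookie_mask(conn)


class CookieLB:
    """Stateless balancer: the server choice travels in the cookie the client
    echoes, so the balancer keeps no per-connection table (nothing for a
    clogging attack to fill) and the pool can change without breaking PCC."""

    def __init__(self, server_ids):
        self.pool = set(server_ids)
        self.load = {sid: 0 for sid in self.pool}

    def add_server(self, server_id):
        self.pool.add(server_id)
        self.load[server_id] = 0

    def on_first_packet(self, conn):
        # Any selection policy works here; least-loaded is used as an example.
        server_id = min(self.pool, key=lambda s: (self.load[s], s))
        self.load[server_id] += 1
        return server_id, encode_cookie(conn, server_id)

    def on_packet(self, conn, cookie):
        """Later packets: recover the server from the cookie, no lookup table."""
        server_id = decode_cookie(conn, cookie)
        return server_id if server_id in self.pool else None


def demo_connections(n):
    """Constructed sample 5-tuples for the comparison below."""
    return [("10.0.0.%d" % (i % 250 + 1), 40000 + i, "192.0.2.10", 443, "tcp")
            for i in range(n)]


def hash_lb_pcc_violations(conns, pool_before, pool_after):
    """Connections a hash-based balancer would send elsewhere after a change."""
    return sum(1 for c in conns if hash_lb(c, pool_before) != hash_lb(c, pool_after))


def cookie_lb_pcc_violations(conns, pool_before, added):
    """Same experiment for the cookie balancer: first packets before the change,
    follow-up packets after new servers joined."""
    lb = CookieLB(pool_before)
    assigned = {c: lb.on_first_packet(c) for c in conns}
    for sid in added:
        lb.add_server(sid)
    return sum(1 for c, (sid, cookie) in assigned.items()
               if lb.on_packet(c, cookie) != sid)
```

With 300 constructed connections and the pool growing from {1, 2, 3} to {1, 2, 3, 4}, `hash_lb` remaps roughly three quarters of them, while `CookieLB` remaps none; a second `CookieLB` instance that shares `LB_SECRET` decodes the same cookies, which is the balancer-failover case from the abstracts. Two caveats a deployment has to live with: a cookie pointing at a server that really was removed decodes to an id outside the pool and that connection is lost, and a client that forges a random cookie lands on some valid id with probability pool-size/2^16 without being able to choose which one, which is why the mask must be keyed.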
5.
  • Gisdakis, Stylianos (author)
  • Secure and Privacy Preserving Urban Sensing Systems
  • 2014
  • Licentiate thesis (other academic/artistic). Abstract:
    • The emergence of resource-rich mobile devices and smart vehicles has paved the way for Urban Sensing. In this new paradigm, users sense their environment and become part of an unprecedentedly large-scale network of sensors, with extensive spatial and temporal coverage, that enables the collection and dissemination of real-time information from practically anywhere. Urban sensing can facilitate the deployment of innovative applications that can address the ever-growing concerns for citizens' well-being. Nevertheless, the openness of such systems (ideally anyone can participate) and the richness of the data users contribute unavoidably raise significant concerns for both the security of urban sensing applications and the privacy of the participating users. In this thesis we consider different urban sensing application domains: vehicular communication networks, intelligent transportation systems and environmental monitoring applications. We begin with a detailed analysis of the security and privacy requirements of these application domains. Our objective is to protect users from the system (by ensuring their anonymity and privacy) and urban sensing systems from malicious users (by holding malicious users accountable for their actions). This is not straightforward; anonymity may tempt malicious user behavior, compromising the reliability of the entire urban sensing system. Towards that, we design and implement secure and privacy-preserving identity management systems that can accommodate these requirements. We demonstrate their efficiency, practicality, and scalability through extensive experimental evaluations. Furthermore, we formally evaluate their security and privacy-preserving properties.
6.
  • Jin, Hongyu (author)
  • Cooperative Privacy and Security for Mobile Systems
  • 2020
  • Doctoral thesis (other academic/artistic). Abstract:
    • The growing popularity of powerful mobile devices, along with the increased computation and storage capacity of computing infrastructure, has opened possibilities for versatile mobile system applications. Users, leveraging the sensing capabilities of their devices, can collect rich data and exchange the data with diverse Service Providers (SPs) or their close neighboring devices. Provision of such user status awareness to the involved system entities can facilitate a customized user experience for system participants. Nonetheless, the open and decentralized nature of mobile systems raises concerns about both the security and privacy of users and the system infrastructure. Sensitive user data could be exposed to honest-but-curious entities, which can further process the data to profile users. At the same time, compromised system entities can feed faulty data to disrupt system functionalities or mislead users. Such issues necessitate secure and privacy-enhancing mobile systems that do not compromise the quality of service the systems provide to their users. More specifically, the solutions should be efficient, scale as the system grows, and be resilient to both external and internal adversaries. This thesis considers two mobile system instances: Location-based Services (LBSs) and Vehicle-to-Vehicle (V2V) safety applications. We address security and privacy in a cooperative manner, relying on cooperation among the users to protect themselves against the adversaries. Due to the reliance on peers, input from the peers should be examined in order to ensure the reliability of the applications. We adapt pseudonymous authentication, designed for Vehicular Communication (VC) systems, and integrate it with LBSs. This protects user privacy and holds users accountable for their actions, which are non-repudiable. At the same time, our scheme prevents malicious nodes from aggressively passing on bogus data. We leverage the redundancy of shared data from multiple cooperating nodes to detect potential conflicts. Any conflict triggers proactive checking of the data with the authoritative entity, which reveals the actual misbehaving users. For V2V safety applications, we extend safety beacons, i.e., Cooperative Awareness Messages (CAMs), to share signature verification effort, for more efficient message verification. Similarly to the LBSs, redundancy of such piggybacked claims is also key for remedying malicious nodes that abuse this cooperative verification. In addition, the extended beacon format facilitates verification of event-driven messages, including Decentralized Environmental Notification Messages (DENMs), leveraging proactive authenticator distribution. We qualitatively and quantitatively evaluate the achieved security and privacy protection. The latter is based on extensive simulation results. We propose a location privacy metric to capture the achieved protection for LBSs, taking the pseudonymous authentication into consideration. The performance of the privacy-enhancing LBS is experimentally evaluated with the help of an implementation on a small-scale automotive computer testbed. We embed processing delays and queue management for message processing in simulations of V2V communication, to show the scalability and efficiency of the resilient V2V communication scheme. The results confirm the resilience to both internal and external adversaries for both systems.
7.
  • Khodaei, Mohammad (author)
  • The Key to Intelligent Transportation Systems: Identity and Credential Management for Secure and Privacy-Preserving Vehicular Communication Systems
  • 2020
  • Doctoral thesis (other academic/artistic). Abstract:
    • Vehicular Communication (VC) systems can greatly enhance road safety and transportation efficiency and enable a variety of applications concerning traffic efficiency, environmental hazards, road conditions and infotainment. Vehicles are equipped with sensors and radars to sense their surroundings and external environment, as well as with an internal Controller Area Network (CAN) bus. Hence, vehicles are becoming part of a large-scale network, the so-called Internet of Vehicles (IoV). Deploying such a large-scale VC system cannot materialize unless the VC systems are secure and do not expose their users' privacy. On the one hand, vehicles could be compromised or their sensors could become faulty, thus disseminating erroneous information across the network. Therefore, participating vehicles should be held accountable for their actions, and their credentials (their Long Term Certificates (LTCs) and their pseudonyms) should be efficiently revoked, with the revocation disseminated in a timely manner throughout a large-scale (multi-domain) VC system. On the other hand, user privacy is at stake: according to standards, vehicles should disseminate spatio-temporal information frequently, e.g., location and velocity. Due to the openness of wireless communication, an observer can eavesdrop on the vehicular communication to infer users' sensitive information, and possibly profile users based on different attributes, e.g., trace their commutes and identify home/work locations. The objective is to secure the communication, i.e., prevent malicious or compromised entities from affecting the system operation, and ensure user privacy, i.e., keep users anonymous not only to any external observer but also to security infrastructure entities and service providers. This is not very straightforward because accountability and privacy, at the same time, appear contradictory. In this thesis, we first focus on the identity and credential management infrastructure for VC systems, taking security, privacy, and efficiency into account. We begin with a detailed investigation and critical survey of the standardization and harmonization efforts, along with industrial projects and proposals. We point out the remaining challenges to be addressed in order to build a central building block of secure and privacy-preserving VC systems, a Vehicular Public-Key Infrastructure (VPKI). Towards that, we provide a secure and privacy-preserving VPKI design that improves upon existing proposals in terms of security and privacy protection and efficiency. More precisely, our scheme facilitates multi-domain operations in VC systems and enhances user privacy, notably preventing linking of pseudonyms based on timing information and offering increased protection in the presence of honest-but-curious VPKI entities. We further extensively evaluate the performance, i.e., scalability, efficiency, and robustness, of the full-blown implementation of our VPKI for a large-scale VC deployment. We provide tangible evidence that it is possible to support a large area of vehicles by investing in modest computing resources for the VPKI entities. Our results confirm the efficiency, scalability and robustness of our VPKI. As a second main contribution of this thesis, we focus on the distribution of Certificate Revocation Lists (CRLs) in VC systems. The main challenges here lie exactly in (i) crafting an efficient and timely distribution of CRLs for numerous anonymous credentials, pseudonyms, (ii) maintaining strong privacy for vehicles prior to revocation events, even with honest-but-curious system entities, and (iii) catering to computation and communication constraints of on-board units with intermittent connectivity to the infrastructure. Relying on peers to distribute the CRLs is a double-edged sword: abusive peers could "pollute" the process, thus degrading the timely CRL distribution. We propose a vehicle-centric solution that addresses all these challenges and thus closes a gap in the literature. Our scheme radically reduces CRL distribution overhead: each vehicle receives CRLs corresponding only to its region of operation and its actual trip duration. Moreover, a "fingerprint" of CRL 'pieces' is attached to a subset of (verifiable) pseudonyms for fast CRL 'piece' validation (while mitigating resource depletion attacks abusing the CRL distribution). Our experimental evaluation shows that our scheme is efficient, scalable, dependable, and practical: with no more than 25 KB/s of traffic load, the latest CRL can be delivered to 95% of the vehicles in a region (15x15 km) within 15 s, i.e., more than 40 times faster than the state of the art. Overall, our scheme is a comprehensive solution that complements standards and can catalyze the deployment of secure and privacy-protecting VC systems. As the third main contribution of the thesis, we focus on enhancing location privacy protection: vehicular communications disclose rich information about the vehicles and their whereabouts. Pseudonymous authentication secures communication while enhancing user privacy. To enhance location privacy, cryptographic mix-zones were proposed to facilitate vehicles' covert transition to new ephemeral credentials. The resilience to (syntactic and semantic) pseudonym linking attacks highly depends on the geometry of the mix-zones, mobility patterns, vehicle density, and arrival rates. Our experimental results show that an eavesdropper could successfully link 73% of pseudonyms (during non-rush hours) and 62% of pseudonyms (during rush hours) after vehicles change their pseudonyms in a mix-zone. To mitigate such inference attacks, we present a novel cooperative mix-zone scheme that enhances user privacy regardless of the vehicle mobility patterns, vehicle density, and arrival rate to the mix-zone. A subset of vehicles, termed relaying vehicles, is selected to be responsible for emulating non-existing vehicles. Such vehicles cooperatively disseminate decoy traffic without affecting safety-critical operations: with 50% of vehicles as relaying vehicles, the probability of linking pseudonyms (for the entire interval) drops from 68% to 18%. On average, this imposes 28 ms of extra computation overhead per second on the Roadside Units (RSUs) and 4.67 ms per second on the (relaying) vehicle side; it also introduces 1.46 KB/s of extra communication overhead for (relaying) vehicles and 45 KB/s for RSUs for the dissemination of decoy traffic. Thus, user privacy is enhanced at the cost of low computation and communication overhead.
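The CRL part of entry 7 above rests on two ideas: a vehicle only needs the revocation entries for its region and trip duration, and a piece relayed by a peer must be checkable without contacting the infrastructure, or abusive peers could pollute the distribution. The following Python block is an added illustration of that structure, not the thesis's implementation: a constructed set of revocations is split into (region, time-slot) pieces, each piece gets a SHA-256 fingerprint, the fingerprints a vehicle will need are placed in its pseudonym certificate, and the vehicle merges a relayed piece only if it matches. The piece keying, the certificate layout and the sample data are assumptions; the CA signature over the pseudonym certificate is assumed to be verified separately and is not shown.

```python
import hashlib
import json


def piece_id(region, slot):
    return "%s/%d" % (region, slot)


def build_pieces(revocations):
    """Group revoked pseudonym ids into (region, time-slot) pieces.
    `revocations` is an iterable of (region, slot, pseudonym_id)."""
    pieces = {}
    for region, slot, pseudonym in revocations:
        pieces.setdefault(piece_id(region, slot), set()).add(pseudonym)
    return {pid: sorted(members) for pid, members in pieces.items()}


def fingerprint(piece):
    """Canonical SHA-256 of a piece; sorted membership makes it deterministic."""
    data = json.dumps(sorted(piece), separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def issue_pseudonym(region, slots, pieces):
    """Constructed pseudonym certificate body. The CA embeds the fingerprints of
    the pieces a vehicle operating in `region` during `slots` will need
    (assumption: the CA's signature over this body is verified elsewhere)."""
    return {
        "region": region,
        "crl_fingerprints": {
            piece_id(region, s): fingerprint(pieces.get(piece_id(region, s), []))
            for s in slots
        },
    }


class Vehicle:
    def __init__(self, pseudonym_cert):
        self.cert = pseudonym_cert
        self.revoked = set()
        self.have = set()

    def missing_pieces(self):
        """Only the pieces for this vehicle's region and trip, nothing more."""
        return [pid for pid in self.cert["crl_fingerprints"] if pid not in self.have]

    def accept_piece(self, pid, piece):
        """Merge a peer-relayed piece only if it matches the CA fingerprint.
        A polluted piece (entry added or dropped) or a piece this vehicle does
        not need is rejected without any infrastructure round trip."""
        expected = self.cert["crl_fingerprints"].get(pid)
        if expected is None or fingerprint(piece) != expected:
            return False
        self.revoked.update(piece)
        self.have.add(pid)
        return True

    def is_revoked(self, pseudonym):
        return pseudonym in self.revoked


# Constructed sample revocations: (region, slot, pseudonym id)
SAMPLE_REVOCATIONS = [
    ("R1", 1, "ps-17"), ("R1", 1, "ps-42"), ("R1", 2, "ps-99"),
    ("R2", 1, "ps-05"),
]


def demo():
    """Honest pieces are accepted; a piece with ps-17 dropped (an attempt to
    keep a revoked pseudonym usable) is rejected; R2's piece is never needed."""
    pieces = build_pieces(SAMPLE_REVOCATIONS)
    vehicle = Vehicle(issue_pseudonym("R1", [1, 2], pieces))
    results = {
        "honest_1": vehicle.accept_piece("R1/1", pieces["R1/1"]),
        "polluted_1": vehicle.accept_piece("R1/1", [p for p in pieces["R1/1"] if p != "ps-17"]),
        "honest_2": vehicle.accept_piece("R1/2", pieces["R1/2"]),
        "other_region": vehicle.accept_piece("R2/1", pieces["R2/1"]),
        "ps-17_revoked": vehicle.is_revoked("ps-17"),
        "ps-05_revoked": vehicle.is_revoked("ps-05"),
    }
    return results, vehicle.missing_pieces()
```

The fingerprint check is what lets the vehicle discard a polluted piece at hashing cost rather than signature-verification cost, which is the resource-depletion point in the abstract; what the example does not cover is the privacy side (which pseudonyms carry which fingerprints, and what that reveals about a vehicle's planned region and trip), which the thesis addresses separately.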
8.
  • Vattaparambil Sudarsan, Sreelakshmi, 1996- (author)
  • Digital Power of Attorney for Authorization in Industrial Cyber-Physical Systems
  • 2023
  • Doctoral thesis (other academic/artistic). Abstract:
    • Since ancient times, there has been a practice of authorizing individuals that we trust. Today, we grant credentials and privileges digitally, making authorization a crucial part of security control and extending its use cases beyond people and web applications. Authorization plays an important role in emerging technologies such as the Internet of Things (IoT) and Cyber-Physical Systems (CPS), and there is a trend toward intelligent devices such as autonomous vehicles that are capable of executing tasks on our behalf. However, there are challenges in facilitating this evolution. Industrial use cases with many devices, contractors, subcontractors, and other parties need to maintain trust by sub-granting in one or many steps to define a trust chain. Ultimately, industrial CPS and semi-autonomous devices should be authorized to work as agents with defined credentials on behalf of their contractor. This would enable them to function self-sufficiently at a target site or network for a set amount of time. The scope of this thesis is a new way of authorization known as Digital Power of Attorney (PoA). Traditionally, a Power of Attorney is a legal document that is used for granting a person's authority to a trusted individual to act/work (e.g., running a business) on behalf of the first person. The objective of this thesis is to develop digital Power of Attorney based authorization for Cyber-Physical Systems and the Internet of Things. This technique enables devices (agents) such as autonomous or semi-autonomous devices to work/act on behalf of human beings (principals), even if they are not available online. The literature study includes both academic concepts and industrial authorization solutions, protocols, and standards such as OAuth, UMA, GNAP, and ACE. PoA based authorization is inspired by the concept of proxy signatures by warrant and is developed for industrial use, both as stand-alone libraries and as extensions to existing standard protocols. The major standards that we propose to be extended with PoA based authorization are the IETF standards OAuth and ACE. In this way, the work in this thesis is highly correlated with the IETF. In addition to the academic papers on PoA based authorization and its applications, this thesis includes IETF Internet-Drafts as part of the standardization process of the PoA based authorization technique. The development of the PoA based authorization technique begins with designing a Proof-of-Concept based on the gaps identified in existing authorization techniques. For implementation in current networks, different ways of providing PoA-based authorization are explored. First, by extending the OAuth protocol with a new OAuth grant type that adds to the protocol the principal entity that can delegate the client. Second, by an extension of the ACE framework, which adds a notion of PoA based delegation to ACE. Third, by implementing an open-source library that can be downloaded and used independently by each entity to interpret the PoA. These approaches address the PoA interpretation challenges and enable every entity that is part of the process to use and verify PoAs. This thesis defines the architecture, protocol flow, and PoA structure of the proposed authorization technique and demonstrates its implementation in several use cases such as zero-touch device onboarding and delegation of smart devices in a mining station. Furthermore, possible security threats and vulnerabilities of the proposed system are thoroughly analyzed using different approaches such as threat modeling, risk assessment, and exploiting the system in the context of different attack scenarios.
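Entry 8 above describes PoA-based authorization as a chain: a principal grants a PoA to an agent, which may sub-grant in further steps, and every entity that is part of the process must be able to interpret and verify the chain. The following Python block is an added illustration of such chain verification, not the thesis's library or its Internet-Drafts: each link carries issuer, subject, scope, validity and a delegation flag, and the verifier checks that the root issuer is a trusted principal, that each link is issued by the previous link's subject, that scope only narrows, that no link has expired, and that the request itself is signed by the final subject. The field names and the scenario are assumptions, and HMAC over a constructed key directory stands in for the public-key signatures (proxy signatures by warrant, Ed25519 or similar) a deployment would use, so that the block runs with the standard library only.

```python
import hmac
import json

# Constructed key directory. In a real deployment these are public keys and
# sign/verify are asymmetric signatures; HMAC is only a stand-in for the demo.
KEYS = {"principal": b"key-principal", "agent": b"key-agent", "subagent": b"key-subagent"}


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(identity, payload):
    return hmac.new(KEYS[identity], canonical(payload), "sha256").hexdigest()


def verify(identity, payload, signature):
    return identity in KEYS and hmac.compare_digest(sign(identity, payload), signature)


def issue_poa(issuer, subject, scope, not_after, delegable):
    """issuer grants subject the right to perform `scope` until `not_after`;
    `delegable` says whether subject may sub-grant (all field names assumed)."""
    body = {"issuer": issuer, "subject": subject, "scope": sorted(scope),
            "not_after": not_after, "delegable": delegable}
    return {"body": body, "sig": sign(issuer, body)}


def sign_request(agent, action, timestamp):
    """The agent proves possession of its own key on every request."""
    body = {"agent": agent, "action": action, "ts": timestamp}
    return {"body": body, "sig": sign(agent, body)}


def verify_chain(chain, trusted_principals, now):
    """Walk the chain root-first. Returns (allowed_scope, final_subject) or
    raises ValueError naming the failing link."""
    if not chain:
        raise ValueError("empty chain")
    allowed, expected_issuer, delegable = None, None, True
    for i, poa in enumerate(chain):
        body = poa["body"]
        if not verify(body["issuer"], body, poa["sig"]):
            raise ValueError("link %d: bad signature" % i)
        if i == 0 and body["issuer"] not in trusted_principals:
            raise ValueError("link 0: root issuer is not a trusted principal")
        if i > 0:
            if body["issuer"] != expected_issuer:
                raise ValueError("link %d: issuer is not the previous subject" % i)
            if not delegable:
                raise ValueError("link %d: previous link forbids sub-granting" % i)
            if not set(body["scope"]) <= allowed:
                raise ValueError("link %d: scope widens beyond the grantor's" % i)
        if now > body["not_after"]:
            raise ValueError("link %d: expired" % i)
        allowed, expected_issuer, delegable = set(body["scope"]), body["subject"], body["delegable"]
    return allowed, expected_issuer


def authorize(chain, request, trusted_principals, now, max_skew=60):
    """Decide one request: chain valid, request signed by the chain's final
    subject, fresh, and action inside the delegated scope."""
    try:
        allowed, agent = verify_chain(chain, trusted_principals, now)
    except ValueError as err:
        return False, str(err)
    body = request["body"]
    if body["agent"] != agent or not verify(agent, body, request["sig"]):
        return False, "request not signed by the chain's final subject"
    if abs(now - body["ts"]) > max_skew:
        return False, "stale request"
    if body["action"] not in allowed:
        return False, "action outside delegated scope"
    return True, "ok"


# Constructed scenario: a site owner delegates to a contractor's machine,
# which sub-grants a narrower, non-delegable scope to a drone for one shift.
NOW = 1_700_000_000
CHAIN = [
    issue_poa("principal", "agent", {"open_gate", "read_sensor"}, NOW + 86_400, True),
    issue_poa("agent", "subagent", {"read_sensor"}, NOW + 8 * 3_600, False),
]
```

The verifier needs only the trusted principals' keys and the chain itself, so the principal can be offline when the drone acts, which is the point of the abstract's "even if he/she is not available online"; every rejection names the failing link, which matters when a chain spans several contractors. A real deployment would add revocation of individual PoAs, which is out of scope here.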
9.
  • Zhang, Kewei (author)
  • Secure GNSS-based Positioning and Timing : Distance-Decreasing attacks, fault detection and exclusion, and attack detection with the help of opportunistic signals
  • 2021
  • Doctoral thesis (other academic/artistic). Abstract:
    • With trillions of devices connected in large-scale systems in a wired or wireless manner, positioning and synchronization become vital. Global Navigation Satellite Systems (GNSS) are the first choice to provide global coverage for positioning and synchronization services. From small mobile devices to aircraft, from intelligent transportation systems to cellular networks, and from cargo tracking to smart grids, GNSS plays an important role, thus requiring high reliability and security protection. However, as GNSS signals propagate from satellites to receivers at a distance of around 20 000 km, the signal power arriving at the receivers is very low, making the signals easy to jam or overpower. Another vulnerability stems from the fact that civilian GNSS signals and their specifications are publicly open, so that anyone can craft their own signals to spoof GNSS receivers: an adversary forges its own GNSS signals and broadcasts them to the victim receiver, to mislead the victim into believing that it is at an adversary-desired location or follows a false trajectory, or to adjust its clock to a time dictated by the adversary. Another type of attack is replaying GNSS signals: an adversary transmits a pre-recorded GNSS signal stream to the victim receiver, so that the receiver calculates an erroneous position and time. Recent incidents reported in the press show that GNSS functionality in certain areas, e.g., the Black Sea, has been affected by cyberattacks composed of the above-mentioned attack types. This thesis, thus, studies GNSS vulnerabilities and proposes detection and mitigation methods for GNSS attacks, notably spoofing and replay attacks. We analyze the effectiveness on GNSS signals of one important and powerful replay attack, the so-called Distance-Decreasing (DD) attack, which was previously investigated for wireless communication systems. DD attacks are physical-layer attacks, targeting time-of-flight ranging protocols, that shorten the measured distance between the transmitter and receiver. The attacker first transmits an adversary-chosen data bit to the victim receiver before the signal arrives at the attacker; upon receipt of the GNSS signal, the attacker estimates the data bit based on the early fraction of the bit period, and then switches to transmitting the estimate to the victim receiver. Consequently, the DD signal arrives at the victim receiver earlier than the genuine GNSS signals would have, which in effect shortens the pseudorange measurement between the sender (satellite) and the victim receiver, consequently affecting the calculated position and time of the receiver. We study how DD attacks affect the bit error rate (BER) of the received signals at the victim, and analyze their effectiveness, that is, the ability to shorten pseudorange measurements, on different GNSS signals. Several approaches are considered for the attacker to mount a DD attack with a high probability of success (without being detected) against a victim receiver, for cryptographically unprotected and protected signals. We analyze the tracking output of the DD signals at the victim receiver and propose a Goodness of Fit (GoF) test and a Generalized Likelihood Ratio Test (GLRT) to detect the attacks. The evaluation of the two tests shows that they are effective, with the result being perhaps more interesting when considering DD attacks against Galileo signals that can be cryptographically protected. Moreover, this thesis investigates the feasibility of validating the authenticity of GNSS signals with the help of opportunistic signals, i.e., information readily available in modern communication environments, e.g., 3G, 4G and WiFi. We analyze the time synchronization accuracy of different technologies, e.g., Network Time Protocol (NTP), WiFi and the local oscillator, as the basis for detecting a discrepancy with the GNSS-obtained time. Two detection approaches are proposed and one testbench is designed for the evaluation. A synthesized spoofing attack is used to verify the effectiveness of the approaches. Beyond attack detection, we develop algorithms to detect and exclude faulty signals, namely the Clustering-based Solution Separation Algorithm (CSSA) and the Fast Multiple Fault Detection and Exclusion (FM-FDE) algorithm. They both utilize the redundant available satellites, more than the minimum a GNSS receiver needs for position and time offset calculation. CSSA adopts data clustering to group subsets of positions calculated with different subsets of available satellites. Basically, the positions calculated with subsets not containing any faulty satellites should be close to each other, i.e., in a dense area; otherwise they should be scattered. FM-FDE is a more efficient algorithm that uses distances between positions, calculated with fixed-size subsets, as test statistics to detect and exclude faulty satellite signals. As the results show, FM-FDE runs faster than CSSA and other solution-separation fault detection and exclusion algorithms while remaining equally effective.
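The CSSA and FM-FDE algorithms in entry 9 above both rest on solution separation: positions computed from different subsets of satellites agree when no subset member is faulty and scatter when one is. The following Python block is an added, deliberately reduced illustration of that principle rather than the thesis's algorithms: ranging to five fixed 2-D anchors instead of satellites (no altitude and no receiver clock offset, so three ranges fix a position exactly), with a constructed 25 m bias on one anchor's range standing in for a faulty or attacked signal. Every 3-anchor subset yields a position, the largest distance between those positions is the test statistic, and the anchor whose exclusion collapses the statistic is the one excluded. The anchor layout, the true position, the bias and the 5 m threshold are assumptions of this example.

```python
import math
from itertools import combinations


def solve_three(anchors, ranges):
    """Exact 2-D position from three (anchor, range) pairs. Subtracting the
    first range equation from the other two removes the quadratic terms and
    leaves a 2x2 linear system, solved here by Cramer's rule."""
    (xa, ya), (xb, yb), (xc, yc) = anchors
    ra, rb, rc = ranges
    a11, a12 = 2 * (xb - xa), 2 * (yb - ya)
    a21, a22 = 2 * (xc - xa), 2 * (yc - ya)
    k1 = (xb ** 2 + yb ** 2 - xa ** 2 - ya ** 2) - (rb ** 2 - ra ** 2)
    k2 = (xc ** 2 + yc ** 2 - xa ** 2 - ya ** 2) - (rc ** 2 - ra ** 2)
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("collinear anchors: no unique fix")
    return ((k1 * a22 - a12 * k2) / det, (a11 * k2 - a21 * k1) / det)


def subset_fixes(anchors, ranges, exclude=None):
    """One position per 3-anchor subset, optionally leaving one anchor out."""
    idx = [i for i in range(len(anchors)) if i != exclude]
    return [solve_three([anchors[i] for i in s], [ranges[i] for i in s])
            for s in combinations(idx, 3)]


def spread(points):
    """Test statistic: largest distance between any two subset fixes."""
    return max((math.dist(p, q) for p, q in combinations(points, 2)), default=0.0)


def centroid(points):
    return (sum(p[0] for p in points) / len(points), sum(p[1] for p in points) / len(points))


def detect_and_exclude(anchors, ranges, threshold):
    """Solution-separation fault detection and exclusion.
    Returns (excluded_index or None, position). Consistent fixes mean no fault;
    otherwise the anchor whose removal makes the remaining fixes agree again is
    declared faulty and excluded from the final fix."""
    fixes = subset_fixes(anchors, ranges)
    if spread(fixes) <= threshold:
        return None, centroid(fixes)
    candidates = {j: subset_fixes(anchors, ranges, exclude=j) for j in range(len(anchors))}
    best = min(candidates, key=lambda j: spread(candidates[j]))
    if spread(candidates[best]) > threshold:
        raise ValueError("no single exclusion restores consistency (multiple faults or poor geometry)")
    return best, centroid(candidates[best])


# Constructed geometry: five anchors in metres and a true position.
ANCHORS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0), (50.0, -50.0)]
TRUE_POS = (30.0, 40.0)


def constructed_ranges(faulty=None, bias_m=25.0):
    """Noise-free ranges, with an optional constructed bias on one anchor; a
    faulty or attacked pseudorange shows up as exactly such a bias."""
    ranges = [math.dist(a, TRUE_POS) for a in ANCHORS]
    if faulty is not None:
        ranges[faulty] += bias_m
    return ranges
```

With the bias on anchor 3, `detect_and_exclude` returns index 3 and a position within floating-point error of `TRUE_POS`; with clean ranges it returns `None`. Two things the reduction hides and the thesis handles: measurement noise, which turns the threshold into a statistical decision with a false-alarm rate, and geometry (DOP), since a bias of a given size maps into a larger or smaller position error depending on where the anchors are, so a fixed threshold in metres is a simplification.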