Research

Project: Securing Virtualization Configuration and Managing the Attack Surface
PI: Laurent Michel
Students: Waldemar Cruz, Fanghui Liu
Abstract: Virtualization provides a layer of abstraction between the operating system and the application stack. This layer delivers multiple benefits ranging from rapid deployment to task migration, load balancing and the ability to easily match hardware resources to evolving computational needs. It is often seen as a way to return to mainframe-style resource management.
Yet, the deployment of a large number of generally inter-connected virtual machines creates serious security challenges. Without proper processes for configuring, deploying and running the virtual machines, the organization is at risk of accidentally creating vulnerabilities throughout the infrastructure even though virtualization per se, can strengthen the security posture with better isolation as well as monitoring.
Date: 4/17/2017 – 12/31/2018
Status:
In-progress
Publications:
            Cruz W., Liu F., Michel L. (2018) Securely and Automatically Deploying Micro-services in an Hybrid Cloud Infrastructure. In: Hooker J. (eds) Principles and Practice of Constraint Programming. CP 2018. Lecture Notes in Computer Science, vol 11008. Springer, Cham

 

Project: Deployable Secure Inter-Domain Routing (DeSIDeR)
PI: Amir Herzberg
Students: Justin Furuness, Michael Pappas, Xingyu Wang
Abstract: From its inception, the Internet Inter-Domain Routing protocols, most notably BGP, have been vulnerable. These vulnerabilities are regularly abused for different illegitimate goals, and lots of research and standardization efforts were dedicated to securing inter-domain routing; however, so far, with quite limited impact and deployment.
In this project we will develop and experimentally deploy the Smart Validator. This is an improved Route Origin Validator, which will implement our proposals for improved security from [2, 1], as well as allow ‘safe’ experiments of RPKI deployments; let us mention two of the modes designed for experiments and safe deployment. The most basic mode would be the passive (learning) ROV deployment mode, allowing a network operator to evaluate the impact of different ROV deployment options, without actually blocking any BGP announcements. Once network operator is satisfied that the selected options would have desirable impact, he can switch to the safe ROV deployment mode, which will only block BGP announcements that appear to be ‘really invalid’ – deploying multiple heuristics to avoid false-positives, most notably, allowing BGP announcements which has been announced for sufficiently long period. The re- search will also utilize machine-learning techniques, to complement the RPKI data and improve the decision-making process. The code of the smart validator is based on the RIPE validator. We work closely with RIPE, so that our code will use and integrate with version 3 of their validator; we already received access to its early version.
As part of this project, we hope to be able to provide extensive, in-depth experiments of inter-domain routing security issues and of deployment and effectiveness of different security measures.
Date: 4/1/2018 – 12/31/2018
Status: In-progress

 

Project: Kleptography: Research to Prevent Private Key and Private Data Leakage
PI: Alexander Russell
Students: Saad Quader
Abstract: This project focuses on mitigating two serious security threats: intentional insertion of backdoors into cryptographic implementations or unintentionally faulty implementations of otherwise secure cryptographic tools. Either case can result in potential exposure of private keys and data. A particular danger in such cases—especially when cryptographic algorithms are actively subverted—is the possibility of systemic security breaches that can be exceptionally difficult to detect. This project pursues analysis and research to create a set of standards and, potentially, tests that allow a stakeholder to protect cryptographic algorithms, including key generation, against such leakage of secret keys and data. Preliminary research on this topic suggests the possibility of fairly general techniques that can protect existing cryptographic algorithms from “backdoors” and other security failings arising from hostile (or untrusted) algorithmic implementations.
In tandem with these efforts, the project will focus on the related challenge of safely delegating such delicate tasks as key generation, programming of HSMs, and data warehousing.
Date: 9/15/2016 – 12/31/2017
Status: Completed

 

Project: Embedded System Authentication and New Authentication Techniques
PI: Marten van Dijk
Students: Syed Kamran Haider, Chenglu Jin, Tara John, Hoda Maleki
Abstract: The objective of this project is to develop higher-level password-less protocols and techniques for user and embedded system authentication. These new concepts will together form a new promising authentication framework. The project will produce a hardware authentication source that can be used to secure multiple Comcast devices. The source will be based on two technologies: physical unclonable function (PUFs) and fuzzy extractors (FEs). We will advance the realism of our prototype for use in Comcast applications. This maturation will ensure that the device can be securely reused for multiple services, that noise levels are correctable in a variety of operating conditions, and that the code is resistant to side-channel measurement.
The project will also examine current authentication methods and how they can be effectively combined to assure that only legitimate devices are granted privileged data. Authentication methods try to reliably learn the identity/environment with which one is communicating. This is a broad topic so we identify specific objectives and thrusts as follows: increasing security with many authentication factors, controlling memory leakage in SeL4, isolation guided by application behavior, irreversible logging and an overview which explains the connection between authentication and other disciplines (such as psychology).
Date: 5/1/2015 – 12/31/2017
Status: Completed
Publications:
            Nguyen, P. H., Sahoo, D. P.,Jin, C., Mahmood, K., Ruhrmair U., and van Dijk, M. “The Interpose PUF: Secure PUF Design against State-of-the-art Machine Learning Attacks”.Cryptography ePrint Archive.
            Jin, C., Herder, C., Ren, L., Nguyen, P. H., Fuller, B., Devadas, S., & van Dijk, M. (2017). FPGA implementation of a cryptographically-secure PUF based on learning parity with noise. Cryptography, 1(3), 23.
            Haider, S. K., Omar, H., Lebedev, I. A., Devadas, S., and van Dijk, M. “Leveraging Hardware Isolation for Process Level Access Control & Authentication”. SACMAT 2017: 133-141.
            Hogan, K., Maleki, H., Rahaeimehr, R., Canetti, R., van Dijk, M., Hennessey, J., Varia, M., and Zhang, H., “On the Universally Composable Security of OpenStack”, Cryptology ePrint Archive, Report 2018/602. http:// ePrint.iacr.org/. 2018.

 

Project: Big Data Solutions for Attack Forecasting
PI: Sanguthevar Rajasekaran
Students: Jagriti Das, Abdelrahman Ibrahim
Abstract: The objective of this project is to investigate past network attack conditions and other non-technical and geopolitical events to determine indicators that led to previous network attacks with the hope that predicative analysis can possibly predict when attacks will occur. A variety of datasets will be utilized to build predictive models. Examples include past network conditions, non-technical and geopolitical events, Netflow data, network performance data, results of third party network traffic analysis and social media feeds.
Date: 5/1/2015 – 12/31/2015
Status: Completed

 

Project: Securing Linux Software Compartments for Embedded Devices
PI: Laurent Michel
Students: Gregory Johnson
Abstract: The purpose of this project is to reconcile the wishes of customers and the security imperatives by hardening set-top-boxes and routers against attacks that exploit the weak protection conferred by default or simple Linux installation. These devices can no longer be assumed to be executing in a friendly environment and their inter-connectedness makes them highly susceptible to attacks. Specifically, the intent is to produce an architecture with low overhead containers for each application deployed on embedded devices that explicitly address issues of containers isolation, privileges escalation protection, rights restriction within and across containers, installation validation through cryptographic signatures and runtime validation of processes executing within the confines of container to catch code injections attempts and quickly identify and isolate attacked or compromised containers.
Date: 5/1/2015 – 12/31/2015
Status: Completed

 

Project: KuMdo: A Key Management Toolbox for Minimizing Business Risk
PI: Marten van Dijk
Students: Hoda Maleki, Murat Osmanoglu, Qiang Tang
Abstract: The main objective is to design KuMdo, a toolbox with attractive approaches to key management that reduce/mitigate the business risk caused by leaked/stolen keys and reduce the incentive (benefit) for economically motivated attackers to steal keys in the first place.
Date: 5/1/2015 – 12/31/2015
Status: Completed

 

Project: Supply Chain Management
PI: Marten van Dijk
Students: Chenglu Jin, Hoda Maleki, Reza Rahaeimehr
Abstract: The objective of this project is to develop an approach to manage supply chain using RFIDs without the need to communicate with a centralized database. In other words no RFID reader needs to be online and is even allowed to be offline all the time. In the proposed approach, the databases are distributed towards the RFID tags themselves, which each store their own trace with additional information that identifies readers, timestamps corresponding to the readers, and random bits for detection of cloned RFID tags etc. At the consumer end-point the device is activated and reads out the RFID tag and communicates its memory content to the centralized authority.
Date: 5/1/2015 – 12/31/2015
Status: Completed
Publications:
            van Dijk, M., Jin, C., Maleki, H., Nguyen, P. H. and Rahaeimehr, R. “Weak-Unforgeable Tags for Secure Supply Management”, 22nd International Conference on Financial Cryptography and Data Security (FC 2018)
            Maleki, H., Rahaeimehr, R., Jin, C. and van Dijk, M. “New clone-detection approach for RFID-based supply chains.” Hardware Oriented Security and Trust (HOST), 2017 IEEE International Symposium on. IEEE, 2017.
            Maleki, H., Rahaeimehr, R. and van Dijk, M. “SoK: A Survey of Clone Detection Approaches in RFID-based Supply Chains”, Workshop on Attacks and Solutions in Hardware Security (ASHES 2017, co-located with CCS 2017).

 

Project: Innovative RFID-enabled Supply Chain Management and Traceability for Comcast Products
PI: Mark Tehranipoor
Students: Kun Yang
Abstract: There are two areas that we target in this project: Supply Chain Management and Traceability and Monitoring Location of STBs. Our main objective is to provide a full-fledged solution to Comcast that addresses the security and management issues of their entire supply chain (i.e., during distribution and while with end users). In this project, we will substantially build on the prior scheme proposed by the authors so that it can address Comcast’s supply chain problems. The authors propose one type of tailing mechanism to detect counterfeit goods with cloned tags by writing random numbers to tags as they pass through a supply chain and verifying tail (composed of random numbers) divergence between genuine and cloned tags over time.
Date: 1/1/2015-7/31/2015
Status: Completed
Publications:
            Kun Yang, Domenic Forte, and Mark Tehranipoor. 2018. ReSC: An RFID-Enabled Solution for Defending IoT Supply Chain. ACM Trans. Des. Autom. Electron. Syst. 23, 3, Article 29 (February 2018), 27 pages.
            Yang K., Forte D., Tehranipoor M. (2015) ReSC: RFID-Enabled Supply Chain Management and Traceability for Network Devices. In: Mangard S., Schaumont P. (eds) Radio Frequency Identification. RFIDSec 2015. Lecture Notes in Computer Science, vol 9440.
            Kun Yang, Domenic Forte, and Mark M. Tehranipoor. 2015. Protecting Endpoint Devices in IoT Supply Chain. In Proceedings of the IEEE/ACM International Conference on Computer-Aided Design (ICCAD ’15). IEEE Press, Piscataway, NJ, USA, 351-356.
            Kun Yang, Domenic Forte, and Mark M. Tehranipoor. “UCR: An unclonable chipless RFID tag”, 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)

Other Publications:

            Tauhidur Rahman, Domenic Forte, Jim Fahrny, and Mohammad Tehranipoor. 2014. ARO-PUF: an aging-resistant ring oscillator PUF design. In Proceedings of the conference on Design, Automation & Test in Europe (DATE ’14). European Design and Automation Association, 3001 Leuven, Belgium, Belgium, Article 69, 6 pages.
            F. Tehranipoor, N. Karimian, P.A. Wortman, A. Haque, J. Fahrny, and J.A. Chandy, “Exploring Methods of Authentication for the Internet of Things,” in Internet of Things: Challenges, Advances, and Applications, ed. By Q.F. Hassan, A.u.R. Khan, and S.A. Madani, 2018.