Showing papers by "Gene Tsudik published in 2017"

Authentication using pulse-response biometrics

Abstract: We propose a new biometric based on the human body's response to an electric square pulse signal, called pulse-response. We explore how this biometric can be used to enhance security in the context of two example applications: (1) an additional authentication mechanism in PIN entry systems, and (2) a means of continuous authentication on a secure terminal. The pulse-response biometric is effective because each human body exhibits a unique response to a signal pulse applied at the palm of one hand, and measured at the palm of the other. Using a prototype setup, we show that users can be correctly identified, with high probability, in a matter of seconds. This identification mechanism integrates well with other established methods and offers a reliable additional layer of security, either on a continuous basis or at login time. We build a proof-of-concept prototype and perform experiments to assess the feasibility of pulse-response as a practical biometric. The results are very encouraging, achieving accuracies of 100% over a static data set, and 88% over a data set with samples taken over several weeks.

Lightweight Swarm Attestation: A Tale of Two LISA-s

Abstract: In the last decade, Remote Attestation (RA) emerged as a distinct security service for detecting attacks on embedded devices, cyber-physical systems (CPS) and Internet of Things (IoT) devices. RA involves verification of current internal state of an untrusted remote hardware platform (prover) by a trusted entity (verifier). RA can help the latter establish a static or dynamic root of trust in the prover and can also be used to construct other security services, such as software updates and secure deletion. Various RA techniques with different assumptions, security features and complexities, have been proposed for the single-prover scenario. However, the advent of IoT brought about the paradigm of many interconnected devices, thus triggering the need for efficient collective attestation of a (possibly mobile) group or swarm of provers. Though recent work has yielded some initial concepts for swarm attestation, several key issues remain unaddressed, and practical realizations have not been explored. This paper's main goal is to advance swarm attestation by bringing it closer to reality. To this end, it makes two contributions: (1) a new metric, called QoSA: Quality of Swarm Attestation, that captures the information offered by a swarm attestation technique; this allows comparing efficacy of multiple protocols, and (2) two practical attestation protocols -- called LISAa and LISAs -- for mobile swarms, with different QoSA features and communication and computation complexities. Security of proposed protocols is analyzed and their performance is assessed based on experiments with prototype implementations.

HYDRA: hybrid design for remote attestation (using a formally verified microkernel)

Abstract: Remote Attestation (RA) allows a trusted entity (verifier) to securely measure internal state of a remote untrusted hardware platform (prover). RA can be used to establish a static or dynamic root of trust in embedded and cyber-physical systems. It can also be used as a building block for other security services and primitives, such as software updates and patches, verifiable deletion and memory resetting. There are three major types of RA designs: hardware-based, software-based, and hybrid, each with its own set of benefits and drawbacks.This paper presents the first hybrid RA design - called HYDRA - that builds upon formally verified software components that ensure memory isolation and protection, as well as enforce access control to memory and other resources. HYDRA obtains these properties by using the formally verified seL4 microkernel. (Until now, this was only attainable with purely hardware-based designs.) Using seL4 imposes fewer hardware requirements on the underlying microprocessor. Also, building upon a formally verified software component increases confidence in security of the overall design of HYDRA and its implementation. We instantiate HYDRA on two commodity hardware platforms and assess the performance and overhead of performing RA on such platforms via experimentation; we show that HYDRA can attest 10MB of memory in less than 250msec when using a Speck-based cryptographic checksum.

Don't Skype & Type!: Acoustic Eavesdropping in Voice-Over-IP

Abstract: Acoustic emanations of computer keyboards represent a serious privacy issue. As demonstrated in prior work, physical properties of keystroke sounds might reveal what a user is typing. However, previous attacks assumed relatively strong adversary models that are not very practical in many real-world settings. Such strong models assume: (i) adversary's physical proximity to the victim, (ii) precise profiling of the victim's typing style and keyboard, and/or (iii) significant amount of victim's typed information (and its corresponding sounds) available to the adversary. This paper presents and explores a new keyboard acoustic eavesdropping attack that involves Voice-over-IP (VoIP), called Skype & Type (S&T), while avoiding prior strong adversary assumptions. This work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls. As expected, VoIP software acquires and faithfully transmits all sounds, including emanations of pressed keystrokes, which can include passwords and other sensitive information. We show that one very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim's input -- keystrokes typed on the remote keyboard. Our results demonstrate that, given some knowledge on the victim's typing style and keyboard model, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. Furthermore, we demonstrate that S&T is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and presence of voice over keystrokes), thus confirming feasibility of this attack. Finally, it applies to other popular VoIP software, such as Google Hangouts.

MTRA: Multiple-tier remote attestation in IoT networks

Abstract: Large numbers of Internet of Things (IoT) devices are increasingly deployed in many aspects of modern life. Given their limited resources and computational power, verifying program integrity in such devices is a challenging issue. In this paper, we design MTRA, a Multiple-Tier Remote Attestation protocol, by exploiting differences in resources and computational power among various types of networked IoT devices. More powerful devices equipped with a Trusted Platform Module (TPM) are verified through trusted hardware while others are verified through software-based attestation. MTRA is a flexible means of program integrity verification for heterogeneous IoT devices.

Ditio: Trustworthy Auditing of Sensor Activities in Mobile & IoT Devices

Abstract: Mobile and Internet-of-Things (IoT) devices, such as smartphones, tablets, wearables, smart home assistants (e.g., Google Home and Amazon Echo), and wall-mounted cameras, come equipped with various sensors, notably camera and microphone. These sensors can capture extremely sensitive and private information. There are several important scenarios where, for privacy reasons, a user might require assurance about the use (or non-use) of these sensors. For example, the owner of a home assistant might require assurance that the microphone on the device is not used during a given time of the day. Similarly, during a confidential meeting, the host needs assurance that attendees do not record any audio or video. Currently, there are no means to attain such assurance in modern mobile and IoT devices. To this end, this paper presents Ditio, a system approach for auditing sensor activities. Ditio records sensor activity logs that can be later inspected by an auditor and checked for compliance with a given policy. It is based on a hybrid security monitor architecture that leverages both ARM's virtualization hardware and TrustZone. Ditio includes an authentication protocol for establishing a logging session with a trusted server and a formally verified companion tool for log analysis. Ditio prototypes on ARM Juno development board and Nexus 5 smartphone show that it introduces negligible performance overhead for both the camera and microphone. However, it incurs up to 17% additional power consumption under heavy use for the Nexus 5 camera.

When encryption is not enough: privacy attacks in content-centric networking

Abstract: Content-Centric Networking (CCN) is a network architecture for transferring named content from producers to consumers upon request. The name-to-content binding is cryptographically enforced with a digital signature generated by the producer. Thus, content integrity and origin authenticity are core features of CCN. In contrast, content confidentiality and privacy are left to the applications. The typically advocated approach for protecting sensitive content is to use encryption, i.e., restrict access to those who have appropriate decryption key(s). Moreover, content is typically encrypted once for identical requests, meaning that many consumers obtain the same encrypted content. From a privacy perspective, this is a step backwards from the "secure channel" approach in today's IP-based Internet, e.g., TLS or IPSec. In this paper, we assess the privacy pitfalls of this approach, particularly, when the adversary learns some auxiliary information about popularity of certain plaintext content. Merely by observing (or learning) the frequency of requested content, the adversary can learn which encrypted corresponds to which plaintext data. We evaluate this attack using a custom CCN simulator and show that even moderately accurate popularity information suffices for accurate mapping. We also show how the adversary can exploit caches to learn content popularity information. The adversary needs to know the content namespace in order to succeed. Our results show that encryption-based access control is insufficient for privacy in CCN. More extensive counter-measures (such as namespace restrictions and content replication) are needed to mitigate the attack.

Presence Attestation: The Missing Link in Dynamic Trust Bootstrapping

Abstract: Many popular modern processors include an important hardware security feature in the form of a DRTM (Dynamic Root of Trust for Measurement) that helps bootstrap trust and resists software attacks. However, despite substantial body of prior research on trust establishment, security of DRTM was treated without involvement of the human user, who represents a vital missing link. The basic challenge is: how can a human user determine whether an expected DRTM is currently active on her device? In this paper, we define the notion of "presence attestation", which is based on mandatory, though minimal, user participation. We present three concrete presence attestation schemes: sight-based, location-based and scene-based. They vary in terms of security and usability features, and are suitable for different application contexts. After analyzing their security, we assess their usability and performance based on prototype implementations.

Can We Make a Cake and Eat it Too? A Discussion of ICN Security and Privacy

Abstract: In recent years, Information-centric Networking (ICN) has received much attention from both academic and industry participants. ICN offers data-centric inter-networking that is radically different from today's host-based IP networks. Security and privacy features on today's Internet were originally not present and have been incrementally retrofitted over the last 35 years. As such, these issues have become increasingly important as ICN technology gradually matures towards real-world deployment. Thus, while ICN-based architectures (e.g., NDN, CCNx, etc.) are still evolving, it is both timely and important to explore ICN security and privacy issues as well as devise and assess possible mitigation techniques.This report documents the highlights and outcomes of the Dagstuhl Seminar 16251 on ``Information-centric Networking and Security.'' The goal of which was to bring together researchers to discuss and address security and privacy issues particular to ICN-based architectures. Upon finishing the three-day workshop, the outlook of ICN is still unclear. Many unsolved and ill-addressed problems remain, such as namespace and identity management, object security and forward secrecy, and privacy. Regardless of the fate of ICN, one thing is certain: much more research and practical experience with these systems is needed to make progress towards solving these arduous problems.

Closing the Floodgate with Stateless Content-Centric Networking

Abstract: Information-Centric Networking (ICN) is a recent paradigm that claims to mitigate some limitations of the current IP-based Internet architecture. The centerpiece of ICN is named and addressable content, rather than hosts or interfaces. Content-Centric Networking (CCN) is a prominent ICN instance that shares the fundamental architectural design with its equally popular academic sibling Named- Data Networking (NDN). CCN eschews source addresses and creates one-time virtual circuits for every content request (called an interest). As an interest is forwarded it creates state in intervening routers and the requested content back is delivered over the reverse path using that state. Although a stateful forwarding plane might be beneficial in terms of efficiency and resilience to certain types of attacks, this has not been decisively proven via realistic experiments. Since keeping per-interest state complicates router operations and makes the infrastructure susceptible to router state exhaustion attacks (e.g., there is currently no effective defense against Interest Flooding attacks), the value of the stateful forwarding plane in CCN should be re-examined. In this paper, we explore supposed benefits and various problems of the stateful forwarding plane. We then argue that its benefits are uncertain at best and it should not be a mandatory CCN feature. To this end, we propose a new stateless architecture for CCN that provides nearly all functionality of the stateful design without its headaches. We analyze performance and resource requirements of the proposed architecture via experiments.

Assentication: User Deauthentication and Lunchtime Attack Mitigation with Seated Posture Biometric

Abstract: Biometric techniques are often used as an extra security factor in authenticating human users. Numerous biometrics have been proposed and evaluated, each with its own set of benefits and pitfalls. Static biometrics (such as fingerprints) are geared for discrete operation, to identify users, which typically involves some user burden. Meanwhile, behavioral biometrics (such as keystroke dynamics) are well suited for continuous, and sometimes more unobtrusive, operation. One important application domain for biometrics is deauthentication, a means of quickly detecting absence of a previously authenticated user and immediately terminating that user's active secure sessions. Deauthentication is crucial for mitigating so called Lunchtime Attacks, whereby an insider adversary takes over (before any inactivity timeout kicks in) authenticated state of a careless user who walks away from her computer. Motivated primarily by the need for an unobtrusive and continuous biometric to support effective deauthentication, we introduce PoPa, a new hybrid biometric based on a human user's seated posture pattern. PoPa captures a unique combination of physiological and behavioral traits. We describe a low cost fully functioning prototype that involves an office chair instrumented with 16 tiny pressure sensors. We also explore (via user experiments) how PoPa can be used in a typical workplace to provide continuous authentication (and deauthentication) of users. We experimentally assess viability of PoPa in terms of uniqueness by collecting and evaluating posture patterns of a cohort of users. Results show that PoPa exhibits very low false positive, and even lower false negative, rates. In particular, users can be identified with, on average, 91.0% accuracy. Finally, we compare pros and cons of PoPa with those of several prominent biometric based deauthentication techniques.

FADEWICH: Fast Deauthentication Over the Wireless Channel

Abstract: Both authentication and deauthentication are instrumental for preventing unauthorized access to computers and other resources. While there are obvious motivating factors for using strong authentication mechanisms, convincing users to deauthenticate is not straight-forward, since deauthentication is not considered mandatory. A user who leaves a logged-in workstation unattended (especially for a short time) is typically not inconvenienced in any way; in fact, the other way around - no annoying reauthentication is needed upon return. However, an unattended workstation is trivially susceptible to the well-known "lunchtime attack" by any nearby adversary who simply takes over the departed user's log-in session. At the same time, since deauthentication does not intrinsically require user secrets, it can, in principle, be made unobtrusive. To this end, this paper designs the first automatic user deauthentication system - FADEWICH - that does not rely on biometric-or behavior-based techniques (e.g., keystroke dynamics) and does not require users to carry any devices. It uses physical properties of wireless signals and the effect of human bodies on their propagation. To assess FADEWICH's feasibility and performance, extensive experiments were conducted with its prototype. Results show that it suffices to have nine inexpensive wireless sensors deployed in a shared office setting to correctly deauthenticate all users within six seconds (90% within four seconds) after they leave their workstation's vicinity. We considered two realistic scenarios where the adversary attempts to subvert FADEWICH and showed that lunchtime attacks fail.

Namespace Tunnels in Content-Centric Networks

Abstract: Content-Centric Networking (CCN) is a candidate next-generation Internet architecture that offers an alternative to the current IP-based model. CCN emphasizes scalable and efficient content distribution by making content explicitly named and addressable. It also offers some appealing privacy features, such as lack of source and destination addresses in packets. However, to be considered a fully viable Internet architecture, CCN must support private and anonymous communication that is at least on par with IP. Within this space, a VPN is an important and popular tool that enables users to communicate across insecure public networks as if they were connected over a private network. At present, VPN support is also absent from the repertoire of CCN research. To fill this void, we design, implement and evaluate CCVPN – a content-centric analog to IP-based VPNs of the current Internet architecture. To the best of our knowledge, CCVPN is the first such CCN-based design. Though functionally equivalent to IP-based VPNs, CCVPN offers better privacy due to unlinkability of encapsulated packets to the originating network. We analyze security of CCVPN and experimentally assess its performance.

Private Set Projections & Variants

Abstract: There are many realistic settings where two mutually suspicious parties need to share some specific information while keeping everything else private. Various privacy-preserving techniques (such as Private Set Intersection) have been proposed as general solutions. Based on timely real-world examples, this paper motivates the need for a new privacy tool, called Private Set Intersection with Projection (PSI-P). In it, Server has (at least) a two-attribute table and Client has a set of values. At the end of the protocol, based on all matches between Client's set and values in one (search) attribute of Server's database, Client should learn the set of elements corresponding to the second attribute, and nothing else. In particular the intersection of Client's set and the set of values in the search attribute must remain hidden. We construct several efficient (linear complexity) protocols that approximate privacy required by PSI-P and suffice in many practical scenarios. We also provide a new construction for PSI-P with full privacy, albeit it is slightly less efficient. Its key building block is a primitive called Existential Private Set Intersection (PSI-X) which yields a binary flag indicating whether the intersection of two private sets is empty or non-empty.

Pulse-Response: Exploring Human Body Impedance for Biometric Recognition

Abstract: Biometric characteristics are often used as a supplementary component in user authentication and identification schemes. Many biometric traits, both physiological and behavioral, offering a wider range of security and stability, have been explored. We propose a new physiological trait based on the human body’s electrical response to a square pulse signal, called pulse-response, and analyze how this biometric characteristic can be used to enhance security in the context of two example applications: (1) an additional authentication mechanism in PIN entry systems and (2) a means of continuous authentication on a secure terminal. The pulse-response biometric recognition is effective because each human body exhibits a unique response to a signal pulse applied at the palm of one hand and measured at the palm of the other. This identification mechanism integrates well with other established methods and could offer an additional layer of security, either on a continuous basis or at log-in time. We build a proof-of-concept prototype and perform experiments to assess the feasibility of pulse-response for biometric authentication. The results are very encouraging, achieving an equal error rate of 2% over a static dataset and 9% over a dataset with samples taken over several weeks. We also quantize resistance to attack by estimating individual worst-case probabilities for zero-effort impersonation in different experiments.

FUsing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned

Abstract: Remote Attestation (RA) allows a trusted entity (verifier) to securely measure internal state of a remote untrusted device (prover). RA can be used to establish a static or dynamic root of trust in embedded and cyber-physical systems. There are 3 types of RA designs: hardware-based, software-based, and hybrid, each with its own benefits and drawbacks. This paper presents the first hybrid RA design (HYDRA) that builds upon formally verified software components that ensure memory isolation and protection, as well as enforce memory access controls. HYDRA obtains these properties by using the formally verified seL4 microkernel. We instantiate HYDRA on a popular commodity platform and assess its performance via experiments; we show that HYDRA can attest 10MB of memory in less than 500msec. The paper also discusses the challenges facing development of HYDRA and the lessons learned.

ERASMUS: Efficient Remote Attestation via Self- Measurement for Unattended Settings

Abstract: Remote attestation (RA) is a popular means of detecting malware in embedded and IoT devices. RA is usually realized as an interactive protocol, whereby a trusted party -- verifier -- measures integrity of a potentially compromised remote device -- prover. Early work focused on purely software-based and fully hardware-based techniques, neither of which is ideal for low-end devices. More recent results have yielded hybrid (SW/HW) security architectures comprised of a minimal set of features to support efficient and secure RA on low-end devices. All prior RA techniques require on-demand operation, i.e, RA is performed in real time. We identify some drawbacks of this general approach in the context of unattended devices: First, it fails to detect mobile malware that enters and leaves the prover between successive RA instances. Second, it requires the prover to engage in a potentially expensive (in terms of time and energy) computation, which can be harmful for critical or real-time devices. To address these drawbacks, we introduce the concept of self-measurement where a prover device periodically (and securely) measures and records its own software state, based on a pre-established schedule. A possibly untrusted verifier occasionally collects and verifies these measurements. We present the design of a concrete technique called ERASMUS : Efficient Remote Attestation via Self-Measurement for Unattended Settings, justify its features and evaluate its performance. In the process, we also define a new metric -- Quality of Attestation (QoA). We argue that ERASMUS is well-suited for time-sensitive and/or safety-critical applications that are not served well by on-demand RA. Finally, we show that ERASMUS is a promising stepping stone towards handling attestation of multiple devices (i.e., a group or swarm) with high mobility.

Genomic Security (Lest We Forget)

Abstract: Genomic privacy has attracted much attention from the research community, because its risks are unique and breaches can lead to terrifying leakage of sensitive information. The less-explored topic of genomic security must address threats of digitized genomes being altered, which can have dire consequences in medical or legal settings.

Lights, Camera, Action! Exploring Effects of Visual Distractions on Completion of Security Tasks

Abstract: Human errors in performing security-critical tasks are typically blamed on the complexity of those tasks However, such errors can also occur because of (possibly unexpected) sensory distractions A sensory distraction that produces negative effects can be abused by the adversary that controls the environment Meanwhile, a distraction with positive effects can be artificially introduced to improve user performance

An Exploration of the Effects of Sensory Stimuli on the Completion of Security Tasks

Abstract: Ambient sensory distractions play a role in security-critical tasks that require human involvement. Adversarial control over human sensory input could broaden the attack surface. To shed light on this issue, a team conducted large-scale experiments that exposed subjects to unexpected audio and visual stimuli while they performed a security-critical task.

Mitigating On-Path Adversaries in Content-Centric Networks

Abstract: Content-Centric Networking (CCN) is a recently proposed Internet paradigm that focuses on scalable, secure and efficient content distribution. The main abstraction is named and addressable content. A consumer requests desired named content by generating a so-called interest, which is then routed by the network towards an in-network cached copy, or the authoritative producer, of that content. Since all CCN content must be signed by its producer, consumers and routers can cryptographically verify its correctness, authenticity, and integrity. Thus, in principle, attacks that introduce fake (poisoned) content can be detected. However, verifying content signatures is optional for CCN routers, detection of fake content only implies presence of a malicious upstream entity. A major outstanding problem in CCN is how to react to such attacks, determine their source(s), and re-route interests accordingly.,,,,In this work, we construct a technique based on efficient per-hop packet integrity checks. Routers share secrets with neighboring routers and use them to verify and generate efficient per-hop packet authenticators. An on-path attacker that tampers with content in transit is quickly detected by downstream routers. Moreover, an on-path attacker that hijacks a namespace is discoverable. Our experimental assessment indicates that the proposed technique incurs very low per-packet overhead. Furthermore, since our approach is not CCN-specific, it can be applied to IP-based networks as well.

HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel)

Abstract: Remote Attestation (RA) allows a trusted entity (verifier) to securely measure internal state of a remote untrusted hardware platform (prover). RA can be used to establish a static or dynamic root of trust in embedded and cyber-physical systems. It can also be used as a building block for other security services and primitives, such as software updates and patches, verifiable deletion and memory resetting. There are three major classes of RA designs: hardware-based, software-based, and hybrid, each with its own set of benefits and drawbacks. This paper presents the first hybrid RA design, called HYDRA, that builds upon formally verified software components that ensure memory isolation and protection, as well as enforce access control to memory and other resources. HYDRA obtains these properties by using the formally verified seL4 microkernel. (Until now, this was only attainable with purely hardware-based designs.) Using seL4 requires fewer hardware modifications to the underlying microprocessor. Building upon a formally verified software component increases confidence in security of the overall design of HYDRA and its implementation. We instantiate HYDRA on two commodity hardware platforms and assess the performance and overhead of performing RA on such platforms via experimentation; we show that HYDRA can attest 10MB of memory in less than 500msec when using a Speck-based message authentication code (MAC) to compute a cryptographic checksum over the memory to be attested.

Probabilistic and Considerate Attestation of IoT Devices against Roving Malware.

Abstract: Remote Attestation (RA) is a popular means of detecting malware presence (or verifying its absence) on embedded and IoT devices. It is especially relevant to low-end devices that are incapable of protecting themselves against infection. Malware that is aware of ongoing or impending attestation and aims to avoid detection can relocate itself during computation of the attestation measurement. In order to thwart such behavior, prior RA techniques are either noninterruptible or explicitly forbid modification of storage during measurement computation. However, since the latter can be a time-consuming task, this curtails availability of device’s other (main) functions, which is especially undesirable, or even dangerous, for devices with timeand/or safety-critical missions. In this paper, we propose SMARM , a light-weight technique, based on shuffled measurements, as a defense against roving malware. In SMARM , memory is measured in a randomized and secret order. This does not impact device’s availability – the measurement process can be interrupted, even by malware, which can relocate itself at will. We analyze various malware behaviors and show that, while malware can escape detection in a single attestation instance, it is highly unlikely to avoid eventual detection.

Lights, Camera, Action! Exploring Effects of Visual Distractions on Completion of Security Tasks

Abstract: Human errors in performing security-critical tasks are typically blamed on the complexity of those tasks. However, such errors can also occur because of (possibly unexpected) sensory distractions. A sensory distraction that produces negative effects can be abused by the adversary that controls the environment. Meanwhile, a distraction with positive effects can be artificially introduced to improve user performance. The goal of this work is to explore the effects of visual stimuli on the performance of security-critical tasks. To this end, we experimented with a large number of subjects who were exposed to a range of unexpected visual stimuli while attempting to perform Bluetooth Pairing. Our results clearly demonstrate substantially increased task completion times and markedly lower task success rates. These negative effects are noteworthy, especially, when contrasted with prior results on audio distractions which had positive effects on performance of similar tasks. Experiments were conducted in a novel (fully automated and completely unattended) experimental environment. This yielded more uniform experiments, better scalability and significantly lower financial and logistical burdens. We discuss this experience, including benefits and limitations of the unattended automated experiment paradigm.