Showing papers by "Gene Tsudik published in 2022"

Privacy-Friendly De-authentication with BLUFADE: Blurred Face Detection

Abstract: Ideally, secure user sessions should start and end with authentication and de-authentication phases, respectively. While the user must pass the former to start a secure session, the latter’s importance is often ignored or underestimated. Dangling or unattended sessions expose users to well-known Lunchtime Attacks. To mitigate this threat, the research community focused on automated de-authentication systems. Unfortunately, no single approach offers security, privacy, and usability. For instance, although facial recognition-based methods might be a good fit for security and usability, they violate user privacy by constantly recording the user and the surrounding environment.In this work, we propose BLUFADE, a fast, secure, and transparent de-authentication system that takes advantage of blurred faces to preserve user privacy. We obfuscate a webcam with a physical blur layer and use deep learning algorithms to perform face detection continuously. To assess BLUFADE‘s practicality, we collected two datasets formed by 30 recruited subjects (users) and thousands of physically blurred celebrity photos. The former was used to train and evaluate the deauthentication system performances, the latter to assess the privacy and to increase variance in training data. We show that our approach outperforms state-of-the-art methods in detecting blurred faces, achieving up to 95% accuracy. Furthermore, we demonstrate that BLUFADE effectively de-authenticates users up to 100% accuracy in under 3 seconds, while satisfying security, privacy, and usability requirements.

Vronicle: verifiable provenance for videos from mobile devices

Abstract: Demonstrating veracity of videos is a longstanding problem that has recently become more urgent and acute. It is extremely hard to accurately detect manipulated videos using content analysis, especially in the face of subtle, yet effective, manipulations, such as frame rate changes or skin tone adjustments. In this paper, we present Vronicle, a method for generating provenance information for videos captured by mobile devices and using that information to verify authenticity of videos. A key feature of Vronicle is the use of Trusted Execution Environments (TEEs) for video capture and post-processing. This aids in constructing fine-grained provenance information that allows the consumer to verify various aspects of the video, thereby defeating numerous fake-video creation methods. Another important feature is the use of fixed-function post-processing units that facilitate verification of provenance information. These units can be deployed in any TEE, either in the mobile device that captures the video or in powerful servers. We present a prototype of Vronicle, which uses ARM TrustZone and Intel SGX for on-device and server-side post-processing, respectively. Moreover, we introduce two methods (and prototype the latter) for secure video capture on mobile devices: one using ARM TrustZone, and another using Google SafetyNet, providing a trade-off between security and immediate deployment. Our evaluation demonstrates that: (1) Vronicle's performance is well-suited for non-real-time use-cases, and (2) offloading post-processing significantly improves Vronicle's performance, matching that of uploading videos to YouTube.

SCRAPS: Scalable Collective Remote Attestation for Pub-Sub IoT Networks with Untrusted Proxy Verifier

Abstract: Remote Attestation ( RA ) is a basic security mechanism that detects malicious presence on various types of computing components, e.g., IoT devices. In a typical IoT setting, RA involves a trusted Verifier that sends a challenge to an untrusted remote Prover , which must in turn reply with a fresh and authentic evidence of being in a trustworthy state. However, most current RA schemes assume a central Verifier , which represents a single point of failure. This feature is problematic when mutually suspicious stakeholders are involved. Further-more, scalability issues arise as the number of IoT devices ( Provers ) grows. Although some RA schemes allow peer Provers to act as Verifiers , they involve unrealistic (for IoT devices) requirements, such as time synchronization and synchronous communication. Moreover, they incur heavy memory, computation, and communication burdens, while not considering sleeping or otherwise disconnected devices. Motivated by the need to address these limitations, we construct S calable C ollective R emote A ttestation for P ub- S ub ( SCRAPS ), a novel collective RA scheme. It achieves scalability by outsourcing Verifier duties to a smart contract and mitigates DoS attacks against both Provers and Verifiers . It also removes the need for synchronous communication. Furthermore, RA evidence in SCRAPS is publicly verifiable, which significantly reduces the number of attestation evidence computations, thus lower-ing Prover burden. We report on SCRAPS prototype implemented over Hyperledger Sawtooth (a blockchain geared for IoT use-cases) and evaluate its performance, scalability, and security aspects.

Privacy-from-Birth: Protecting Sensed Data from Malicious Sensors with VERSA

Abstract: With the growing popularity of the Internet-of-Things (IoT), massive numbers of specialized devices are deployed worldwide, in many everyday settings, including homes, offices, vehicles, public spaces, and factories. Such devices usually perform sensing and/or actuation. Many of them handle sensitive and personal data. If left unprotected, ambient sensing (e.g., of temperature, motion, audio, or video) can leak very private information. At the same time, some IoT devices use low-end computing platforms with few (or no) security features.There are many well-known techniques to secure sensed data, e.g., by authenticating communication end-points, encrypting data before transmission, and obfuscating traffic patterns. Such techniques protect sensed data from external adversaries, while assuming that the sensing device itself is secure. Meanwhile, both the scale and frequency of IoT-focused attacks are growing. This prompts a natural question: how to protect sensed data even if all software on the device is compromised? Ideally, in order to achieve this, sensed data must be protected from its genesis, i.e., from the time when a physical analog quantity is converted into its digital counterpart and becomes accessible to software. We refer to this property as PfB: Privacy-from-Birth.In this work, we formalize PfB and design Verified Remote Sensing Authorization (VERSA) – a provably secure and formally verified architecture guaranteeing that only correct execution of expected and explicitly authorized software can access and manipulate sensing interfaces, specifically, General Purpose Input/Output (GPIO), which is the usual boundary between analog and digital worlds on IoT devices. This guarantee is obtained with minimal hardware support and holds even if all device software is compromised. VERSA ensures that malware can neither gain access to sensed data on the GPIO-mapped memory nor obtain any trace thereof. VERSA formally verified and its open-sourced implementation targets resource-constrained IoT edge devices, commonly used for sensing. Experimental results show that PfB is both achievable and affordable for such devices.

Vronicle: verifiable provenance for videos from mobile devices

Abstract: An increasing number of mobile devices are incorporating cameras, allowing users to record videos at any time, anywhere. This opens up a wide variety of applications, most notably security-critical ones, where videos are used as evidence or include sensitive content. Examples of such applications include (but are not limited to): (i) citizen journalists recording important events (e.g., protests), (ii) courts using videos as evidence, and (iii) electronic legal contract-signing platforms using videos to identify signing users [1].

GAROTA: Generalized Active Root-Of-Trust Architecture (for Tiny Embedded Devices)

Abstract: Embedded (aka smart or IoT) devices are increasingly popular and becoming ubiquitous. Unsurprisingly, they are also attractive attack targets for exploits and malware. Low-end embedded devices, designed with strict cost, size, and energy limitations, are especially challenging to secure, given their lack of resources to implement sophisticated security services, available on higher-end computing devices. To this end, several tiny Roots-of-Trust (RoTs) were proposed to enable services, such as remote verification of device’s software state and run-time integrity. Such RoTs operate reactively : they can prove whether a desired action (e.g., software update or program execution) was performed on a specific device. However, they can not guarantee that a desired action will be performed, since malware controlling the device can trivially block access to the RoT by ignoring/discarding received commands and other trigger events. This is an important problem because it allows malware to effectively “brick” or incapaci-tate a potentially huge number of (possibly mission-critical) devices. : Generalized Active Root-Of-Trust Architecture. We believe that GAROTA is the first clean-slate design of an active RoT for low-end MCU-s. We show how GAROTA guarantees that even a fully software-compromised low-end MCU performs a desired action. We demonstrate its practicality by implementing GAROTA in the context of three types of applications where actions are triggered by: sensing hardware, network events and timers. We also formally specify and verify GAROTA functionality and properties.

Vronicle

Abstract: An increasing number of mobile devices are incorporating cameras, allowing users to record videos at any time, anywhere. This opens up a wide variety of applications, most notably security-critical ones, where videos are used as evidence or include sensitive content. Examples of such applications include (but are not limited to): (i) citizen journalists recording important events (e.g., protests), (ii) courts using videos as evidence, and (iii) electronic legal contract-signing platforms using videos to identify signing users [1].

Vronicle: verifiable provenance for videos from mobile devices

Abstract: An increasing number of mobile devices are incorporating cameras, allowing users to record videos at any time, anywhere. This opens up a wide variety of applications, most notably security-critical ones, where videos are used as evidence or include sensitive content. Examples of such applications include (but are not limited to): (i) citizen journalists recording important events (e.g., protests), (ii) courts using videos as evidence, and (iii) electronic legal contract-signing platforms using videos to identify signing users [1].

We Can Hear Your PIN Drop: An Acoustic Side-Channel Attack on ATM PIN Pads

Abstract: Personal Identification Numbers (PINs) are the most common user authentication method for in-person banking transactions at ATMs. The US Federal Reserve reported that, in 2018, PINs secured 31.4 billion transactions in the US, with an overall worth of US$ 1.19 trillion. One well-known attack type involves the use of cameras to spy on the ATM PIN pad during PIN entry. Countermeasures include covering the PIN pad with a shield or with the other hand while typing. Although this protects PINs from visual attacks, acoustic emanations from the PIN pad itself open the door for another attack type. In this paper, we show the feasibility of an acoustic side-channel attack (called $$\mathcal PinDrop$$ ) to reconstruct PINs by profiling acoustic signatures of individual keys of a PIN pad. We demonstrate the practicality of $$\mathcal PinDrop$$ via two sets of data collection experiments involving two commercially available metal PIN pad models and 58 participants who entered a total of 5,800 5-digit PINs. We simulated two realistic attack scenarios: (1) a microphone placed near the ATM (0.3 m away) and (2) a real-time attacker (with a microphone) standing in the queue at a common courtesy distance of 2 m. In the former case, we show that $$\mathcal PinDrop$$ recovers 96% of 4-digit, and up to 94% of 5-digits, PINs. Whereas, at 2 m away, it recovers up to 57% of 4-digit, and up to 39% of 5-digit PINs in three attempts. We believe that these results are both significant and worrisome.

CASU: Compromise Avoidance via Secure Update for Low-end Embedded Systems

Abstract: Guaranteeing runtime integrity of embedded system software is an open problem. Trade-offs between security and other priorities (e.g., cost or performance) are inherent, and resolving them is both challenging and important. The proliferation of runtime attacks that introduce malicious code (e.g., by injection) into embedded devices has prompted a range of mitigation techniques. One popular approach is Remote Attestation (ℛA), whereby a trusted entity (verifier) checks the current software state of an untrusted remote device (prover). RA yields a timely authenticated snapshot of prover state that verifier uses to decide whether an attack occurred.Current RA schemes require verifier to explicitly initiate ℛA, based on some unclear criteria. Thus, in case of prover’s compromise, verifier only learns about it late, upon the next ℛA instance. While sufficient for compromise detection, some applications would benefit from a more proactive, prevention-based approach. To this end, we construct CASU: Compromise Avoidance via Secure Updates. CASU is an inexpensive hardware/software co-design enforcing: (i) runtime software immutability, thus precluding any illegal software modification, and (ii) authenticated updates as the sole means of modifying software. In CASU, a successful ℛA instance serves as a proof of successful update, and continuous subsequent software integrity is implicit, due to the runtime immutability guarantee. This obviates the need for ℛA in between software updates and leads to unobtrusive integrity assurance with guarantees akin to those of prior ℛA techniques, with better overall performance.

Balancing Security and Privacy in Genomic Range Queries*

Abstract: Exciting recent advances in genome sequencing, coupled with greatly reduced storage and computation costs, make genomic testing increasingly accessible to individuals. Already today, one’s digitized DNA can be easily obtained from a sequencing lab and later used to conduct numerous tests by engaging with a testing facility. Due to the inherent sensitivity of genetic material and the often-proprietary nature of genomic tests, privacy is a natural and crucial issue. While genomic privacy received a great deal of attention within and outside the research community, genomic security has not been sufficiently studied. This is surprising since the usage of fake or altered genomes can have grave consequences, such as erroneous drug prescriptions and genetic test outcomes. Unfortunately, in the genomic domain, privacy and security (as often happens) are at odds with each other. In this paper, we attempt to reconcile security with privacy in genomic testing by designing a novel technique for a secure and private genomic range query protocol between a genomic testing facility and an individual user. The proposed technique ensures authenticity and completeness of user-supplied genomic material while maintaining its privacy by releasing only the minimum thereof. To confirm its broad usability, we show how to apply the proposed technique to a previously proposed genomic private substring matching protocol. Experiments show that the proposed technique offers good performance and is quite practical. Furthermore, we generalize the genomic range query problem to sparse integer sets and discuss potential use cases.

V'CER: Efficient Certificate Validation in Constrained Networks

Abstract: We address the challenging problem of efficient trust establishment in constrained networks , i.e., networks that are com-posed of a large and dynamic set of (possibly heterogeneous) devices with limited bandwidth, connectivity, storage, and computational capabilities. Constrained networks are an in-tegral part of many emerging application domains, from IoT meshes to satellite networks. A particularly difficult challenge is how to enforce timely revocation of compromised or faulty devices. Unfortunately, current solutions and techniques cannot cope with idiosyncrasies of constrained networks, since they mandate frequent real-time communication with centralized entities, storage and maintenance of large amounts of revocation information, and incur considerable bandwidth overhead. To address the shortcomings of existing solutions, we design V’CER, a secure and efficient scheme for certificate validation that augments and benefits a PKI for constrained networks. V’CER utilizes unique features of Sparse Merkle Trees (SMTs) to perform lightweight revocation checks, while enabling collaborative operations among devices to keep them up-to-date when connectivity to external authorities is limited. V’CER can complement any PKI scheme to increase its flexibility and applicability, while ensuring fast dissemination of validation information independent of the network routing or topology. V’CER requires under 3KB storage per node covering 10 6 certificates. We developed and deployed a prototype of V’CER on an in-orbit satellite and our large-scale simulations demonstrate that V’CER decreases the number of requests for updates from external authorities by over 93%, when nodes are intermittently

Thermal (and Hybrid Thermal/Audio) Side-Channel Attacks on Keyboard Input

Abstract: To date, there has been no systematic investigation of thermal profiles of keyboards, and thus no efforts have been made to secure them. This serves as our main motivation for constructing a means for password harvesting from keyboard thermal emanations. Specifically, we introduce Thermanator : a new post-factum insider attack based on heat transfer caused by a user typing a password on a typical external (plastic) keyboard. We conduct and describe a user study that collected thermal residues from 30 users entering 10 unique passwords (both weak and strong) on 4 popular commodity keyboards. Results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as 1 minute after entry. However, the thermal residue side-channel lacks information about password length, duplicate key-presses, and key-press ordering. To overcome these limitations, we leverage keyboard acoustic emanations and combine the two to yield AcuTherm , the first hybrid side-channel attack on keyboards. AcuTherm significantly reduces password search without the need for any training on the victim’s typing. We report results gathered for many representative passwords based on a user study involving 19 subjects. The takeaway of this work is three-fold: (1) using plastic keyboards to enter secrets (such as passwords and PINs) is even less secure than previously recognized, (2) post-factum thermal imaging attacks are realistic, and (3) hybrid (multiple side-channel) attacks are both realistic and effective.

Casu

Abstract: Guaranteeing runtime integrity of embedded system software is an open problem. Trade-offs between security and other priorities (e.g., cost or performance) are inherent, and resolving them is both challenging and important. The proliferation of runtime attacks that introduce malicious code (e.g., by injection) into embedded devices has prompted a range of mitigation techniques. One popular approach is Remote Attestation (RA), whereby a trusted entity (verifier) checks the current software state of an untrusted remote device (prover). RA yields a timely authenticated snapshot of prover state that verifier uses to decide whether an attack occurred.

SEDIMENT: An IoT-device-centric Methodology for Scalable 5G Network Security

Abstract: Advances in wireless networking, such as 5G, continue to enable the vision of the Internet of Things (IoT), where everything is connected, and much data is collected by IoT devices and made available to interested parties (i.e., application servers). However, events such as botnet attacks (e.g., [1]) demonstrate that there are important challenges in this evolution.In this paper we consider the problem of scalable and secure data publication from IoT devices, with included mechanisms that help towards device attacks prevention and detection. We propose SEDIMENT, a system and methodology which look more specifically at problems that arise in a network with a broad variety of devices, some of which have limited resources and some of which were designed for a less hostile environment. SEDIMENT uses a combination of software root of trust, remote attestation and resource-efficient cryptography, to build a system that scales across heterogeneous computing platforms. It allows for devices that range from battery-powered devices that are intended to operate for long periods up to server-class machines without power constraints. SEDIMENT provides a secure application layer that can be used for common communication paradigms such as publish-subscribe while following zero-trust principles in both protecting the end hosts from the network and other end hosts, as well as protecting the network from the end hosts.