
Showing papers by "Tadayoshi Kohno published in 2009"


Proceedings Article
10 Aug 2009
TL;DR: Vanish is a system that makes archived data unreadable after a user-specified time, with no action by the user and even if an attacker later obtains both a copy of the data and the user's keys and passwords, through a novel integration of cryptographic techniques with global-scale, P2P distributed hash tables (DHTs); prototypes on the Vuze BitTorrent DHT and OpenDHT show it is practical and meets these privacy goals.
Abstract: Today's technical and legal landscape presents formidable challenges to personal data privacy. First, our increasing reliance on Web services causes personal data to be cached, copied, and archived by third parties, often without our knowledge or control. Second, the disclosure of private data has become commonplace due to carelessness, theft, or legal actions. Our research seeks to protect the privacy of past, archived data -- such as copies of emails maintained by an email provider -- against accidental, malicious, and legal attacks. Specifically, we wish to ensure that all copies of certain data become unreadable after a user-specified time, without any specific action on the part of a user, and even if an attacker obtains both a cached copy of that data and the user's cryptographic keys and passwords. This paper presents Vanish, a system that meets this challenge through a novel integration of cryptographic techniques with global-scale, P2P, distributed hash tables (DHTs). We implemented a proof-of-concept Vanish prototype to use both the million-plus-node Vuze BitTorrent DHT and the restricted-membership OpenDHT. We evaluate experimentally and analytically the functionality, security, and performance properties of Vanish, demonstrating that it is practical to use and meets the privacy-preserving goals described above. We also describe two applications that we prototyped on Vanish: a Firefox plugin for Gmail and other Web sites and a Vanishing File application.

404 citations
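The mechanism the Vanish abstract summarizes, as an added example written for this page (it is not the Vanish code): the data is encrypted under a fresh random key, the key is split with Shamir-style threshold secret sharing as Vanish does, the shares are pushed into a DHT whose entries expire on their own, and the object kept with the data holds only the ciphertext and a lookup handle, never the key. Once fewer than the threshold number of shares survive, nobody can decrypt, including an attacker who later holds the object and every password the user has. Stand-ins and assumptions here: an HMAC-SHA256 counter-mode keystream in place of a real symmetric cipher, an in-memory dictionary with per-entry expiry in place of the Vuze or OpenDHT node store, hash-derived share indices, and the share count, threshold and 8-hour timeout, all chosen for illustration.

```python
"""Added illustration of the Vanish mechanism; this is not the Vanish code.

A fresh random key encrypts the data, the key is split with Shamir's
threshold scheme, the shares go into a DHT whose entries expire, and the
object handed to the user holds only the ciphertext and a lookup handle.
Stand-ins used here: HMAC-SHA256 counter mode for the symmetric cipher, an
in-memory dict with per-entry expiry for the Vuze/OpenDHT store.
"""
import hashlib
import hmac
import secrets
import time

P = 2**521 - 1   # Mersenne prime; a 256-bit key fits in one field element


def split_secret(secret: int, n: int, k: int) -> list[tuple[int, int]]:
    """Shamir: n shares of `secret` over GF(P), any k of which reconstruct it."""
    assert 0 < k <= n and 0 <= secret < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; needs at least k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode stream: block i is HMAC-SHA256(key, i). Stand-in for AES-CTR."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class ExpiringDHT:
    """Stand-in for a DHT node store: an entry is unreadable once its ttl has passed."""

    def __init__(self, ttl: float, clock=time.time):
        self.ttl, self.clock, self.store = ttl, clock, {}

    def put(self, index: bytes, value: int) -> None:
        self.store[index] = (value, self.clock() + self.ttl)

    def get(self, index: bytes):
        item = self.store.get(index)
        if item is None or self.clock() >= item[1]:
            self.store.pop(index, None)       # expired: the node forgets it
            return None
        return item[0]


def share_index(access_key: bytes, x: int) -> bytes:
    """DHT index of share x, derived from the handle kept with the ciphertext (illustrative)."""
    return hashlib.sha256(access_key + x.to_bytes(2, "big")).digest()


def vanish_encapsulate(plaintext: bytes, dht: ExpiringDHT, n: int = 10, k: int = 7) -> dict:
    """Encrypt, scatter the key's shares into the DHT, return an object without the key."""
    key = secrets.token_bytes(32)
    ciphertext = keystream_xor(key, plaintext)
    access_key = secrets.token_bytes(16)
    for x, y in split_secret(int.from_bytes(key, "big"), n, k):
        dht.put(share_index(access_key, x), y)
    del key                                    # the user never keeps the data key
    return {"ciphertext": ciphertext, "access_key": access_key, "n": n, "k": k}


def vanish_decapsulate(vdo: dict, dht: ExpiringDHT):
    """Collect surviving shares; None once fewer than k remain, for user and attacker alike."""
    shares = []
    for x in range(1, vdo["n"] + 1):
        y = dht.get(share_index(vdo["access_key"], x))
        if y is not None:
            shares.append((x, y))
    if len(shares) < vdo["k"]:
        return None
    key = recover_secret(shares[: vdo["k"]]).to_bytes(32, "big")
    return keystream_xor(key, vdo["ciphertext"])


if __name__ == "__main__":
    now = [0.0]                                # fake clock so the demo does not wait 8 hours
    dht = ExpiringDHT(ttl=8 * 3600, clock=lambda: now[0])
    vdo = vanish_encapsulate(b"constructed sample: meet at 9pm", dht)
    print("readable now:", vanish_decapsulate(vdo, dht))
    now[0] += 8 * 3600 + 1
    print("readable after timeout:", vanish_decapsulate(vdo, dht))
```

The threshold is what lets the scheme tolerate DHT churn (a few shares lost early do no harm) while still guaranteeing that, once the DHT has forgotten enough of them, no party can reconstruct the key. The whole guarantee therefore rests on the DHT actually expiring and forgetting shares and on an adversary not being able to harvest them before the timeout; the retrospective entry on this page about Adeona and Vanish discusses exactly such limitations of existing DHTs.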


Proceedings ArticleDOI
30 Sep 2009
TL;DR: This research experimentally analyzes three of today's household robots for security and privacy vulnerabilities and synthesizes the results into a set of design questions aimed at facilitating the future development of household robots that are secure and preserve their users' privacy.
Abstract: Future homes will be populated with large numbers of robots with diverse functionalities, ranging from chore robots to elder care robots to entertainment robots. While household robots will offer numerous benefits, they also have the potential to introduce new security and privacy vulnerabilities into the home. Our research consists of three parts. First, to serve as a foundation for our study, we experimentally analyze three of today's household robots for security and privacy vulnerabilities: the WowWee Rovio, the Erector Spykee, and the WowWee RoboSapien V2. Second, we synthesize the results of our experimental analyses and identify key lessons and challenges for securing future household robots. Finally, we use our experiments and lessons learned to construct a set of design questions aimed at facilitating the future development of household robots that are secure and preserve their users' privacy.

143 citations


Proceedings ArticleDOI
04 Apr 2009
TL;DR: It is found that frequency of access to a graphical password, interference resulting from interleaving access to multiple graphical passwords, and patterns of access while training multiple graphical passwords significantly impact the ease of authenticating using multiple facial graphical passwords.
Abstract: Graphical password systems have received significant attention as one potential solution to the need for more usable authentication, but nearly all prior work makes the unrealistic assumption of studying a single password. This paper presents the first study of multiple graphical passwords to systematically examine frequency of access to a graphical password, interference resulting from interleaving access to multiple graphical passwords, and patterns of access while training multiple graphical passwords. We find that all of these factors significantly impact the ease of authenticating using multiple facial graphical passwords. For example, participants who accessed four different graphical passwords per week were ten times more likely to completely fail to authenticate than participants who accessed a single password once per week. Our results underscore the need for more realistic evaluations of the use of multiple graphical passwords, have a number of implications for the adoption of graphical password systems, and provide a new basis for comparing proposed graphical password systems.

121 citations


Journal ArticleDOI
TL;DR: The authors define "neurosecurity"-a version of computer science security principles and methods applied to neural engineering-and discuss why neurosecurity should be a critical consideration in the design of future neural devices.
Abstract: An increasing number of neural implantable devices will become available in the near future due to advances in neural engineering. This discipline holds the potential to improve many patients' lives dramatically by offering improved—and in some cases entirely new—forms of rehabilitation for conditions ranging from missing limbs to degenerative cognitive diseases. The use of standard engineering practices, medical trials, and neuroethical evaluations during the design process can create systems that are safe and that follow ethical guidelines; unfortunately, none of these disciplines currently ensure that neural devices are robust against adversarial entities trying to exploit these devices to alter, block, or eavesdrop on neural signals. The authors define “neurosecurity”—a version of computer science security principles and methods applied to neural engineering—and discuss why neurosecurity should be a critical consideration in the design of future neural devices.

98 citations


Proceedings ArticleDOI
09 Nov 2009
TL;DR: This paper examines the recently issued United States Passport Card and Washington State "enhanced drivers license" (WA EDL), both of which incorporate Gen-2 EPC tags, and measures multiple weaknesses, including susceptibility to cloning, extended read ranges, and the ability to remotely kill a WA EDL.
Abstract: EPC (Electronic Product Code) tags are industry-standard RFID devices poised to supplant optical barcodes in many applications. We explore the systemic risks and challenges created by the increasingly common use of EPC for security applications. As a central case study, we examine the recently issued United States Passport Card and Washington State "enhanced drivers license" (WA EDL), both of which incorporate Gen-2 EPC tags. We measure multiple weaknesses, including susceptibility to cloning, extended read ranges, and the ability to remotely kill a WA EDL. We study the implications of these vulnerabilities to overall system security, and offer suggestions for improvement. We demonstrate anti-cloning techniques for off-the-shelf EPC tags, overcoming practical challenges in a previous proposal to co-opt the EPC "kill" command to achieve tag authentication. Our paper fills a vacuum of experimentally grounded evaluation of and guidance for security applications for EPC tags not just in identity documents, but more broadly in the authentication of objects and people.

74 citations


Journal ArticleDOI
TL;DR: Clinically significant magnetic interference can occur when portable headphones are placed in close proximity to implanted pacemakers (PMs) and implantable cardioverter-defibrillators (ICDs); patients with such a device should be advised to keep portable headphones at least 3 cm from their device.

65 citations


Book ChapterDOI
27 Jul 2009
TL;DR: This work suggests a middle-ground: enlisting ISPs to assist in improving the identity privacy of users in a manner compatible with the existing Internet architecture, ISP best practices, and potential legal requirements.
Abstract: Today's Internet architecture makes no deliberate attempt to provide identity privacy--IP addresses are, for example, often static and the consistent use of a single IP address can leak private information to a remote party. Existing approaches for rectifying this situation and improving identity privacy fall into one of two broad classes: (1) building a privacy-enhancing overlay layer (like Tor) that can run on top of the existing Internet or (2) research into principled but often fundamentally different new architectures. We suggest a middle-ground: enlisting ISPs to assist in improving the identity privacy of users in a manner compatible with the existing Internet architecture, ISP best practices, and potential legal requirements.

40 citations


01 Jan 2009
TL;DR: Privacy Scope uses application-level dynamic taint analysis, implemented with dynamic binary translation tools, to let users run applications in their own environment while pinpointing information leaks, even when the sensitive data is encrypted.
Abstract: We present Privacy Scope, a new system that tracks the movement of sensitive user data as it flows through off-the-shelf applications. Privacy Scope uses application-level dynamic taint analysis, implemented with dynamic binary translation tools, to let users run applications in their own environment while pinpointing information leaks, even when the sensitive data is encrypted. The system is made possible by techniques we developed for accurate and efficient tainting. Semantic-aware instruction-level tainting handles special cases and is critical to avoid taint explosion or loss. Function summaries provide an interface to handle taint propagation within the kernel and reduce the overhead of instruction-level tracking. On-demand instrumentation enables fast loading of large applications. Together, these techniques let us run on large, multi-threaded, networked applications and precisely track where information goes. In tests on Internet Explorer, Yahoo! Messenger, and Windows Notepad, Privacy Scope generated no false positives and instrumented fewer than 5% of the executed instructions.

36 citations
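A toy taint tracker, added here to make concrete two of the techniques the Privacy Scope abstract names; it is an illustration written for this page, not Privacy Scope's code, and the mini instruction set, addresses, program and the "password" label are all constructed. With naive union propagation, `xor eax, eax` (the compiler's idiom for zeroing a register) keeps the secret's label on a register that now holds a constant, and every later use drags the label along, which is the taint explosion the abstract warns about; the semantic-aware rule clears it. Separately, a function summary for `memcpy` transfers taint per byte in one step instead of instrumenting every instruction of the copy loop. Privacy Scope's summaries target taint propagation across the kernel boundary; `memcpy` stands in here as a small function with the same shape.

```python
"""Added toy taint tracker illustrating two points from the Privacy Scope
abstract: semantic-aware handling of special instructions and function
summaries. Illustration only, not Privacy Scope's code; the mini
instruction set, the addresses and the program are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class State:
    regs: dict = field(default_factory=dict)   # register -> byte value
    mem: dict = field(default_factory=dict)    # address -> byte value
    taint: dict = field(default_factory=dict)  # register or address -> set of source labels
    instrumented: int = 0                      # instructions the taint engine had to process

    def t(self, loc):
        return self.taint.get(loc, set())

    def set_taint(self, loc, labels):
        if labels:
            self.taint[loc] = set(labels)
        else:
            self.taint.pop(loc, None)


def step(st: State, ins: tuple, semantic_aware: bool) -> None:
    """Execute one instruction and propagate taint alongside the value."""
    st.instrumented += 1
    op = ins[0]
    if op == "mov":                      # mov dst, src
        _, dst, src = ins
        st.regs[dst] = st.regs.get(src, 0)
        st.set_taint(dst, st.t(src))
    elif op == "load":                   # load dst, [addr]
        _, dst, addr = ins
        st.regs[dst] = st.mem.get(addr, 0)
        st.set_taint(dst, st.t(addr))
    elif op == "store":                  # store [addr], src
        _, addr, src = ins
        st.mem[addr] = st.regs.get(src, 0)
        st.set_taint(addr, st.t(src))
    elif op in ("add", "sub", "xor"):    # op dst, src  ->  dst = dst OP src
        _, dst, src = ins
        a, b = st.regs.get(dst, 0), st.regs.get(src, 0)
        st.regs[dst] = {"add": (a + b) & 0xFF, "sub": (a - b) & 0xFF, "xor": a ^ b}[op]
        if semantic_aware and op in ("sub", "xor") and dst == src:
            # `xor eax, eax` / `sub eax, eax` zero the register: the result is a
            # constant and carries no taint. Naive union propagation would keep
            # the old label, and from here it would spread to everything eax touches.
            st.set_taint(dst, set())
        else:
            st.set_taint(dst, st.t(dst) | st.t(src))
    else:
        raise ValueError(f"unknown instruction {op}")


def memcpy_body(dst: int, src: int, n: int) -> list:
    """Without a summary the engine sees the byte-copy loop, instruction by instruction."""
    body = []
    for i in range(n):
        body += [("load", "tmp", src + i), ("store", dst + i, "tmp")]
    return body


def memcpy_summary(st: State, dst: int, src: int, n: int) -> None:
    """Function summary: one taint transfer per byte, no per-instruction instrumentation."""
    for i in range(n):
        st.mem[dst + i] = st.mem.get(src + i, 0)
        st.set_taint(dst + i, st.t(src + i))


def run(program: list, st: State, semantic_aware: bool = True, use_summaries: bool = True) -> State:
    for ins in program:
        if ins[0] == "call":
            _, fn, *args = ins
            if fn != "memcpy":
                raise ValueError(f"no model for {fn}")
            if use_summaries:
                memcpy_summary(st, *args)
            else:
                for sub in memcpy_body(*args):
                    step(st, sub, semantic_aware)
        else:
            step(st, ins, semantic_aware)
    return st


# Constructed layout: secret input buffer, scratch buffer, outgoing network buffer, a log slot.
PASSWORD_BUF, SCRATCH_BUF, SEND_BUF, LOG_SLOT = 0x100, 0x200, 0x300, 0x400
SECRET = b"hunter2"   # constructed sample secret typed into the application


def fresh_state() -> State:
    st = State()
    for i, b in enumerate(SECRET):
        st.mem[PASSWORD_BUF + i] = b
        st.set_taint(PASSWORD_BUF + i, {"password"})
    return st


PROGRAM = [
    ("load", "eax", PASSWORD_BUF),                      # eax <- password byte (tainted)
    ("xor", "eax", "eax"),                              # eax = 0: no longer depends on the secret
    ("add", "ebx", "eax"),                              # ebx += 0
    ("store", LOG_SLOT, "ebx"),                         # writes a constant; not a leak
    ("call", "memcpy", SCRATCH_BUF, PASSWORD_BUF, 7),   # password into a scratch area
    ("call", "memcpy", SEND_BUF, SCRATCH_BUF, 7),       # ... and into the send buffer: real leak
]


def leaked(st: State, base: int, n: int) -> list:
    """Addresses in [base, base+n) holding password-derived bytes, per the taint map."""
    return [base + i for i in range(n) if "password" in st.t(base + i)]


if __name__ == "__main__":
    naive = run(PROGRAM, fresh_state(), semantic_aware=False, use_summaries=False)
    smart = run(PROGRAM, fresh_state(), semantic_aware=True, use_summaries=True)
    print("naive flags log slot:", bool(naive.t(LOG_SLOT)), "instructions:", naive.instrumented)
    print("smart flags log slot:", bool(smart.t(LOG_SLOT)), "instructions:", smart.instrumented)
    print("send-buffer leak caught by both:", leaked(smart, SEND_BUF, 7) == leaked(naive, SEND_BUF, 7))
```

Both configurations catch the genuine leak into the send buffer; only the naive one also flags the log slot, and it processes every instruction of both copy loops. The list of special cases a real x86 engine must know is far longer than the zeroing idiom shown here (constant-producing `and`, table lookups indexed by tainted data, and so on), and this toy tracks no control-flow or implicit flows; the abstract's "no false positives" claim is about the real system on real applications, not about this illustration.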


01 Jan 2009
TL;DR: This paper provides a retrospective from the authors' collective experience of designing and prototyping two DHT-based security and privacy applications (Adeona and Vanish) and of designing and operating deployed DHTs (OpenDHT and Vuze), discusses the limitations and vulnerabilities of modern DHTs for such applications, and proposes simple defenses and a hybrid decentralized/centralized approach.
Abstract: In the recent past we introduced two new security applications built on peer-to-peer systems and distributed hash tables (DHTs). First, we designed Adeona [18], which leverages DHTs to provide a privacy-preserving laptop tracking solution. Second, we designed the Vanish [10] self-destructing data system, which uses DHTs to protect against retroactive attacks on archived data in the cloud. Both systems exploit intuitive properties of DHTs that differentiate them from centralized solutions: e.g., complete or partial decentralization, giant scale, and geographic distribution. We implemented and made publicly available research prototypes of both Adeona and Vanish; the Adeona prototype uses OpenDHT as its underlying DHT and the Vanish prototype uses the Vuze DHT. While the properties of DHTs make them a tempting environment for new security-based systems, existing DHTs were never designed to support security or privacy applications, and such applications therefore stress DHTs in new ways. This paper provides a retrospective from our collective experience both designing and prototyping the two DHT-based security/privacy applications, and operating and designing deployed DHTs (OpenDHT and Vuze). We discuss limitations and vulnerabilities of modern DHTs for security applications and propose very simple defenses that — perhaps surprisingly — greatly raise the bar for existing DHTs against certain privacy attacks. We also advocate for a hybrid approach that combines the best of both decentralized DHTs and centralized services for new security applications. Our goal is to inform the design of future DHTs and to strengthen the applicability of existing DHTs for supporting applications such as Adeona and Vanish.

17 citations


Journal ArticleDOI
01 Sep 2009
TL;DR: A central lesson of the study is that evaluating a system's security by examining changes between revisions is insufficient; you must evaluate and analyze the system as a whole.
Abstract: Updating and patching has become a ubiquitous part of software maintenance, with particular importance to security. It's especially crucial when the systems in question perform vital functions and security compromises might yield drastic consequences. Unfortunately, updates intended to remediate security problems are sometimes incomplete, are flawed, or introduce new vulnerabilities themselves. The authors present several examples of such instances in a widely used electronic voting system, a device for which security is critical. A central lesson of the study is that evaluating a system's security by examining changes between revisions is insufficient; you must evaluate and analyze the system as a whole.

2 citations