Archive for the 'CS' Category
October 15th, 2017, by Tim Finin, posted in cybersecurity, Security
Penetration Testing a Simulated Automotive Ethernet Environment
11:00am Monday, 9 October 2017, ITE 346
The capabilities of modern day automobiles have far exceeded what Robert Bosch GmbH could have imagined when it proposed the Controller Area Network (CAN) bus back in 1986. Over time, drivers wanted more functionality, comfort, and safety in their automobiles creating a burden for automotive manufacturers. With these driver demands came many innovations to the in-vehicle network core protocol. Modern automobiles that have a video based infotainment system or any type of camera assisted functionality such as an Advanced Driver Assistance System (ADAS) use ethernet as their network backbone. This is because the original CAN specification only allowed for up to eight bytes of data per message on a bus rated at 1 Mbps. This is far less than the requirements of more advanced video-based automotive systems. The ethernet protocol allows for 1500 bytes of data per packet on a network rated for up to 100 Mbps. This led the automotive industry to adopt ethernet as the core protocol, overcoming most of the limitations posed by the CAN protocol. By adopting ethernet as the protocol for automotive networks, certain attack vectors are now available for black hat hackers to exploit in order to put the vehicle in an unsafe condition. This thesis will create a simulated automotive ethernet environment using the CANoe network simulation platform created by Vector. Then, a penetration test will be conducted on the simulated environment in order to discover attacks that pose a threat to automotive ethernet networks. These attacks will be from the perspective of an attacker will full access to the vehicle under test, and will cover all three sides of the Confidentiality, Integrity, Availability (CIA) triad. In conclusion, this thesis will propose several ethernet specific defense mechanisms that can be implemented in an automotive taxonomy to reduce the attack surface and allow for a safer end user experience.
October 8th, 2017, by Tim Finin, posted in cybersecurity, Mobile Computing, Pervasive Computing, RFID, Security
Attacks on Smart Cards, RFIDs and Embedded Systems
Prof. Keith Mayes
Royal Holloway University of London
10-11:00am Tuesday, 10 October 2017, ITE 325, UMBC
Smart Cards and RFIDs exist with a range of capabilities and are used in their billions throughout the world. The simpler devices have poor security, however, for many years, high-end smart cards have successfully been used in a range of systems such as banking, passports, mobile communication, satellite TV etc. Fundamental to their success is a specialist design to offer remarkable resistance to a wide range of attacks, including physical, side-channel and fault. This talk describes a range of known attacks and the countermeasures that are employed to defeat them.
Prof. Keith Mayes is the Head of the School of Mathematics and Information Security at Royal Holloway University of London. He received his BSc (Hons) in Electronic Engineering in 1983 from the University of Bath, and his PhD degree in Digital Image Processing in 1987. He is an active researcher/author with 100+ publications in numerous conferences, books and journals. His interests include the design of secure protocols, communications architectures and security tokens as well as associated attacks/countermeasures. He is a Fellow of the Institution of Engineering and Technology, a Founder Associate Member of the Institute of Information Security Professionals, a Member of the Licensing Executives Society and a member of the editorial board of the Journal of Theoretical and Applied Electronic Commerce Research (JTAER).
June 10th, 2017, by Tim Finin, posted in cybersecurity, Privacy, Security
The DC-Area Anonymity, Privacy, and Security Seminar (DCAPS) is a seminar for research on computer and communications anonymity, privacy, and security in the D.C. area. DCAPS meets to promote collaboration and improve awareness of work in the community. Seminars occur three times a year. It meets at different locations and has been hosted in the past by George Mason University, Georgetown University, George Washington University, University of Maryland, College park and UMBC. DCAPS meetings are free and open to anybody interested. To join the seminar mailing list, contact the organizer, Aaron Johnson, at aaron.m.johnson AT nrl.navy.mil.
March 14th, 2017, by Tim Finin, posted in Datamining, Machine Learning, Mobile Computing, Security
Prajit Kumar Das, Anupam Joshi and Tim Finin, App behavioral analysis using system calls, MobiSec: Security, Privacy, and Digital Forensics of Mobile Systems and Networks, IEEE Conference on Computer Communications Workshops, May 2017.
System calls provide an interface to the services made available by an operating system. As a result, any functionality provided by a software application eventually reduces to a set of fixed system calls. Since system calls have been used in literature, to analyze program behavior we made an assumption that analyzing the patterns in calls made by a mobile application would provide us insight into its behavior. In this paper, we present our preliminary study conducted with 534 mobile applications and the system calls made by them. Due to a rising trend of mobile applications providing multiple functionalities, our study concluded, mapping system calls to functional behavior of a mobile application was not straightforward. We use Weka tool and manually annotated application behavior classes and system call features in our experiments to show that using such features achieves mediocre F1-measure at best, for app behavior classification. Thus leading to the conclusion that system calls were not sufficient features for app behavior classification.
February 27th, 2017, by Tim Finin, posted in Mobile Computing, Privacy, Security
Context-Dependent Privacy and Security Management on Mobile Devices
10:00am Tuesday, 27 February, 2017
Security and privacy of mobile devices is a challenging research domain. A prominent aspect of this research focuses on discovering software vulnerabilities for mobile operating systems and mobile apps. The other aspect of research focuses on user privacy and using feedback, generates privacy profiles for controlling data privacy. Profile based or role-based security can be restrictive as they require prior definition of such roles or profiles. As a result, it is better to use attribute-based access control and let the attributes define granularity of policy definition. This problem may thus be defined as, a security and privacy personalization problem. A critical issue in the process of capturing personalized policy is one of creating a system that is adaptive and knows when user’s preferences have been captured. Presented in this work you will learn about Mithril, a framework for capturing user access control policies that are fine-grained, context-sensitive and are represented using Semantic Web technologies and thereby manages access control decisions for user data on mobile devices. Violation metric has been used in this work as a measure to determine system state. A hierarchical context ontology has been used to define fine-grained access control policies and simplifying the process of policy modification for a user. A secondary goal of this research was to determine behavioral traits of mobile applications with a goal to detect outlier applications. Some preliminary research on this topic will also be discussed.
November 8th, 2016, by Tim Finin, posted in cybersecurity, Ebiquity, Mobile Computing, Policy, Privacy
In this week’s ebiquity meeting (11:30 8 Nov. 2016) Prajit Das will present his work on capturing policies for fine-grained access control on mobile devices.
As of 2016, there are more mobile devices than humans on earth. Today, mobile devices are a critical part of our lives and often hold sensitive corporate and personal data. As a result, they are a lucrative target for attackers, and managing data privacy and security on mobile devices has become a vital issue. Existing access control mechanisms in most devices are restrictive and inadequate. They do not take into account the context of a device and its user when making decisions. In many cases, the access granted to a subject should change based on context of a device. Such fine-grained, context-sensitive access control policies have to be personalized too. In this paper, we present the Mithril system, that uses policies represented in Semantic Web technologies and captured using user feedback, to handle access control on mobile devices. We present an iterative feedback process to capture user specific policy. We also present a policy violation metric that allows us to decide when the capture process is complete.
May 24th, 2016, by Tim Finin, posted in cloud computing, cybersecurity, Privacy, Security, Semantic Web
Vaishali Narkhede, Karuna Pande Joshi, Tim Finin, Seung Geol Choi, Adam Aviv and Daniel S. Roche, Managing Cloud Storage Obliviously
, International Conference on Cloud Computing, IEEE Computer Society, June 2016.
Consumers want to ensure that their enterprise data is stored securely and obliviously on the cloud, such that the data objects or their access patterns are not revealed to anyone, including the cloud provider, in the public cloud environment. We have created a detailed ontology describing the oblivious cloud storage models and role based access controls that should be in place to manage this risk. We have developed an algorithm to store cloud data using oblivious data structure defined in this paper. We have also implemented the ObliviCloudManager application that allows users to manage their cloud data by validating it before storing it in an oblivious data structure. Our application uses role-based access control model and collection based document management to store and retrieve data efficiently. Cloud consumers can use our system to define policies for storing data obliviously and manage storage on untrusted cloud platforms even if they are unfamiliar with the underlying technology and concepts of oblivious data structures.
May 8th, 2016, by Tim Finin, posted in cybersecurity, Machine Learning, Security
Vehicles can be considered as a specialized form of Cyber Physical Systems with sensors, ECU’s and actuators working together to produce a coherent behavior. With the advent of external connectivity, a larger attack surface has opened up which not only affects the passengers inside vehicles, but also people around them. One of the main causes of this increased attack surface is because of the advanced systems built on top of old and less secure common bus frameworks which lacks basic authentication mechanisms. To make such systems more secure, we approach this issue as a data analytic problem that can detect anomalous states. To accomplish that we collected data flowing between different components from real vehicles and using a Hidden Markov Model, we detect malicious behaviors and issue alerts, while a vehicle is in operation. Our evaluations using single parameter and two parameters together provide enough evidence that such techniques could be successfully used to detect anomalies in vehicles. Moreover our method could be used in new vehicles as well as older ones.
April 18th, 2016, by Tim Finin, posted in IoT, Policy, Semantic Web
Prajit Kumar Das, Sandeep Nair, Nitin Kumar Sharma, Anupam Joshi, Karuna Pande Joshi, and Tim Finin, Context-Sensitive Policy Based Security in Internet of Things
, 1st IEEE Workshop on Smart Service Systems
, co-located with IEEE Int. Conf. on Smart Computing, St. Louis, 18 May 2016.
According to recent media reports, there has been a surge in the number of devices that are being connected to the Internet. The Internet of Things (IoT), also referred to as Cyber-Physical Systems, is a collection of physical entities with computational and communication capabilities. The storage and computing power of these devices is often limited and their designs currently focus on ensuring functionality and largely ignore other requirements, including security and privacy concerns. We present the design of a framework that allows IoT devices to capture, represent, reason with, and enforce information sharing policies. We use Semantic Web technologies to represent the policies, the information to be shared or protected, and the IoT device context. We discuss use-cases where our design will help in creating an “intelligent” IoT device and ensuring data security and privacy using context-sensitive information sharing policies.
April 3rd, 2016, by Tim Finin, posted in cybersecurity, Ontologies, OWL, RDF, Security, Semantic Web
Policies For Oblivious Cloud Storage
Using Semantic Web Technologies
10:30am, Monday, 4 April 2016, ITE 346, UMBC
Consumers want to ensure that their enterprise data is stored securely and obliviously on the cloud, such that the data objects or their access patterns are not revealed to anyone, including the cloud provider, in the public cloud environment. We have created a detailed ontology describing the oblivious cloud storage models and role based access controls that should be in place to manage this risk. We have also implemented the ObliviCloudManager application that allows users to manage their cloud data using oblivious data structures. This application uses role based access control model and collection based document management to store and retrieve data efficiently. Cloud consumers can use our system to define policies for storing data obliviously and manage storage on untrusted cloud platforms, even if they are not familiar with the underlying technology and concepts of the oblivious data structure.
March 27th, 2016, by Tim Finin, posted in cybersecurity, Machine Learning, Mobile Computing, Security
Down the rabbit hole: An Android system call study
Prajit Kumar Das
10:30 am, Monday, March 28, 2016 ITE 346
App permissions and application sandboxing are the fundamental security mechanisms that protects user data on mobile platforms. We have worked on permission analytics before and come to a conclusion that just studying an app’s requested access rights (permissions) isn’t enough to understand potential data breaches. Techniques like privilege escalation have been previously used to gain further access to user and her data on mobile platforms like Android. Static code analysis and dynamic code execution may be studied to gather further insight into an app’s behavior. However, there is a need to study such a behavior at the lowest level of code execution and that is system calls. The system call is the fundamental interface between an application and the Linux kernel. In our current project, we are studying system calls made by apps for gathering a better understanding of their behavior.
March 19th, 2016, by Tim Finin, posted in Programming
Introduction to Microservices Architecture
10:30am , Monday, March 21, 2016 ITE 346
Microservices is a new style of software architecture that relies on separately deployed loosely coupled components. Advantages of this architectural style are faster development cycles, better system resilience, smoother and easier scalability, and less friction with continuous deployment. In his talk Vlad Korolev will give overview of the architecture. Will show the way how to get started. And share personal experiences and gotchas encountered on several microservices based projects.