Advisor: Michele Nogueira Lima
Co-advisor: Ricardo T. Macedo
Dissertation (master's) - Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defense: Curitiba, 23/03/2020
Includes references: p. 69-74
Area of concentration: Computer Science
Abstract (translated from the Portuguese Resumo): The Internet of Things (IoT) aims to connect objects to the Internet to provide innovative services, such as health monitoring through connected wearable devices. However, because of the critical nature of the data carried by the IoT, combined with its scarce resources, it has been the target of attacks that cause impacts such as the sale and improper disclosure of private data. In 2018 these attacks generated an average global cost of US$3.86 million. Traffic-based side-channel attacks probe data such as the intervals between packets, the size of the packets, and the bit rates, among others, with the aim of inferring personal information that compromises the privacy rights of IoT users. In the context of computer security, these data are called side-channel leaks, because they reveal information from data observed through a channel marginal to the one through which the desired information actually passes. In the literature, there are works that present ways to carry out this type of attack and defense techniques. However, the few works that consider side-channel attacks based on IoT traffic ignore the characteristics contained in the timing of wireless network traffic or leave potential vulnerabilities open. This work presents a study of side-channel attacks that analyze the temporal leaks emitted by the transmissions of an IoT network, such as the response times, the intervals between messages, and the instants at which messages are sent and received, in order to assess the impact of these attacks on users' privacy. In addition, it presents the FISHER mechanism (from the English: a deFense mechanIsm against Side-cHannEl Attacks based on inteRnet of things traffic Timing) for Defense Against Side-Channel Attacks based on IoT Traffic Timing. The FISHER mechanism acts as a virtual service and follows two modules to test vulnerabilities and protect data privacy. The vulnerability test module identifies the exposed temporal leaks through the device identification techniques employed by the attacks and starts the defense process. The privacy protection module implements the two aforementioned techniques in sync to mask the temporal leaks but, unlike the literature, it is intended to analyze the state of the network. The study presents a performance evaluation of side-channel attacks based on IoT Traffic Timing, considering different experimental scenarios. The results point to the relevance of these attacks, since it was possible to infer sensitive information such as the different devices and their embedded sensors, considering only the instants at which messages are sent and the response times generated by the network traffic. The mechanism was then evaluated with respect to hiding these leaks related to traffic timing. The results reveal the efficiency of the techniques employed by the modules in reducing the accuracy of the inferences made by the attacks.
Keywords (translated from Portuguese): Internet of Things. Temporal Leaks. Side-Channel Attacks. Privacy
Abstract: The Internet of Things (IoT) aims to connect objects to the Internet to provide innovative services, such as health monitoring through connected wearable devices. However, due to the critical nature of the data transported by the IoT and the scarcity of its resources, it has been the target of attacks that cause impacts such as the commercialization and improper disclosure of private data. In 2018 these attacks generated an average global cost of $3.86 million. Traffic-based side-channel attacks probe data such as the intervals between packets, the size of the packets, and the bit rates, among others, to infer personal information that compromises IoT users' privacy rights. In the context of computational security, these data are called side-channel leaks, as they reveal information from data observed through a channel marginal to the one through which the desired information actually passes.
In the literature, there are works that present ways to carry out this type of attack and defense techniques. However, the few studies that consider side-channel attacks based on IoT traffic ignore the characteristics contained in the timing of wireless network traffic or leave potential vulnerabilities open. This work presents a study on the impacts of side-channel attacks on users' privacy. The attacks analyze temporal leaks emitted by the transmissions of an IoT network, such as the response times, the intervals between the messages, and the moments of sending and receiving messages. It also presents the FISHER mechanism (from English: the deFense mechanIsm against Side-cHannEl Attacks based on inteRnet of things traffic Timing) for Defense Against Side-Channel Attacks based on IoT Traffic Timing. The FISHER mechanism acts as a virtual service and comprises two modules to test vulnerabilities and protect users' data privacy. The vulnerability test module identifies the temporal leaks through the device identification techniques and initiates the defense process. Unlike the literature, the privacy protection module implements the two techniques above in sync to analyze the state of the network and mask the time leaks. The study presents a performance evaluation of side-channel attacks based on IoT Traffic Timing, considering different experimental scenarios. The results point to the relevance of these attacks, since it was possible to infer sensitive information such as the different devices and their embedded sensors, considering only the moments of sending messages and the response times generated by the network traffic. The mechanism was then evaluated on hiding these leaks related to traffic timing. The results reveal the efficiency of the techniques employed by the modules in reducing the accuracy of the inferences made by the attacks.
Keywords: Internet of Things; Time Leaks; Side-Channel Attack; Privacy