HIP based mobility for Cloudlets

Computation offloading can be used to leverage the resources of nearby computers to ease the computational burden of mobile devices. Cloudlets are an approach, where the client's tasks are executed inside a virtual machine (VM) on a nearby computing element, while the client orchestrates the deployment of the VM and the remote execution in it. Mobile devices tend to move, and while moving between networks, their address is prone to change. Should a user bring their device close to a better performing Cloudlet host, migration of the original Cloudlet VM might also be desired, but their address is then prone to change as well. Communication with Cloudlets relies on the TCP/IP networking stack, which resolves address changes by terminating connections, and this seriously impairs the usefulness of Cloudlets in presence of mobility events. We surveyed a number of mobility management protocols, and decided to focus on Host Identity Protocol (HIP). We ported an implementation, HIP for Linux (HIPL), to the Android operating system, and assessed its performance by benchmarking throughput and delay for connection recovery during network migration scenarios. We found that as long as the HIPL hipfw-module, and especially the Local Scope Identifier (LSI) support was not used, the implementation performed adequately in terms of throughput. On the average, the connection recovery delays were tolerable, with an average recovery time of about 8 seconds when roaming between networks. We also found that with highly optimized VM synthesis methods, the recovery time of 8 seconds alone does not make live migration favourable over synthesizing a new VM. We found HIP to be an adequate protocol to support both client mobility and server migration with Cloudlets. Our survey suggests that HIP avoids some of the limitations found in competing protocols. We also found that the HIPL implementation could benefit from architectural changes, for improving the performance of the LSI support.Liikkuvassa tietojenkäsittelyssä laskennan ulkoistaminen on menetelmä, jolla voidaan käyttää ympäristössä olevien tietokoneiden resursseja keventämään mobiililaitteeseen kohdistuvaa laskennallista rasitusta. Cloudletit ovat eräs ratkaisu mobiililaskennan ulkoistamiseen, jossa laitteessa suoritettavia tehtäviä siirretään suoritettavaksi tietokoneessa ajettavaan virtuaalikoneeseen. Mobiililaite ohjaa virtuaalikoneen luomista ja siinä tapahtuvaa laskentaa verkon yli. Mobiililaitteen taipumus liikkua käyttäjänsä mukana aiheuttaa haasteita nykyisen TCP/IP protokollapinon joustavuudelle. Mobiililaitteen siirtyessä verkosta toiseen, on tyypillistä että sen IP-osoite vaihtuu. Mikäli mobiililaite siirtyy lähelle Cloudlet-isäntäkonetta, joka olisi resurssiensa ja tietoliikenneyhteyksiensä puolesta suotuisampi käyttäjän tarpeisiin, voi käyttäjän Cloudlet-virtuaalikoneen siirtäminen olla toivottavaa. Tällöin kuitenkin myös virtuaalikoneen osoite voi vaihtua. TCP/IP ratkaisee osoitteen vaihtumisen katkaisemalla yhteyden, mikä käyttäjien liikkuvuutta rajoittavana tekijänä tekee Cloudlet-ratkaisun käytöstä vähemmän houkuttelevaa. Tässä tutkielmassa tutustuimme joukkoon sopivaksi arvioimiamme liikkuvuutta tukevia protokollia, ja valitsimme niistä HIP -protokollan lähempää tarkastelua varten. Teimme HIP for Linux -protokollaohjelmistosta sovituksen Android-käyttöjärjestelmälle ja tutkimme sen soveltuvuutta liikkuvuuden tukemiseen mittaamalla sen avulla muodostetuilla yhteyksillä saavutettavia siirtonopeuksia sekä yhteyden palautumiseen kuluvaa aikaa osoitteenvaihdosten yhteydessä. Mikäli HIPL:in hipfw-moduuli, ja erityisesti sen LSI-tuki (IPv4-sovellusrajapinta) ei ollut käytössä, mittaustemme mukaan protokollatoteutus suoriutui Cloudlet-käyttöön riittävän hyvin siirtonopeuksien suhteen. Lisäksi yhteyksien palauttaminen osoitteenvaihdosten yhteydessä sujui siedettävässä ajassa, keskimäärin noin kahdeksassa sekunnissa. Hyvin optimoitujen Cloudlet-virtuaalikoneiden synteesimenetelmien vuoksi kahdeksan sekunnin toipumisaika yksinään ei tarjoa virtuaalikoneen siirtämisestä merkittävää etua uuden luomiseen nähden. HIP protokolla soveltuu yhteydenpitoon sekä mobiililaitteesta Cloudlet-isäntäkoneille, että Cloudlet-virtuaalikoneeseen; pienehkön kirjallisuuskatsauksen perusteella muita oleellisia protokollia hieman paremmin. Tunnistimme myös uudistamistarpeen HIPL-toteutuksen arkkitehtuurissa LSI-tuen suorituskyvyn parantamiseksi

Swiftmend: Data Synchronization in Open mHealth Applications with Restricted Connectivity

Open mHealth applications often include mobile devices and cloud services with replicated data between components. These replicas need periodical synchronization to remain consistent. However, there are no guarantee of connectivity to networks which do not bill users on the quantity of data usage. This thesis propose Swiftmend, a system with synchronization that minimize the quantity of I/O used on the network. Swiftmend includes two reconciliation algorithms; Rejuvenation and Regrowth. The latter utilizes the efficiency of the Merkle tree data structure to reduce the I/O. Merkle trees can sum up the consistency of replicas into compact fingerprints. While the first reconciliation algorithm, Rejuvenation simply inspects the entire replica to identify consistency. Regrowth is shown to produce less quantity of I/O than Rejuvenation when synchronizing replicas. This is due to the compact fingerprints

Context-aware real-time assistant architecture for pervasive healthcare

The aging population in many countries brings into focus rising healthcare costs and pressure on conventional healthcare services. Pervasive healthcare has emerged as a viable solution capable of providing a technology-driven approach to alleviate such problems by allowing healthcare to move from the hospital-centred care to self-care, mobile care, and at-home care. The state-of-the-art studies in this field, however, lack a systematic approach for providing comprehensive pervasive healthcare solutions from data collection to data interpretation and from data analysis to data delivery. In this thesis we introduce a Context-aware Real-time Assistant (CARA) architecture that integrates novel approaches with state-of-the-art technology solutions to provide a full-scale pervasive healthcare solution with the emphasis on context awareness to help maintaining the well-being of elderly people. CARA collects information about and around the individual in a home environment, and enables accurately recognition and continuously monitoring activities of daily living. It employs an innovative reasoning engine to provide accurate real-time interpretation of the context and current situation assessment. Being mindful of the use of the system for sensitive personal applications, CARA includes several mechanisms to make the sophisticated intelligent components as transparent and accountable as possible, it also includes a novel cloud-based component for more effective data analysis. To deliver the automated real-time services, CARA supports interactive video and medical sensor based remote consultation. Our proposal has been validated in three application domains that are rich in pervasive contexts and real-time scenarios: (i) Mobile-based Activity Recognition, (ii) Intelligent Healthcare Decision Support Systems and (iii) Home-based Remote Monitoring Systems

Routing and Mobility on IPv6 over LoWPAN

The IoT means a world-wide network of interconnected objects based on standard communication protocols. An object in this context is a quotidian physical device augmented with sensing/actuating, processing, storing and communication capabilities. These objects must be able to interact with the surrounding environment where they are placed and to cooperate with neighbouring objects in order to accomplish a common objective. The IoT objects have also the capabilities of converting the sensed data into automated instructions and communicating them to other objects through the communication networks, avoiding the human intervention in several tasks. Most of IoT deployments are based on small devices with restricted computational resources and energy constraints. For this reason, initially the scientific community did not consider the use of IP protocol suite in this scenarios because there was the perception that it was too heavy to the available resources on such devices. Meanwhile, the scientific community and the industry started to rethink about the use of IP protocol suite in all IoT devices and now it is considered as the solution to provide connectivity between the IoT devices, independently of the Layer 2 protocol in use, and to connect them to the Internet. Despite the use of IP suite protocol in all devices and the amount of solutions proposed, many open issues remain unsolved in order to reach a seamless integration between the IoT and the Internet and to provide the conditions to IoT service widespread. This thesis addressed the challenges associated with the interconnectivity between the Internet and the IoT devices and with the security aspects of the IoT. In the interconnectivity between the IoT devices and the Internet the problem is how to provide valuable information to the Internet connected devices, independently of the supported IP protocol version, without being necessary accessed directly to the IoT nodes. In order to solve this problem, solutions based on Representational state transfer (REST) web services and IPv4 to IPv6 dual stack transition mechanism were proposed and evaluated. The REST web service and the transition mechanism runs only at the border router without penalizing the IoT constrained devices. The mitigation of the effects of internal and external security attacks minimizing the overhead imposed on the IoT devices is the security challenge addressed in this thesis. Three different solutions were proposed. The first is a mechanism to prevent remotely initiated transport level Denial of Service attacks that avoids the use of inefficient and hard to manage traditional firewalls. It is based on filtering at the border router the traffic received from the Internet and destined to the IoT network according to the conditions announced by each IoT device. The second is a network access security framework that can be used to control the nodes that have access to the network, based on administrative approval, and to enforce security compliance to the authorized nodes. The third is a network admission control framework that prevents IoT unauthorized nodes to communicate with IoT authorized nodes or with the Internet, which drastically reduces the number of possible security attacks. The network admission control was also exploited as a management mechanism as it can be used to manage the network size in terms of number of nodes, making the network more manageable, increasing its reliability and extending its lifetime.A IoT (Internet of Things) tem suscitado o interesse tanto da comunidade académica como da indústria, uma vez que os campos de aplicação são inúmeros assim como os potenciais ganhos que podem ser obtidos através do uso deste tipo de tecnologia. A IoT significa uma rede global de objetos ligados entre si através de uma rede de comunicações baseada em protocolos standard. Neste contexto, um objeto é um objeto físico do dia a dia ao qual foi adicionada a capacidade de medir e de atuar sobre variáveis físicas, de processar e armazenar dados e de comunicar. Estes objetos têm a capacidade de interagir com o meio ambiente envolvente e de cooperar com outros objetos vizinhos de forma a atingirem um objetivo comum. Estes objetos também têm a capacidade de converter os dados lidos em instruções e de as comunicar a outros objetos através da rede de comunicações, evitando desta forma a intervenção humana em diversas tarefas. A maior parte das concretizações de sistemas IoT são baseados em pequenos dispositivos autónomos com restrições ao nível dos recursos computacionais e de retenção de energia. Por esta razão, inicialmente a comunidade científica não considerou adequado o uso da pilha protocolar IP neste tipo de dispositivos, uma vez que havia a perceção de que era muito pesada para os recursos computacionais disponíveis. Entretanto, a comunidade científica e a indústria retomaram a discussão acerca dos benefícios do uso da pilha protocolar em todos os dispositivos da IoT e atualmente é considerada a solução para estabelecer a conetividade entre os dispositivos IoT independentemente do protocolo da camada dois em uso e para os ligar à Internet. Apesar do uso da pilha protocolar IP em todos os dispositivos e da quantidade de soluções propostas, são vários os problemas por resolver no que concerne à integração contínua e sem interrupções da IoT na Internet e de criar as condições para a adoção generalizada deste tipo de tecnologias. Esta tese versa sobre os desafios associados à integração da IoT na Internet e dos aspetos de segurança da IoT. Relativamente à integração da IoT na Internet o problema é como fornecer informação válida aos dispositivos ligados à Internet, independentemente da versão do protocolo IP em uso, evitando o acesso direto aos dispositivos IoT. Para a resolução deste problema foram propostas e avaliadas soluções baseadas em web services REST e em mecanismos de transição IPv4 para IPv6 do tipo pilha dupla (dual stack). O web service e o mecanismo de transição são suportados apenas no router de fronteira, sem penalizar os dispositivos IoT. No que concerne à segurança, o problema é mitigar os efeitos dos ataques de segurança internos e externos iniciados local e remotamente. Foram propostas três soluções diferentes, a primeira é um mecanismo que minimiza os efeitos dos ataques de negação de serviço com origem na Internet e que evita o uso de mecanismos de firewalls ineficientes e de gestão complexa. Este mecanismo filtra no router de fronteira o tráfego com origem na Internet é destinado à IoT de acordo com as condições anunciadas por cada um dos dispositivos IoT da rede. A segunda solução, é uma framework de network admission control que controla quais os dispositivos que podem aceder à rede com base na autorização administrativa e que aplica políticas de conformidade relativas à segurança aos dispositivos autorizados. A terceira é um mecanismo de network admission control para redes 6LoWPAN que evita que dispositivos não autorizados comuniquem com outros dispositivos legítimos e com a Internet o que reduz drasticamente o número de ataques à segurança. Este mecanismo também foi explorado como um mecanismo de gestão uma vez que pode ser utilizado a dimensão da rede quanto ao número de dispositivos, tornando-a mais fácil de gerir e aumentando a sua fiabilidade e o seu tempo de vida

Securing the Next Generation Web

With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications, and the clients we use to interact with them remains difficult.To secure web applications we focus on both the client-side and server-side. For the client-side, mainly web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP)\ua0 directive navigate-to. In our research, we find that it does introduce new vulnerabilities, to which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting where\ua0 there is no access to the source code is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We\ua0 accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to\ua0 further improve the coverage and vulnerability detection rate of scanners.In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. AdBlockers and password\ua0 managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new\ua0 static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions\ua0 solely based on the meta-data of downloads over time. We analyze new attack vectors introduced by Google’s new vehicle OS, Android Automotive. This\ua0 is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we\ua0 create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found