
    Detecting (Absent) App-to-app authentication on cross-device short-distance channels

    Short-distance or near-field communication is increasingly used by mobile apps to interact or exchange data in a cross-device fashion. In this paper, we identify a security issue, namely cross-device app-to-app communication hijacking (or CATCH), that affects Android apps using short-distance channels (e.g., Bluetooth and Wi-Fi Direct). This issue causes unauthenticated or malicious app-to-app interactions even when the underlying communication channels are authenticated and secured. In addition to discovering the security issue, we design an algorithm based on data-flow analysis for detecting the presence of CATCH in Android apps. Our algorithm checks whether a given app contains an app-to-app authentication scheme, which is necessary for preventing CATCH. We perform experiments on a set of Android apps and show that the CATCH problem is present in every application in the analyzed set. We also discuss the impact of the problem in real scenarios by presenting two real case studies. At the end of the paper we report the limitations of our model along with future improvements.
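The distinction the abstract draws is between an authenticated channel and an authenticated peer app: Bluetooth pairing proves which device is on the other end of the link, but any app installed on that paired device can open a socket to the victim app's service. The following is an added example, not code from the paper, that models both receivers in Python. The shared app secret, the command format and the HMAC challenge-response scheme are assumptions chosen to illustrate what "app-to-app authentication" has to provide; the paper does not prescribe a particular scheme.

```python
import hashlib
import hmac
import os
import secrets

# Assumed provisioning: a secret that only legitimate installs of the app hold
# (in practice it would come from enrolment with a backend or a per-user key).
APP_SECRET = b"example-shared-app-secret"


class VulnerableReceiver:
    """The CATCH condition: trusts the secured link and executes whatever arrives.

    Pairing authenticated the *device*, so a rogue app on that device is
    indistinguishable from the legitimate peer app at this layer.
    """

    def handle(self, msg):
        return f"executed {msg['cmd']}"


class AuthenticatedReceiver:
    """Requires a fresh HMAC over a server-chosen nonce before executing a command."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = set()          # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)   # fixed length, so nonce || cmd is unambiguous
        self.pending.add(nonce)
        return nonce

    def handle(self, msg):
        nonce = msg["nonce"]
        if nonce not in self.pending:
            return "rejected: unknown or replayed nonce"
        self.pending.discard(nonce)       # one-shot: a captured request cannot be replayed
        expected = hmac.new(self.secret, nonce + msg["cmd"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: peer app not authenticated"
        return f"executed {msg['cmd']}"


def make_request(nonce, cmd, secret):
    """Build the peer app's response to a challenge; a rogue app passes a guessed secret."""
    tag = hmac.new(secret, nonce + cmd.encode(), hashlib.sha256).digest()
    return {"nonce": nonce, "cmd": cmd, "tag": tag}


def run_scenario():
    """Constructed scenario: a rogue app on the paired device sends 'unlock' to each receiver."""
    results = {}
    results["vulnerable"] = VulnerableReceiver().handle({"cmd": "unlock"})

    recv = AuthenticatedReceiver(APP_SECRET)
    # Rogue app: can use the channel, does not know APP_SECRET, forges a tag.
    rogue = make_request(recv.challenge(), "unlock", os.urandom(32))
    results["rogue"] = recv.handle(rogue)
    # Legitimate peer app answers the challenge correctly.
    legit = make_request(recv.challenge(), "unlock", APP_SECRET)
    results["legit"] = recv.handle(legit)
    # Replaying the legitimate request fails because its nonce was consumed.
    results["replay"] = recv.handle(legit)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:10s} {outcome}")
```

The caveat a practitioner would add: a secret embedded in an APK can be extracted from any install, so a real deployment binds the response to something the rogue app cannot obtain (a per-user key in the Android Keystore, or a token issued by the app's backend) rather than to a constant baked into the binary.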

    Static and Dynamic Analyses for Protecting the Java Software Execution Environment

    In my thesis, I present three projects on which I have worked during my Ph.D. studies. All of them focus on software protection in the Java environment with static and dynamic techniques for control-flow and data-dependency analysis. More specifically, the first two works are dedicated to the problem of deserialization of untrusted data in Java. In the first, I present a defense system that was designed for protecting the Java Virtual Machine, along with the results that were obtained. In the second, I present a recent research project that aims at the automatic generation of deserialization attacks, to help identify them and increase protection. The last discussed work concerns another branch of software protection: authentication on short-distance channels (or the lack thereof) in Android APKs. In said work, I present a tool that was built for automatically identifying the presence of high-level authentication in Android apps. I thoroughly discuss experiments, limitations and future work for all three projects, concluding with general principles that bring these works together and can be applied when facing related security issues in high-level software protection.

    Multifactor authentication using smartphone as token

    Biometrics is a field of study with relevant developments in the last decade. Specifically, electrocardiogram (ECG) based biometrics are now deemed a reliable source of identification. One of the major advances in this technology was the improvement in off-the-person authentication, which requires nothing more than dry electrodes or conductive fabrics to acquire an ECG signal in a non-intrusive way through the user's hands. However, identification still has relatively poor performance when using large user databases. In this dissertation we suggest using ECG authentication associated with a smartphone security token in order to improve performance and decrease the time required for recognition. We develop this technique in a user authentication scenario for a Windows login. We developed our solution using both classic Bluetooth (BT) and Bluetooth Low Energy (BLE) to preserve phone battery; we also developed apps for Windows Phone and Android, due to limitations detected. Additionally, we took advantage of the Intel Edison's mobility features to create a more versatile environment. Results proved our solution to be feasible. We executed a series of tests, through which we observed an improvement in authentication times when compared to a simple ECG identification scenario. ECG performance in terms of false negatives and false positives also improved.
    [Portuguese abstract, translated:] Biometrics is an area of study that has seen relevant developments in the last decade. Specifically, electrocardiogram (ECG) based biometrics are currently considered a reliable source of identification. One of the greatest advances in this technology is the evolution of off-the-person authentication, which allows the signal to be acquired non-intrusively through the user's hands. However, identification through this method still performs relatively poorly when the database exceeds a few tens of users.
    In this dissertation we propose using ECG authentication together with a mobile phone acting as a security token, with the goal of improving performance and reducing the time required for recognition. To that end, we developed our solution using classic Bluetooth (BT) as well as Bluetooth Low Energy (BLE) to preserve the phone's battery; in addition, we developed the applications for Windows Phone and also for Android, given the limitations we encountered. To create a more versatile and mobile environment, we used the recent Intel Edison platform. The results obtained show that our solution is viable. We ran a series of tests in which we observed an improvement in authentication times compared with the classic ECG identification scenario. Additionally, ECG performance with respect to the number of false negatives and false positives also improved.

    Seamless Interactions Between Humans and Mobility Systems

    As mobility systems, including vehicles and roadside infrastructure, enter a period of rapid and profound change, it is important to enhance interactions between people and mobility systems. Seamless human-mobility system interactions can promote widespread deployment of engaging applications, which are crucial for driving safety and efficiency. The ever-increasing penetration rate of ubiquitous computing devices, such as smartphones and wearable devices, can facilitate realization of this goal. Although researchers and developers have attempted to adapt ubiquitous sensors for mobility applications (e.g., navigation apps), these solutions often suffer from limited usability and can be risk-prone. The root causes of these limitations include the low sensing modality and limited computational power available in ubiquitous computing devices. We address these challenges by developing and demonstrating that novel sensing techniques and machine learning can be applied to extract essential, safety-critical information from drivers' natural driving behavior, even actions as subtle as steering maneuvers (e.g., left-/right-hand turns and lane changes). We first show how ubiquitous sensors can be used to detect steering maneuvers regardless of disturbances to sensing devices. Next, by focusing on turning maneuvers, we characterize drivers' driving patterns using a quantifiable metric. Then, we demonstrate how microscopic analyses of crowdsourced ubiquitous sensory data can be used to infer critical macroscopic contextual information, such as risks present at road intersections. Finally, we use ubiquitous sensors to profile a driver's behavioral patterns on a large scale; such sensors are found to be essential to the analysis and improvement of drivers' driving behavior.
    PhD, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/163127/1/chendy_1.pd

    A System Perspective to Privacy, Security and Resilience in Mobile Applications

    Mobile applications have changed our lives considerably, but they also create problems related to privacy, which is one of the basic human rights. Protection (or security) of privacy is an important issue in mobile applications owing to the high likelihood of privacy violation nowadays. This thesis is devoted to a fundamental study of the privacy issue in mobile applications. The overall objective of the thesis is to advance our understanding of privacy and its relevant concepts in the context of mobile applications. There are three specific objectives in this thesis. Objective 1 is to reach a more comprehensive understanding of the concepts of privacy, security and resilience (PSR for short) along with their relationships in the context of mobile applications. Objective 2 is to develop principles for the design of a mobile application system with satisfactory PSR. Objective 3 is to develop a demonstration system (PSR demo for short) to illustrate how the design principles can be applied. The approach taken in this thesis is based on a general knowledge architecture called FCBPSS (F: function, C: context, B: behavior, P: principle, SS: state and structure). An analysis of the literature was conducted first, resulting in a classification of various kinds of privacy against the FCBPSS architecture, followed by the development of a theory of privacy, protection of privacy (security), and resilience of the system that performs protection of privacy, PSR theory for short. Principles for the design of a mobile application system based on the PSR theory were then developed, which are expected to guide the practice of developing a mobile application with satisfactory privacy protection. Finally, a demonstration system, a doctor-booking application that minimizes waiting time and energy consumption, was developed to illustrate how the PSR theory and design principles work.
    The main contribution of this thesis is the development of the concept of PSR, especially the relationship among privacy (P), security (S), and resilience (R), and a set of design rules for developing a mobile application based on the PSR theory.

    Brand Protection for Steel Packaging Products

    In recent years, the underground market of counterfeit products has grown into a global network, raising the concern of the general public and initiating a series of reforms in governmental regulations and policies worldwide. As the largest independent metal decorating business in the UK, Tinmasters is at the centre of these developments. The overall aim of this project was the development of a novel anti-counterfeiting technology that is compatible with Tinmasters' manufacturing process, food-contact safe, and preferably overt, with a special focus on aesthetic appeal. A review of pre-existing technologies revealed a trend toward systems relying on the fast-growing capacity of wireless internet and smartphone devices. The latest anti-counterfeiting systems are track-and-trace enabled and offer user-based product authentication. The review narrowed the scope of the project to the development of a scheme for the creation of printable 2D codes capable of storing information that can be retrieved using a smartphone device. The core element of the feature is a trajectory of a 3D nonlinear dynamical system operating within its chaotic region, which is captured by the system's "strange" attractor. These types of trajectories are known for their high complexity and are thought, by many, to possess beauty. More importantly, they can be retrieved via a mechanism known as chaotic synchronisation. In order to create a printable code, a 3D chaotic trajectory is projected to two dimensions. The printed feature is captured by a smartphone camera and is subsequently processed in order to retrieve the trajectory. An almost equally important element of the feature is a frame, especially designed to address matters of alignment, perspective correction, and coordinate transformations. Aside from the main field of nonlinear dynamics, the proposed scheme makes use of concepts and methods from the fields of image processing, digital photography, and numerical analysis.

    Securing the software-defined networking control plane by using control and data dependency techniques

    Software-defined networking (SDN) fundamentally changes how network and security practitioners design, implement, and manage their networks. SDN decouples the decision-making about traffic forwarding (i.e., the control plane) from the traffic being forwarded (i.e., the data plane). SDN also allows network applications, or apps, to programmatically control network forwarding behavior and policy through a logically centralized control plane orchestrated by a set of SDN controllers. As a result of logical centralization, SDN controllers act as network operating systems in the coordination of shared data plane resources and comprehensive security policy implementation. SDN can support network security through the provision of security services and assurances of policy enforcement. However, SDN's programmability means that a network's security considerations are different from those of traditional networks. For instance, an adversary who manipulates the programmable control plane can leverage significant control over the data plane's behavior. In this dissertation, we demonstrate that the security posture of SDN can be enhanced using control and data dependency techniques that track information flow and enable understanding of application composability, control and data plane decoupling, and control plane insight. We support that statement through investigation of the various ways in which an attacker can use control flow and data flow dependencies to influence the SDN control plane under different threat models. We systematically explore and evaluate the SDN security posture through a combination of runtime, pre-runtime, and post-runtime contributions in both attack development and defense designs. We begin with the development of a conceptual accountability framework for SDN.
We analyze the extent to which various entities within SDN are accountable to each other, what they are accountable for, mechanisms for assurance about accountability, standards by which accountability is judged, and the consequences of breaching accountability. We discover significant research gaps in SDN’s accountability that impact SDN’s security posture. In particular, the results of applying the accountability framework showed that more control plane attribution is necessary at different layers of abstraction, and that insight motivated the remaining work in this dissertation. Next, we explore the influence of apps in the SDN control plane’s secure operation. We find that existing access control protections that limit what apps can do, such as role-based access controls, prove to be insufficient for preventing malicious apps from damaging control plane operations. The reason is SDN’s reliance on shared network state. We analyze SDN’s shared state model to discover that benign apps can be tricked into acting as “confused deputies”; malicious apps can poison the state used by benign apps, and that leads the benign apps to make decisions that negatively affect the network. That violates an implicit (but unenforced) integrity policy that governs the network’s security. Because of the strong interdependencies among apps that result from SDN’s shared state model, we show that apps can be easily co-opted as “gadgets,” and that allows an attacker who minimally controls one app to make changes to the network state beyond his or her originally granted permissions. We use a data provenance approach to track the lineage of the network state objects by assigning attribution to the set of processes and agents responsible for each control plane object. 
We design the ProvSDN tool to track API requests from apps as they access the shared network state’s objects, and to check requests against a predefined integrity policy to ensure that low-integrity apps cannot poison high-integrity apps. ProvSDN acts as both a reference monitor and an information flow control enforcement mechanism. Motivated by the strong inter-app dependencies, we investigate whether implicit data plane dependencies affect the control plane’s secure operation too. We find that data plane hosts typically have an outsized effect on the generation of the network state in reactive-based control plane designs. We also find that SDN’s event-based design, and the apps that subscribe to events, can induce dependencies that originate in the data plane and that eventually change forwarding behaviors. That combination gives attackers that are residing on data plane hosts significant opportunities to influence control plane decisions without having to compromise the SDN controller or apps. We design the EventScope tool to automatically identify where such vulnerabilities occur. EventScope clusters apps’ event usage to decide in which cases unhandled events should be handled, statically analyzes controller and app code to understand how events affect control plane execution, and identifies valid control flow paths in which a data plane attacker can reach vulnerable code to cause unintended data plane changes. We use EventScope to discover 14 new vulnerabilities, and we develop exploits that show how such vulnerabilities could allow an attacker to bypass an intended network (i.e., data plane) access control policy. This research direction is critical for SDN security evaluation because such vulnerabilities could be induced by host-based malware campaigns. Finally, although there are classes of vulnerabilities that can be removed prior to deployment, it is inevitable that other classes of attacks will occur that cannot be accounted for ahead of time. 
    In those cases, a network or security practitioner would need to have the right amount of after-the-fact insight to diagnose the root causes of such attacks without being inundated with too much information. Challenges remain in 1) the modeling of apps and objects, which can lead to overestimation or underestimation of causal dependencies; and 2) the omission of a data plane model that causally links control and data plane activities. We design the PicoSDN tool to mitigate causal dependency modeling challenges, to account for a data plane model through the use of the data plane topology to link activities in the provenance graph, and to account for network semantics to appropriately query and summarize the control plane's history. We show how prior work can hinder investigations and analysis of SDN-based attacks and demonstrate how PicoSDN can track SDN control plane attacks.
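The ProvSDN part of the abstract describes two mechanisms working together: provenance, which records which app produced each shared network-state object and what it was derived from, and an integrity policy, under which a low-integrity app must not be able to poison the inputs of a high-integrity one. The following added example, which is not ProvSDN's code, models both in Python on a toy shared-state store. The integrity labels, the app names and the host-location objects are constructed; the enforcement rule shown (a reader may not consume an object whose lineage includes a writer below the reader's label) is one Biba-style choice standing in for whatever policy a deployment defines.

```python
from dataclasses import dataclass

HIGH, LOW = 2, 1      # assumed integrity labels; a real policy may have more levels


@dataclass
class StateObject:
    """One object in the shared network state, with provenance attached."""
    name: str
    value: object
    integrity: int     # floor of the labels of every writer in its lineage
    lineage: tuple     # apps that contributed to this object, most recent first


class IntegrityViolation(Exception):
    pass


class SharedState:
    """Toy reference monitor in front of the controller's shared state.

    With enforce=True it blocks 'read down'; with enforce=False it only records
    provenance, which is how the confused-deputy case becomes visible after the fact.
    """

    def __init__(self, enforce=True):
        self.enforce = enforce
        self.objects = {}
        self.log = []  # provenance records: (app, operation, object name, lineage)

    def write(self, app, app_label, name, value, derived_from=()):
        label = app_label
        lineage = (app,)
        for src in derived_from:                      # taint propagates through derivation
            obj = self.objects[src]
            label = min(label, obj.integrity)
            lineage += tuple(a for a in obj.lineage if a not in lineage)
        self.objects[name] = StateObject(name, value, label, lineage)
        self.log.append((app, "write", name, lineage))
        return label

    def read(self, app, app_label, name):
        obj = self.objects[name]
        self.log.append((app, "read", name, obj.lineage))
        if self.enforce and obj.integrity < app_label:
            raise IntegrityViolation(
                f"{app} (label {app_label}) may not consume {name}, "
                f"written by lower-integrity lineage {obj.lineage}")
        return obj.value


def confused_deputy_scenario(enforce):
    """Constructed scenario: a LOW app forges a host location that a HIGH forwarding app uses.

    Returns "blocked" when the monitor stops the read, otherwise the poisoned
    object the HIGH app produced, whose lineage now names the rogue app.
    """
    state = SharedState(enforce)
    state.write("hosttracker", HIGH, "host:aa", {"switch": "s1", "port": 1})
    state.write("rogue", LOW, "host:bb", {"switch": "s9", "port": 9})  # forged location
    try:
        loc = state.read("fwd", HIGH, "host:bb")
    except IntegrityViolation:
        return "blocked"
    # Benign app acted on poisoned state; the derived flow rule inherits LOW and the rogue's name.
    state.write("fwd", HIGH, "path:bb", [loc["switch"]], derived_from=("host:bb",))
    return state.objects["path:bb"]


if __name__ == "__main__":
    print(confused_deputy_scenario(enforce=True))
    print(confused_deputy_scenario(enforce=False))
```

The `enforce=False` path is the forensic side of the same idea: even where the policy is not enforced at runtime, the lineage recorded on `path:bb` tells an investigator that the forwarding decision traces back to the rogue app rather than to the host tracker.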

    An Approach to Guide Users Towards Less Revealing Internet Browsers

    When browsing the Internet, HTTP headers enable both clients and servers to send extra data in their requests or responses, such as the User-Agent string. This string contains information related to the sender's device, browser, and operating system. Previous research has shown that numerous privacy and security risks result from exposing sensitive information in the User-Agent string. For example, it enables device and browser fingerprinting and user tracking and identification. Our large-scale analysis of thousands of User-Agent strings shows that browsers differ tremendously in the amount of information they include in their User-Agent strings. As such, our work aims at guiding users towards less revealing browsers. In doing so, we propose to assign an exposure score to browsers based on the information they expose and on vulnerability records. Thus, our contribution in this work is as follows: first, we provide a full implementation that is ready to be deployed and used. Second, we conduct a user study to identify the effectiveness and limitations of our proposed approach. Our implementation is based on more than 52 thousand unique browsers. Our performance and validation analysis show that our solution is accurate and efficient. The source code and data set are publicly available and the solution has been deployed.
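To make the notion of an exposure score concrete, here is an added Python example that is not the paper's implementation or scoring model. It splits a User-Agent string into the fields a server can learn from it and weights each field by how much it narrows the sender down, with a penalty for browser versions old enough to have public vulnerability records. The two sample strings are constructed, and the weights and the "outdated major version" thresholds are placeholders chosen for illustration, not values from the paper's data set.

```python
import re

# Constructed sample strings: a full Android Chrome UA and a terser desktop Firefox UA.
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 9; SM-G960F Build/PPR1.180610.011) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Mobile Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"

OS_RE = re.compile(r"\((?P<os>[^)]*)\)")                       # first parenthesised platform token
BROWSER_RE = re.compile(r"(?P<name>Chrome|Firefox|Safari|Edg|OPR)/(?P<ver>[\d.]+)")
MODEL_RE = re.compile(r";\s*(?P<model>[A-Z][\w-]+(?:\s\w+)*)\s+Build/")   # Android device model
BUILD_RE = re.compile(r"Build/(?P<build>[\w.]+)")              # Android firmware build id

# Assumed weights: fields that identify a specific device or firmware weigh more than
# coarse fields, and a full build number is more revealing than a major version.
WEIGHTS = {"os": 1, "browser": 1, "full_version": 2, "device_model": 3,
           "build_id": 4, "outdated": 3}
# Placeholder thresholds standing in for a lookup against vulnerability records.
OUTDATED_MAJOR = {"Chrome": 100, "Firefox": 110}


def parse_ua(ua):
    """Extract the fields exposed by a User-Agent string; absent fields are simply omitted."""
    fields = {}
    if m := OS_RE.search(ua):
        fields["os"] = m.group("os")
    if m := BROWSER_RE.search(ua):
        fields["browser"] = m.group("name")
        fields["version"] = m.group("ver")
    if m := MODEL_RE.search(ua):
        fields["device_model"] = m.group("model")
    if m := BUILD_RE.search(ua):
        fields["build_id"] = m.group("build")
    return fields


def exposure_score(ua):
    """Sum the weights of exposed fields; higher means the browser reveals more."""
    f = parse_ua(ua)
    score = sum(WEIGHTS[k] for k in ("os", "browser", "device_model", "build_id") if k in f)
    version = f.get("version", "")
    if version.count(".") >= 2:                    # e.g. 74.0.3729.157 rather than 115.0
        score += WEIGHTS["full_version"]
    name = f.get("browser")
    if name in OUTDATED_MAJOR and int(version.split(".")[0]) < OUTDATED_MAJOR[name]:
        score += WEIGHTS["outdated"]
    return score


if __name__ == "__main__":
    for ua in (ANDROID_UA, FIREFOX_UA):
        print(exposure_score(ua), parse_ua(ua))
```

Run over the two constructed strings, the Android UA scores far higher because it carries a device model and a firmware build id, exactly the kind of token that makes a User-Agent string useful for fingerprinting; in a real deployment the `OUTDATED_MAJOR` stand-in would be replaced by a lookup of the parsed browser and version against vulnerability records.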

    Robust Voice Liveness Detection and Speaker Verification Using Throat Microphones

    While having a wide range of applications, automatic speaker verification (ASV) systems are vulnerable to spoofing attacks, in particular replay attacks, which are effective and easy to implement. Most prior work on detecting replay attacks uses audio from a single acoustic microphone only, leading to difficulties in detecting high-end replay attacks that are close to indistinguishable from live human speech. In this paper, we study the use of a special body-conducted sensor, the throat microphone (TM), for combined voice liveness detection (VLD) and ASV in order to improve both the robustness and the security of ASV against replay attacks. We first investigate the possibility and methods of attacking a TM-based ASV system, followed by a pilot data collection. Second, we study the use of spectral features for VLD using both single-channel and dual-channel ASV systems. We carry out speaker verification experiments using Gaussian mixture model with universal background model (GMM-UBM) and i-vector based systems on a dataset of 38 speakers collected by us. We achieve considerable improvement in recognition accuracy with the use of the dual-microphone setup. In experiments with noisy test speech, the false acceptance rate (FAR) of the dual-microphone GMM-UBM based system for recorded speech drops from 69.69% to 18.75%. The FAR in the replay condition further drops to 0% when this dual-channel ASV system is integrated with the new dual-channel voice liveness detector.