24 research outputs found

    India’s “Aadhaar” Biometric ID: Structure, Security, and Vulnerabilities

    Get PDF
    India\u27s Aadhaar is the largest biometric identity system in history, designed to help deliver subsidies, benefits, and services to India\u27s 1.4 billion residents. The Unique Identification Authority of India (UIDAI) is responsible for providing each resident (not each citizen) with a distinct identity - a 12-digit Aadhaar number - using their biometric and demographic details. We provide the first comprehensive description of the Aadhaar infrastructure, collating information across thousands of pages of public documents and releases, as well as direct discussions with Aadhaar developers. Critically, we describe the first known cryptographic issue within the system, and discuss how a workaround prevents it from being exploitable at scale. Further, we categorize and rate various security and privacy limitations and the corresponding threat actors, examine the legitimacy of alleged security breaches, and discuss improvements and mitigation strategies

    CipherTrace: automatic detection of ciphers from execution traces to neutralize ransomware

    Get PDF
    In 2021, the largest US pipeline system for refined oil products suffered a 6-day shutdown due to a ransomware attack [1]. In 2023, the sensitive systems of the US Marshals Service were attacked by a ransomware [2]. One of the most effective ways to fight ransomware is to extract the secret keys. The challenge of detecting and identifying cryptographic primitives has been around for over a decade. Many tools have been proposed, but the vast majority of them use templates or signatures, and their support for different operating systems and processor architectures is rather limited; neither have there been enough tools capable of extracting the secret keys. In this paper, we present CipherTrace, a generic and automated system to detect and identify the class of cipher algorithms in binary programs, and additionally, locate and extract the secret keys and cryptographic states accessed by the cipher. We focus on product ciphers, and evaluate CipherTrace using four standard cipher algorithms, four different hashing algorithms, and five of the most recent and popular ransomware specimens. Our results show that CipherTrace is capable of fully dissecting Fixed S-Box block ciphers (e.g. AES and Serpent) and can extract the secret keys and other cryptographic artefacts, regardless of the operating system, implementation, or input- or key-size, and without using signatures or templates. We show a significant improvement in performance and functionality compared to the closely related works. CipherTrace helps in fighting ransomware, and aids analysts in their malware analysis and reverse engineering efforts

    Recent Trends in Communication Networks

    Get PDF
    In recent years there has been many developments in communication technology. This has greatly enhanced the computing power of small handheld resource-constrained mobile devices. Different generations of communication technology have evolved. This had led to new research for communication of large volumes of data in different transmission media and the design of different communication protocols. Another direction of research concerns the secure and error-free communication between the sender and receiver despite the risk of the presence of an eavesdropper. For the communication requirement of a huge amount of multimedia streaming data, a lot of research has been carried out in the design of proper overlay networks. The book addresses new research techniques that have evolved to handle these challenges

    Control-Theoretical Perspective in Feedback-Based Systems Testing

    Get PDF
    Self-Adaptive Systems (SAS) and Cyber-Physical Systems (CPS) have received significant attention in recent computer engineering research. This is due to their ability to improve the level of autonomy of engineering artefacts. In both cases, this autonomy increase is achieved through feedback. Feedback is the iteration of sens- ing and actuation to respectively acquire knowledge about the current state of said artefacts and steer them toward a desired state or behaviour. In this thesis we dis- cuss the challenges that the introduction of feedback poses on the verification and validation process for such systems, more specifically, on their testing. We highlight three types of new challenges with respect to traditional software testing: alteration of testing input and output definition, and intertwining of components with different nature. Said challenges affect the ways we can define different elements of the test- ing process: coverage criteria, testing set-ups, test-case generation strategies, and oracles in the testing process. This thesis consists of a collection of three papers and contributes to the definition of each of the mentioned testing elements. In terms of coverage criteria for SAS, Paper I proposes the casting of the testing problem, to a semi-infinite optimisation problem. This allows to leverage the Scenario Theory from the field of robust control, and provide a worst-case probabilistic bound on a given performance metric of the system under test. For what concerns the definition of testing set-ups for control-based CPS, Paper II investigates the implications of the use of different abstractions (i.e., the use of implemented or emulated compo- nents) on the significance of the testing. The paper provides evidence that confutes the common assumption present in previous literature on the existence of a hierar- chy among commonly used testing set-ups. Finally, regarding the test-case gener- ation and oracle definition, Paper III defines the problem of stress testing control- based CPS software. We contribute to the generation and identification of stress test cases for such software by proposing a novel test case parametrisation. Leveraging the proposed parametrisation we define metamorphic relations on the expected be- haviour of the system under test. We use said relations for the development of stress testing approach and sanity checks on the testing results

    Intelligent Circuits and Systems

    Get PDF
    ICICS-2020 is the third conference initiated by the School of Electronics and Electrical Engineering at Lovely Professional University that explored recent innovations of researchers working for the development of smart and green technologies in the fields of Energy, Electronics, Communications, Computers, and Control. ICICS provides innovators to identify new opportunities for the social and economic benefits of society.  This conference bridges the gap between academics and R&D institutions, social visionaries, and experts from all strata of society to present their ongoing research activities and foster research relations between them. It provides opportunities for the exchange of new ideas, applications, and experiences in the field of smart technologies and finding global partners for future collaboration. The ICICS-2020 was conducted in two broad categories, Intelligent Circuits & Intelligent Systems and Emerging Technologies in Electrical Engineering

    Verbesserrung der Datenflussüberwachung für Datennutzungskontrollsysteme

    Get PDF
    This thesis provides a new, hybrid approach in the field of Distributed Data Usage Control (DUC), to track the flow of data inside applications. A combination between static information flow analysis and dynamic data flow tracking enables to track selectively only those program locations that are actually relevant for a flow of data. This ensures the portability of a monitored application with low performance overhead. Beyond that, DUC systems benefit from the present approach as it reduces overapproximation in data flow tracking, and thus, provides a more precise result to enforce data usage restrictions.Diese Thesis liefert einen neuartigen hybriden Ansatz auf dem Gebiet von Distributed Data Usage Control (DUC), um den Datenfluss innerhalb einer Anwendung zu überwachen. Eine Kombination aus statischer Informationsflussanalyse und dynamischer Datenflussüberwachung ermöglicht die selektive, modulare Überwachung derjenigen Programmstellen, welche tatsächlich relevant für einen Datenfluss sind. Dadurch wird die Portabilität einer zu überwachenden Anwendung, bei geringem Performance Overhead, sichergestellt. DUC Systeme profitieren vom vorliegenden Ansatz vor allem dadurch, dass Überapproximation bei der Datenflussüberwachung reduziert wird, und somit ein präziseres Ergebnis für die Durchsetzung von Datennutzungsrestriktionen vorliegt

    GIS in Healthcare

    Get PDF
    The landscape of healthcare is dynamic, gradually becoming more complicated with factors beyond simple supply and demand. Similar to the diversity of social, political and economic contexts, the practical utilization of healthcare resources also varies around the world. However, the spatial components of these contexts, along with aspects of supply and demand, can reveal a common theme among these factors. This book presents advancements in GIS applications that reveal the complexity of and solutions for a dynamic healthcare landscape

    Towards enhancing responsibility and accountability in humanitarian action: Understanding the subjective factors that influence evaluation of humanitarian actions and the implementation of the recommendations made

    Get PDF
    When specialists in the evaluation of humanitarian action meet they often complain that “evaluations tell us nothing new”. Can this complaint be justified and, if so, can any additional insights into the reasons be discovered? An analysis and comparison is made of the recommendations arising from the evaluations of the humanitarian response to two major forced displacements and two natural disasters. The comparison is used to identify the extent to which recommendations made in the evaluation of the earlier of each pair were repeated in the subsequent evaluations. An analysis of the subjective influences reported as impinging upon nine of the earliest evaluations of humanitarian actions is made. A series of 22 elite interviews with staff of humanitarian organisations and independent consultants directly involved in the evaluation of humanitarian action reveals the continuing influence of these ‘subjective’ factors and indicates of a lack of confidence in the evaluation process as a tool for institutional learning. The roles of agency and structure in the subjective influences impinging on the evaluation of humanitarian action are analysed and recommendations made for the improvement of the evaluation/learning cycle
    corecore