SecuCode: Intrinsic PUF Entangled Secure Wireless Code Dissemination for Computational RFID Devices

The simplicity of deployment and perpetual operation of energy harvesting devices provides a compelling proposition for a new class of edge devices for the Internet of Things. In particular, Computational Radio Frequency Identification (CRFID) devices are an emerging class of battery-free, computational, sensing enhanced devices that harvest all of their energy for operation. Despite wireless connectivity and powering, secure wireless firmware updates remains an open challenge for CRFID devices due to: intermittent powering, limited computational capabilities, and the absence of a supervisory operating system. We present, for the first time, a secure wireless code dissemination (SecuCode) mechanism for CRFIDs by entangling a device intrinsic hardware security primitive Static Random Access Memory Physical Unclonable Function (SRAM PUF) to a firmware update protocol. The design of SecuCode: i) overcomes the resource-constrained and intermittently powered nature of the CRFID devices; ii) is fully compatible with existing communication protocols employed by CRFID devices in particular, ISO-18000-6C protocol; and ii) is built upon a standard and industry compliant firmware compilation and update method realized by extending a recent framework for firmware updates provided by Texas Instruments. We build an end-to-end SecuCode implementation and conduct extensive experiments to demonstrate standards compliance, evaluate performance and security.Comment: Accepted to the IEEE Transactions on Dependable and Secure Computin

Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting

Hosting providers play a key role in fighting web compromise, but their ability to prevent abuse is constrained by the security practices of their own customers. {\em Shared} hosting, offers a unique perspective since customers operate under restricted privileges and providers retain more control over configurations. We present the first empirical analysis of the distribution of web security features and software patching practices in shared hosting providers, the influence of providers on these security practices, and their impact on web compromise rates. We construct provider-level features on the global market for shared hosting -- containing 1,259 providers -- by gathering indicators from 442,684 domains. Exploratory factor analysis of 15 indicators identifies four main latent factors that capture security efforts: content security, webmaster security, web infrastructure security and web application security. We confirm, via a fixed-effect regression model, that providers exert significant influence over the latter two factors, which are both related to the software stack in their hosting environment. Finally, by means of GLM regression analysis of these factors on phishing and malware abuse, we show that the four security and software patching factors explain between 10\% and 19\% of the variance in abuse at providers, after controlling for size. For web-application security for instance, we found that when a provider moves from the bottom 10\% to the best-performing 10\%, it would experience 4 times fewer phishing incidents. We show that providers have influence over patch levels--even higher in the stack, where CMSes can run as client-side software--and that this influence is tied to a substantial reduction in abuse levels

The STRS (shortness of breath, tremulousness, racing heart, and sweating): A brief checklist for acute distress with panic-like autonomic indicators; development and factor structure

Background: Peritraumatic response, as currently assessed by Posttraumatic Stress Disorder (PTSD) diagnostic criterion A2, has weak positive predictive value (PPV) with respect to PTSD diagnosis. Research suggests that indicators of peritraumatic autonomic activation may supplement the PPV of PTSD criterion A2. We describe the development and factor structure of the STRS (Shortness of Breath, Tremulousness, Racing Heart, and Sweating), a one page, two-minute checklist with a five-point Likert-type response format based on a previously unpublished scale. It is the first validated self-report measure of peritraumatic activation of the autonomic nervous system.\ud \ud Methods: We selected items from the Potential Stressful Events Interview (PSEI) to represent two latent variables: 1) PTSD diagnostic criterion A, and 2) acute autonomic activation. Participants (a convenience sample of 162 non-treatment seeking young adults) rated the most distressing incident of their lives on these items. We examined the factor structure of the STRS in this sample using factor and cluster analysis.\ud \ud Results: Results confirmed a two-factor model. The factors together accounted for 68% of the variance. The variance in each item accounted for by the two factors together ranged from 41% to 74%. The item loadings on the two factors mapped precisely onto the two proposed latent variables.\ud \ud Conclusion: The factor structure of the STRS is robust and interpretable. Autonomic activation signs tapped by the STRS constitute a dimension of the acute autonomic activation in response to stress that is distinct from the current PTSD criterion A2. Since the PTSD diagnostic criteria are likely to change in the DSM-V, further research is warranted to determine whether signs of peritraumatic autonomic activation such as those measured by this two-minute scale add to the positive predictive power of the current PTSD criterion A2. Additionally, future research is warranted to explore whether the four automatic activation items of the STRS can be useful as the basis for a possible PTSD criterion A3 in the DSM-V

Demonstration of Cyberattacks and Mitigation of Vulnerabilities in a Webserver Interface for a Cybersecure Power Router

Cyberattacks are a threat to critical infrastructure, which must be secured against them to ensure continued operation. A defense-in-depth approach is necessary to secure all layers of a smart-grid system and contain the impact of any exploited vulnerabilities. In this undergraduate thesis a webserver interface for smart-grid devices communicating over Modbus TCP was developed and exposed to SQL Injection attacks and Cross-Site Scripting attacks. Analysis was performed on Supply-Chain attacks and a mitigation developed for attacks stemming from compromised Content Delivery Networks. All attempted attacks were unable to exploit vulnerabilities in the webserver due to its use of input sanitization and access controls

A Novel Method for Decentralised Peer-to-peer Software License Validation Using Cryptocurrency Blockchain Technology

Protecting software copyright has been an issue since the late 1970’s, and software license validation has been a primary method employed in an attempt to minimise software piracy and protect software copyright. This paper presents a novel method for decentralised peer-to-peer software license validation using cryptocurrency blockchain technology to ameliorate software piracy, and to provide a mechanism for all software developers to protect their copyrighted works

Integrated Framework For Secure Distributed Management Of Duplicated Ipv6 Address Detection

Alamat bernegara auto-konfigurasi adalah ciri utama protokol IPv6, yang membolehkan tuan rumah untuk mengkonfigurasi alamat IP secara automatik tanpa perlu apa-apa perkhidmatan tambahan seperti; DHCPv6 Stateless address auto-configuration is the primary feature of IPv6 protocol, which allows hosts to configure IP addresses automatically without the need of any additional services such as; DHCPv