Access control in distributed file systems: design and realization on Pepys fs

This theis describes the Access Control Model realized for the novel Pepys distributed, Internet-wide, file-system. The model design has been widely inspired to various existing standards and best practices about access control and security in file-system access, but it also echoes peculiar basic principles characterizing the design of Pepys, as well as the ΠP protocol, over which Pepys itself relies. Technical details about how the model has been realized on a Linux port of Pepys are also provided

Access Control for the Pepys Internet-Wide File-System

This paper describes the Access Control Model realized for the novel Pepys distributed, Internet-wide, file-system. The model design has been widely inspired to various existing standards and best practices about access control and security in file-system access, but it also echoes peculiar basic principles characterizing the design of Pepys, as well as the ΠP protocol, over which Pepys itself relies. The paper also provides technical details about how the model has been realized on a Linux port of Pepys

Smartphone-based crowdsourcing for estimating the bottleneck capacity in wireless networks

Crowdsourcing enables the fine-grained characterization and performance evaluation of today׳s large-scale networks using the power of the masses and distributed intelligence. This paper presents SmartProbe, a system that assesses the bottleneck capacity of Internet paths using smartphones, from a mobile crowdsourcing perspective. With SmartProbe measurement activities are more bandwidth efficient compared to similar systems, and a larger number of users can be supported. An application based on SmartProbe is also presented: georeferenced measurements are mapped and used to compare the performance of mobile broadband operators in wide areas. Results from one year of operation are included

Analyzing and Securing Firmware for IoT Devices

Internet of Things (IoT) devices have rooted themselves in the everyday life of billions of people. While they automate and simplify many aspects of the users’ lives, the widespread usage of IoT devices constitutes a security concern for our modern society. Aside from the privacy and safety implications of having a smart door lock that could succumb to an Internet-based attack, or a smoke detector that an assailant could disable by connecting to it from a compromised light bulb, vulnerabilities in these devices have wider implications. Recent large-scale attacks have shown that the sheer number of Internet-connected IoT devices poses a severe threat to the Internet infrastructure. The most prominent example is represented by the Mirai botnet that, in 2016, compromised millions of devices and leveraged them in denial-of-service attacks to disrupt core Internet services and shut down websites. For these reasons, it is of crucial importance to assess the security of IoT devices. Analyzing and securing IoT devices present different and specific challenges than analyzing and securing traditional desktop computers. The main reason is that IoT devices are manufactured by a plethora of different vendors, which often use vendor-specific hardware and software (or firmware) for their products. Given the heterogeneity and widespread usage of IoT devices, we need novel, automated, and scalable solutions able to improve the security of these devices. During my Ph.D., I approached the problem of securing IoT devices from different angles and using different strategies, which I present in detail in this dissertation. First, I introduce the IoT landscape, with particular attention to the peculiarities that characterize embedded firmware. Then, I present in detail my work that advances the state of the art of firmware security. In particular, I present (i) BootStomp, a novel tool to find bugs in bootloaders for embedded devices, (ii) Karonte, a novel static analysis approach to track data flows across the different components of a firmware sample to precisely uncover security vulnerabilities, (iii) Bintrimmer, a tool that relies on a novel abstract domain (called Signedness-Agnostic Strided Interval) to perform code debloating on binaries, thus decreasing the attack surface that could be used by an attacker to harm end-users, and, finally, (iv) DiAne, a novel approach to fuzz IoT devices that leverages the logic of the device’s companion app (i.e., the application commonly used to interact with IoT devices). I evaluate the performance of the proposed approaches and show that the developed tools are effective in improving the security of firmware for IoT devices

Analyzing and Securing Firmware for IoT Devices

Internet of Things (IoT) devices have rooted themselves in the everyday life of billions of people. While they automate and simplify many aspects of the users’ lives, the widespread usage of IoT devices constitutes a security concern for our modern society. Aside from the privacy and safety implications of having a smart door lock that could succumb to an Internet-based attack, or a smoke detector that an assailant could disable by connecting to it from a compromised light bulb, vulnerabilities in these devices have wider implications. Recent large-scale attacks have shown that the sheer number of Internet-connected IoT devices poses a severe threat to the Internet infrastructure. The most prominent example is represented by the Mirai botnet that, in 2016, compromised millions of devices and leveraged them in denial-of-service attacks to disrupt core Internet services and shut down websites.For these reasons, it is of crucial importance to assess the security of IoT devices. Analyzing and securing IoT devices present different and specific challenges than analyzing and securing traditional desktop computers. The main reason is that IoT devices are manufactured by a plethora of different vendors, which often use vendor-specific hardware and software (or firmware) for their products. Given the heterogeneity and widespread usage of IoT devices, we need novel, automated, and scalable solutions able to improve the security of these devices.During my Ph.D., I approached the problem of securing IoT devices from different angles and using different strategies, which I present in detail in this dissertation. First, I introduce the IoT landscape, with particular attention to the peculiarities that characterize embedded firmware. Then, I present in detail my work that advances the state of the art of firmware security. In particular, I present (i) BootStomp, a novel tool to find bugs in bootloaders for embedded devices, (ii) Karonte, a novel static analysis approach to track data flows across the different components of a firmware sample to precisely uncover security vulnerabilities, (iii) Bintrimmer, a tool that relies on a novel abstract domain (called Signedness-Agnostic Strided Interval) to perform code debloating on binaries, thus decreasing the attack surface that could be used by an attacker to harm end-users, and, finally, (iv) DiAne, a novel approach to fuzz IoT devices that leverages the logic of the device’s companion app (i.e., the application commonly used to interact with IoT devices). I evaluate the performance of the proposed approaches and show that the developed tools are effective in improving the security of firmware for IoT devices

Access Control for the Pepys Internet-wide File-System

This paper describes the Access Control Model realized for the novel Pepys distributed, Internet-wide, file-system. The model design has been widely inspired to various existing standards and best practices about access control and security in file-system access, but it also echoes peculiar basic principles characterizing the design of Pepys, as well as the ΠP protocol, over which Pepys itself relies. The paper also provides technical details about how the model has been realized on a Linux port of Pepys. 1 Introduction on Pepys Pepys is an innovative distributed file-system born to meet the increasingly growing demand, from users, to always have their data available anywhere. Pepys is composed of a multitude of servers that, together, present a collection of files organized in trees or volumes. It uses a hierarchy of caching fil

Smartphone-based crowdsourcing for estimating the bottleneck capacity in wireless networks

Crowdsourcing enables the fine-grained characterization and performance evaluation of today?s large-scale networks using the power of the masses and distributed intelligence. This paper presents SmartProbe, a system that assesses the bottleneck capacity of Internet paths using smartphones, from a mobile crowdsourcing perspective. With SmartProbe measurement activities are more bandwidth efficient compared to similar systems, and a larger number of users can be supported. An application based on SmartProbe is also presented: georeferenced measurements are mapped and used to compare the performance of mobile broadband operators in wide areas. Results from one year of operation are included