Biblio

In the cloud computing environment, a growing number of users share their own data files through cloud storage. However, there will be some security and privacy problems due to the reason that the cloud is not completely trusted, so it needs to be resolved by access control. Attribute-based encryption (ABE) and searchable encryption (SE) can solve fine-grained access control. At present, researchers combine the two to propose an attribute-based searchable encryption scheme and achieved remarkable results. Nevertheless, most of existing attribute-based searchable encryption schemes cannot resist online/offline keyword guessing attack. To solve the problem, we present an attribute-based (CP-ABE) searchable encryption scheme that supports trapdoor updating (CSES-TU). In this scheme, the data owner can formulate an access strategy for the encrypted data. Only the attributes of the data user are matched with the strategy can the effective trapdoor be generated and the ciphertext be searched, and that this scheme will update trapdoors at the same time. Even if the keywords are the same, new trapdoors will be generated every time when the keyword is searched, thus minimizing the damage caused by online/offline keyword guessing attack. Finally, the performance of the scheme is analyzed, and the proof of correctness and security are given at the same time.

While the standard language XACML is very expressive for specifying fine-grained access control policies, defects can get into XACML policies for various reasons, such as misunderstanding of access control requirements, omissions, and coding errors. These defects may result in unauthorized accesses, escalation of privileges, and denial of service. Therefore, quality assurance of XACML policies for real-world information systems has become an important issue. To address this issue, this paper presents a family of coverage criteria for XACML policies, such as rule coverage, rule pair coverage, decision coverage, and Modified Condition/Decision Coverage (MC/DC). To demonstrate the assurance levels of these coverage criteria, we have developed methods for automatically generating tests, i.e., access requests, to satisfy the coverage criteria using a constraint solver. We have evaluated these methods through mutation analysis of various policies with different levels of complexity. The experiment results have shown that the rule coverage is far from adequate for revealing the majority of defects in XACML policies, and that both MC/DC and decision coverage tests have outperformed the existing methods for testing XACML policies. In particular, MC/DC tests achieve a very high level of quality assurance of XACML policies.

Blömer et al. have presented a cloud architecture for enabling fine-grained cryptographic access control to data in the cloud. The architecture is intended to provide this service to large-scale orgnaizations. We revisit the cloud architecture, and enrich it with searchable encryption. In the process, we identify some shortcomings of Blömer et al.'s architecture, that prevent many cryptographic primitives from being implemented within the framework of the architecture. Subsequently, we propose fixes to these issues. As a result, we are able to propose a concrete instantiation of searchable encryption, in the form of Bost's $Σ$o$\phi$o$ς$ scheme, in Blömer et al.'s architecture. Moreover, with our fixes, other primitives can be adapted to the architecture as well.

This paper proposes a content-centric privacy (CCP) model that enables a privacy-preserving monitoring services in surveillance systems without cloud dependency. We design a simple yet powerful method that could not be obtained from a cloud-like system. The CCP model includes two key ideas: (1) the separation of the private data (i.e., target object images) from the public data (i.e., background images), and (2) the service authentication with the classification model. Deploying the CCP model over ICN enables the privacy central around the content itself rather than relying on a cloud system. Our preliminary analysis shows that the ICN-based CCP model can preserve privacy with respect to the W3 -privacy in which the private information of target object are decoupled from the queries and cameras.

Aiming at the increasing popularity of mobile terminals, a CP-ABE scheme adapted to lightweight decryption at the mobile end is proposed. The scheme has the function of supporting timely attributes revocation and policy hiding. Firstly, we will introduce the related knowledge of attribute base encryption. After that, we will give a specific CP-ABE solution. Finally, in the part of the algorithm analysis, we will give analysis performance and related security, and compare this algorithm with other algorithms.

Preventing unauthorized access to sensitive data is an exceedingly complex access control problem. In this keynote, I will break down the data breach problem and give insights into how organizations could and should do to reduce their risks. The talk will start with discussing the technical reasons behind some of the recent high-profile data breach incidents (e.g., in Equifax, Target), as well as pointing out the threats of inadvertent or accidental data leaks. Then, I will show that there are usually multiple points to stop data breach and give an overview of the relevant state-of-the-art solutions. I will focus on some of the recent algorithmic advances in preventing inadvertent data loss, including set-based and alignment-based screening techniques, outsourced screening, and GPU-based performance acceleration. I will also briefly discuss the role of non-technical factors (e.g., organizational culture on security) in data protection. Because of the cat-and-mouse-game nature of cybersecurity, achieving absolute data security is impossible. However, proactively securing critical data paths through strategic planning and placement of security tools will help reduce the risks. I will also point out a few exciting future research directions, e.g., on data leak detection as a cloud security service and deep learning for reducing false alarms in continuous authentication and the prickly insider-threat detection.

In the light of mobile and ubiquitous computing, sharing sensitive information across different computer systems has become an increasingly prominent practice. This development entails a demand of access control measures that can protect data even after it has been transferred to a remote computer system. In order to address this problem, sophisticated usage control models have been developed. These models include a client side reference monitor (CRM) that continuously enforces protection policies on foreign data. However, it is still unclear how such a CRM can be properly protected in a hostile environment. The user of the data on the client system can influence the client's state and has physical access to the system. Hence technical measures are required to protect the CRM on a system, which is legitimately used by potential attackers. Existing solutions utilize Trusted Platform Modules (TPMs) to solve this problem by establishing an attestable trust anchor on the client. However, the resulting protocols have several drawbacks that make them infeasible for practical use. This work proposes a reference monitor implementation that establishes trust by using TPMs along with Intel SGX enclaves. First we show how SGX enclaves can realize a subset of the existing usage control requirements. Then we add a TPM to establish and protect a powerful enforcement component on the client. Ultimately this allows us to technically enforce usage control policies on an untrusted remote system.

In this paper, we propose an access control model featured with the efficient key update function in data outsourcing environment. Our access control is based on the combination of Ciphertext Policy - Attribute-based Encryption (CP-ABE) and Role-based Access Control (RBAC). The proposed scheme aims to improve the attribute and key update management of the original CP-ABE. In our scheme, a user's key is incorporated into the attribute certificate (AC) which will be used to decrypt the ciphertext encrypted with CP-ABE policy. If there is any change (update or revoke) of the attributes appearing in the key, the key in the AC will be updated upon the access request. This significantly reduces the overheads in updating and distributing keys of all users simultaneously compared to the existing CP-ABE based schemes. Finally, we conduct the experiment to evaluate the performance of our proposed scheme to show the efficiency of our proposed scheme.

Due to users' network flow requirement and usage amount nowadays, TCP/IP networks may face various problems. For one, users of video services may access simultaneously the same content, which leads to the host incurring extra costs. Second, although nearby nodes may have the file that a user wants to access, the user cannot directly verify the file itself. This issue will lead the user to connect to a remote host rather than the nearby nodes and causes the network traffic to greatly increase. Therefore, the named data network (NDN), which is based on data itself, was brought about to deal with the aforementioned problems. In NDN, all users can access a file from the nearby nodes, and they can directly verify the file themselves rather than the specific host who holds the file. However, NDN still has no complete standard and secure file transfer protocol to support the ciphertext transmission and the problem of the unknown potential receivers. The straightforward solution is that a sender uses the receiver's public key to encrypt a file before she/he sends the file to NDN nodes. However, it will limit the behavior of users and incur significant storage costs of NDN nodes. This paper presents a complete secure file transfer protocol, which combines the data re-encryption, satisfies the requirement of secure ciphertext transmission, solves the problem of the unknown potential receivers, and saves the significant storage costs of NDN nodes. The proposed protocol is the first one that achieves data confidentiality and solves the problem of the unknown potential receivers in NDN. Finally, we also provide formal security models and proofs for the proposed FTP-NDN.

With all the exciting benefits of IoT in healthcare - from mobile applications to wearable and implantable health gadgets-it becomes prominent to ensure that patients, their medical data and the interactions to and from their medical devices are safe and secure. The security and privacy is being breached when the mobile applications are mishandled or tampered by the hackers by performing reverse engineering on the application leading to catastrophic consequences. To combat against these vulnerabilities, there is need to create an awareness of the potential risks of these devices and effective strategies are needed to be implemented to achieve a level of security defense. In this paper, the benefits of healthcare IoT system and the possible vulnerabilities that may result are presented. Also, we propose to develop solutions against these vulnerabilities by protecting mobile applications using obfuscation and return oriented programming techniques. These techniques convert an application into a form which makes difficult for an adversary to interpret or alter the code for illegitimate purpose. The mobile applications use keys to control communication with the implantable medical devices, which need to be protected as they are the critical component for securing communications. Therefore, we also propose access control schemes using white box encryption to make the keys undiscoverable to hackers.

Attribute-Based Access Control (ABAC), a promising alternative to traditional models of access control, has gained significant attention in recent academic literature. This attention has lead to the creation of a number of ABAC models including our previous contribution, Hierarchical Group and Attribute-Based Access Control (HGABAC). However, to date few complete solutions exist that provide both an ABAC model and architecture that could be implemented in real life scenarios. This work aims to advance progress towards a complete ABAC solution by introducing Hierarchical Group Attribute Architecture (HGAA), an architecture to support HGABAC and close the gap between a model and real world implementation. In addition to HGAA we also present an attribute certificate specification that enables users to provide proof of attribute ownership in a pseudonymous and off-line manner, as well as an update to the Hierarchical Group Policy Language (HGPL) to support our namespace for uniquely identifying attributes across disparate security domains. Details of our HGAA implementation are given and a preliminary analysis of its performance is discussed as well as directions for future work.

We argue on the need for a dedicated medium access control (MAC) for Vehicular VLC (V-VLC). The huge unlicensed spectrum that can support high throughput applications and the intrinsic security due to the LOS requirement make visible light a viable candidate for use in vehicular communications. In some first research work, the directionality of V-VLC has been considered and an initial conclusion was that the small collision domain leads to negligible interference and, thus, dedicated mechanisms for medium access are unnecessary. However, in a more realistic simulation setup using the Luxembourg mobility model, we are able to show that, in certain geographical areas, the number of transmitters seen at a single receiver can easily grow up to 30. Considering packet transmissions, the interference-induced packet loss can be substantial, reaching up to 13 % during rush hours. We thus make the case that this packet loss should be mitigated with a dedicated MAC for coordinated access control in V-VLC.

Cloud offers flexible and cost effective storage for big data but the major challenge is access control of big data processing. CP-ABE is a desirable solution for data access control in cloud. However, in CP-ABE the access policy may leak user's private information. To address this issue, Hidden Policy CP-ABE schemes proposed but those schemes still causing data leakage problem because the access policies are partially hidden and create more computational cost. In this paper, we propose a New Hidden Policy Ciphertext Policy Attribute Based Encryption (HP-CP-ABE) to ensure Big Data Access Control with Privacy-preserving Policy in Cloud. In proposed method, we used Multi Secret Sharing Scheme(MSSS) to reduce the computational overhead, while encryption and decryption process. We also applied mask technique on each attribute in access policy and embed the access policy in ciphertext, to protect user's private information from access policy. The security analysis shows that HP-CP-ABE is more secure and preserve the access policy privacy. Performance evaluation shows that our schemes takes less computational cost than existing scheme.

Complex embedded systems often contain hard to find vulnerabilities which, when exploited, have potential to cause severe damage to the operating environment and the user. Given that threats and vulnerabilities can exist within any layer of the complex eco-system, OEMs face a major challenge to ensure security throughout the device life-cycle To lower the potential risk and damage that vulnerabilities may cause, OEMs typically perform application threat analysis and security modelling. This process typically provides a high level guideline to solving security problems which can then be implemented during design and development. However, this concept presents issues where new threats or unknown vulnerability has been discovered. To address this issue, we propose a policy-based security modelling approach, which utilises a configurable policy engine to apply new policies that counter serious threats. By utilising this approach, the traditional security modelling approaches can be enhanced and the consequences of a new threat greatly reduced. We present a realistic use case of connected car, applying several attack scenarios. By utilising STRIDE threat modelling and DREAD risk assessment model, adequate policies are derived to protect the car assets. This approach poses advantages over the standard approach, allowing a policy update to counter a new threat, which may have otherwise required a product redesign to alleviate the issue under the traditional approach.

Information Centric Networking (ICN) has been regarded as an ideal architecture for the next-generation network to handle users' increasing demand for content delivery with in-network cache. While making better use of network resources and providing better delivery service, an effective access control mechanism is needed due to wide dissemination of contents. However, in the existing solutions, making cache-enabled routers or content providers authenticate users' requests causes high computation overhead and unnecessary delay. Also, straightforward utilization of advanced encryption algorithms increases the opportunities for DoS attacks. Besides, privacy protection and service accountability are rarely taken into account in this scenario. In this paper, we propose a secure, efficient, and accountable access control framework, called SEAF, for ICN, in which authentication is performed at the network edge to block unauthorized requests at the very beginning. We adopt group signature to achieve anonymous authentication, and use hash chain technique to greatly reduce the overhead when users make continuous requests for the same file. Furthermore, the content providers can affirm the service amount received from the network and extract feedback information from the signatures and hash chains. By formal security analysis and the comparison with related works, we show that SEAF achieves the expected security goals and possesses more useful features. The experimental results also demonstrate that our design is efficient for routers and content providers, and introduces only slight delay for users' content retrieval.

Protection of security-critical services, such as access-control reference monitors, is an important requirement in the modern era of distributed systems and services. The threat arises from hosting the service on a single server for a lengthy period of time, which allows the attacker to periodically enumerate the vulnerabilities of the service with respect to the server's configuration and launch targeted attacks on the service. In our work, we design and implement an efficient solution based on the moving "target" defense strategy, to protect security-critical services against such active adversaries. Specifically, we focus on implementing our solution for protecting the reference monitor service that enforces access control for users requesting access to sensitive resources. The key intuition of our approach is to increase the level of difficulty faced by the attacker to compromise a service by periodically moving the security-critical service among a group of heterogeneous servers. For this approach to be practically feasible, the movement of the service should be efficient and random, i.e., the attacker should not have a-priori information about the choice of the next server hosting the service. Towards this, we describe an efficient Byzantine fault-tolerant leader election protocol that achieves the desired security and performance objectives. We built a prototype implementation that moves the access control service randomly among a group of fifty servers within a time range of 250-440 ms. We show that our approach tolerates Byzantine behavior of servers, which ensures that a server under adversarial control has no additional advantage of being selected as the next active server.

The Software Defined Networks (SDN) paradigm, often referred to as a radical new idea in networking, promises to dramatically simplify network management by enabling innovation through network programmability. However, notable security issues, such as app-to-control threats, remain a significant concern that impedes SDN from being widely adopted. To cope with those app-to-control threats, this paper proposes a solution to securely deploy valid network applications while protecting the SDN controller against the injection of the malicious application. This problem is mitigated by proposing a novel SDN architecture, dubbed SENAD, which splits the well-known SDN controller into: (1) a data plane controller (DPC), and (2) an application plane controller (APC), to secure this latter by design. The role of the DPC is dedicated for interpreting the network rules into OpenFlow entries and maintaining the communication with the data plane. The role of the APC, however, is to provide a secured runtime for deploying the network applications, including authentication, access control, resource isolation, control, and monitoring applications. We show that this approach can easily shield against any deny of service, caused for instance by the resource exhaustion attack or the malicious command injection, that is caused by the co-existence of a malicious application on the controller's runtime. The evaluation of our architecture shows that the packet\_in messages take less than 5 ms to be delivered from the data plane to the application plane on the long range.

Healthcare is traditionally a data-intensive domain, where physicians needs complete and updated anamnesis of their patients to take the best medical decisions. Dematerialization of the medical documents and the consequent health information systems to share electronic health records among healthcare providers are paving the way to an effective solution to this issue. However, they are also paving the way of non-negligible privacy issues that are limiting the full application of these technologies. Encryption is a valuable means to resolve such issues, however the current schemes are not able to cope with all the needs and challenges that the cloud-based sharing of electronic health records imposes. In this work we have investigated the use of a novel scheme where encryption is combined with biometric authentication, and defines a preliminary solution.

Due to the proliferation of Internet-of-Things (IoT) environments, humans working with heterogeneous, smart objects in public IoT environments become more popular than ever before. This situation often requires to establish trust relationships between a user and a smart object for their secure interactions, but without the presence of prior interactions. In this work, we are interested in how a smart object can grant an access right to a human user in the absence of any prior knowledge in which some users may be malicious aiming to breach security goals of the IoT system. To solve this problem, we propose a trust-aware, role-based access control system, namely TARAS, which provides adaptive authorization to users based on dynamic trust estimation. In TARAS, for the initial trust establishment, we take a multidisciplinary approach by adopting the concept of I-sharing from psychology. The I-sharing follows the rationale that people with similar roles and traits are more likely to respond in a similar way. This theory provides a powerful tool to quickly establish trust between a smart object and a new user with no prior interactions. In addition, TARAS can adaptively filter malicious users out by revoking their access rights based on adaptive, dynamic trust estimation. Our experimental results show that the proposed TARAS mechanism can maximize system integrity in terms of correctly detecting malicious or benign users while maximizing service availability to users particularly when the system is fine-tuned based on the identified optimal setting in terms of an optimal trust threshold.

Ciphertext-policy attribute-based encryption (CP-ABE) has been proposed to enable fine-grained access control on encrypted data for cloud storage service. In the context of CP-ABE, since the decryption privilege is shared by multiple users who have the same attributes, it is difficult to identify the original key owner when given an exposed key. This leaves the malicious cloud users a chance to leak their access credentials to outsourced data in clouds for profits without the risk of being caught, which severely damages data security. To address this problem, we add the property of traceability to the conventional CP-ABE. To catch people leaking their access credentials to outsourced data in clouds for profits effectively, in this paper, we first propose two kinds of non-interactive commitments for traitor tracing. Then we present a fully secure traceable CP-ABE system for cloud storage service from the proposed commitment. Our proposed commitments for traitor tracing may be of independent interest, as they are both pairing-friendly and homomorphic. We also provide extensive experimental results to confirm the feasibility and efficiency of the proposed solution.

The concept of Internet of Things (IoT) has received considerable attention and development in recent years. There have been significant studies on access control models for IoT in academia, while companies have already deployed several cloud-enabled IoT platforms. However, there is no consensus on a formal access control model for cloud-enabled IoT. The access-control oriented (ACO) architecture was recently proposed for cloud-enabled IoT, with virtual objects (VOs) and cloud services in the middle layers. Building upon ACO, operational and administrative access control models have been published for virtual object communication in cloud-enabled IoT illustrated by a use case of sensing speeding cars as a running example. In this paper, we study AWS IoT as a major commercial cloud-IoT platform and investigate its suitability for implementing the afore-mentioned academic models of ACO and VO communication control. While AWS IoT has a notion of digital shadows closely analogous to VOs, it lacks explicit capability for VO communication and thereby for VO communication control. Thus there is a significant mismatch between AWS IoT and these academic models. The principal contribution of this paper is to reconcile this mismatch by showing how to use the mechanisms of AWS IoT to effectively implement VO communication models. To this end, we develop an access control model for virtual objects (shadows) communication in AWS IoT called AWS-IoT-ACMVO. We develop a proof-of-concept implementation of the speeding cars use case in AWS IoT under guidance of this model, and provide selected performance measurements. We conclude with a discussion of possible alternate implementations of this use case in AWS IoT.

One of the biggest challenges for the Internet of Things (IoT) is to bridge the currently fragmented trust domains. The traditional PKI model relies on a common root of trust and does not fit well with the heterogeneous IoT ecosystem where constrained devices belong to independent administrative domains. In this work we describe a distributed trust model for the IoT that leverages the existing trust domains and bridges them to create end-to-end trust between IoT devices without relying on any common root of trust. Furthermore we define a new cryptographic primitive, denoted as obligation chain designed as a credit-based Blockchain with a built-in reputation mechanism. Its innovative design enables a wide range of use cases and business models that are simply not possible with current Blockchain-based solutions while not experiencing traditional blockchain delays. We provide a security analysis for both the obligation chain and the overall architecture and provide experimental tests that show its viability and quality.

Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and centralized view of the network through separation of network traffic delivery (the "data plane") from network configuration (the "control plane"). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of the evolution of modern SDN technologies, production networks employing SDN are prone to several security vulnerabilities. The rate at which SDN frameworks are evolving continues to overtake attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network like a data center. We extend our study by evaluating one such SDN-specific security solution called FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies.

Healthcare Internet of Things (HIoT) is transforming healthcare industry by providing large scale connectivity for medical devices, patients, physicians, clinical and nursing staff who use them and facilitate real-time monitoring based on the information gathered from the connected things. Heterogeneity and vastness of this network provide both opportunity and challenges for information collection and sharing. Patient-centric information such as health status and medical devices used by them must be protected to respect their safety and privacy, while healthcare knowledge should be shared in confidence by experts for healthcare innovation and timely treatment of patients. In this paper an overview of HIoT is given, emphasizing its characteristics to those of Big Data, and a security and privacy architecture is proposed for it. Context-sensitive role-based access control scheme is discussed to ensure that HIoT is reliable, provides data privacy, and achieves regulatory compliance.

Despite corporate cyber intrusions attracting all the attention, privacy breaches that we, as ordinary users, should be worried about occur every day without any scrutiny. Smartphones, a household item, have inadvertently become a major enabler of privacy breaches. Smartphone platforms use permission systems to regulate access to sensitive resources. These permission systems, however, lack the ability to understand users’ privacy expectations leaving a significant gap between how permission models behave and how users would want the platform to protect their sensitive data. This dissertation provides an in-depth analysis of how users make privacy decisions in the context of Smartphones and how platforms can accommodate user’s privacy requirements systematically. We first performed a 36-person field study to quantify how often applications access protected resources when users are not expecting it. We found that when the application requesting the permission is running invisibly to the user, they are more likely to deny applications access to protected resources. At least 80% of our participants would have preferred to prevent at least one permission request. To explore the feasibility of predicting user’s privacy decisions based on their past decisions, we performed a longitudinal 131-person field study. Based on the data, we built a classifier to make privacy decisions on the user’s behalf by detecting when the context has changed and inferring privacy preferences based on the user’s past decisions. We showed that our approach can accurately predict users’ privacy decisions 96.8% of the time, which is an 80% reduction in error rate compared to current systems. Based on these findings, we developed a custom Android version with a contextually aware permission model. The new model guards resources based on user’s past decisions under similar contextual circumstances. We performed a 38-person field study to measure the efficiency and usability of the new permission model. Based on exit interviews and 5M data points, we found that the new system is effective in reducing the potential violations by 75%. Despite being significantly more restrictive over the default permission systems, participants did not find the new model to cause any usability issues in terms of application functionality.