Biblio

Point-of-care diagnostics are a key technology for various safety-critical applications from providing diagnostics in developing countries lacking adequate medical infrastructure to fight infectious diseases to screening procedures for border protection. Digital microfluidics biochips are an emerging technology that are increasingly being evaluated as a viable platform for rapid diagnosis and point-of-care field deployment. In such a technology, processing errors are inherent. Cyber-physical digital biochips offer higher reliability through the inclusion of automated error recovery mechanisms that can reconfigure operations performed on the electrode array. Recent research has begun to explore security vulnerabilities of digital microfluidic systems. This paper expands previous work that exploits vulnerabilities due to implicit trust in the error recovery mechanism. In this work, a discriminative data mining approach is introduced to identify frequent bioassay operations that can be cyber-physically attested for runtime security protection.

Hardware information flow analysis detects security vulnerabilities resulting from unintended design flaws, timing channels, and hardware Trojans. These information flow models are typically generated in a general way, which includes a significant amount of redundancy that is irrelevant to the specified security properties. In this work, we propose a property specific approach for information flow security. We create information flow models tailored to the properties to be verified by performing a property specific search to identify security critical paths. This helps find suspicious signals that require closer inspection and quickly eliminates portions of the design that are free of security violations. Our property specific trimming technique reduces the complexity of the security model; this accelerates security verification and restricts potential security violations to a smaller region which helps quickly pinpoint hardware security vulnerabilities.

Information flow security has been considered as a critical requirement on complicated component-based software. The recent efforts on the compositional information flow analyses were limited on the expressiveness of security lattice and the efficiency of compositional enforcement. Extending these approaches to support more general security lattices is usually nontrivial because the compositionality of information flow security properties should be properly treated. In this work, we present a new extension of interface automaton. On this interface structure, we propose two refinement-based security properties, adaptable to any finite security lattice. For each property, we present and prove the security condition that ensures the property to be preserved under composition. Furthermore, we implement the refinement algorithms and the security condition decision procedure. We demonstrate the usability and efficiency of our approach with in-depth case studies. The evaluation results show that our compositional enforcement can effectively reduce the verification cost compared with global verification on composite system.

Microfluidics is an interdisciplinary science focusing on the development of devices and systems that process low volumes of fluid for applications such as high throughput DNA sequencing, immunoassays, and entire Labs-on-Chip platforms. Microfluidic diagnostic technology enables these advances by facilitating the miniaturization and integration of complex biochemical processing through a microfluidic biochip [1]. This approach tightly couples the biochemical operations, sensing system, control algorithm, and droplet-based biochip. During the process the status of a droplet is monitored in real-time to detect operational errors. If an error has occurred, the control algorithm dynamically reconfigures to allow recovery and rescheduling of on-chip operations. During this recovery procedure the droplet that is the source of the error is discarded to prevent the propagation of the error and the operation is repeated. Threats to the operation of the microfluidics biochip include (1) integrity: an attack can modify control electrodes to corrupt the diagnosis, and (2) privacy: what can a user/operator deduce about the diagnosis? It is challenging to describe both these aspects using existing models; as Figure 1 depicts there are multiple security domains, Unidirectional information flows shown in black indicate undesirable flows, the bidirectional black arrows indicate desirable, but possibly corrupted, information flows, and the unidirectional red arrows indicate undesirable information flows. As with Stuxnet, a bidirectional, deducible information flow is needed between the monitoring security domain and internal security domain (biochip) [2]. Simultaneously, the attacker and the operators should receive a nondeducible information flow. Likewise, the red attack arrows should be deducible to the internal domain. Our current security research direction uses the novel approach of Multiple Security Domain Nondeducibility [2] to explore the vulnerabilities of exploiting this error recovery process through information flow leakages and leads to protection of the system through desirable information flows.

Multiple Security Domains Nondeducibility, MSDND, yields results even when the attack hides important information from electronic monitors and human operators. Because MSDND is based upon modal frames, it is able to analyze the event system as it progresses rather than relying on traces of the system. Not only does it provide results as the system evolves, MSDND can point out attacks designed to be missed in other security models. This work examines information flow disruption attacks such as Stuxnet and formally explains the role that implicit trust in the cyber security of a cyber physical system (CPS) plays in the success of the attack. The fact that the attack hides behind MSDND can be used to help secure the system by modifications to break MSDND and leave the attack nowhere to hide. Modal operators are defined to allow the manipulation of belief and trust states within the model. We show how the attack hides and uses the operator's trust to remain undetected. In fact, trust in the CPS is key to the success of the attack.