Division of Computer and Network Systems (CNS)

group_project

Visible to the public CRII: SaTC: Automated Security Analysis of Software-based Control in Emerging Smart Transportation Under Sensor Attacks

Transportation systems are being profoundly transformed with the emergence of a series of software-based smart transportation solutions such as intelligent traffic signal control and autonomous driving. In these systems, the key enabler of their functional intelligence is the sensing capability, which collects necessary road information to enable better control decisions. However, sensor data are collected from a public channel, i.e., the physical transportation environment, which thus inevitably creates opportunities for attackers to tamper with the sensing process.

group_project

Visible to the public CRII: SaTC: Towards Efficient and Scalable Crowdsourced Vulnerability-Discovery using Bug-Bounty Programs

Many organizations and companies have recently chosen to use so-called bug-bounty programs, which allow outside security experts to evaluate the security of an organization's products and services and to report security vulnerabilities in exchange for rewards. Bug-bounty programs provide unique benefits by allowing organizations to publicly signal their commitment to security and to harness the diverse expertise of thousands of security experts in an affordable way. Despite their rapidly growing popularity, bug-bounty programs are not well understood and can be mismanaged.

group_project

Visible to the public CRII: SaTC: Improving the Usability and Effectiveness of Security and Privacy Settings in Mobile Apps

Mobile users hold people's sensitive information such as passwords, locations, and health information. Users are permitted to control the use of some of this information by configuring their privacy settings in the apps they use. These settings, however, are often difficult to locate and understand, even in popular apps such as Facebook. Moreover, the settings are often set to share user data by default, exposing personal data without users' explicit consent.

group_project

Visible to the public CRII: SaTC: Measuring and Improving the Management of Resource Public Key Infrastructure (RPKI)

The Border Gateway Protocol (BGP) is responsible for managing how packets are routed across the Internet by exchanging routing related messages (path announcements) between routers. While the Border Gateway Protocol plays a critical role in the Internet communications, it remains highly vulnerable to many attacks. This is because the protocol was originally designed for each BGP router to trust all protocol related messages, especially path announcements, sent by its neighboring routers.

group_project

Visible to the public CRII: SaTC: Mitigating Software-Based Microarchitectural Attacks via Secure Microcode Customization

Modern high-performance processors implement complex microarchitectural optimizations involving speculative execution which has recently been shown to be vulnerable to a type of malicious attack called Spectre. This project will investigate a microarchitectural solution framework to secure against such attacks. This framework, called context-sensitive fencing, will seek to automatically track and detect malicious execution patterns dynamically to trigger defense code without programmer intervention and with minimal impact on processor performance.

group_project

Visible to the public CRII: SaTC: Creating and Managing Structurally-Morphing IT Systems - Moving Targets

Current information technology (IT) systems are relatively static from a configuration perspective and give adversaries the valuable advantage of time for breaching them. A new concept, called Moving Target Defense or MTD, dynamically reconfigures systems to increase uncertainty and complexity for attackers, reduce their window of opportunity, and raise the costs of their reconnaissance and attack endeavors. All of these contribute towards increased security.

group_project

Visible to the public CRII: SaTC: Secure and Comprehensive Forensic Audit Infrastructure for Transparent Heterogeneous Computing

Cyber attackers are increasingly targeting emerging smart devices (e.g., Internet of Things devices) causing devastating damages to various enterprises and government agencies. To combat these attacks, rapid and effective investigation is critical to understand attack paths and measure the damages. Unfortunately, forensic logging infrastructures are not efficient and effective enough. Many devices completely lack forensic logging systems and others rely on ineffective logging schemes, delaying or often completely preventing forensic investigation.

group_project

Visible to the public CRII: SaTC: Exploring the Real World Applicability of Denial of Service Mitigation via Routing

Distributed Denial of Service (DDoS) attacks disrupt the ability of computers to communicate over the Internet by flooding victims with large volumes of unwanted network traffic. Due to their high economic impact and low technical complexity, such attacks remain one of the most problematic and common attacks experienced by companies, organizations, and high-profile individuals.

group_project

Visible to the public CRII: SaTC: Preempting Physical Damage from Control-related Attacks on Smart Grids' Cyber-Physical Infrastructure

Control-related attacks are a severe threat to cyber-physical systems (CPSs) such as smart grids, because they can introduce catastrophic physical damage by using malicious control commands crafted in a legitimate format. While current research efforts have focused on detecting malicious commands that lead to physical damage, the investigator proposes to preemptively prevent the damage by disrupting and misleading adversaries' preparation before they issue the malicious commands.

group_project

Visible to the public CRII: SaTC: Secure Instruction Set Extensions for Lattice-Based Post-Quantum Cryptosystems

The emergence of quantum computers poses a serious threat for existing security standards, which motivates post-quantum cryptography (PQC) research. Various PQC schemes have been proposed for standardization, whose mathematical soundness are under investigation. Unfortunately, even a mathematically sound cryptography scheme may be attacked at the implementation level. The primary research goal of this project is to develop secure implementations for lattice-based cryptosystems, a major class of PQC encryption proposals.