Bruno Crispo

Is your cat infected with a computer virus

RFID systems as a whole are often treated with suspicion, but the input data received from individual RFID tags is implicitly trusted. RFID attacks are currently conceived as properly formatted but fake RFID data; however no one expects an RFID tag to send a SQL injection attack or a buffer overflow. This paper is meant to serve as a warning that data from RFID tags can be used to exploit back-end software systems. RFID middleware writers must therefore build appropriate checks (bounds checking, special character filtering, etc.), to prevent RFID middleware from suffering all of the well-known vulnerabilities experienced by the Internet. Furthermore, as a proof of concept, this paper presents the first self-replicating RFID virus. This virus uses RFID tags as a vector to compromise backend RFID middleware systems, via a SQL injection attack

CRePE: context-related policy enforcement for android

Most of the research work for enforcing security policies on smartphones considered coarse-grained policies, e.g. either to allow an application to run or not. In this paper we present CRePE, the first system that is able to enforce fine-grained policies, e.g. that vary while an application is running, that also depend on the context of the smartphone. A context can be defined by the status of some variables (e.g. location, time, temperature, noise, and light), the presence of other devices, a particular interaction between the user and the smartphone, or a combination of these. CRePE allows context-related policies to be defined either by the user or by trusted third parties. Depending on the authorization, third parties can set a policy on a smartphone at any moment or just when the phone is within a particular context, e.g. within a building, or a plane.

RFID guardian: a battery-powered mobile device for RFID privacy management

RFID tags are tiny, inexpensive, inductively powered computers that are going to replace bar codes on many products, but which have many other uses as well. For example, they will allow smart washing machines to check for incompatible clothes (e.g., white shirts and red socks) and smart refrigerators to check for milk that is too old to be consumed. Subdermal tags with medical information are already being implanted in animals and people. However, a world in which practically everything is tagged and can be read at a modest distance by anyone who wants to buy an RFID reader introduces serious security and privacy issues. For example, women walking down the street may be effectively broadcasting the sizes of their RFID-tagged bras and medical data without realizing it. To protect people in this environment, we propose developing a compact, portable, electronic device called an RFID Guardian, which people can carry with them. In the future, it could be integrated into PDAs or cell phones. The RFID Guardian looks for, records, and displays all RFID tags and scans in the vicinity, manages RFID keys, authenticates nearby RFID readers, and blocks attempted accesses to the user’s RFID tags from unauthorized readers. In this way, people can find out what RFID activity is occuring around them and take corrective action if need be.

The evolution of RFID security

As RFID technology progresses, security and privacy threats also evolve. By examining RFIDs history, we can learn from past mistakes, rediscover successful solutions, and inspire future research.

A new family of authentication protocols

We present a related family of authentication and digital signature protocols based on symmetric cryptographic primitives which perform substantially better than previous constructions. Previously, one-time digital signatures based on hash functions involved hundreds of hash function computations for each signature; we show that given online access to a timestamping service, we can sign messages using only two computations of a hash function. Previously, techniques to sign infinite streams involved one such one-time signature for each message block; we show that in many realistic scenarios a small number of hash function computations is sufficient. Previously, the Diffie Hellman protocol enabled two principals to create a confidentiality key from scratch: we provide an equivalent protocol for integrity, which enables two people who do not share a secret to set up a securely serialised channel into which attackers cannot subsequently intrude. In addition to being of potential use in real applications, our constructions also raise interesting questions about the definition of a digital signature, and the relationship between integrity and authenticity.

XACML Policy Integration Algorithms

XACML is the OASIS standard language specifically aimed at the specification of authorization policies. While XACML fits well with the security requirements of a single enterprise (even if large and composed by multiple departments), it does not address the requirements of virtual enterprises in which several autonomous subjects collaborate by sharing their resources to provide better services to customers. In this article we highlight such limitation, and we propose an XACML extension, the policy integration algorithms, to address them. In the article we also present the implementation of a system that makes use of the policy integration algorithms to securely replicate information in a P2P-like environment. In our solution, the data replication process considers the policies specified by both the owners of the data shared and the peers sharing data storage.

Taking Sensor Networks from the Lab to the Jungle

Sensor networks pose unique technical and logistical challenges. One of the most widely cited applications for sensor networks is monitoring national borders for humans attempting to surreptitiously cross on foot, especially at night. Other suggested applications of sensor networks include battlefield observation and forest fire detection

Mind how you answer me!: transparently authenticating the user of a smartphone when answering or placing a call

In this paper we propose a new biometric measure to authenticate the user of a smartphone: the movement the user performs when answering (or placing) a phone call. The biometric measure leverages features that are becoming commodities in new smartphones, i.e. accelerometer and orientation sensors. We argue that this new biometric measure has a unique feature. That is, it allows a transparent authentication (not requiring an additional specific interaction for this) to check that the user that is answering (or placing) a phone call is the one authorized to do that. At the same time, this biometric measure can also be used as a non transparent authentication method, e.g. the user may need to move the phone as if answering a call, in order to unlock the phone to get access to SMSs or emails. As a consequence of being a biometric measure, an adversary that spies on the movement (e.g. captures it with a camera) and tries to replicate it, will not be granted access to the phone. We prototyped our solution and conducted several experiments to assess its feasibility. Results show that the method is effective, and the performance is comparable to that of other transparent authentication methods, like face or voice recognition.

A Virtual Machine Based Information Flow Control System for Policy Enforcement

The ability to enforce usage policies attached to data in a fine grained manner requires that the system be able to trace and control the flow of information within it. This paper presents the design and implementation of such an information flow control system, named Trishul, as a Java Virtual Machine. In particular we address the problem of tracing implicit information flow, which had not been resolved by previous run-time systems and the additional intricacies added on by the Java architecture. We argue that the security benefits offered by Trishul are substantial enough to counter-weigh the performance overhead of the system as shown by our experiments.

Providing Source Location Privacy in Wireless Sensor Networks: A Survey

Wireless sensor networks (WSNs) consist of numerous small nodes that can sense, collect, and disseminate information for many different types of applications. One of these applications is subject tracking and monitoring, in which the monitored subjects often need protection. For instance, a WSN can be deployed to monitor the movement of a panda in a national park. The panda needs protection from different adversaries, such as hunters and poachers. An adversary might trace the messages in the WSN to find the source node that sensed the panda, with the final aim of killing the panda. Hence the question is: how do we hide the location of the source node from the adversary? This question is relevant in several of the scenarios related to this application, such as patient monitoring and battlefield surveillance. In other words, the problem is to provide privacy to the source node: source location privacy. In this paper, we provide a survey of the state of the art in source location privacy. We first discuss the key concepts in source location privacy, such as anonymity, unobservability, safety period, and capture likelihood. Then, we present an overview of the solutions that provide source location privacy within a WSN, in relation to the assumptions about the adversarys capabilities. In particular, we summarize the concepts and solutions, which are categorized based on the core techniques used to provide source location privacy. We mention the limitations of the algorithms as found in the literature, classify the solutions based on their approach, and provide an overview of the assumptions on the adversarial capabilities related to each solution.