Publication


Featured research published by Claudio Soriente.


computer and communications security | 2009

On the difficulty of software-based attestation of embedded devices

Claude Castelluccia; Aurélien Francillon; Daniele Perito; Claudio Soriente

Device attestation is an essential feature in many security protocols and applications. The lack of dedicated hardware and the impossibility to physically access devices to be attested makes attestation of embedded devices, in applications such as Wireless Sensor Networks, a prominent challenge. Several software-based attestation techniques have been proposed that either rely on tight time constraints or on the lack of free space to store malicious code. This paper investigates the shortcomings of existing software-based attestation techniques. We first present two generic attacks, one based on a return-oriented rootkit and the other on code compression. We further describe specific attacks on two existing proposals, namely SWATT and ICE-based schemes, and argue about the difficulty of fixing them. All attacks presented in this paper were implemented and validated on commodity sensors.


international conference on information security | 2008

HAPADEP: Human-Assisted Pure Audio Device Pairing

Claudio Soriente; Gene Tsudik; Ersin Uzun

The number and diversity of personal electronic gadgets have been steadily increasing but there has been fairly little progress in secure pairing of such devices. The pairing challenge revolves around establishing on-the-fly secure communication without any trusted (on- or off-line) third parties between devices that have no prior association. One basic approach to counter Man-in-the-Middle (MiTM) attacks in such setting is to involve the user in the pairing process. Previous research yielded some interesting secure pairing techniques, some of which ask too much of the human user, while others assume availability of specialized equipment (e.g., wires, photo or video cameras) on personal devices. Furthermore, all prior methods assumed an established insecure channel over a common digital (human-imperceptible) communication medium, such as infrared, 802.11 or Bluetooth. In this paper we introduce a very simple technique called HAPADEP (Human-Assisted Pure Audio Device Pairing). HAPADEP uses the audio channel to exchange both data and verification information among devices without requiring any other means of common electronic communication. Despite its simplicity, a number of interesting issues arise in the design of HAPADEP. We discuss design and implementation highlights as well as usability features and limitations.


ieee symposium on security and privacy | 2012

Hummingbird: Privacy at the Time of Twitter

E De Cristofaro; Claudio Soriente; Gene Tsudik; Andrew Williams

In the last several years, micro-blogging Online Social Networks (OSNs), such as Twitter, have taken the world by storm, now boasting over 100 million subscribers. As an unparalleled stage for an enormous audience, they offer fast and reliable centralized diffusion of pithy tweets to great multitudes of information-hungry and always-connected followers. At the same time, this information gathering and dissemination paradigm prompts some important privacy concerns about relationships between tweeters, followers and interests of the latter. In this paper, we assess privacy in today's Twitter-like OSNs and describe an architecture and a trial implementation of a privacy-preserving service called Hummingbird. It is essentially a variant of Twitter that protects tweet contents, hash tags and follower interests from the (potentially) prying eyes of the centralized server. We argue that, although inherently limited by Twitter's mission of scalable information-sharing, this degree of privacy is valuable. We demonstrate, via a working prototype, that Hummingbird's additional costs are tolerably low. We also sketch out some viable enhancements that might offer better privacy in the long term.


symposium on reliable distributed systems | 2008

POSH: Proactive co-Operative Self-Healing in Unattended Wireless Sensor Networks

R. Di Pietro; Di Ma; Claudio Soriente; Gene Tsudik

Unattended Wireless Sensor Networks (UWSNs) are composed of many small resource-constrained devices and operate autonomously, gathering data which is periodically collected by a visiting sink. Unattended mode of operation, deployment in hostile environments and value (or criticality) of collected data are some of the factors that complicate UWSN security. This paper makes two contributions. First, it explores a new threat model involving a mobile adversary who periodically compromises and releases sensors aiming to maximize its advantage and overall knowledge of collected data. Second, it constructs a self-healing protocol that allows sensors to continuously and collectively recover from compromise. The proposed protocol is both effective and efficient, as supported by analytical and simulation results.


IEEE Transactions on Computers | 2009

Data Security in Unattended Wireless Sensor Networks

R. Di Pietro; Luigi V. Mancini; Claudio Soriente; Angelo Spognardi; Gene Tsudik

In recent years, wireless sensor networks (WSNs) have been a very popular research topic, offering a treasure trove of systems, networking, hardware, security, and application-related problems. Much of prior research assumes that the WSN is supervised by a constantly present sink and sensors can quickly offload collected data. In this paper, we focus on unattended WSNs (UWSNs) characterized by intermittent sink presence and operation in hostile settings. Potentially lengthy intervals of sink absence offer greatly increased opportunities for attacks resulting in erasure, modification, or disclosure of sensor-collected data. This paper presents an in-depth investigation of security problems unique to UWSNs (including a new adversarial model) and proposes some simple and effective countermeasures for a certain class of attacks.


IEEE Network | 2013

Participatory privacy: Enabling privacy in participatory sensing

Emiliano De Cristofaro; Claudio Soriente

Participatory sensing is an emerging computing paradigm that enables the distributed collection of data by self-selected participants. It allows the increasing number of mobile phone users to share local knowledge acquired by their sensor-equipped devices (e.g., to monitor temperature, pollution level, or consumer pricing information). While research initiatives and prototypes proliferate, their real-world impact is often bounded to comprehensive user participation. If users have no incentive, or feel that their privacy might be endangered, it is likely that they will not participate. In this article, we focus on privacy protection in participatory sensing and introduce a suitable privacy-enhanced infrastructure. First, we provide a set of definitions of privacy requirements for both data producers (i.e., users providing sensed information) and consumers (i.e., applications accessing the data). Then we propose an efficient solution designed for mobile phone users, which incurs very low overhead. Finally, we discuss a number of open problems and possible research directions.


wireless network security | 2011

Short paper: PEPSI - privacy-enhanced participatory sensing infrastructure

Emiliano De Cristofaro; Claudio Soriente

Participatory Sensing combines the ubiquity of mobile phones with the sensing capabilities of Wireless Sensor Networks. It targets the pervasive collection of information, e.g., temperature, traffic conditions, or medical data. Users produce measurements from their mobile devices, thus, a number of privacy concerns (due to the personal information conveyed by reports) may hinder the large-scale deployment of participatory sensing applications. Prior work has attempted to protect privacy in participatory sensing, but it relied on unrealistic assumptions and achieved no provably-secure guarantees. In this paper, we introduce PEPSI: Privacy-Enhanced Participatory Sensing Infrastructure. We explore realistic architectural assumptions and a minimal set of formal requirements aiming at protecting privacy of both data producers and consumers. We also present an instantiation that attains privacy guarantees with provable security at very low additional computational cost and almost no extra communication overhead. Finally, we highlight some problems that call for further research in this developing area.


wireless network security | 2009

Collaborative authentication in unattended WSNs

Roberto Di Pietro; Claudio Soriente; Angelo Spognardi; Gene Tsudik

An unattended wireless sensor network (UWSN) might collect valuable data representing an attractive target for the adversary. Since a sink visits the network infrequently, unattended sensors cannot immediately off-load data to some safe external entity. With sufficient time between sink visits, a powerful mobile adversary can easily compromise sensor-collected data. In this paper, we propose two schemes (CoMAC and ExCo) that leverage sensor co-operation to achieve data authentication. These schemes use standard (and inexpensive) symmetric cryptographic primitives coupled with key evolution and few messages exchange. We provide security analysis for proposed schemes and assess their effectiveness via simulations. We show that proposed schemes cope well with real WSN issues, such as message loss and sensor failure. We also compare the two schemes with respect to robustness and overhead, which allows network designers to carefully select the right scheme and tune appropriate system parameters.


ad hoc networks | 2009

Playing hide-and-seek with a focused mobile adversary in unattended wireless sensor networks

Roberto Di Pietro; Luigi V. Mancini; Claudio Soriente; Angelo Spognardi; Gene Tsudik

Some sensor network settings involve disconnected or unattended operation with periodic visits by a mobile sink. An unattended sensor network operating in a hostile environment can collect data that represents a high-value target for the adversary. Since an unattended sensor can not immediately off-load sensed data to a safe external entity (such as a sink), the adversary can easily mount a focused attack aiming to erase or modify target data. To maximize chances of data survival, sensors must collaboratively attempt to mislead the adversary and hide the location, the origin, and the contents of collected data. In this paper, we focus on applications of well-known security techniques to maximize chances of data survival in unattended sensor networks, where sensed data can not be off-loaded to a sink in real time. Our investigation yields some interesting insights and surprising results. The highlights of our work are: (1) thorough exploration of the data survival challenge, (2) exploration of the design space for possible solutions, (3) construction of several practical and effective techniques, and (4) their evaluation.


International Journal of Security and Networks | 2009

Using audio in secure device pairing

Michael T. Goodrich; Michael Sirivianos; John Solis; Claudio Soriente; Gene Tsudik; Ersin Uzun

Secure pairing of electronic devices is an important issue that must be addressed in many contexts. In the absence of prior security context, the need to involve the user in the pairing process is a prominent challenge. In this paper, we investigate the use of the audio channel for human-assisted device pairing. First we assume a common (insecure) wireless channel between devices. We then obviate the assumption of a pre-existing common channel with a single-channel device pairing approach only based on audio. Both approaches are applicable to a wide range of devices and place light burden on the user.

Collaboration


Top Co-Authors

Gene Tsudik

University of California

Roberto Di Pietro

Rovira i Virgili University

Angelo Spognardi

Technical University of Denmark

Di Ma

University of Michigan
