Olivier Festor

CrowdOut: A mobile crowdsourcing service for road safety in digital cities

Nowadays cities invest more in their public services, and particularly digital ones, to improve their residents quality of life and attract more people. Thus, new crowdsourcing services appear and they are based on contributions made by mobile users equipped with smartphones. For example, the respect of the traffic code is essential to ensure citizens security and welfare in their city. In this paper, we present CrowdOut, a new mobile crowdsourcing service for improving road safety in cities. CrowdOut allows users to report traffic offence they witness in real time and to map them on a city plan. CrowdOut service has been implemented and experiments and demonstrations have been performed in the urban environment of the Grand Nancy, in France. This service allows users appropriating their urban environment with an active participation regarding the collectivity. This service also represents a tool for city administrators to help for decisions and improve their urbanization policy, or to check the impact of their policy in the city environment.

Outsourcing Mobile Security in the Cloud

In order to prevent attacks against smartphones and tablets, dedicated security applications are deployed on the mobile devices themselves. However, these applications may have a significant impact on the device resources. Users may be tempted to uninstall or disable them with the objective of increasing battery lifetime and avoiding configuration operations and updates. In this paper, we propose a new approach for outsourcing mobile security functions as cloud-based services. The outsourced functions are dynamically activated, configured and composed using software-defined networking and virtualization capabilities. We detail also preliminary results and point out future research efforts.

An Online Risk Management Strategy for VoIP Enterprise Infrastructures

Telephony over IP has been widely deployed, supported by the standardization of VoIP signalling and media transfer protocols. This deployment has also led to the emergence of several security threats, including attacks inherited from the IP layer and attacks specific to the application layer. A large variety of security mechanisms has been proposed for addressing them, but these mechanisms may seriously degrade such a critical service. We propose in this paper an online risk management strategy for protecting VoIP infrastructures. The objective is to minimize the network exposure to security attacks while maintaining the quality of service, through the dynamic application of countermeasures. We describe our approach from the formalization of a dedicated risk model to its proof-of-concept implementation into an Asterisk VoIP server. We detail a portfolio of countermeasures and evaluate the performance of our solution with respect to different criteria, including the number of countermeasures, the risk threshold and the size of attack signatures.

Increasing Android Security Using a Lightweight OVAL-Based Vulnerability Assessment Framework

Mobile computing devices and the services offered by them are utilized by millions of users on a daily basis. However, they operate in hostile environments getting exposed to a wide variety of threats. Accordingly, vulnerability management mechanisms are highly required. We present in this paper a novel approach for increasing the security of mobile devices by efficiently detecting vulnerable configurations. In that context, we propose a modeling for performing vulnerability assessment activities as well as an OVAL-based distributed framework for ensuring safe configurations within the Android platform. We also describe an implementation prototype and evaluate its performance through an extensive set of experiments.

Oko: Extending Open vSwitch with Stateful Filters

With the Software-Defined Networking paradigm, software switches emerged as the new edge of datacenter networks. The widely adopted Open vSwitch implements the OpenFlow forwarding model; its simple match-action abstraction eases network management, while providing enough flexibility to define complex forwarding pipelines. OpenFlow, however, cannot express the many packets processing algorithms required for traffic measurement, network security, or congestion diagnosis, as it lacks a persistent state and basic arithmetic and logic operations. This paper presents Oko, an extension of Open vSwitch that enables runtime integration of stateful filtering and monitoring functionalities based on Berkeley Packet Filter (BPF) programs into the OpenFlow pipeline. BPF programs attached to OpenFlow rules act as intelligent filters over packets, while leaving the packets unmodified. This approach enables the transparent extension of Open vSwitchs flow caching architecture, retaining its high-performance benefits. Furthermore, the use of BPF allows for safe runtime extension and prevention of switch failures due to faulty programs. We compare our implementation based on Open vSwitch-DPDK to existing approaches with comparable isolation properties and measure a near 2x improvement of performance.

Server-side performance evaluation of NDN

NDN is a promising protocol that can help to reduce congestion at Internet scale by putting content at the center of communications instead of hosts, and by providing each node with a caching capability. NDN can also natively authenticate transmitted content with a mechanism similar to website certificates that allows clients to assess the original provider. But this security feature comes at a high cost, as it relies heavily on asymmetric cryptography which affects server performance when NDN Data are generated. This is particularly critical for many services dealing with real-time data (VOIP, live streaming, etc.), but current tools are not adapted for a realistic server-side performance evaluation of NDN traffic generation when digital signature is used. We propose a new tool, NDNperf, to perform this evaluation and show that creating NDN packets is a major bottleneck of application performances. On our testbed, 14 server cores only generate ~400 Mbps of new NDN Data with default packet settings. We propose and evaluate practical solutions to improve the performance of server-side NDN Data generation leading to significant gains.

Leveraging countermeasures as a service for VoIP security in the cloud

SUMMARY n n nThe emergence of cloud computing is contributing to the integration of multiple services, in particular VoIP services. While the cloud has recently been used for performing security attacks targeting IP telephony, it also provides new opportunities for supporting the security of this service. In that context, we propose a risk management strategy for VoIP cloud based on security countermeasures that may be outsourced as services. We present the architecture of our solution and its components in the context of services implementing the SIP protocol. We describe the mathematical modelling supporting our approach and detail different treatment strategies for the application of countermeasures. Finally, we quantify the benefits and limits of these strategies based on extensive simulation results. When a countermeasure fails, these strategies allow us to maintain the risk level low at an additional cost of up to 7%, or to accept an additional risk of up to 12%. They can also be combined to obtain a trade-off between cost and performance. Copyright

PIT matching from unregistered remote faces: a critical NDN vulnerability

In this work, we describe two attack scenarios exploiting a NDN vulnerability based on the fact that malicious nodes can send unexpected Data that can consume legitimate PIT entries, thus badly affecting NDN communications. We also propose two ways to prevent it. Both attacks and remediation strategies will be demonstrated at the conference.

Evaluation of the anonymous I2P network's design choices against performance and security

Anonymous communications are growing extremely fast because more and more Internet users employ anony mous systems, such as the I2P or Tor networks, as a way to hide their online activity. Therefore, these networks have been more and more studied, mainly from a security point of view. Different studies have shown important design flaws in these systems that could break users anonymity and how these issues can be overcome, but the resilience of the underlying information systems has not been much investigated so far. Indeed, these anonymous systems rely entirely on directories, either centralised or decentralised, to store vital network information. In this paper, we consider the I2P anonymous system and its decentralised directory, known as the netDB, where our contributions are twofold. On the one hand, we conduct arguably the first churn study of the I2P network, showing that I2P users are more stable than non-anonymous peer-to-peer users. On the other hand, we analyse the design of the netDB and compare it against the popular KAD design, demonstrating that the former is more vulnerable to different attacks, specially to Eclipse attacks, which can be mitigated by applying design choices of the latter. We lately show the positive impact on performances of including KADs DHT configuration into the netDB in terms of bandwidth, storage and messages overhead.