Qi Alfred Chen

Discovering fine-grained RRC state dynamics and performance impacts in cellular networks

To conserve power while ensuring good performance on resource-constrained mobile devices, devices transition between different Radio Resource Control (RRC) states in response to network traffic and according to parameters specific to network operators. As RRC states significantly affect application power consumption and performance, it is important to understand how RRC state timers interact with network traffic patterns. In this paper, we show that the impact of RRC states on performance is significantly more complex and diverse than found in previous work. To do so, we introduce an open-source tool that allows the impact of RRC states on network and application performance to be measured in a robust and accurate manner on unmodified user devices, and deploy the tool in 23 countries around the world to test a broad range of cellular network technologies. We detect previously unknown performance problems which increase network latencies by up to several seconds and for LTE, can increase packet losses by an order of magnitude. Through an in-depth cross-layer analysis of several carriers, we examine the lower-layer causes of these problems. We determine that the highly complex state transitions of certain carriers, and in particular poor interactions between state demotions and network traffic, can lead to substantial, unexpected latencies.

Android UI Deception Revisited: Attacks and Defenses

App-based deception attacks are increasingly a problem on mobile devices and they are used to steal passwords, credit card numbers, text messages, etc. Current versions of Android are susceptible to these attacks. Recently, Bianchi et al. proposed a novel solution “What the App is That” that included a host-based system to identify apps to users via a security indicator and help assure them that their input goes to the identified apps [7]. Unfortunately, we found that the solution has a significant side channel vulnerability as well as susceptibility to clickjacking that allow non-privileged malware to completely compromise the defenses, and successfully steal passwords or other keyboard input. We discuss the vulnerabilities found, propose possible defenses, and then evaluate the defenses against different types of UI deception attacks.

Understanding On-device Bufferbloat for Cellular Upload

Despite the extensive characterization of the growth of cellular network traffic, we observe two important trends not yet thoroughly investigated. First, fueled by the LTE technology and applications involving wearable devices and device-to-device (D2D) communication, device upload traffic is increasingly popular. Second, the multi-tasking and multi-window features of modern mobile devices allow many concurrent TCP connections, resulting in potentially complex interactions. Motivated by these new observations, we conduct to our knowledge the first comprehensive characterization of cellular upload traffic and investigate its interaction with other concurrent traffic. In particular, we reveal rather poor performance associated with applications running concurrently with cellular upload traffic, due to excessive on-device buffering (i.e., on-device bufferbloat). This leads to significant performance degradation on real mobile applications, eg.,66% of download throughput degradation and more than doubling of page load times. We further systematically study a wide range of solutions for mitigating on-device bufferbloat, and provide concrete recommendations by proposing a system called QCUT to control the firmware buffer occupancy from the OS kernel.

Performance Characterization and Call Reliability Diagnosis Support for Voice over LTE

To understand VoLTE performance in a commercial deployment, in this paper we conduct the first comprehensive performance characterization of commercially deployed VoLTE, and compare with legacy call and over-the-top (OTT) VoIP call. We confirm that VoLTE excels in most metrics such as audio quality, but its call reliability still lags behind legacy call for all the three major U.S. operators. We propose an on-device VoLTE problem detection tool, which can capture new types of problems concerning audio quality with high accuracy and minimum overhead, and perform stress testing on VoLTE calls reliability. We discover 3 instances of problems in the early deployment of VoLTE lying in the protocol design and implementation. Although the identified problems are all concerned with the immature LTE coverage in the current deployment, we find that they can cause serious impairment on user experience and are urgent to be solved in the developing stage. For example, one such instance can lead to up to 50-second-long muting problem during a VoLTE call! We perform in-depth cross-layer analysis and find that the causes are rooted in the lack of coordination among protocols designed for different purposes, and invalid assumptions made by protocols used in existing infrastructure when integrated with VoLTE. We summarize learnt lessons and suggest solutions.

Understanding RRC state dynamics through client measurements with mobilyzer

Understanding how network and application behavior patterns impact client performance on mobile devices is a difficult yet important problem to solve. Often, we are most interested in the performance experienced by end users, but accurately and effectively measuring performance on uncontrolled mobile devices in the wild continues to be a challenging problem. In this paper, we have developed a tool to allow us to more accurately characterize RRC states using client-based measurements. To do so, we have made use of and contributed to an open-source framework called Mobilyzer, which facilitates collecting complex network measurements on client devices without impacting the user. We have deployed our tool on unmodified devices in 23 countries worldwide to directly measure the impact of RRC state machine configurations on individual packets and network protocols. Demonstrating the value of client-based measurements, our large-scale measurement study allowed us to uncover previously unknown performance problems that can increase network latency by several seconds and increase packet losses by an order of magnitude.

Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications

Open ports are typically used by server software to serve remote clients, and the usage historically leads to remote exploitation due to insufficient protection. Smartphone operating systems inherit the open port support, but since they are significantly different from traditional server machines in performance and availability guarantees, little is known about how smartphone applications use open ports and what the security implications are. In this paper, we perform the first systematic study of open port usage on mobile platform and their security implications. To achieve this goal, we design and implement OPAnalyzer, a static analysis tool which can effectively identify and characterize vulnerable open port usage in Android applications. Using OPAnalyzer, we perform extensive usage and vulnerability analysis on a dataset with over 100K Android applications. OPAnalyzer successfully classifies 99% of the mobile usage of open ports into 5 distinct families, and from the output, we are able to identify several mobile-specific usage scenarios such as data sharing in physical proximity. In our subsequent vulnerability analysis, we find that nearly half of the usage is unprotected and can be directly exploited remotely. From the identified vulnerable usage, we discover 410 vulnerable applications with 956 potential exploits in total. We manually confirmed the vulnerabilities for 57 applications, including popular ones with 10 to 50 million downloads on the official market, and also an app that is pre-installed on some device models. These vulnerabilities can be exploited to cause highly-severe damage such as remotely stealing contacts, photos, and even security credentials, and also performing sensitive actions such as malware installation and malicious code execution. We have reported these vulnerabilities and already got acknowledged by the application developers for some of them. We also propose countermeasures and improved practices for each usage scenario.

Efficient route guidance in vehicular wireless networks

With the rapid proliferation of Wi-Fi technologies in recent years, it has become possible to utilize the vehicular wireless network to assist the route guidance for drivers in a cooperative approach, aiming to mitigating heavy traffic congestion. In this paper, we investigate into the route guidance problem in vehicular wireless network, and then propose two efficient routing algorithms, i.e., centralized route guidance and distributed route guidance, according to different situations. A hybrid framework is then proposed to provide optimized routing decisions in a uniform way. Simulation results in Simulation of Urban MObility (SUMO) indicate that, our route guidance schemes achieve much better performance than traditional GPS-based navigation and randomized routing.

No One In The Middle: Enabling Network Access Control Via Transparent Attribution

Commodity small networks typically rely on NAT as a perimeter defense, but are susceptible to a variety of well-known intra-network attacks, such as ARP spoofing. With the increased prevalence of oft-compromised Internet-of-Things (IoT) devices now taking up residence in homes and small businesses, the potential for abuse has never been higher. In this work, we present a novel mechanism for strongly attributing local network traffic to its originating principal, fully-compatible with existing legacy devices. We eliminate Man-in-the-Middle attacks at both the link and service discovery layers, and enable users to identify and block malicious devices from direct attacks against other endpoints. Despite the prevalence of prior work with similar goals, previous solutions have either been unsuited to non-Enterprise environments or have broken compatibility with existing network devices and therefore failed to be adopted. Our prototype imposes negligible performance overhead, runs on an inexpensive commodity router, and retains full compatibility with modern and legacy devices.

Vulnerability of Traffic Control System Under Cyberattacks with Falsified Data

Existing traffic control systems are mostly deployed in private wired networks. With the development of wireless technology, vehicles and infrastructure devices will be connected through wireless communications, which might open a new door for cyberattackers. It is still not clear what types of cyberattacks can be performed through infrastructure-to-infrastructure and vehicle-to-infrastructure communications, whether such attacks can introduce critical failure to the system, and what the impacts are of cyberattacks on traffic operations. This paper investigates the vulnerability of traffic control systems in a connected environment. Four typical elements, including signal controllers, vehicle detectors, roadside units, and onboard units, are identified as the attack surfaces. The paper mainly focuses on attacking actuated and adaptive signal control systems by sending falsified data, which is considered as an indirect but realistic attack approach. The objective of an attacker is to maximize system delay with constraints such as budget and attack intensity. Empirical results show that different attack scenarios result in significant differences in delay, and some ineffective attacks may even improve the system performance. Simulation results from a real-world corridor show that critical intersections, which have a higher impact on network performance, can be identified by analyzing the attack locations. Identification of such intersections can be helpful in designing a more resilient transportation network.

Towards secure and safe appified automated vehicles

The advancement in Autonomous Vehicles (AVs) has created an enormous market for the development of self-driving functionalities, raising the question of how it will transform the traditional vehicle development process. One adventurous proposal is to open the AV platform to third-party developers, so that AV functionalities can be developed in a crowd-sourcing way, which could provide tangible benefits to both automakers and end users. Some pioneering companies in the automotive industry have made the move to open the platform so that developers are allowed to test their code on the road. Such openness, however, brings serious security and safety issues by allowing untrusted code to run on the vehicle. In this paper, we introduce the concept of an Appified AV platform that opens the development framework to third-party developers. To further address the safety challenges, we propose an enhanced appified AV design schema called AVGUARD, which focuses primarily on mitigating the threats brought about by untrusted code, leveraging theory in the vehicle evaluation field, and conducting program analysis techniques in the cyber security area. Our study provides guidelines and suggested practice for the future design of open AV platforms.