Ragib Hasan
University of Alabama at Birmingham
Publication
Featured research published by Ragib Hasan.
workshop on storage security and survivability | 2007
Ragib Hasan; Radu Sion; Marianne Winslett
Data provenance summarizes the history of the ownership of the item, as well as the actions performed on it. While widely used in archives, art, and archeology, provenance is also very important in forensics, scientific computing, and legal proceedings involving data. Significant research has been conducted in this area, yet the security and privacy issues of provenance have not been explored. In this position paper, we define the secure provenance problem and argue that it is of vital importance in numerous applications. We then discuss a select few of the issues related to ensuring the privacy and integrity of provenance information.
ACM Transactions on Storage | 2009
Ragib Hasan; Radu Sion; Marianne Winslett
As increasing amounts of valuable information are produced and persist digitally, the ability to determine the origin of data becomes important. In science, medicine, commerce, and government, data provenance tracking is essential for rights protection, regulatory compliance, management of intelligence and medical data, and authentication of information as it flows through workplace tasks. While significant research has been conducted in this area, the associated security and privacy issues have not been explored, leaving provenance information vulnerable to illicit alteration as it passes through untrusted environments. In this article, we show how to provide strong integrity and confidentiality assurances for data provenance information at the kernel, file system, or application layer. We describe Sprov, our provenance-aware system prototype that implements provenance tracking of data writes at the application layer, which makes Sprov extremely easy to deploy. We present empirical results that show that, for real-life workloads, the runtime overhead of Sprov for recording provenance with confidentiality and integrity guarantees ranges from 1% to 13%, when all file modifications are recorded, and from 12% to 16%, when all file read and modifications are tracked.
international conference on information technology coding and computing | 2005
Ragib Hasan; Zahid Anwar; William Yurcik; Larry Brumbaugh; Roy H. Campbell
The popularity of distributed file systems continues to grow. Reasons they are preferred over traditional centralized file systems include fault tolerance, availability, scalability and performance. In addition, peer-to-peer (P2P) system concepts and scalable functions are being incorporated into the domain of file systems. This survey paper explores the design paradigms and important issues that relate to such systems and discusses the various research activities in the field of distributed peer-to-peer file systems.
world congress on services | 2015
Md. Mahmud Hossain; Maziar Fotouhi; Ragib Hasan
The Internet of Things (IoT) devices have become popular in diverse domains such as e-Health, e-Home, e-Commerce, and e-Trafficking, etc. With increased deployment of IoT devices in the real world, they can be, and in some cases, already are subject to malicious attacks to compromise the security and privacy of the IoT devices. While a number of researchers have explored such security challenges and open problems in IoT, there is an unfortunate lack of a systematic study of the security challenges in the IoT landscape. In this paper, we aim at bridging this gap by conducting a thorough analysis of IoT security challenges and problems. We present a detailed analysis of IoT attack surfaces, threat models, security issues, requirements, forensics, and challenges. We also provide a set of open problems in IoT security and privacy to guide the attention of researchers into solving the most critical problems.
workshop on storage security and survivability | 2005
Ragib Hasan; Suvda Myagmar; Adam J. Lee; William Yurcik
The growing number of storage security breaches as well as the need to adhere to government regulations is driving the need for greater storage protection. However, there is the lack of a comprehensive process to designing storage protection solutions. Designing protection for storage systems is best done by utilizing proactive system engineering rather than reacting with ad hoc countermeasures to the latest attack du jour. The purpose of threat modeling is to organize system threats and vulnerabilities into general classes to be addressed with known storage protection techniques. Although there has been prior work on threat modeling primarily for software applications, to our knowledge this is the first attempt at domain-specific threat modeling for storage systems. We discuss protection challenges unique to storage systems and propose two different processes to creating a threat model for storage systems: one based on classical security principles (Confidentiality, Integrity, Availability, Authentication, or CIAA) and another based on the Data Lifecycle Model. It is our hope that this initial work will start a discussion on how to better design and implement storage protection solutions against storage threats.
ieee pes power systems conference and exposition | 2009
Ragib Hasan; Rakesh B. Bobba; Himanshu Khurana
One of the missions of the North American SynchroPhasor Initiative (NASPI) is to create a robust, widely available and secure synchronized data measurement infrastructure, dubbed NASPInet, that will improve reliability of the power grid. Phasor Measurement Unit (PMU), a GPS clock synchronized measurement device capable of measuring the current and voltage phasors in the power grid, is the main measurement device that NASPInet envisions to support. While the dataflow, latency and to some extent security requirements for individual PMU applications that depend on the measurement infrastructure have been characterized, this work undertakes the challenge of characterizing the collective dataflow, latency and security requirements of the measurement infrastructure when using different network architectures and when multiple PMU applications simultaneously utilize NASPInet. For our analysis we focus on a case study where we model a scalable scenario in NASPInet for a part of the North American Power Grid, the western interconnect, using Network Simulator v2 (NS-2).
workshop on storage security and survivability | 2006
Ragib Hasan; William Yurcik
Many storage security breaches have recently been reported in the mass media as the direct result of new breach disclosure state laws across the United States (unfortunately, not internationally). In this paper, we provide an empirical analysis of disclosed storage security breaches for the period of 2005-2006. By processing raw data from the best available sources, we seek to understand the what, who, how, where, and when questions about storage security breaches so that others can build upon this evidence when developing best practices for preventing and mitigating storage breaches. While some policy formulation has already started in reaction to media reports (many without empirical analysis), this work provides initial empirical analysis upon which future empirical analysis and future policy decisions can be based.
computer and communications security | 2013
Ragib Hasan; Nitesh Saxena; Tzipora Halevi; Shams Zawoad; Dustin Rinehart
The proliferation of mobile computing devices has enabled immense opportunities for everyday users. At the same time, however, this has opened up new, and perhaps more severe, possibilities for attacks. In this paper, we explore a novel generation of mobile malware that exploits the rich variety of sensors available on current mobile devices. Two properties distinguish the proposed malware from the existing state-of-the-art. First, in addition to the misuse of the various traditional services available on modern mobile devices, this malware can be used for the purpose of targeted context-aware attacks. Second, this malware can be commanded and controlled over context-aware, out-of-band channels as opposed to a centralized infrastructure. These communication channels can be used to quickly reach out to a large number of infected devices, while offering a high degree of undetectability. In particular, unlike traditional network-based communication, the proposed sensing-enabled channels cannot be detected by monitoring the cellular or wireless communication networks. To demonstrate the feasibility of our proposed attack, we present different flavors of command and control channels based on acoustic, visual, magnetic and vibrational signaling. We further build and test a proof-of-concept Android application implementing many such channels.
international conference on cloud computing | 2014
Shahid Al Noor; Ragib Hasan; Munirul Haque
Cloud computing has become the dominant computing paradigm in recent years. As clouds evolved, researchers have explored the possibility of building clouds out of loosely associated mobile computing devices. However, most such efforts failed due to the lack of a proper incentive model for the mobile device owners. In this paper, we propose CellCloud - a practical mobile cloud architecture which can be easily deployed on existing cellular phone network infrastructure. It is based on a novel reputation-based economic incentive model in order to compensate the phone owners for the use of their phones as cloud computing nodes. CellCloud offers a practical model for performing cloud operations, with lower costs compared to a traditional cloud. We provide an elaborate analysis of the model with security and economic incentives as major focus. Along with a cost equation model, we discuss detailed results to prove the feasibility of our proposed model. Our simulation results show that CellCloud creates a win-win scenario for all three stakeholders (client, cloud provider, and mobile device owners) to ensure the formation of a successful mobile cloud architecture.
workshop on storage security and survivability | 2005
Ragib Hasan; William Yurcik; Suvda Myagmar
As enterprise storage needs grow, it is challenging to manage storage systems. The costs of locally managing, supporting, and maintaining resilience in storage systems have skyrocketed. Also, companies must comply with a growing number of federal and state legislations mandating secure handling of electronic information. In this context, outsourcing of storage to utility-model based service providers has emerged as a popular and often cost-effective option. However, this raises issues related to data safety and storage techniques. In this paper, we discuss the business model and evolution of service-oriented companies known as Storage Service Providers and examine the challenges organizations should consider when outsourcing their storage management. To our knowledge, this is the first work to study the SSP model from both technical and business viewpoints. Lastly, we present two case studies, one of a failed SSP and the other of a successful market leader.