Yu-an Tan

DPPDL: A Dynamic Partial-Parallel Data Layout for Green Video Surveillance Storage

Video surveillance requires storing massive amounts of video data, which results in the rapid increasing of storage energy consumption. With the popularization of video surveillance, green storage for video surveillance is very attractive. The existing energy-saving methods for massive storage mostly concentrate on the data centers, mainly with random access, whereas the storage of video surveillance has inherent workload characteristics and access pattern, which can be fully exploited to save more energy. A dynamic partial-parallel data layout (DPPDL) is proposed for green video surveillance storage. It adopts a dynamic partial-parallel strategy, which dynamically allocates the storage space with an appropriate degree of partial parallelism according to performance requirement. Partial parallelism benefits energy conservation by scheduling only partial disks to work; a dynamic degree of parallelism can provide appropriate performances for various intensity workloads. DPPDL is evaluated by a simulated video surveillance consisting of 60–300 cameras with

A round-optimal lattice-based blind signature scheme for cloud services

1920 \times 1080

Determining image base of firmware for ARM devices by matching literal pools

pixels. The experiment shows that DPPDL is most energy efficient, while tolerating single disk failure and providing more than 20% performance margin. On average, it saves 7%, 19%, 31%, 36%, 56%, and 59% more energy than a CacheRAID, Semi-RAID, Hibernator, MAID, eRAID5, and PARAID, respectively.

A methodology for determining the image base of ARM-based industrial control system firmware

To process rapidly growing Big Data, many organizations migrate their data and services such as e-voting and e-payment systems to the cloud. In these two systems, blind signature has become an essential cryptographic primitive since it allows the signer to sign a message without learning what he signs. Thus, it can guarantee trustworthy of Big Data. However, most blind signature schemes based on factoring and discrete logarithm problems cannot resist quantum computer attacks. The alternative blind signature schemes are based on lattice. Here, we present a round-optimal lattice-based blind signature scheme constructed on the closest vector problem using infinity norm. Firstly, our scheme is proven blind and one-more unforgeable, and is resistant to brute-force attacks, theoretical-timing attacks, and NguyenRegev attacks. Secondly, our scheme outperforms the RSA, the Schnorr, and the ECC blind signature schemes in terms of efficiency and security. Also, it outperforms the Rckerts blind signature in terms of signature length, moves, and security. Finally, our scheme outperforms the Rckerts blind signature in terms of communication and computation energy costs. Additionally, it outperforms the RSA blind signature in terms of communication energy cost. We propose a novel CVP blind signature scheme based on lattice, which can guarantee trustworthy of Big Data.Our scheme can resist brute-force attacks, theoretical-timing attacks, and NguyenRegev attacks.Our scheme can offer statistical blindness and one-more unforgeability.Our round-optimal scheme outperforms the RSA, the Schnorr, and the ECC blind signature schemes in terms of efficiency and security.Our scheme outperforms the Rckerts lattice-based blind signature scheme in terms of signature length, moves, security, and energy cost.

Cryptographic key protection against FROST for mobile devices

Abstract In the field of reverse engineering, the correct image base of firmware has very important significance for the reverse engineers to understand the firmware by building accurate cross references. Furthermore, patching firmware needs to insert some instructions that references absolute addresses depending on the correct image base. However, for a large number of embedded system firmwares, the format is nonstandard and the image base is unknown. In this paper, we present a two-step method to determine the image base of firmwares for ARM-based devices. First, based on the storage characteristic of string in the firmware files and the encoding feature of literal pools that contain string addresses, we propose an algorithm called FIND-LP to recognize all possible literal pools in firmware. Second, we propose an algorithm called Determining image Base by Matching Literal Pools (DBMLP) to determine the image base. DBMLP can obtain the relationship between absolute addresses of strings and their corresponding offsets in a firmware file, thereby a candidate list for image base value is obtained. If the number of matched literal pools corresponding to a certain candidate image base is far greater than the others, this candidate is considered as the correct image base of the firmware. The experimental result indicates that the proposed method can effectively determine image base for a lot of firmwares that use the literal pools to store the string addresses.

A root privilege management scheme with revocable authorization for Android devices

Abstract A common way to evaluate the security of an industrial control system is to reverse engineer its firmware; this is typically performed when the source code of the device is not available and the firmware is not trusted. However, many industrial control systems are based on the ARM architecture for which the firmware format is always unknown. Therefore, it is difficult to obtain the image base of firmware directly, which significantly complicates reverse engineering efforts. This paper describes a methodology for automatically determining the image base of firmware of ARM-based industrial control systems. Two algorithms, FIND-String and FIND-LDR, are presented that obtain the offsets of strings in firmware and the string addresses loaded by LDR instructions, respectively. Additionally, the DBMSSL algorithm is presented that uses the outputs of the FIND-String and FIND-LDR algorithms to determine the image base of firmware. Experiments are performed with 10 samples of industrial control system firmware collected from the Internet. The experimental results demonstrate that the proposed methodology is effective at determining the image bases of the majority of the firmware samples.

RootAgency: A digital signature-based root privilege management agency for cloud terminal devices

With the flourish of applications based on the internet of things and cloud computing, privacy issues have been attracting a lot of attentions. Although the increasing use of full disk encryption (FDE) significantly hamper privacy leakage and digital forensics, cold boot attacks have thwarted FDE since forensic recovery of scrambled telephones (FROST), a forensic tool, is proposed. The cryptographic keys which are stored in the mobile devices are inclined to be obtained by FROST. Recent research results have shown CPU-bound encryption methods to resist FROST. However, these methods performs AES encryption solely on CPU registers, whose advantage comes at the cost of encryption speed. This paper, therefore, presents a cryptographic key protection scheme for android devices which prevents FROST from acquiring the key of AES by changing storage location of the key in memory. The storage location of the key is switched to the fixed position where command line parameters will be stored when android boots. Therefore, the key will be covered by command line parameters while the system reboots, which negates FROST from obtaining the key. Compared with the popular CPU-bound encryption methods, our method has less impact on encryption efficiency and employs no additional storage resources.

An optimized data hiding scheme for Deflate codes

Abstract As a critical part in mobile cloud computing, the vulnerability of Android devices can directly affect the security of the mobile cloud. The unsecured Android can be potentially exploited by malwares to obtain the root privilege. Root privilege misuse is the critical issue for Android security, which breaks the integrity of Android security and rises the risk of permission escalation from malwares. The existing solutions still fail to balance the trade-off between the users desires on using root privilege and the Android security, which lays risks in leading to the root privilege misuse. To address this issue, a root privilege management scheme named Root Privilege Manager (RPM) is proposed, which adopts the root privilege access control to guarantee the exclusive root access opportunity of the authenticated apps. RPM verifies the authorization and integrity of root requesting apps based on the extracted authorization files during app installation, and then root access management controls the granting of root privilege based on the authenticated results. In this way, the end users are free from the embarrassment of appropriate decision-making while confront root access management. The prototype of RPM is implemented to evaluate its effectiveness, efficiency and performance. The experiments show RPM can effectively control the granting of root privilege and the time consumption in root access management is increased by 0.21%–0.94% respectively compared with the user management.

Cross-cluster asymmetric group key agreement for wireless sensor networks

Abstract Rooting an Android device can be a voluntary behavior from end users with various motivations, such as removing OEM pre-installed apps. This leads to an increase in opportunity of privilege escalation for malwares. The existing root privilege management schemes rely on the end users to make privilege granting decisions for all legal and illegal apps installed on the device. However, unskilled end users are incapable, or are careless in determining which privileges are appropriate for what type of app. To address this issue, a root privilege management agency named RootAgency is proposed, which adopts a digital signature scheme to guarantee the exclusive root-privilege-granting opportunities of authenticated apps. RootAgency authenticates an app by checking whether it holds the signature generated by the secret key, and grants the root privilege when a signed app submits the request. Moreover, it verifies the app’s integrity to prevent it from repackaging. Thus, the users are not involved in decision making while confronting root requests. The proposed scheme ensures the security of rooted Android devices, and enhances the security of mobile terminal devices. This diminishes the threat to cloud infrastructure from root-misused Android devices. In addition, a prototype is implemented to evaluate its effectiveness, efficiency, and overhead. The experimental results show that RootAgency is widely compatible and its performance overhead is reasonable.

Building covert timing channels by packet rearrangement over mobile networks

Compression file is a common form of carriers in network data transmission; therefore, it is essential to investigate the data hiding schemes for compression files. The existing data hiding schemes embed secret bits by shrinking the length of symbols, while they are not secure enough since the shrinking of symbol length is easily detected. First, we propose a longest match detecting algorithm that can detect the data hiding behavior of shrinking the length of symbols, by checking whether items of the generated dictionary are longest matches or not. Then, we propose a secret data hiding scheme based on Deflate codes, which reversibly embeds secret data by altering the matching process, to choose the proper matching result that the least significant bit of length field in [distance, length] pair is equal to the current embedded secret bit. The proposed data hiding scheme can resist on the longest match detection, and the embedding rate is higher than DH-LZW algorithm. The experiment shows that the proposed scheme achieves 5.12% of embedding rate and 10.18% size increase in the compressed file. Moreover, an optimization is made in providing practical suggestion for DH-Deflate data hiding. One can choose which format and size of files are to be selected based upon the optimization, and thus, data hiding work can be achieved in a convenient and targeted way.