Zhendong Ma
Austrian Institute of Technology
Publication
Featured research published by Zhendong Ma.
IEEE Communications Magazine | 2008
Panagiotis Papadimitratos; Levente Buttyán; Tamás Holczer; Elmer Schoch; Julien Freudiger; Maxim Raya; Zhendong Ma; Frank Kargl; Antonio Kung; Jean-Pierre Hubaux
Significant developments have taken place over the past few years in the area of vehicular communication systems. Now, it is well understood in the community that security and protection of private user information are a prerequisite for the deployment of the technology. This is so precisely because the benefits of VC systems, with the mission to enhance transportation safety and efficiency, are at stake. Without the integration of strong and practical security and privacy enhancing mechanisms, VC systems can be disrupted or disabled, even by relatively unsophisticated attackers. We address this problem within the SeVeCom project, having developed a security architecture that provides a comprehensive and practical solution. We present our results in a set of two articles in this issue. In this first one, we analyze threats and types of adversaries, identify security and privacy requirements, and present a spectrum of mechanisms to secure VC systems. We provide a solution that can be quickly adopted and deployed. In the second article we present our progress toward the implementation of our architecture and results on the performance of the secure VC system, along with a discussion of upcoming research challenges and our related current results.
wireless on demand network systems and service | 2010
Björn Wiedersheim; Zhendong Ma; Frank Kargl; Panos Papadimitratos
Inter-vehicle communication (IVC) systems disclose rich location information about vehicles. State-of-the-art security architectures are aware of the problem and provide privacy enhancing mechanisms, notably pseudonymous authentication. However, the granularity and the amount of location information IVC protocols divulge, enable an adversary that eavesdrops all traffic throughout an area, to reconstruct long traces of the whereabouts of the majority of vehicles within the same area. Our analysis in this paper confirms the existence of this kind of threat. As a result, it is questionable if strong location privacy is achievable in IVC systems against a powerful adversary.
computational science and engineering | 2009
Florian Schaub; Zhendong Ma; Frank Kargl
A primary goal of vehicular communication systems is the enhancement of traffic safety by equipping vehicles with wireless communication units to facilitate cooperative awareness. Privacy issues arise from the frequent broadcasting of real-time positioning information. Thus privacy protection becomes a key factor for enabling widespread deployment. At the same time, stakeholders demand accountability due to the safety-critical nature of many applications. Earlier works on privacy requirements for vehicular networks often discussed them as a part of security. Therefore many aspects of privacy requirements have been overlooked. In this paper, we identify a structured and comprehensive set of privacy-related requirements for vehicular communication systems, and analyze the complex inter-relations among them. Our results enable system designers to better understand privacy issues in vehicular networks and properly address privacy requirements during the system design process. We further show that our requirements set facilitates the comparison and evaluation of different privacy approaches for vehicular communication systems.
wireless communications and networking conference | 2010
Florian Schaub; Frank Kargl; Zhendong Ma; Michael Weber
Privacy is an important requirement in vehicle networks, because vehicles broadcast detailed location information. Also of importance is accountability due to safety critical applications. Conditional pseudonymity, i.e., usage of resolvable pseudonyms, is a common approach to address both. Often, resolvability of pseudonyms is achieved by authorities maintaining pseudonym-identity mappings. However, these mappings are privacy sensitive and require strong protection to prevent abuse or leakage. We present a new approach that does not rely on pseudonym-identity mappings to be stored by any party. Resolution information is directly embedded in pseudonyms and can only be accessed when multiple authorities cooperate. Our privacy-preserving pseudonym issuance protocol ensures that pseudonyms contain valid resolution information but prevents issuing authorities from creating pseudonym-identity mappings.
vehicular technology conference | 2008
Zhendong Ma; Frank Kargl; Michael Weber
Pseudonyms are pseudonymous certificates, which are regarded as a silver bullet to meet the security and privacy requirements of vehicular communications. Most works so far assume that pseudonyms are readily available when they are needed. In this paper, we identify and compare two strategies to refill pseudonyms. We then propose the pseudonym-on-demand scheme, which is an implementation of one of the strategies. We show that our approach supports the functionalities of pseudonyms in terms of secure and privacy-preserved vehicular communications. Furthermore, our proposed scheme serves as a platform, into which many features to enhance security and privacy can be integrated.
ieee sarnoff symposium | 2009
Zhendong Ma; Frank Kargl; Michael Weber
The emerging vehicle-to-vehicle/vehicle-to-infrastructure (V2X) communication systems enable a new way of collaboration among the vehicles, the operators of transportation systems, and the service providers. However, many functionalities of V2X systems rely on detailed location information. This raises concerns on location privacy of the users of such systems. Although privacy protection mechanisms have been developed, existing privacy metrics are inappropriate or insufficient to reflect the true underlying privacy values in such systems. Without a proper metric, preserving location privacy in V2X communication systems becomes difficult due to the lack of a benchmark to evaluate any given protection mechanisms. In this paper, we develop a quantitative metric to measure and quantify location privacy in V2X systems. To do so, we introduce the concept of snapshots, which capture the information related to a user in a given space and time. Then the level of location privacy is quantified as the uncertainty of the information related to that user. Our analyses show that the metric provides the users, the system designers, and other stakeholders a valuable tool to evaluate the risk and measure the level of location privacy in V2X communication systems.
conference on privacy security and trust | 2015
Dorottya Papp; Zhendong Ma; Levente Buttyán
Embedded systems are the driving force for technological development in many domains such as automotive, healthcare, and industrial control in the emerging post-PC era. As more and more computational and networked devices are integrated into all aspects of our lives in a pervasive and “invisible” way, security becomes critical for the dependability of all smart or intelligent systems built upon these embedded systems. In this paper, we conduct a systematic review of the existing threats and vulnerabilities in embedded systems based on publicly available data. Moreover, based on the information, we derive an attack taxonomy for embedded systems. We envision that the findings in this paper provide a valuable insight of the threat landscape facing embedded systems. The knowledge can be used for a better understanding and the identification of security risks in system analysis and design.
mobile adhoc and sensor systems | 2009
Zhendong Ma; Frank Kargl; Michael Weber
Vehicle-to-vehicle/vehicle-to-infrastructure (V2X) communication systems are envisioned to greatly improve road safety, traffic efficiency, and driver convenience. However, many V2X applications rely on continuous and detailed location information, which raises location privacy concerns. A multitude of privacy-protection mechanisms have been proposed in recent years. However, few efforts have been made to develop privacy metrics, which can provide a rigorous way to assess the privacy risk, evaluate the effectiveness of a given mechanism, and exploit the full possibilities of protection methods in V2X systems. Therefore, in this paper we present a trip-based location privacy metric for measuring user location privacy in V2X systems. The most distinguishable aspect of the metric is to take into account the accumulated information, which is the privacy-related information acquired by an adversary for an extended period of time, e.g., days or weeks. We develop methods to model and process the accumulated information, and reflect the impact on the privacy level in the metric. We further prove the viability and correctness of the metric by various case studies. Our simulations find out that under certain conditions, accumulated information can significantly decrease the level of user location privacy. The metric and our findings in this paper give some valuable insights into location privacy, which can contribute to the development of effective privacy-protection mechanisms for the users of V2X systems.
availability, reliability and security | 2011
Zhendong Ma; Jurgen Manglery; Christian Wagner; Thomas Bleier
Web services are loosely coupled Web-enabled applications that can be dynamically invoked to facilitate business interactions through well-defined interfaces over the Internet. However, since personal data will be exchanged between nested Web services, the question of how to preserve a user's data privacy becomes a challenging issue. In this paper we aim to minimize personal data disclosure in service composition that consists of several nested Web services. To do so, we propose a practical, scalable and light-weight privacy-enhanced design that uses a privacy proxy to achieve data privacy. We furthermore show that by utilizing the privacy proxy in combination with advertising its capabilities and requirements as service level agreements (SLAs), it is possible to enhance data privacy in existing service infrastructure in a minimally invasive manner.
availability, reliability and security | 2017
Dorottya Papp; Levente Buttyán; Zhendong Ma
A program exhibits trigger-based behavior if it performs undocumented, often malicious, functions when the environmental conditions and/or specific input values match some pre-specified criteria. Checking whether such hidden functions exist in the program is important for increasing trustworthiness of software. In this paper, we propose a framework to effectively detect trigger-based behavior at the source code level. Our approach is semi-automated: We use automated source code instrumentation and mixed concrete and symbolic execution to generate potentially suspicious test cases that may trigger hidden, potentially malicious functions. The test cases must be investigated by a human analyst manually to decide which of them are real triggers. While our approach is not fully automated, it greatly reduces manual work by allowing analysts to focus on a few test cases found by our automated tools.