talk – Chalmers Security Seminar

Adwait Nadkarni — Building Practical Security Systems for the Post-app Smart Home

Modern commodity computing platforms such as smartphones (e.g., Android and iOS) and smart home systems (e.g., SmartThings and NEST) provide programmable interfaces for third-party integration, enabling popular third-party functionality that is often manifested in applications, or apps. Thus, for the last decade, designing systems to analyze mobile apps for vulnerabilities or unwanted behavior has been a major research focus within the security community. Leveraging the lessons and techniques learned from mobile app analysis, researchers have developed similar systems to evaluate the security, safety, and privacy of smart homes by inspecting IoT apps developed for platforms such as SmartThings. However, emerging characteristics of smart home ecosystems indicate the need to move away from the approach of IoT app analysis, as IoT apps may not be representative of the home automation in real homes, and moreover, be unavailable for analysis or instrumentation in the near future. In this talk, I will describe the challenges for research in the backdrop of the unsuitability of IoT apps for practical security analysis, and motivate alternate research directions. First, I will motivate the need to develop an alternative to IoT apps that is representative of automation in the wild, in order to enable a practical artifact for building and evaluating security systems for smart homes. To this end, I will describe Helion, a system that leverages the "user-driven" nature of home automation to generate natural home automation scenarios, i.e., realistic event sequences that are closely aligned with the real home automation usage in end-user homes, which are then used for several critical tasks in building and evaluating security systems. Second, I will motivate the need to improve the state of security analysis of mobile companion apps, which often form the weakest link in IoT ecosystems, by systematically and rigorously evaluating the security analyses targeted at them. 
To this end, I will describe how mutation testing can be leveraged for empirically evaluating static program analysis-based security systems. Our research in this direction has led to two mutation frameworks, and the discovery of critical flaws in leading tools such as FlowDroid, CryptoGuard, Argus, and Coverity that affect the reliability and soundness of their analysis. Finally, I will conclude the talk by describing the lessons learned from our work, as well as by highlighting challenges and opportunities for future research in home automation security.

talk – Chalmers Security Seminar

Nachiappan Valliappan — Retrofitting Impure Languages with Static Information-Flow Control

How can we write secure programs in a pervasively effectful language? In a “pure” language, such as Haskell, effects performed by a program are recorded explicitly in its type. Thus, a function of type `Int -> Int` is just that: a function that receives an integer and returns an integer. It does not perform side effects such as writing to or reading from a channel. In an impure language, such as ML, however, a function of type `Int -> Int` may read, write, or even order a burrito. It’s impossible to assert that a function is secure from its type alone, since it may be performing invisible side effects that may leak a secret. For this reason, standard approaches to enforcing static Information-Flow Control (IFC)—be it fine-grained or coarse-grained—are not readily applicable to impure languages since they require a complete reimplementation of the compiler and significant ingenuity from the programmer to restructure programs to conform to the new enforcement paradigm. So should we all just switch to Haskell? While I would never discourage anybody from doing that, this talk is about developing the foundations for retrofitting impure languages with static IFC at a much lower cost. In a recent result, Choudhury and Krishnaswami [1] show how purity can be recovered in an impure language by using capabilities and a special “modal” type operator. In this informal talk, I’ll show how their observations, in combination with recent advances in formulating modal types, pave the way towards the goal of this work.

talk – Chalmers Security Seminar

Gerardo Schneider — Is Privacy by Construction Possible?

Finding suitable ways to handle personal data in conformance with the law is challenging. The European General Data Protection Regulation (GDPR), enforced since May 2018, makes it mandatory for citizens and companies to comply with the privacy requirements set in the regulation. For existing systems the challenge is to be able to show evidence that they are already complying with the GDPR, or otherwise to work towards compliance by modifying their systems and procedures, or alternatively reprogramming their systems in order to pass the eventual controls. For those starting new projects the advice is to take privacy into consideration from the very beginning, already at design time. This has been known as Privacy by Design (PbD). The main question is how much privacy can you effectively achieve by using PbD, and in particular whether it is possible to achieve Privacy by Construction. In this short non-technical talk I will give my personal opinion on issues related to the ambition of achieving Privacy by Construction.

talk – Chalmers Security Seminar

Deepak Garg — CoVault: Facilitating highly secure, high-stakes data analytics

The recent Covid-19 pandemic has shown that individuals’ whereabouts and social contact data can be very effective in understanding a new infectious disease in a timely manner. However, due to the privacy-sensitive nature of such data, liberal societies have hesitated to even collect such data. Part of the problem is the lack of technology for securely storing and querying such data in the presence of extremely strong adversaries (e.g., state-sponsored adversaries). This talk will present the design of CoVault, a work-in-progress system for securely storing and querying data under a very strong threat model that doesn’t place trust in any one entity or authority, and includes the complete compromise of all CPUs of a specific manufacturer, as well as many common side channel attacks. This threat model transcends prior work on database security. Technically, CoVault relies on state-of-the-art trusted execution environments, secret sharing and secure multi-party computation. While this combination is expensive in terms of computational power, we believe that this design point is worth exploring for applications like epidemic studies where security is non-negotiable, but the returns for society are extremely high.

talk – Chalmers Security Seminar

Iván Arce: Buy the ticket, take the ride: 25 years in infosec

"In the 1990s the information security (infosec) community was not what it is today" is such an obvious statement that it shouldn't be used to start any abstract. However, if we further qualify and describe more precisely all the different aspects in which the 1990s and today's infosec communities differ, the way academia, industry and practitioners evolved over time, the co-evolution of security attacks & defenses, and the fundamental problems that remain unsolved, we may start to have the outline of an interesting talk. Having spent almost 30 years in the field, Iván intends to provide his insights — opinions informed by experience — about the information security discipline and its young history: where we are, how we got here, and what we could look for in the future of our field. If you are interested in a career in infosec, this may be a good opportunity to hear the perspective of a veteran in the field. This will not be a technical talk and it will not be narrowly focused on a specific topic, but the speaker will not shy away from technical discussion.
