Research Experience for Undergraduates 2017

  • NSF Summer Research Experience for Undergraduates in Trustable Embedded Systems Security Research
  • Departments of Electrical and Computer Engineering and Computer Science and Engineering
  • May 29 - August 3, 2018

The 2017 REU class included the following students:

2017 Group

Erica Blum, Haverford College Disruptive Adversaries in Blockchain Protocols

We consider the abilities and limitations of a new adversary in the blockchain setting. In order for a blockchain to be useful to its community, honest users must be able to agree on the “true” state of the chain, subject to some minor discrepancies in the most recent blocks. We consider an attack model in which an adversary sows confusion by circulating several contradictory blockchains, thereby preventing honest users from reaching agreement and making the chain vulnerable to double-spending attacks. We present a strategy that allows an online adversary to maximize the timespan affected by the chain split. We also show (somewhat surprisingly) that it is not possible for an online adversary to maximize the number of blocks incorporated into the chain split.

Alexandra Kenoian, Mount Holyoke College Securing Optimized Neighbor Discovery for 6LoWPAN: Reviews, Challenges and Recommendations

In recent years, we have been witnessing that a large number of Internet-of-Things (IoT) devices are penetrating into both consumer and industrial systems and applications to connect physical things and human beings into the Internet. Considering the extremely constrained resources on IoT devices (memory size, network bandwidth, computing capability, etc.), it is not feasible to run a standard TCP/IP stack directly on IoT devices. Instead, adaptation layers, such as 6LoWPAN, are being designed to perform neighbor discovery, frame compression, and fragmentation/reassembly to perform protocol adaptation between resource-constrained OT (operation technologies) protocols and IT (Information Technologies) protocols. In this project, we study how to design a secure and efficient neighbor discovery protocol (NDP) for 6LoWPAN. Based on the observations that the optimized NDP designed for 6LoWPAN networks has no built-in security protection, and the security extension for standard IPv6 NDP, SeND, is too heavy to be directly applied on 6LoWPAN, we propose to develop a secure and lightweight NDP for 6LoWPAN by using elliptic curve cryptography (ECC) instead of RSA for CGA (cryptographically generated addresses) generation. Compared to other possible solutions, such as employing IPsec for NDP or router advertisement guard, our approach is expected to provide mostly equal security but significantly reduced computational overhead. As ongoing work, we are implementing the proposed secure and optimized NDP on the Cooja simulator and comparing its performance with existing solutions. Once the code base is mature after thorough tests, it will be made open source and contributed to the research community and the Contiki/Cooja development team.

Rigel Mahmood (University of Bridgeport), Mary Wishart (Eastern Connecticut State University) An Exploration of Intel SGX and Remote Attestation

Trustable computing is currently one of the most challenging and quickly evolving fields in software engineering. There is a developing interest in protecting against lower level computing layer attacks through the implementation of hardware primitives. One such implementation is Intel’s Software Guard Extensions (SGX), which functions as a set of CPU instructions that denies unauthorized access to private, specially allocated pieces of code called enclaves. By using remote attestation, a secure protocol for communication between the enclave and a trusted server, we were able to write a GUI test application in C# for authenticating usernames and passwords. By connecting the managed C# code to native C within the enclave and incorporating full remote attestation with the Intel Attestation Server, we were able to create a successful application of Intel SGX.

Jonathon Brugman (DePauw University), Jose Velez (University of Puerto Rico, Rio Piedras) Including Role Based Access Control and Unified Service APIs in Mobile Health Applications

The rise of mobile health applications in recent years has required an increased need for security and interoperability within and between these applications. The HL7 has developed the Fast Healthcare Interoperability Resources (FHIR) standard in order to ease integration between all new technologies being developed. The development of healthcare information technology (HIT) systems caused it to become necessary to create a stable way to safely interact with multiple external HIT systems. Each of these HITs uses its own methods of access control and its own security measures. This creates a situation in which it becomes advantageous to create application programming interfaces to consolidate calls to a particular set of methods related to one particular field using role based access control (RBAC). This is demonstrated through the construction of the MyGoogle API, which connects to multiple health and fitness related APIs, including OpenEMR health records and Google Fit datastores, in order to create a unified HIT system.

The MyGoogle API includes HAPI FHIR capability to increase interoperability between many third party health applications. One of these applications is ShareMyHealth, a fitness application, which is also used to demonstrate the importance and implementation of RBAC.

Carolina Brager, University of Rochester Adding Accessibility to the Voter Station

The paper outlines a program that we have created to help with accessibility in the Voting Technology Research Center at the University of Connecticut. The program allows a user without much technical background to create a .asconf file. This file is needed for the voter station: a machine that counts and analyzes ballots and finds the areas where there are bubbles to be filled in. The file that is created contains a unique signature and several files that contain information needed by the voter station. Along with an explanation of the program, this paper provides timing and memory overhead analysis of the program. This timing and memory analysis demonstrates that the program has low overhead.

Kyle Zinke, Arizona State University Bluetooth Low Energy Security

In this project, we have explored the security of Bluetooth and Bluetooth Low Energy (BLE), two communication protocols commonly used in Internet of Things (IoT) devices. We surveyed the specific security designs of these two protocols and explored their security using three state-of-the-art hardware/software tools: Ubertooth One, TI CC2650, and RedBear Blend 2. We tried to write a basic BLE application for TI CC2650, and to sniff using Ubertooth One and RedBear Blend 2, with mixed successes and failures. The findings of the project point to important next steps for future research.

Adithya Nott, Georgia Institute of Technology Obfuscating Memory Access Using Path ORAM

Vincent Perez (Syracuse University), Blake Pritchard (Wesleyan University) Towards Robust ECG-based Authentication Using Wearable Devices

While many forms of biometric authentication are available, electrocardiogram (ECG) based authentication has been shown to be both unique and hard to spoof. Numerous ECG-based authentication methods have been proposed in the past. Many methods, however, assume static settings. In addition, many use ECG measurements collected from chest-band straps, which are reliable, but burdensome. The focus of our project is to develop robust ECG-based authentication methods that use measurements collected from wearable devices (e.g., smart watches) in dynamic and realistic environments (e.g., when a user may transition between different activities). We have developed a method that uses a heartbeat wave from a user as a whole, instead of using a finite number of features. Using measurements collected from chest-band straps and smart watches, we have performed a preliminary evaluation of the method; further evaluation is left as future work.

C3

The Connecticut Cybersecurity Center (C3) leverages the synergies existing in CHASE, CSI, and VoTeR to investigate, develop, promote, and nurture the best hardware and software based security practices for indispensable defense and commercial (e.g., insurance, telecommunications) application domains and, in particular, for emerging fields such as mobile device security.

Storrs, CT