-
Anonymizing Masses: Practical Light-weight Anonymity at the Network Level
Authors:
Hooman Mohajeri Moghaddam,
Arsalan Mosenia
Abstract:
In an era of pervasive online surveillance, Internet users are in need of better anonymity solutions for online communications without sacrificing performance. Existing overlay anonymity tools, such as the Tor network, suffer from performance limitations and recent proposals to embed anonymity into Internet protocols face fundamental deployment challenges. In this paper, we introduce Practical Anonymity at the NEtwork Level (PANEL), a practical light-weight anonymity solution based on hardware switching. We implement a prototype of PANEL on a high-performance hardware switch (namely, Barefoot Tofino) using the P4 network programming language, and examine the validity and performance of the prototype. Based on our empirical results, PANEL achieves 96% of the actual throughput of the switch and adds a low-latency overhead (e.g., 3% overhead in Skype calls), while offering partial deployability and transparency (i.e., PANEL requires neither client-side nor server-side modifications).
Submitted 21 November, 2019;
originally announced November 2019.
-
Addressing Security and Privacy Challenges in Internet of Things
Authors:
Arsalan Mosenia
Abstract:
Internet of Things (IoT), also referred to as the Internet of Objects, is envisioned as a holistic and transformative approach for providing numerous services. The rapid development of various communication protocols and miniaturization of transceivers along with recent advances in sensing technologies offer the opportunity to transform isolated devices into communicating smart things. Smart things, that can sense, store, and even process electrical, thermal, optical, chemical, and other signals to extract user-/environment-related information, have enabled services only limited by human imagination.
Despite picturesque promises of IoT-enabled systems, the integration of smart things into the standard Internet introduces several security challenges because the majority of Internet technologies, communication protocols, and sensors were not designed to support IoT. Several recent research studies have demonstrated that launching security/privacy attacks against IoT-enabled systems, in particular wearable medical sensor (WMS)-based systems, may lead to catastrophic situations and life-threatening conditions. Therefore, security threats and privacy concerns in the IoT domain need to be proactively studied and aggressively addressed. In this thesis, we tackle several domain-specific security/privacy challenges associated with IoT-enabled systems.
Submitted 17 July, 2018;
originally announced July 2018.
-
DARTS: Deceiving Autonomous Cars with Toxic Signs
Authors:
Chawin Sitawarin,
Arjun Nitin Bhagoji,
Arsalan Mosenia,
Mung Chiang,
Prateek Mittal
Abstract:
Sign recognition is an integral part of autonomous cars. Any misclassification of traffic signs can potentially lead to a multitude of disastrous consequences, ranging from a life-threatening accident to even a large-scale interruption of transportation services relying on autonomous cars. In this paper, we propose and examine security attacks against sign recognition systems for Deceiving Autonomous caRs with Toxic Signs (we call the proposed attacks DARTS). In particular, we introduce two novel methods to create these toxic signs. First, we propose Out-of-Distribution attacks, which expand the scope of adversarial examples by enabling the adversary to generate these starting from an arbitrary point in the image space compared to prior attacks which are restricted to existing training/test data (In-Distribution). Second, we present the Lenticular Printing attack, which relies on an optical phenomenon to deceive the traffic sign recognition system. We extensively evaluate the effectiveness of the proposed attacks in both virtual and real-world settings and consider both white-box and black-box threat models. Our results demonstrate that the proposed attacks are successful under both settings and threat models. We further show that Out-of-Distribution attacks can outperform In-Distribution attacks on classifiers defended using the adversarial training defense, exposing a new attack vector for these defenses.
Submitted 31 May, 2018; v1 submitted 18 February, 2018;
originally announced February 2018.
-
PinMe: Tracking a Smartphone User around the World
Authors:
Arsalan Mosenia,
Xiaoliang Dai,
Prateek Mittal,
Niraj Jha
Abstract:
With the pervasive use of smartphones that sense, collect, and process valuable information about the environment, ensuring location privacy has become one of the most important concerns in the modern age. A few recent research studies discuss the feasibility of processing data gathered by a smartphone to locate the phone's owner, even when the user does not intend to share his location information, e.g., when the Global Positioning System (GPS) is off. Previous research efforts rely on at least one of the two following fundamental requirements, which significantly limit the ability of the adversary: (i) the attacker must accurately know either the user's initial location or the set of routes through which the user travels and/or (ii) the attacker must measure a set of features, e.g., the device's acceleration, for potential routes in advance and construct a training dataset. In this paper, we demonstrate that neither of the above-mentioned requirements is essential for compromising the user's location privacy. We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment's air pressure, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user's location when all location services, e.g., GPS, are turned off.
Submitted 5 February, 2018;
originally announced February 2018.
-
Rogue Signs: Deceiving Traffic Sign Recognition with Malicious Ads and Logos
Authors:
Chawin Sitawarin,
Arjun Nitin Bhagoji,
Arsalan Mosenia,
Prateek Mittal,
Mung Chiang
Abstract:
We propose a new real-world attack against the computer vision based systems of autonomous vehicles (AVs). Our novel Sign Embedding attack exploits the concept of adversarial examples to modify innocuous signs and advertisements in the environment such that they are classified as the adversary's desired traffic sign with high confidence. Our attack greatly expands the scope of the threat posed to AVs since adversaries are no longer restricted to just modifying existing traffic signs as in previous work. Our attack pipeline generates adversarial samples which are robust to the environmental conditions and noisy image transformations present in the physical world. We ensure this by including a variety of possible image transformations in the optimization problem used to generate adversarial samples. We verify the robustness of the adversarial samples by printing them out and carrying out drive-by tests simulating the conditions under which image capture would occur in a real-world scenario. We experimented with physical attack samples for different distances, lighting conditions and camera angles. In addition, extensive evaluations were carried out in the virtual setting for a variety of image transformations. The adversarial samples generated using our method have adversarial success rates in excess of 95% in the physical as well as virtual settings.
Submitted 26 March, 2018; v1 submitted 8 January, 2018;
originally announced January 2018.
-
Acoustic Denial of Service Attacks on HDDs
Authors:
Mohammad Shahrad,
Arsalan Mosenia,
Liwei Song,
Mung Chiang,
David Wentzlaff,
Prateek Mittal
Abstract:
Among storage components, hard disk drives (HDDs) have become the most commonly-used type of non-volatile storage due to their recent technological advances, including enhanced energy efficacy and significantly-improved areal density. Such advances in HDDs have made them an inevitable part of numerous computing systems, including personal computers, closed-circuit television (CCTV) systems, medical bedside monitors, and automated teller machines (ATMs). Despite the widespread use of HDDs and their critical role in real-world systems, there exist only a few research studies on the security of HDDs. In particular, prior research studies have discussed how HDDs can potentially leak critical private information through acoustic or electromagnetic emanations. Borrowing theoretical principles from acoustics and mechanics, we propose a novel denial-of-service (DoS) attack against HDDs that exploits a physical phenomenon, known as acoustic resonance. We perform a comprehensive examination of physical characteristics of several HDDs and create acoustic signals that cause significant vibrations in the HDD's internal components. We demonstrate that such vibrations can negatively influence the performance of HDDs embedded in real-world systems. We show the feasibility of the proposed attack in two real-world case studies, namely, personal computers and CCTVs.
Submitted 21 December, 2017;
originally announced December 2017.
-
ProCMotive: Bringing Programability and Connectivity into Isolated Vehicles
Authors:
Arsalan Mosenia,
Jad F. Bechara,
Tao Zhang,
Prateek Mittal,
Mung Chiang
Abstract:
In recent years, numerous vehicular technologies, e.g., cruise control and steering assistant, have been proposed and deployed to improve the driving experience, passenger safety, and vehicle performance. Despite the existence of several novel vehicular applications in the literature, there still exists a significant gap between resources needed for a variety of vehicular (in particular, data-dominant, latency-sensitive, and computationally-heavy) applications and the capabilities of already-in-market vehicles. To address this gap, different smartphone-/Cloud-based approaches have been proposed that utilize the external computational/storage resources to enable new applications. However, their acceptance and application domain are still very limited due to programmability, wireless connectivity, and performance limitations, along with several security/privacy concerns. In this paper, we present a novel architecture that can potentially enable rapid development of various vehicular applications while addressing shortcomings of smartphone-/Cloud-based approaches. The architecture is formed around a core component, called SmartCore, a privacy/security-friendly programmable dongle that brings general-purpose computational and storage resources to the vehicle and hosts in-vehicle applications. Based on the proposed architecture, we develop an application development framework for vehicles that we call ProCMotive. ProCMotive enables developers to build customized vehicular applications along the Cloud-to-edge continuum, i.e., different functions of an application can be distributed across SmartCore, the user's personal devices, and the Cloud. To highlight potential benefits that the framework provides, we design and develop two different vehicular applications based on ProCMotive, namely, Amber Response and Insurance Monitor.
Submitted 21 September, 2017;
originally announced September 2017.