-
Refinement of MMIO Models for Improving the Coverage of Firmware Fuzzing
Authors:
Wei-Lun Huang,
Kang G. Shin
Abstract:
Embedded systems (ESes) are now ubiquitous, collecting sensitive user data and helping the users make safety-critical decisions. Their vulnerability may thus pose a grave threat to the security and privacy of billions of ES users. Grey-box fuzzing is widely used for testing ES firmware. It usually runs the firmware in a fully emulated environment for efficient testing. In such a setting, the fuzze…
▽ More
Embedded systems (ESes) are now ubiquitous, collecting sensitive user data and helping the users make safety-critical decisions. Their vulnerability may thus pose a grave threat to the security and privacy of billions of ES users. Grey-box fuzzing is widely used for testing ES firmware. It usually runs the firmware in a fully emulated environment for efficient testing. In such a setting, the fuzzer cannot access peripheral hardware and hence must model the firmware's interactions with peripherals to achieve decent code coverage. The state-of-the-art (SOTA) firmware fuzzers focus on modeling the memory-mapped I/O (MMIO) of peripherals.
We find that SOTA MMIO models for firmware fuzzing do not describe the MMIO reads well for retrieving a data chunk, leaving ample room for improvement of code coverage. Thus, we propose ES-Fuzz that boosts the code coverage by refining the MMIO models in use. ES-Fuzz uses a given firmware fuzzer to generate stateless and fixed MMIO models besides test cases after testing an ES firmware. ES-Fuzz then instruments a given test harness, runs it with the highest-coverage test case, and gets the execution trace. The trace guides ES-Fuzz to build stateful and adaptable MMIO models. The given fuzzer thereafter tests the firmware with the newly-built models. The alternation between the fuzzer and ES-Fuzz iteratively enhances the coverage of fuzz-testing. We have implemented ES-Fuzz upon Fuzzware and evaluated it with 21 popular ES firmware. ES-Fuzz boosts Fuzzware's coverage by up to $160\%$ in some of these firmware without lowering the coverage in the others much.
△ Less
Submitted 10 March, 2024;
originally announced March 2024.
-
End-to-End Asynchronous Traffic Scheduling in Converged 5G and Time-Sensitive Networks
Authors:
Jiacheng Li,
Yongxiang Zhao,
Chunxi Li,
Zonghui Li,
Kang G. Shin,
Bo Ai
Abstract:
As required by Industry 4.0, companies will move towards flexible and individual manufacturing. To succeed in this transition, convergence of 5G and time-sensitive networks (TSN) is the most promising technology and has thus attracted considerable interest from industry and standardization groups. However, the delay and jitter of end-to-end (e2e) transmission will get exacerbated if the transmissi…
▽ More
As required by Industry 4.0, companies will move towards flexible and individual manufacturing. To succeed in this transition, convergence of 5G and time-sensitive networks (TSN) is the most promising technology and has thus attracted considerable interest from industry and standardization groups. However, the delay and jitter of end-to-end (e2e) transmission will get exacerbated if the transmission opportunities are missed in TSN due to the 5G transmission jitter and the clock skew between the two network systems. To mitigate this phenomenon, we propose a novel asynchronous access mechanism (AAM) that isolates the jitter only in the 5G system and ensures zero transmission jitter in TSN. We then exploit AAM to develop an e2e asynchronous traffic scheduling model for coordinated allocation of resources for 5G and TSN to provide e2e transmission delay guarantees for time-critical flows. The results of our extensive simulation of AAM on OMNET++ corroborate the superior performance of AAM and the scheduling model.
△ Less
Submitted 16 December, 2023;
originally announced December 2023.
-
A Switch Architecture for Time-Triggered Transmission with Best-Effort Delivery
Authors:
Zonghui Li,
Wenlin Zhu,
Kang G. Shin,
Hai Wan,
Xiaoyu Song,
Dong Yang,
Bo Ai
Abstract:
In Time-Triggered (TT) or time-sensitive networks, the transmission of a TT frame is required to be scheduled at a precise time instant for industrial distributed real-time control systems. Other (or {\em best-effort} (BE)) frames are forwarded in a BE manner. Under this scheduling strategy, the transmission of a TT frame must wait until its scheduled instant even if it could have been transmitted…
▽ More
In Time-Triggered (TT) or time-sensitive networks, the transmission of a TT frame is required to be scheduled at a precise time instant for industrial distributed real-time control systems. Other (or {\em best-effort} (BE)) frames are forwarded in a BE manner. Under this scheduling strategy, the transmission of a TT frame must wait until its scheduled instant even if it could have been transmitted sooner. On the other hand, BE frames are transmitted whenever possible but may miss deadlines or may even be dropped due to congestion. As a result, TT transmission and BE delivery are incompatible with each other.
To remedy this incompatibility, we propose a synergistic switch architecture (SWA) for TT transmission with BE delivery to dynamically improve the end-to-end (e2e) latency of TT frames by opportunistically exploiting BE delivery. Given a TT frame, the SWA generates and transmits a cloned copy with BE delivery. The first frame arriving at the receiver device is delivered with a configured jitter and the other copy ignored. So, the SWA achieves shorter latency and controllable jitter, the best of both worlds. We have implemented SWA using FPGAs in an industry-strength TT switches and used four test scenarios to demonstrate SWA's improvements of e2e latency and controllable jitter over the state-of-the-art TT transmission scheme.
△ Less
Submitted 21 September, 2023;
originally announced September 2023.
-
Eye-Shield: Real-Time Protection of Mobile Device Screen Information from Shoulder Surfing
Authors:
Brian Tang,
Kang G. Shin
Abstract:
People use mobile devices ubiquitously for computing, communication, storage, web browsing, and more. As a result, the information accessed and stored within mobile devices, such as financial and health information, text messages, and emails, can often be sensitive. Despite this, people frequently use their mobile devices in public areas, becoming susceptible to a simple yet effective attack, shou…
▽ More
People use mobile devices ubiquitously for computing, communication, storage, web browsing, and more. As a result, the information accessed and stored within mobile devices, such as financial and health information, text messages, and emails, can often be sensitive. Despite this, people frequently use their mobile devices in public areas, becoming susceptible to a simple yet effective attack, shoulder surfing. Shoulder surfing occurs when a person near a mobile user peeks at the user's mobile device, potentially acquiring passcodes, PINs, browsing behavior, or other personal information. We propose Eye-Shield, a solution to prevent shoulder surfers from accessing or stealing sensitive on-screen information. Eye-Shield is designed to protect all types of on-screen information in real time, without any serious impediment to users' interactions with their mobile devices. Eye-Shield generates images that appear readable at close distances, but appear blurry or pixelated at farther distances and wider angles. It is capable of protecting on-screen information from shoulder surfers, operating in real time, and being minimally intrusive to the intended users. Eye-Shield protects images and text from shoulder surfers by reducing recognition rates to 24.24% and 15.91%. Our implementations of Eye-Shield, with frame rates of 24 FPS for Android and 43 FPS for iOS, effectively work on screen resolutions as high as 1440x3088. Eye-Shield also incurs acceptable memory usage, CPU utilization, and energy overhead. Finally, our MTurk and in-person user studies indicate that Eye-Shield protects on-screen information without a large usability cost for privacy-conscious users.
△ Less
Submitted 7 August, 2023;
originally announced August 2023.
-
DynaMIX: Resource Optimization for DNN-Based Real-Time Applications on a Multi-Tasking System
Authors:
Minkyoung Cho,
Kang G. Shin
Abstract:
As deep neural networks (DNNs) prove their importance and feasibility, more and more DNN-based apps, such as detection and classification of objects, have been developed and deployed on autonomous vehicles (AVs). To meet their growing expectations and requirements, AVs should "optimize" use of their limited onboard computing resources for multiple concurrent in-vehicle apps while satisfying their…
▽ More
As deep neural networks (DNNs) prove their importance and feasibility, more and more DNN-based apps, such as detection and classification of objects, have been developed and deployed on autonomous vehicles (AVs). To meet their growing expectations and requirements, AVs should "optimize" use of their limited onboard computing resources for multiple concurrent in-vehicle apps while satisfying their timing requirements (especially for safety). That is, real-time AV apps should share the limited on-board resources with other concurrent apps without missing their deadlines dictated by the frame rate of a camera that generates and provides input images to the apps. However, most, if not all, of existing DNN solutions focus on enhancing the concurrency of their specific hardware without dynamically optimizing/modifying the DNN apps' resource requirements, subject to the number of running apps, owing to their high computational cost. To mitigate this limitation, we propose DynaMIX (Dynamic MIXed-precision model construction), which optimizes the resource requirement of concurrent apps and aims to maximize execution accuracy. To realize a real-time resource optimization, we formulate an optimization problem using app performance profiles to consider both the accuracy and worst-case latency of each app. We also propose dynamic model reconfiguration by lazy loading only the selected layers at runtime to reduce the overhead of loading the entire model. DynaMIX is evaluated in terms of constraint satisfaction and inference accuracy for a multi-tasking system and compared against state-of-the-art solutions, demonstrating its effectiveness and feasibility under various environmental/operating conditions.
△ Less
Submitted 3 February, 2023;
originally announced February 2023.
-
Elastic Model Aggregation with Parameter Service
Authors:
Juncheng Gu,
Mosharaf Chowdhury,
Kang G. Shin,
Aditya Akella
Abstract:
Model aggregation, the process that updates model parameters, is an important step for model convergence in distributed deep learning (DDL). However, the parameter server (PS), a popular paradigm of performing model aggregation, causes CPU underutilization in deep learning (DL) clusters, due to the bursty nature of aggregation and static resource allocation. To remedy this problem, we propose Para…
▽ More
Model aggregation, the process that updates model parameters, is an important step for model convergence in distributed deep learning (DDL). However, the parameter server (PS), a popular paradigm of performing model aggregation, causes CPU underutilization in deep learning (DL) clusters, due to the bursty nature of aggregation and static resource allocation. To remedy this problem, we propose Parameter Service, an elastic model aggregation framework for DDL training, which decouples the function of model aggregation from individual training jobs and provides a shared model aggregation service to all jobs in the cluster. In Parameter Service, model aggregations are efficiently packed and dynamically migrated to fit into the available CPUs with negligible time overhead. Furthermore, Parameter Service can elastically manage its CPU resources based on its load to enhance resource efficiency. We have implemented Parameter Service in a prototype system called AutoPS and evaluated it via testbed experimentation and trace-driven simulations. AutoPS reduces up to 75% of CPU consumption with little or no performance impact on the training jobs. The design of Parameter Service is transparent to the users and can be incorporated in popular DL frameworks.
△ Less
Submitted 7 April, 2022;
originally announced April 2022.
-
Fuzzing Hardware Like Software
Authors:
Timothy Trippel,
Kang G. Shin,
Alex Chernyakhovsky,
Garret Kelly,
Dominic Rizzo,
Matthew Hicks
Abstract:
Hardware flaws are permanent and potent: hardware cannot be patched once fabricated, and any flaws may undermine any software executing on top. Consequently, verification time dominates implementation time. The gold standard in hardware Design Verification (DV) is concentrated at two extremes: random dynamic verification and formal verification. Both struggle to root out the subtle flaws in comple…
▽ More
Hardware flaws are permanent and potent: hardware cannot be patched once fabricated, and any flaws may undermine any software executing on top. Consequently, verification time dominates implementation time. The gold standard in hardware Design Verification (DV) is concentrated at two extremes: random dynamic verification and formal verification. Both struggle to root out the subtle flaws in complex hardware that often manifest as security vulnerabilities. The root problem with random verification is its undirected nature, making it inefficient, while formal verification is constrained by the state-space explosion problem, making it infeasible against complex designs. What is needed is a solution that is directed, yet under-constrained.
Instead of making incremental improvements to existing DV approaches, we leverage the observation that existing software fuzzers already provide such a solution, and adapt them for hardware DV. Specifically, we translate RTL hardware to a software model and fuzz that model. The central challenge we address is how best to mitigate the differences between the hardware execution model and software execution model. This includes: 1) how to represent test cases, 2) what is the hardware equivalent of a crash, 3) what is an appropriate coverage metric, and 4) how to create a general-purpose fuzzing harness for hardware.
To evaluate our approach, we fuzz four IP blocks from Google's OpenTitan SoC. Our experiments reveal a two orders-of-magnitude reduction in run time to achieve Finite State Machine (FSM) coverage over traditional dynamic verification schemes. Moreover, with our design-agnostic harness, we achieve over 88% HDL line coverage in three out of four of our designs -- even without any initial seeds.
△ Less
Submitted 3 February, 2021;
originally announced February 2021.
-
Hydra: Resilient and Highly Available Remote Memory
Authors:
Youngmoon Lee,
Hasan Al Maruf,
Mosharaf Chowdhury,
Asaf Cidon,
Kang G. Shin
Abstract:
We present Hydra, a low-latency, low-overhead, and highly available resilience mechanism for remote memory. Hydra can access erasure-coded remote memory within a single-digit microsecond read/write latency, significantly improving the performance-efficiency trade-off over the state-of-the-art -- it performs similar to in-memory replication with 1.6X lower memory overhead. We also propose CodingSet…
▽ More
We present Hydra, a low-latency, low-overhead, and highly available resilience mechanism for remote memory. Hydra can access erasure-coded remote memory within a single-digit microsecond read/write latency, significantly improving the performance-efficiency trade-off over the state-of-the-art -- it performs similar to in-memory replication with 1.6X lower memory overhead. We also propose CodingSets, a novel coding group placement algorithm for erasure-coded data, that provides load balancing while reducing the probability of data loss under correlated failures by an order of magnitude. With Hydra, even when only 50% of memory is local, unmodified memory-intensive applications achieve performance close to that of the fully in-memory case in the presence of remote failures and outperform the state-of-the-art solutions by up to 4.35X.
△ Less
Submitted 28 May, 2023; v1 submitted 21 October, 2019;
originally announced October 2019.
-
Federated User Representation Learning
Authors:
Duc Bui,
Kshitiz Malik,
Jack Goetz,
Honglei Liu,
Seungwhan Moon,
Anuj Kumar,
Kang G. Shin
Abstract:
Collaborative personalization, such as through learned user representations (embeddings), can improve the prediction accuracy of neural-network-based models significantly. We propose Federated User Representation Learning (FURL), a simple, scalable, privacy-preserving and resource-efficient way to utilize existing neural personalization techniques in the Federated Learning (FL) setting. FURL divid…
▽ More
Collaborative personalization, such as through learned user representations (embeddings), can improve the prediction accuracy of neural-network-based models significantly. We propose Federated User Representation Learning (FURL), a simple, scalable, privacy-preserving and resource-efficient way to utilize existing neural personalization techniques in the Federated Learning (FL) setting. FURL divides model parameters into federated and private parameters. Private parameters, such as private user embeddings, are trained locally, but unlike federated parameters, they are not transferred to or averaged on the server. We show theoretically that this parameter split does not affect training for most model personalization approaches. Storing user embeddings locally not only preserves user privacy, but also improves memory locality of personalization compared to on-server training. We evaluate FURL on two datasets, demonstrating a significant improvement in model quality with 8% and 51% performance increases, and approximately the same level of performance as centralized training with only 0% and 4% reductions. Furthermore, we show that user embeddings learned in FL and the centralized setting have a very similar structure, indicating that FURL can learn collaboratively through the shared parameters while preserving user privacy.
△ Less
Submitted 27 September, 2019;
originally announced September 2019.
-
Provisioning Energy-Efficiency and QoS for Multi-Carrier CoMP with Limited Feedback
Authors:
Mohammad G. Khoshkholgh,
Victor C. M. Leung,
Kang G. Shin,
Keivan Navaie
Abstract:
We consider resource allocation (RA) in multi-carrier coordinated multi-point (CoMP) systems with limited feedback, in which a cluster of base stations (BSs), each equipped with multiple antennas, are connect to each other and/or a central processor via backhauls/fronthauls. The main objective of coordinated RA is to select user equipments (UEs) on each subcarrier, dynamically decide upon the clus…
▽ More
We consider resource allocation (RA) in multi-carrier coordinated multi-point (CoMP) systems with limited feedback, in which a cluster of base stations (BSs), each equipped with multiple antennas, are connect to each other and/or a central processor via backhauls/fronthauls. The main objective of coordinated RA is to select user equipments (UEs) on each subcarrier, dynamically decide upon the cluster size for each subcarrier, and finally partition the feedback resources, provisioned for acquisition of channel direction information (CDI) across all subcarriers, active cells, and selected UEs, in order to maximize the weighted sum utility (WSU). We show how to recast the WSU maximization problem to achieve spectral efficiency, quality-of-service (QoS), and energyefficiency (EE). Specifically, we investigate four instances of WSU to maximize practical system objectives: (i) weighted sum capacity, (ii) weighted sum effective capacity, (iii) weighted sum energy-efficiency (EE), and (iv) weighted sum effective EE. The unified composition of these problems through WSU allows us to use the same set of developed algorithms for all cases. The algorithms have a greedy structure achieving fast convergence, and successfully cope with the huge computational complexity of RA problems, mostly rooted in their combinatorial compositions. Our simulation results shed lights on the network optimization by discovering insights on appropriate cluster-size, distribution of BSs in the cluster, and the number of subcarriers. The proposed UE scheduling and subcarrier assignment are shown to improve the system performance by several orders-of-magnitude.
△ Less
Submitted 19 August, 2019;
originally announced August 2019.
-
Accurate Angular Inference for 802.11ad Devices Using Beam-Specific Measurements
Authors:
Haichuan Ding,
Kang G. Shin
Abstract:
Due to their sparsity, 60GHz channels are characterized by a few dominant paths. Knowing the angular information of their dominant paths, we can develop various applications, such as the prediction of link performance and the tracking of an 802.11ad device. Although they are equipped with phased arrays, the angular inference for 802.11ad devices is still challenging due to their limited number of…
▽ More
Due to their sparsity, 60GHz channels are characterized by a few dominant paths. Knowing the angular information of their dominant paths, we can develop various applications, such as the prediction of link performance and the tracking of an 802.11ad device. Although they are equipped with phased arrays, the angular inference for 802.11ad devices is still challenging due to their limited number of RF chains and limited phase control capabilities. Considering the beam sweeping operation and the high communication bandwidth of 802.11ad devices, we propose variation-based angle estimation (VAE), called VAE-CIR, by utilizing beam-specific channel impulse responses (CIRs) measured under different beams and the directional gains of the corresponding beams to infer the angular information of dominant paths. Unlike state-of-the-arts, VAE-CIR exploits the variations between different beam-specific CIRs, instead of their absolute values, for angular inference. To evaluate the performance of VAE-CIR, we generate the beam-specific CIRs by simulating the beam sweeping of 802.11ad devices with the beam patterns measured on off-the-shelf 802.11ad devices. The 60GHz channel is generated via a ray-tracing simulator and the CIRs are extracted via channel estimation based on Golay sequences. Through experiments in various scenarios, we demonstrate the effectiveness of VAE-CIR and its superiority to existing angular inference schemes for 802.11ad devices.
△ Less
Submitted 24 July, 2019;
originally announced July 2019.
-
T-TER: Defeating A2 Trojans with Targeted Tamper-Evident Routing
Authors:
Timothy Trippel,
Kang G. Shin,
Kevin B. Bush,
Matthew Hicks
Abstract:
Since the inception of the Integrated Circuit (IC), the size of the transistors used to construct them has continually shrunk. While this advancement significantly improves computing capability, fabrication costs have skyrocketed. As a result, most IC designers must now outsource fabrication. Outsourcing, however, presents a security threat: comprehensive post-fabrication inspection is infeasible…
▽ More
Since the inception of the Integrated Circuit (IC), the size of the transistors used to construct them has continually shrunk. While this advancement significantly improves computing capability, fabrication costs have skyrocketed. As a result, most IC designers must now outsource fabrication. Outsourcing, however, presents a security threat: comprehensive post-fabrication inspection is infeasible given the size of modern ICs, so it is nearly impossible to know if the foundry has altered the original design during fabrication (i.e., inserted a hardware Trojan). Defending against a foundry-side adversary is challenging because---even with as few as two gates---hardware Trojans can completely undermine software security. Researchers have attempted to both detect and prevent foundry-side attacks, but all existing defenses are ineffective against Trojans with footprints of a few gates or less.
We present Targeted Tamper-Evident Routing (T-TER), a preventive layout-level defense against untrusted foundries, capable of thwarting the insertion of even the stealthiest hardware Trojans. T-TER is directed and routing-centric: it prevents foundry-side attackers from routing Trojan wires to, or directly adjacent to, security-critical wires by shielding them with guard wires. Unlike shield wires commonly deployed for cross-talk reduction, T-TER guard wires pose an additional technical challenge: they must be tamper-evident in both the digital (deletion attacks) and analog (move and jog attacks) domains. We address this challenge by developing a class of designed-in guard wires, that are added to the design specifically to protect security-critical wires. T-TER's guard wires incur minimal overhead, scale with design complexity, and provide tamper-evidence against attacks.
△ Less
Submitted 27 October, 2020; v1 submitted 20 June, 2019;
originally announced June 2019.
-
An Extensible Framework for Quantifying the Coverage of Defenses Against Untrusted Foundries
Authors:
Timothy Trippel,
Kang G. Shin,
Kevin B. Bush,
Matthew Hicks
Abstract:
The transistors used to construct Integrated Circuits (ICs) continue to shrink. While this shrinkage improves performance and density, it also reduces trust: the price to build leading-edge fabrication facilities has skyrocketed, forcing even nation states to outsource the fabrication of high-performance ICs. Outsourcing fabrication presents a security threat because the black-box nature of a fabr…
▽ More
The transistors used to construct Integrated Circuits (ICs) continue to shrink. While this shrinkage improves performance and density, it also reduces trust: the price to build leading-edge fabrication facilities has skyrocketed, forcing even nation states to outsource the fabrication of high-performance ICs. Outsourcing fabrication presents a security threat because the black-box nature of a fabricated IC makes comprehensive inspection infeasible. Since prior work shows the feasibility of fabrication-time attackers' evasion of existing post-fabrication defenses, IC designers must be able to protect their physical designs before handing them off to an untrusted foundry. To this end, recent work suggests methods to harden IC layouts against attack. Unfortunately, no tool exists to assess the effectiveness of the proposed defenses---meaning gaps may exist.
This paper presents an extensible IC layout security analysis tool called IC Attack Surface (ICAS) that quantifies defensive coverage. For researchers, ICAS identifies gaps for future defenses to target, and enables the quantitative comparison of existing and future defenses. For practitioners, ICAS enables the exploration of the impact of design decisions on an IC's resilience to fabrication-time attack. ICAS takes a set of metrics that encode the challenge of inserting a hardware Trojan into an IC layout, a set of attacks that the defender cares about, and a completed IC layout and reports the number of ways an attacker can add each attack to the design. While the ideal score is zero, practically, our experience is that lower scores correlate with increased attacker effort.
△ Less
Submitted 20 June, 2019;
originally announced June 2019.
-
Coverage Performance of Aerial-Terrestrial HetNets
Authors:
M. G. Khoshkholgh,
Keivan Navaie,
Halim Yanikomerogluy,
V. C. M. Leung,
Kang. G. Shin
Abstract:
Providing seamless coverage under current cellular network technologies is surmountable only through gross overengineering. Alternatively, as an economically effective solution, the use of unmanned aerial vehicles (UAVs), augmented with the functionalities of terrestrial base stations (BSs), is recently advocated. In this paper we investigate the effect that the incorporation of UAV-mounted BSs (U…
▽ More
Providing seamless coverage under current cellular network technologies is surmountable only through gross overengineering. Alternatively, as an economically effective solution, the use of unmanned aerial vehicles (UAVs), augmented with the functionalities of terrestrial base stations (BSs), is recently advocated. In this paper we investigate the effect that the incorporation of UAV-mounted BSs (U-BS) poses on the coverage probability of cellular networks. To this end, we focus on the evaluation of the coverage probability of a large-scale aerialterrestrial heterogenous cellular network (AT-HetNet), in which BSs of each technology/tier can be either ground (G-BS) or UBS. Our analysis incorporates the impact of Line-of-Sight (LOS) and non-LOS (NLOS) path-loss attenuations of both ground-toground (G2G) and Air-to-Ground (A2G) links. Adopting tools of stochastic geometry we provide an expression for the coverage probability based on main system parameters and percentage of BSs in each tier that are aerial. We confirm the accuracy of our analysis. Using our analysis, we observe that for several common communication environments, e.g., high-rise and dense urban environments, the inclusion of U-BSs can be detrimental to the coverage probability. Nevertheless, it is still possible to minimize the coverage cost by turning off a percentage of G-BSs. Interestingly, for urban and sub-urban areas one can adjust the altitude of U-BSs in order to increase the coverage probability.
△ Less
Submitted 22 February, 2019;
originally announced February 2019.
-
Randomized Caching in Cooperative UAV-Enabled Fog-RAN
Authors:
M. G. Khoshkholgh,
Keivan Navaie,
Halim Yanikomerogluy,
V. C. M. Leung,
Kang G. Shin
Abstract:
We consider an unmanned aerial vehicle enabled (UAV-enabled) fog-radio access network (F-RAN) in which UAVs are considered as flying remote radio heads (RRH) equipped with caching and cooperative communications capabilities. We are mainly focus on probabilistic/randomized content placement strategy, and accordingly formulate the content placement as an optimization problem. We then study the effic…
▽ More
We consider an unmanned aerial vehicle enabled (UAV-enabled) fog-radio access network (F-RAN) in which UAVs are considered as flying remote radio heads (RRH) equipped with caching and cooperative communications capabilities. We are mainly focus on probabilistic/randomized content placement strategy, and accordingly formulate the content placement as an optimization problem. We then study the efficiency of the proposed content placement by evaluating the average system capacity and its energy-efficiency. Our results indicate that cooperative communication plays an essential role in UAVenabled edge communications as it effectively curbs the impact of dominant Line-of-Sight (LOS) received interference. It is also seen that cooperative cache-enabled UAV F-RAN performs better in high-rise environments than dense urban and sub-urban environments. This is due to a significant reduction of the received LOS interference because of blockage by the high-rise buildings, and the performance gain of cooperative communication on the attending signal. Comparing the performances of the developed content placement strategy and conventional caching techniques shows that our proposed probabilistic/randomized caching outperforms the others in most of the practical cases.
△ Less
Submitted 22 February, 2019;
originally announced February 2019.
-
How Do Non-Ideal UAV Antennas Affect Air-to-Ground Communications?
Authors:
M. G. Khoshkholgh,
Keivan Navaie,
Halim Yanikomeroglu,
V. C. M. Leung,
Kang. G. Shin
Abstract:
Analysis of the performance of Unmanned Aerial Vehicle (UAV)-enabled communications systems often relies upon idealized antenna characteristic, where the side-lobe gain of UAVs' antenna is ignored. In practice, however, side-lobe cause inevitable interference to the ground users. We investigate the impact of UAVs' antenna side-lobe on the performance of UAV-enabled communication. Our analysis show…
▽ More
Analysis of the performance of Unmanned Aerial Vehicle (UAV)-enabled communications systems often relies upon idealized antenna characteristic, where the side-lobe gain of UAVs' antenna is ignored. In practice, however, side-lobe cause inevitable interference to the ground users. We investigate the impact of UAVs' antenna side-lobe on the performance of UAV-enabled communication. Our analysis shows that even for a very small antenna's side-lobe gain, the ground receiver can experience substantial interference. We further show that a rather large exclusion zone is required to ensure a sufficient level of protection for the ground receiver. Nevertheless, in a multiple-antenna setting for the ground users, even when such a large exclusion zone was in place, UAVs' antenna side-lobe creates a high level of correlation among the interference signals received across receive antennas. Such a correlation limits the system ability to exploit channel diversity in a multiple-antenna setting for improving capacity. We then quantify the impact of UAVs' antenna side-lobes on the overall system performance by deriving the corresponding loss of the achieved capacity in various communications environments. We provide a new quantitative insight on the cost of adopting non-ideal UAV antenna on the overall capacity. Our analysis also shows that the capacity loss can be confined by careful selection of system parameters.
△ Less
Submitted 22 February, 2019;
originally announced February 2019.
-
Caching or No Caching in Dense HetNets?
Authors:
M. G. Khoshkholgh,
Keivan Navaie,
Kang G. Shin,
V. C. M. Leung,
Halim Yanikomeroglu
Abstract:
Caching the content closer to the user equipments (UEs) in heterogenous cellular networks (HetNets) improves user-perceived Quality-of-Service (QoS) while lowering the operators backhaul usage/costs. Nevertheless, under the current networking strategy that promotes aggressive densification, it is unclear whether cache-enabled HetNets preserve the claimed cost-effectiveness and the potential benefi…
▽ More
Caching the content closer to the user equipments (UEs) in heterogenous cellular networks (HetNets) improves user-perceived Quality-of-Service (QoS) while lowering the operators backhaul usage/costs. Nevertheless, under the current networking strategy that promotes aggressive densification, it is unclear whether cache-enabled HetNets preserve the claimed cost-effectiveness and the potential benefits. This is due to 1) the collective cost of caching which may inevitably exceed the expensive cost of backhaul in a dense HetNet, and 2) the excessive interference which affects the signal reception irrespective of content placement. We analyze these significant, yet overlooked, issues, showing that while densification reduces backhaul load and increases spectral efficiency in cache-enabled dense networks, it simultaneously reduces cache-hit probability and increases the network cost. We then introduce a caching efficiency metric, area spectral efficiency per unit spent cost, and find it enough to cache only about 3% of the content library size in the cache of smallcell base stations. Furthermore, we show that range expansion, which is known to be of substantial value in wireless networks, is almost impotent to curb the caching inefficiency. Surprisingly, unlike the conventional wisdom recommending traffic offloading from macro cells to small cells, in cache-enabled HetNets, it is generally more beneficial to exclude offloading altogether or to do the opposite.
△ Less
Submitted 30 January, 2019;
originally announced January 2019.
-
Polisis: Automated Analysis and Presentation of Privacy Policies Using Deep Learning
Authors:
Hamza Harkous,
Kassem Fawaz,
Rémi Lebret,
Florian Schaub,
Kang G. Shin,
Karl Aberer
Abstract:
Privacy policies are the primary channel through which companies inform users about their data collection and sharing practices. These policies are often long and difficult to comprehend. Short notices based on information extracted from privacy policies have been shown to be useful but face a significant scalability hurdle, given the number of policies and their evolution over time. Companies, us…
▽ More
Privacy policies are the primary channel through which companies inform users about their data collection and sharing practices. These policies are often long and difficult to comprehend. Short notices based on information extracted from privacy policies have been shown to be useful but face a significant scalability hurdle, given the number of policies and their evolution over time. Companies, users, researchers, and regulators still lack usable and scalable tools to cope with the breadth and depth of privacy policies. To address these hurdles, we propose an automated framework for privacy policy analysis (Polisis). It enables scalable, dynamic, and multi-dimensional queries on natural language privacy policies. At the core of Polisis is a privacy-centric language model, built with 130K privacy policies, and a novel hierarchy of neural-network classifiers that accounts for both high-level aspects and fine-grained details of privacy practices. We demonstrate Polisis' modularity and utility with two applications supporting structured and free-form querying. The structured querying application is the automated assignment of privacy icons from privacy policies. With Polisis, we can achieve an accuracy of 88.4% on this task. The second application, PriBot, is the first freeform question-answering system for privacy policies. We show that PriBot can produce a correct answer among its top-3 results for 82% of the test questions. Using an MTurk user study with 700 participants, we show that at least one of PriBot's top-3 answers is relevant to users for 89% of the test questions.
△ Less
Submitted 29 June, 2018; v1 submitted 7 February, 2018;
originally announced February 2018.
-
Who Killed My Parked Car?
Authors:
Kyong-Tak Cho,
Yuseung Kim,
Kang G. Shin
Abstract:
We find that the conventional belief of vehicle cyber attacks and their defenses---attacks are feasible and thus defenses are required only when the vehicle's ignition is turned on---does not hold. We verify this fact by discovering and applying two new practical and important attacks: battery-drain and Denial-of-Body-control (DoB). The former can drain the vehicle battery while the latter can pre…
▽ More
We find that the conventional belief of vehicle cyber attacks and their defenses---attacks are feasible and thus defenses are required only when the vehicle's ignition is turned on---does not hold. We verify this fact by discovering and applying two new practical and important attacks: battery-drain and Denial-of-Body-control (DoB). The former can drain the vehicle battery while the latter can prevent the owner from starting or even opening/entering his car, when either or both attacks are mounted with the ignition off. We first analyze how operation (e.g., normal, sleep, listen) modes of ECUs are defined in various in-vehicle network standards and how they are implemented in the real world. From this analysis, we discover that an adversary can exploit the wakeup function of in-vehicle networks---which was originally designed for enhanced user experience/convenience (e.g., remote diagnosis, remote temperature control)---as an attack vector. Ironically, a core battery-saving feature in in-vehicle networks makes it easier for an attacker to wake up ECUs and, therefore, mount and succeed in battery-drain and/or DoB attacks. Via extensive experimental evaluations on various real vehicles, we show that by mounting the battery-drain attack, the adversary can increase the average battery consumption by at least 12.57x, drain the car battery within a few hours or days, and therefore immobilize/cripple the vehicle. We also demonstrate the proposed DoB attack on a real vehicle, showing that the attacker can cut off communications between the vehicle and the driver's key fob by indefinitely shutting down an ECU, thus making the driver unable to start and/or even enter the car.
△ Less
Submitted 23 January, 2018;
originally announced January 2018.
-
Dynamic Interference Steering in Heterogeneous Cellular Networks
Authors:
Zhao Li,
Canyu Shu,
Fengjuan Guo,
Kang G. Shin,
Jia Liu
Abstract:
With the development of diverse wireless communication technologies, interference has become a key impediment in network performance, thus making effective interference management (IM) essential to accommodate a rapidly increasing number of subscribers with diverse services. Although there have been numerous IM schemes proposed thus far, none of them are free of some form of cost. It is, therefore…
▽ More
With the development of diverse wireless communication technologies, interference has become a key impediment in network performance, thus making effective interference management (IM) essential to accommodate a rapidly increasing number of subscribers with diverse services. Although there have been numerous IM schemes proposed thus far, none of them are free of some form of cost. It is, therefore, important to balance the benefit brought by and cost of each adopted IM scheme by adapting its operating parameters to various network deployments and dynamic channel conditions.
We propose a novel IM scheme, called dynamic interference steering (DIS), by recognizing the fact that interference can be not only suppressed or mitigated but also steered in a particular direction. Specifically, DIS exploits both channel state information (CSI) and the data contained in the interfering signal to generate a signal that modifies the spatial feature of the original interference to partially or fully cancel the interference appearing at the victim receiver. By intelligently determining the strength of the steering signal, DIS can steer the interference in an optimal direction to balance the transmitter's power used for IS and the desired signal's transmission. DIS is shown via simulation to be able to make better use of the transmit power, hence enhancing users' spectral efficiency (SE) effectively.
△ Less
Submitted 30 December, 2017;
originally announced January 2018.
-
Interference Steering to Manage Interference
Authors:
Zhao Li,
Fengjuan Guo,
Kang G Shin,
Yinghou Liu,
Jia Liu
Abstract:
To enable densely deployed base stations (BSs) or access points (APs) to serve an increasing number of users and provide diverse mobile services, we need to improve spectrum utilization in wireless communication networks. Although spectral efficiency (SE) can be enhanced via smart and dynamic resource allocation, interference has become a major impediment in improving SE. There have been numerous…
▽ More
To enable densely deployed base stations (BSs) or access points (APs) to serve an increasing number of users and provide diverse mobile services, we need to improve spectrum utilization in wireless communication networks. Although spectral efficiency (SE) can be enhanced via smart and dynamic resource allocation, interference has become a major impediment in improving SE. There have been numerous interference management (IM) proposals at the interfering transmitter or the victim transmitter/receiver separately or cooperatively. Moreover, the existing IM schemes rely mainly on the use of channel state information (CSI). However, in some communication scenarios, the option to adjust the interferer is not available, and, in the case of downlink transmission, it is always difficult or even impossible for the victim receiver to acquire necessary information for IM. Based on the above observations, we first propose a novel IM technique, called interference steering (IS). By making use of both CSI w.r.t. and data carried in the interfering signal, IS generates a signal to modify the spatial feature of the original interference, so that the steered interference at the victim receiver is orthogonal to its intended signal. We then apply IS to an infrastructurebased enterprise wireless local area network (WLAN) in which the same frequency band is reused by adjacent basic service sets (BSSs) with overlapping areas. With IS, multiple nearby APs could simultaneously transmit data on the same channel to their mobile stations (STAs), thus enhancing spectrum reuse. Our in-depth simulation results show that IS significantly improves network SE over existing IM schemes.
△ Less
Submitted 21 December, 2017;
originally announced December 2017.
-
How Long Will My Phone Battery Last?
Authors:
Liang He,
Kang G. Shin
Abstract:
Mobile devices are only as useful as their battery lasts. Unfortunately, the operation and life of a mobile device's battery degrade over time and usage. The state-of-health (SoH) of batteries quantifies their degradation, but mobile devices are unable to support its accurate estimation -- despite its importance -- due mainly to their limited hardware and dynamic usage patterns, causing various pr…
▽ More
Mobile devices are only as useful as their battery lasts. Unfortunately, the operation and life of a mobile device's battery degrade over time and usage. The state-of-health (SoH) of batteries quantifies their degradation, but mobile devices are unable to support its accurate estimation -- despite its importance -- due mainly to their limited hardware and dynamic usage patterns, causing various problems such as unexpected device shutoffs or even fire/explosion. To remedy this lack of support, we design, implement and evaluate V-Health, a low-cost user-level SoH estimation service for mobile devices based only on their battery voltage, which is commonly available on all commodity mobile devices. V-Health also enables four novel use-cases that improve mobile users' experience from different perspectives. The design of V-Health is inspired by our empirical finding that the relaxing voltages of a device battery fingerprint its SoH, and is steered by extensive measurements with 15 batteries used for various commodity mobile devices, such as Nexus 6P, Galaxy S3, iPhone 6 Plus, etc. These measurements consist of 13,377 battery discharging/charging/resting cycles and have been conducted over 72 months cumulatively. V-Health has been evaluated via both laboratory experiments and field tests over 4-6 months, showing <5% error in SoH estimation.
△ Less
Submitted 9 November, 2017;
originally announced November 2017.
-
Mobile IMUs Reveal Driver's Identity From Vehicle Turns
Authors:
Dongyao Chen,
Kyong-Tak Cho,
Kang G. Shin
Abstract:
As vehicle maneuver data becomes abundant for assisted or autonomous driving, their implication of privacy invasion/leakage has become an increasing concern. In particular, the surface for fingerprinting a driver will expand significantly if the driver's identity can be linked with the data collected from his mobile or wearable devices which are widely deployed worldwide and have increasing sensin…
▽ More
As vehicle maneuver data becomes abundant for assisted or autonomous driving, their implication of privacy invasion/leakage has become an increasing concern. In particular, the surface for fingerprinting a driver will expand significantly if the driver's identity can be linked with the data collected from his mobile or wearable devices which are widely deployed worldwide and have increasing sensing capabilities. In line with this trend, this paper investigates a fast emerging driving data source that has driver's privacy implications. We first show that such privacy threats can be materialized via any mobile device with IMUs (e.g., gyroscope and accelerometer). We then present Dri-Fi (Driver Fingerprint), a driving data analytic engine that can fingerprint the driver with vehicle turn(s). Dri-Fi achieves this based on IMUs data taken only during the vehicle's turn(s). Such an approach expands the attack surface significantly compared to existing driver fingerprinting schemes. From this data, Dri-Fi extracts three new features --- acceleration along the end-of-turn axis, its deviation, and the deviation of the yaw rate --- and exploits them to identify the driver. Our extensive evaluation shows that an adversary equipped with Dri-Fi can correctly fingerprint the driver within just one turn with 74.1%, 83.5%, and 90.8% accuracy across 12, 8, and 5 drivers --- typical of an immediate family or close-friends circle --- respectively. Moreover, with measurements on more than one turn, the adversary can achieve up to 95.3%, 95.4%, and 96.6% accuracy across 12, 8, and 5 drivers, respectively.
△ Less
Submitted 12 October, 2017;
originally announced October 2017.
-
Scalable Real-time Transport of Baseband Traffic
Authors:
Krishna C. Garikipati,
Kang G. Shin
Abstract:
In wireless deployments, such as Massive-MIMO, where radio front-ends and back-end processing are connected through a transport network, meeting the real-time processing requirements is essential to realize the capacity gains from network scaling. While simple forms of baseband transport have been implemented, their real-time analysis at much larger scale is lacking.
Towards this, we present the…
▽ More
In wireless deployments, such as Massive-MIMO, where radio front-ends and back-end processing are connected through a transport network, meeting the real-time processing requirements is essential to realize the capacity gains from network scaling. While simple forms of baseband transport have been implemented, their real-time analysis at much larger scale is lacking.
Towards this, we present the design, delay, and capacity analysis of baseband transport networks, utilizing results from real-time systems in the context of wireless processing. We propose a novel Fat-Tree-based design, called DISTRO, for baseband transport, which is a real-time network that bounds the maximum end-to-end transport delay of each baseband packet. It achieves this by placing design constraints and bounding the queuing delay at each aggregation point in the network. We further characterize the wireless capacity using DISTRO and provide an efficient search algorithm for the design of a capacity achieving baseband transport.
△ Less
Submitted 29 January, 2018; v1 submitted 4 June, 2017;
originally announced June 2017.
-
Continuous Authentication for Voice Assistants
Authors:
Huan Feng,
Kassem Fawaz,
Kang G. Shin
Abstract:
Voice has become an increasingly popular User Interaction (UI) channel, mainly contributing to the ongoing trend of wearables, smart vehicles, and home automation systems. Voice assistants such as Siri, Google Now and Cortana, have become our everyday fixtures, especially in scenarios where touch interfaces are inconvenient or even dangerous to use, such as driving or exercising. Nevertheless, the…
▽ More
Voice has become an increasingly popular User Interaction (UI) channel, mainly contributing to the ongoing trend of wearables, smart vehicles, and home automation systems. Voice assistants such as Siri, Google Now and Cortana, have become our everyday fixtures, especially in scenarios where touch interfaces are inconvenient or even dangerous to use, such as driving or exercising. Nevertheless, the open nature of the voice channel makes voice assistants difficult to secure and exposed to various attacks as demonstrated by security researchers. In this paper, we present VAuth, the first system that provides continuous and usable authentication for voice assistants. We design VAuth to fit in various widely-adopted wearable devices, such as eyeglasses, earphones/buds and necklaces, where it collects the body-surface vibrations of the user and matches it with the speech signal received by the voice assistant's microphone. VAuth guarantees that the voice assistant executes only the commands that originate from the voice of the owner. We have evaluated VAuth with 18 users and 30 voice commands and find it to achieve an almost perfect matching accuracy with less than 0.1% false positive rate, regardless of VAuth's position on the body and the user's language, accent or mobility. VAuth successfully thwarts different practical attacks, such as replayed attacks, mangled voice attacks, or impersonation attacks. It also has low energy and latency overheads and is compatible with most existing voice assistants.
△ Less
Submitted 16 January, 2017;
originally announced January 2017.
-
BinderCracker: Assessing the Robustness of Android System Services
Authors:
Huan Feng,
Kang G. Shin
Abstract:
In Android, communications between apps and system services are supported by a transaction-based Inter-Process Communication (IPC) mechanism. Binder, as the cornerstone of this IPC mechanism, separates two communicating parties as client and server. As with any client-server model, the server should not make any assumption on the validity (sanity) of client-side transaction. To our surprise, we fi…
▽ More
In Android, communications between apps and system services are supported by a transaction-based Inter-Process Communication (IPC) mechanism. Binder, as the cornerstone of this IPC mechanism, separates two communicating parties as client and server. As with any client-server model, the server should not make any assumption on the validity (sanity) of client-side transaction. To our surprise, we find this principle has frequently been overlooked in the implementation of Android system services. In this paper, we demonstrate the prevalence and severity of this vulnerability surface and try to answer why developers keep making this seemingly simple mistake. Specifically, we design and implement BinderCracker, an automatic testing framework that supports parameter-aware fuzzing and has identified more than 100 vulnerabilities in six major versions of Android, including the latest version Android 6.0, Marshmallow. Some of the vulnerabilities have severe security implications, causing privileged code execution or permanent Denial-of-Service (DoS). We analyzed the root causes of these vulnerabilities to find that most of them exist because system service developers only considered exploitations via public APIs. We thus highlight the deficiency of testing only on client-side public APIs and argue for the necessity of testing and protection on the Binder interface - the actual security boundary. Specifically, we discuss the effectiveness and practicality of potential countermeasures, such as precautionary testing and runtime diagnostic.
△ Less
Submitted 23 April, 2016;
originally announced April 2016.
-
Plan Development using Local Probabilistic Models
Authors:
Ella M. Atkins,
Edmund H. Durfee,
Kang G. Shin
Abstract:
Approximate models of world state transitions are necessary when building plans for complex systems operating in dynamic environments. External event probabilities can depend on state feature values as well as time spent in that particular state. We assign temporally -dependent probability functions to state transitions. These functions are used to locally compute state probabilities, which are…
▽ More
Approximate models of world state transitions are necessary when building plans for complex systems operating in dynamic environments. External event probabilities can depend on state feature values as well as time spent in that particular state. We assign temporally -dependent probability functions to state transitions. These functions are used to locally compute state probabilities, which are then used to select highly probable goal paths and eliminate improbable states. This probabilistic model has been implemented in the Cooperative Intelligent Real-time Control Architecture (CIRCA), which combines an AI planner with a separate real-time system such that plans are developed, scheduled, and executed with real-time guarantees. We present flight simulation tests that demonstrate how our probabilistic model may improve CIRCA performance.
△ Less
Submitted 13 February, 2013;
originally announced February 2013.
-
Attack Prevention for Collaborative Spectrum Sensing in Cognitive Radio Networks
Authors:
Lingjie Duan,
Alexander W. Min,
Jianwei Huang,
Kang G. Shin
Abstract:
Collaborative spectrum sensing can significantly improve the detection performance of secondary unlicensed users (SUs). However, the performance of collaborative sensing is vulnerable to sensing data falsification attacks, where malicious SUs (attackers) submit manipulated sensing reports to mislead the fusion center's decision on spectrum occupancy. Moreover, attackers may not follow the fusion c…
▽ More
Collaborative spectrum sensing can significantly improve the detection performance of secondary unlicensed users (SUs). However, the performance of collaborative sensing is vulnerable to sensing data falsification attacks, where malicious SUs (attackers) submit manipulated sensing reports to mislead the fusion center's decision on spectrum occupancy. Moreover, attackers may not follow the fusion center's decision regarding their spectrum access. This paper considers a challenging attack scenario where multiple rational attackers overhear all honest SUs' sensing reports and cooperatively maximize attackers' aggregate spectrum utilization. We show that, without attack-prevention mechanisms, honest SUs are unable to transmit over the licensed spectrum, and they may further be penalized by the primary user for collisions due to attackers' aggressive transmissions. To prevent such attacks, we propose two novel attack-prevention mechanisms with direct and indirect punishments. The key idea is to identify collisions to the primary user that should not happen if all SUs follow the fusion center's decision. Unlike prior work, the proposed simple mechanisms do not require the fusion center to identify and exclude attackers. The direct punishment can effectively prevent all attackers from behaving maliciously. The indirect punishment is easier to implement and can prevent attacks when the attackers care enough about their long-term reward.
△ Less
Submitted 5 September, 2011;
originally announced September 2011.