2024 Workshop on

Abstract: IoT environments have complex physical interactions between actuators and sensors that create new classes of app interaction vulnerabilities. For instance, an app that turns on the heater interacts with another app that opens the window when the temperature exceeds a threshold and may result in opening the window when the residents are not at home. Unfortunately, existing IoT security measures fail to achieve sufficient fidelity to uncover these vulnerabilities, causing poor accuracy and false alarms. In this talk, I will introduce IoTSeer, which combines app code analysis and dynamic analysis with new security policies to discover physical interaction vulnerabilities among IoT apps. IoTSeer first models each IoT app’s physical behavior through hybrid modeling and proposed a new composition algorithm to construct a model that describes the joint physical behavior of apps. It then leverages optimization-guided falsification to validate if the apps’ composite model adheres to a set of safety and security policies represented with metric temporal logic. Through this effort, we develop formal techniques and tools that enable developers to build safe and secure IoT environments.

Bio: Muslum Ozgur Ozmen is a Ph.D. candidate in the Department of Computer Science at Purdue University, where he is advised by Professor Z. Berkay Celik. He has researched a variety of topics, including IoT security and privacy, mobile robot and self-driving car security, and lightweight cryptography. He received the Diamond Award for academic excellence from the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. He served at the student advisory council of NSF AI Institute for Agent-based Cyber Threat Intelligence and Operation (ACTION) as the Purdue representative in 2023-2024. He also interned with the cyber-physical systems research team at the Toyota Research Institute North America. He will join SCAI at ASU as an assistant professor in Fall 2024. More information can be obtained at https://ozgurozmen.github.io/.

Abstract: As healthcare systems become increasingly dependent on electronic health records and various digital platforms for managing patient data, ensuring the privacy and security of this sensitive information has become a paramount concern. In this talk, I will outline the main threats to health data privacy, along with the evolving legal frameworks and standards, such as HIPAA, that govern its use. I will also share initial results from a controlled experiment involving over 80 students, highlighting the critical role of education and technology in enforcing robust patient privacy protections. Furthermore, I will explore innovative technologies and practices that are emerging to protect and manage health data. This discussion aims to shed light on how healthcare providers, policymakers, and technologists can work together to develop more secure and private systems for health data management.  

Bio: Hailong Zhang is an Assistant Collegiate Professor in the Business Information Technology Department. He received his Ph.D. in Computer Science and Engineering from the Ohio State University in 2020. Prior to joining VT, he worked as an Assistant Professor in the Department of Computer and Information Sciences at Fordham University. His research interest lies in the general area of security and privacy, where he bridges business, technology, and public policy and law. His research has been published in top-tier computer science conferences and peer-reviewed journals, including USENIX Security Symposium, the International Conference on Software Engineering.

Abstract: With hardware support, confidential computing (CC) is one of the promising solutions for efficient privacy-preserving computing on the cloud. However, the current commercial confidential computing platforms are limited to CPUs and very recently GPUs. Not all the devices will have hardware CC support immediately. In the first part of the talk, I will present SecNDP, a lightweight encryption and verification scheme for a trusted CPU to leverage untrusted Near-Data Processing (NDP) devices to perform computation over ciphertext and verify the correctness of linear operations. Our evaluation shows that SecNDP has performance speedup and energy savings compared with a secure CPU baseline. In the second part of the talk, I will talk about our ongoing work on the analysis of the potential leakages in confidential computing platforms and software mitigations.

Bio: Wenjie Xiong is an Assistant Professor at Virginia Tech. She received her Ph.D. in the Department of Electrical Engineering at Yale University in May 2020, advised by Prof. Jakub Szefer. Her research interests are in computer architecture and hardware security, where she leverages hardware features to enhance the security of computer systems as well as identify and mitigate security vulnerabilities that are rooted in the hardware designs. Her work on covert channel attacks on cache replacement states was selected as an Honorable Mention of IEEE Micro Top Picks 2021 and the featured paper of IEEE Transactions on Computers (TC). Her earlier work on run-time accessible DRAM PUFs was selected as the Top Picks in Hardware and Embedded Security 2019. More details at https://computing.ece.vt.edu/~wenjiex/. 

Abstract: Mobile mixed reality has become increasingly popular over the last decade with the release of dedicated headsets and apps that blend virtual content into users’ real-world environments. MR apps require an elaborate spatial map of the user’s surroundings in three dimensions (3D), captured via specialized sensors, to localize the MR device and enable realistic assimilation of virtual content in the user’s environment. Unmonitored access of MR apps to the sensor data and in turn spatial information poses serious privacy threats to users as the spatial maps capture detailed geometric and semantic characteristics of users' environments. In this talk, I will demonstrate how sophisticated sensors on MR devices can be exploited to launch a new location inference attack, LocIn, on MR devices. LocIn attack exploits the detailed characteristics embedded in 3D spatial maps to infer a user's indoor location type. It leverages a multi-task approach for training an end-to-end encoder-decoder network that extracts a spatial feature representation for capturing contextual patterns of the user's environment and integrates them into a classification network with a novel unified optimization function to predict the user’s indoor location. 

Bio: Habiba Farrukh is an Assistant Professor in the Computer Science department at the University of California, Irvine. Prior to joining UCI, Habiba received her Ph.D. at Purdue University, where she was advised by Professor Z. Berkay Celik and was a part of the PurSec Lab. Habiba has conducted research on a variety of topics, including mobile and IoT security and privacy and human-centered computing. Her dissertation focused on leveraging multimodal sensing on mobile and IoT devices to provide rigorous security and privacy guarantees for these systems. She received the Bilsland Fellowship for her dissertation in 2022. More information is available at https://habiba-farrukh.github.io/.  

Abstract: Modern targeted attacks such as Advanced Persistent Threats use multiple hosts as stepping stones and move laterally across them to deeply penetrate the network, resulting in huge data breaches and devastating financial losses in many companies and organizations. To defend against these sophisticated attacks, zero trust security has emerged as a set of new security paradigms, radically shifting from the traditional "castle-and-moat" network security model that assumes implicit trust within network perimeters. Motivated by the U.S. White House-issued Executive Order EO-14028 and Memo M-22-09, zero trust has recently gained wide attention. However, realizing a zero trust architecture in current enterprise networks presents multiple challenges. In this talk, I will shed light on our recent works on building novel in-network defenses to architect existing networks with zero trust principles. I will mainly discuss P4Control, a novel network defense system that enables fine-grained, least-privilege network access control over information flows across hosts in a network, preventing cross-host attack traffic in real time. Enabled by the recently proposed programmable switches and eBPF technologies, P4Control is the first work that uses programmable data planes to enforce complex secrecy and integrity policies at line rate. Remarkably, P4Control can be seamlessly integrated into the existing network infrastructure with minimal modifications and overhead, transforming it into a defense backbone.

Bio: Peng Gao is an Assistant Professor in the Department of Computer Science at Virginia Tech. He is a Commonwealth Cyber Initiative (CCI) Faculty Fellow. He was a Postdoctoral Researcher at the University of California, Berkeley. He received his Ph.D. from Princeton University. His research interest lies in security and privacy issues in systems and networks. His work centers on creating scalable, secure, intelligent, and trustworthy systems to solve real-world challenges, with publications at multiple top-tier conferences (e.g., IEEE S&P, USENIX Security, USENIX ATC, ACM CCS, ICDE, and ICSE), patents, and industry deployments. He is the recipient of several awards (e.g., 2018 CSAW Applied Research Finalist, 2020 Microsoft Security AI Research Award, 2020 Amazon Research Award, 2021 Cisco Research Award, and 2022 Amazon - Virginia Tech Initiative Faculty Research Award). More details at: https://people.cs.vt.edu/penggao/

Abstract: In recent years, we have witnessed a remarkable proliferation of networked intelligent devices - collectively known as the Internet of Things (IoT). The “smartness” of IoT is empowered by data-driven and learning-based techniques to enhance cognition, prediction, and decision-making. It often requires a sheer amount of data from various organizations and end users to be collected, transmitted, and processed. Privacy is a fundamental hurdle to such collective data aggregation and analysis across different entities. We need the new modern cryptography schemes to integrate into the IoT system, which not only achieve the efficiency but also guarantee data protection. In this talk, we begin with the stories of Functional Encryption, as the power tool of modern cryptography, and we go through the seminal schemes. Based on the mechanism of Functional Encryption, we will discuss how to design lightweight computation for secure evaluating/retrieval data and privacy-preserving federated learning in IoT Environments. This goal will lead to the generation of new crypto models for IoT devices supporting Artificial Intelligence.

Bio:  Tran Viet Xuan Phuong is currently Assistant Professor at University of Arkansas at Little Rock. Before that she was a Research Assistant Professor at the School of Cybersecurity, University of Old Dominion University, USA. From 2018-2021, she was a Research Fellow at the School of Computing and Information Technology, University of Wollongong, Australia, and a Contributed Fellow CSIRO – Data61 of the Australian Government,  and a Postdoc Researcher at Old Dominion University, USA, from 2017-2018. She obtained her Ph.D. in Cryptology and Cybersecurity at the University of Wollongong, Australia, in 2016. Her main research interests include applied cryptography for machine learning, such as federated learning and deep learning, blockchain security, and IoT cybersecurity. She has published in the top tier of cryptography/security conferences and journals, including ACM CCS, ESORICS, IEEE INFOCOM, ACM ASIACCS, IEEE TIFS, IEEE TII, Design Codes and Cryptography, etc.