| NSF Org: |
CNS Division Of Computer and Network Systems |
| Recipient: |
|
| Initial Amendment Date: | July 6, 2010 |
| Latest Amendment Date: | August 22, 2013 |
| Award Number: | 1012910 |
| Award Instrument: | Continuing Grant |
| Program Manager: |
Ralph Wachter
rwachter@nsf.gov (703)292-8950 CNS Division Of Computer and Network Systems CSE Directorate for Computer and Information Science and Engineering |
| Start Date: | July 1, 2010 |
| End Date: | June 30, 2016 (Estimated) |
| Total Intended Award Amount: | $2,999,906.00 |
| Total Awarded Amount to Date: | $3,040,531.00 |
| Funds Obligated to Date: |
FY 2011 = $668,962.00 FY 2012 = $1,185,820.00 FY 2013 = $547,154.00 |
| History of Investigator: |
|
| Recipient Sponsored Research Office: |
1 SILBER WAY BOSTON MA US 02215-1703 (617)353-4365 |
| Sponsor Congressional District: |
|
| Primary Place of Performance: |
1 SILBER WAY BOSTON MA US 02215-1703 |
| Primary Place of
Performance Congressional District: |
|
| Unique Entity Identifier (UEI): |
|
| Parent UEI: |
|
| NSF Program(s): |
Information Technology Researc, Special Projects - CNS, TRUSTWORTHY COMPUTING, Secure &Trustworthy Cyberspace |
| Primary Program Source: |
01001112DB NSF RESEARCH & RELATED ACTIVIT 01001213DB NSF RESEARCH & RELATED ACTIVIT 01001314DB NSF RESEARCH & RELATED ACTIVIT |
| Program Reference Code(s): |
|
| Program Element Code(s): |
|
| Award Agency Code: | 4900 |
| Fund Agency Code: | 4900 |
| Assistance Listing Number(s): | 47.070 |
ABSTRACT
Mobile phones are in the midst of a dramatic transformation; they are becoming highly powerful sensor-rich software-controlled computing and communication devices. These "softphones" are increasingly entrusted with maintaining users' electronic identity, calendars, social networks, and even bank accounts. However, the vast increases in the flexibility of softphones comes with equally large security issues and opportunities, some of which we are only beginning to understand.
This project studies the new threats and promises of softphones, and focuses on identifying, understanding, and mitigating new security risks. Two broad risk categories are addressed: threats to individual users (such as user privacy or personal finances), and threats to the entire communication system (such as disruptions to emergency services). The project ultimately aims to understand how security problems associated with softphones and their networks are different from those of traditional computers and networks, and how to harness the unique capabilities of softphones for improved security.
The research is being conducted by a broad and diverse team of nine senior investigators, in collaboration with international industry and academic partners, under the aegis of the RISCS Center at Boston University. The project is striving for wide impact through a public seminar series, multiple workshops, course development in phone security across all levels (including honors courses), and cross-disciplinary training of graduate and undergraduate students
The project's successful conclusion will deliver an essential and timely understanding of how to secure the mobile phone infrastructure that already manages many intimate aspects of our lives.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
Note:
When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external
site maintained by the publisher. Some full text articles may not yet be available without a
charge during the embargo (administrative interval).
Some links on this page may take you to non-federal websites. Their policies may differ from
this site.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
The research undertaken with the support of this award focuses on cybersecurity threats to "softphones"; mobile devices including cell phones, small mobile computers, embedded systems and a myriad of ubiquitous on-line devices. These threats represent increasingly serious risks to the core of modern technology and must be assessed and secured in the near future.
The theme of the proposed work is a broad-based inquiry into two central classes of emerging threats. The first, threats from the user's standpoint, are that softphones bring the opportunity for new assaults on user privacy and anonymity. From a system standpoint, the phones capacitate potentially catastrophic disruptions of or malicious changes to functionality, both of the phones and of the networks they use. Our goal is to study and understand such threats and to find ways to identify them and avoid their intended effects.
This was a large award occupying the research efforts of many scientists and resulted in notable progress in several related areas. The following examples of our activity illustrates the breadth and variety of the scientific work that was produced.
Research Outcomes
We have researched the attack surfaces of smartphone subsystems, with examples such as
* side-channel attacks on sensors (e.g. audio keylogging and visual fingerprinting)
* gait-based owner identification from accelerometer data
* flash-based data leakage due to wear-leveling
These various attack surfaces were incorporated into a broad overview of privacy-preserving technologies in modern smartphones.
We have also identified practical and theoretical directions for defending smartphones against external attacks. Notable results include:
(i) the design and analysis of a micro-Trusted Computing Base for secure app functionality, and
(ii) a novel implementation of deniable encryption.
We have developed a theoretical framework to formally analyze the vulnerabilities of radio communication protocols (e.g., rate adaptation algorithms) to targeted jamming attacks. The key contributions of this framework are:
1) The definition of a new metric, referred to as Rate of Jamming (RoJ).
A low RoJ implies that a protocol is highly vulnerable to jamming attacks while a high RoJ implies that the protocol is resilient.
2) The introduction of a new adversarial model which allowed us to establish that several state-of-the-art protocols have low RoJ.
3) The development of counter-measures offering provable performance guarantees.
Using tools from renewal theory we showed that the introduction of randomization in the design of the communication protocols can enhance their resiliency by a factor of 3.
A medical data application for mobile devices was developed for use in a hospital setting. The app which, includes strong privacy and data security methods, was designed and prototyped in collaboration a medical group at a major area hospital. The app's purpose is to identify and ameliorate surgical risks in post-operative hospital care and to minimize the complications that occur there. The latest version was designed using the Ionic application framework and a prototype implemented for use on iPhones and iPads.
We have developed new approaches to the problem of phone-based authentication, such as authentication of a user to a phone, or authentication of a user to a remote service with the help of a phone. Currently, such authentication is accomplished with the help of passwords or pin codes, which are both insecure and inconvenient. Our approaches will allow authentication with other data, such as user-drawn pictures or biometrics acquired with the phone's sensors. Such data sources are often more secure than passwords, but are difficult to use for authentication because they are inherently noisy. If noise is too high, then authentication fails.
We have shown how to securely tolerate more noise than was previously thought possible.
Two new classes of attack detection codes (Robust and AMD codes) were developed which provide security for transmission channels or memory against a variety of weak and strong attacks. Compared with similar codes with the same parameters, robust and AMD codes have the highest attack detection probability. Additionally, these codes can be used by mobile devices to provide strong security to secret sharing systems. Also developed were a new class of low cost multi-error correcting codes: GTB codes. GTB codes can be applied to cache and flash memories of phones and computers and provide much improved reliability for memory recovery from multiple random errors while maintaining the same read/write speed. Finally, a new security scheme against Man-In-The-Middle (MITM) attacks has been designed which can protect phones and networks, and human interface devices (HID) such as keyboards or mice, from eavesdropping, hijack, tampering, and replay attacks. Our scheme protects phones and computers against all these attacks which no current HID manufacturers do.
Last Modified: 11/23/2016
Modified by: Steven E Homer
Please report errors in award information by writing to: awardsearch@nsf.gov.
