Project Details
Layman's description
Consider a complicated distributed system like a modern factory floor. This system may consist of many heterogeneous devices, like manufacturing machines, autonomous vehicles for moving materials and goods between machines, and monitoring devices. These devices are digitally controlled and must communicate effectively to ensure the seamless operation of the system. If the communication is done in a peer-to-peer fashion (that is, without every device being orchestrated by a central server), we can call the system a heterogeneous swarm. Such systems can be particularly sensitive to threats. Competitors might gain a competitive edge through acts of sabotage or by illicitly obtaining proprietary information, while political organizations or vigilante groups may attempt to compromise the system for various motives. My project revolves around protecting heterogeneous swarms from outside attackers and dishonest users.
There are many unique challenges to securing heterogeneous swarms. If a new device joins, how can you be sure that it is actually authorized to join and not a malicious device inserted by an intruder? What happens to the system as a whole if an intruder gains physical access to one device and thereby completely compromises it? How may we restore the system to a secure state? When designing solutions to such problems, we are often constrained by the limited capabilities of many of the devices in such systems. A small battery-powered sensor might not be suitable for schemes where it must constantly perform involved cryptographic proofs and checks.
Resilience is one of the central aspects of my research. If an attacker successfully compromises a device, we expect all information supposed to go to that device to be compromised as well. In many systems, however, the attacker may be able to leverage that device to obtain additional information about completely unrelated parts of the system. This would be like an attacker successfully impersonating a janitor at a company and then retrieving critical financial information from the administration. If a janitor is compromised we have to consider the overview of office supplies to also be compromised, but a janitor should not be able to retrieve confidential financial plans! This is, however, how a distributed system might work by default if all devices communicate using the same encryption key.
In my PhD I will develop methods and tools for checking the security of distributed systems while they are being developed. One such method is that of information flow analysis. The programmer must label the data in their programs such that we know which devices are supposed to be able to obtain which pieces of information. We can then do an analysis of how information flows through the system to check for any violation of the policy. If there are no such violations then the system should be reasonably resilient to privilege escalation attacks. In my research, I will develop such analyses and formally prove their security guarantees.
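To make the label-and-check idea concrete, here is a toy information-flow checker as an added example; it is not code from the project described on this page. It assumes a deliberately simple policy model: every source value is labelled with the set of devices allowed to learn it, a derived value may only be seen by devices allowed to see all of its inputs (the intersection of the input labels), and a send is a violation when the recipient is outside the value's label. The device names, variable names and program are constructed sample data, chosen to mirror the janitor/financial-plan story above, and the last function contrasts what a compromised device exposes under a single shared key versus per-recipient keys.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Send:
    """Transmit the value of `var` to device `to`."""
    var: str
    to: str


@dataclass(frozen=True)
class Compute:
    """Derive `var` from the listed input variables."""
    var: str
    inputs: tuple


# Constructed sample policy: each source value is labelled with the set of
# devices allowed to learn it.
POLICY = {
    "supply_levels": frozenset({"janitor", "admin"}),
    "financial_plan": frozenset({"admin"}),
    "machine_temp": frozenset({"controller", "monitor"}),
}

# Constructed sample program running across the swarm. The aggregated
# "report" depends on the financial plan, so sending it to the janitor
# is an (indirect) leak the programmer may not notice by inspection.
PROGRAM = [
    Compute("report", ("supply_levels", "financial_plan")),
    Send("supply_levels", "janitor"),
    Send("financial_plan", "admin"),
    Send("report", "admin"),
    Send("report", "janitor"),
    Send("machine_temp", "monitor"),
]


def infer_labels(policy, program):
    """Propagate labels through the program: a derived value inherits the
    intersection of its inputs' labels (only devices cleared for every input
    may learn the result)."""
    labels = dict(policy)
    for stmt in program:
        if isinstance(stmt, Compute):
            lab = labels[stmt.inputs[0]]
            for v in stmt.inputs[1:]:
                lab &= labels[v]
            labels[stmt.var] = lab
    return labels


def check_flows(policy, program):
    """Return every (value, recipient) pair where a Send delivers a value to a
    device outside that value's label."""
    labels = infer_labels(policy, program)
    return [(s.var, s.to) for s in program
            if isinstance(s, Send) and s.to not in labels[s.var]]


def drop_violations(policy, program):
    """Remove the offending sends, leaving a program the checker accepts."""
    bad = set(check_flows(policy, program))
    return [s for s in program
            if not (isinstance(s, Send) and (s.var, s.to) in bad)]


def exposure_on_compromise(program, device, shared_key):
    """Which transmitted values an attacker learns by fully compromising
    `device`. With one shared encryption key the attacker can decrypt every
    transmission in the swarm; with per-recipient keys it learns only what
    was actually sent to that device."""
    sent = [s for s in program if isinstance(s, Send)]
    if shared_key:
        return {s.var for s in sent}
    return {s.var for s in sent if s.to == device}


if __name__ == "__main__":
    print("violations:", check_flows(POLICY, PROGRAM))
    safe = drop_violations(POLICY, PROGRAM)
    print("janitor compromised, shared key :",
          sorted(exposure_on_compromise(safe, "janitor", shared_key=True)))
    print("janitor compromised, per-device keys:",
          sorted(exposure_on_compromise(safe, "janitor", shared_key=False)))
```

The checker flags the report being sent to the janitor even though no statement sends the financial plan there directly, which is exactly the kind of indirect flow that label propagation catches and manual review tends to miss. The last two lines illustrate the resilience point: once the program passes the check, a per-recipient keying scheme bounds what a compromised janitor device exposes to its own label, whereas a single shared key exposes every transmission regardless of the policy.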
By providing developers with tools to verify their systems while they are being constructed, we can prevent serious issues that might only become apparent after disaster has struck. In the realm of security, prevention during the construction phase is vastly superior to addressing issues in a live system. Inadequately designed systems may result in severe damage to both user privacy and a company's production capacity when exploited by attackers. Through analyses with a rigorous theoretical foundation, we hope to make it easier to produce reliable and trustworthy systems.
Status: Not started