Dissertations / Theses on the topic 'Genomic security and privacy'


1

Shang, Hui. "Privacy Preserving Kin Genomic Data Publishing." Miami University / OhioLINK, 2020. http://rave.ohiolink.edu/etdc/view?acc_num=miami1594835227299524.

2

Fischer-Hübner, Simone. "IT-security and privacy : design and use of privacy-enhancing security mechanisms /." Berlin [u.a.] : Springer, 2001. http://www.loc.gov/catdir/enhancements/fy0812/2001034161-d.html.

3

Литвиненко, Галина Іванівна, Галина Ивановна Литвиненко, Halyna Ivanivna Lytvynenko, and R. Pelepei. "Internet security and privacy." Thesis, Видавництво СумДУ, 2008. http://essuir.sumdu.edu.ua/handle/123456789/16048.

4

Naro, Daniel. "Security strategies in genomic files." Doctoral thesis, Universitat Politècnica de Catalunya, 2020. http://hdl.handle.net/10803/669108.

Abstract:
There are new mechanisms to sequence and process the genomic code, discovering thus diagnostic tools and treatments. The file for a sequenced genome can reach hundreds of gigabytes. Thus, for further studies, we need new means to compress the information and a standardized representation to simplify the development of new tools. The ISO standardization group MPEG has used its expertise in compressing multimedia content to compress genomic information and develop its 'MPEG-G standard'. Given the sensitivity of the data, security is a major identified requirement. This thesis proposes novel technologies that assure the security of both the sequenced data and its metadata. We define a container-based file format to group data, metadata, and security information at the syntactical level. It includes new features like grouping multiple results in a same file to simplify the transport of whole studies. We use the granularity of the encoder's output to enhance security. The information is represented in units, each dedicated to a specific region of the genome, which allows to provide encryption and signature features on a region base. We analyze the trade-off between security and an even more fine-grained approach and prove that apparently secure settings can be insecure: if the file creator may encrypt only specific elements of a unit, cross-checking unencrypted information permits to infer encrypted content. Most of the proposals for MPEG-G coming from other research groups and companies focused on data compression and representation. However, the need was recognized to find a solution for metadata encoding. Our proposal was included in the standard: an XML-based solution, separated in a core specification and extensions. It permits to adapt the metadata schema to the different genomic repositories' frameworks, without importing requirements from one framework to another. To simplify the handling of the resulting metadata, we define profiles, i.e. lists of extensions that must be present in a given framework. We use XML signature and XML encryption for metadata security. The MPEG requirements also concern access rules. Our privacy solutions limit the range of persons with access and we propose access rules represented with XACML to convey under which circumstances a user is granted access to a specific action among the ones specified in MPEG-G's API, e.g. filtering data by attributes. We also specify algorithms to combine multiple rules by defining default behaviors and exceptions. The standard's security mechanisms protect the information only during transport and access. Once the data is obtained, the user could publish it. In order to identify leakers, we propose an algorithm that generates unique, virtually undetectable variations. Our solution is novel as the marking can be undone (and the utility of the data preserved) if the corresponding secret key is revealed. We also show how to combine multiple secret keys to avoid collusion. The API retained for MPEG-G considers search criteria not present in the indexing tables, which highlights shortcomings. Based on the proposed MPEG-G API we have developed a solution. It is based on a collaboration framework where the different users' needs and the patient's privacy settings result in a purpose-built file format that optimizes query times and provides privacy and authenticity on the patient-defined genomic regions. The encrypted output units are created and indexed to optimize query times and avoid rarely used indexing fields. Our approach resolves the shortcomings of MPEG-G's indexing strategy. We have submitted our technologies to the MPEG standardization committee. Many have been included in the final standard, via merging with other proposals (e.g. file format), discussion (e.g. security mechanisms), or direct acceptance (e.g. privacy rules).
There are new methods for sequencing and processing the genomic code, making it possible to discover diagnostic tools and treatments in the medical field. The result of sequencing a genome is represented in a file, which can occupy hundreds of gigabytes. Because of this, there is a need for a standardized representation in which the information is compressed. Within ISO, the MPEG group has used its experience in compressing multimedia data to compress genomic data and develop the MPEG-G standard, with security being one of the main requirements. The objective of the thesis is to guarantee this security (by encrypting, signing and defining access rules) for both the sequenced data and its metadata. The first step is to define how to transport the data, metadata and security parameters. We specify a container-based file format in order to group these elements at the syntactic level. Our solution proposes new functionality such as grouping multiple results in a single file. As for data security, our proposal uses the properties of the encoder's output. This output is structured in units, each dedicated to a specific region of the genome, allowing unit-specific encryption and signing of data. We analyze the trade-off between security and a finer-grained approach, showing that apparently valid configurations may not be so: if encrypting only certain sub-units of information is allowed, the encrypted content can be inferred by cross-checking the unencrypted contents. As for metadata, we propose an XML-based solution separated into a core specification and extensions. We can adapt the metadata schema to the different genomic repository frameworks without imposing the requirements of one framework on another. To simplify use, we propose the definition of profiles, that is, a list of the extensions that must be present for a given framework. We use XML signatures and XML encryption to implement metadata security. Our privacy solutions limit who has access to the data, but do not limit its use. We propose access rules represented in XACML to indicate under which circumstances a user is entitled to execute one of the actions specified in the MPEG-G API (for example, filtering data by attributes). We present algorithms for combining rules, so that default cases and exceptions can be defined. The MPEG-G security mechanisms protect the information during transport and access. Once the user has accessed the data, they could publish it. In order to identify who is the source of a data leak, we propose an algorithm that generates unique and virtually undetectable modifications. Our solution is pioneering, since the changes can be undone if the corresponding secret is published. The utility of the data is therefore maintained. We show that by combining several secrets, we can avoid collusion. The API selected for MPEG-G considers search criteria that are not present in the indexing tables. Based on this API, we have developed a solution. It is based on a collaboration framework in which the needs of the different users and the patient's privacy requirements are combined into an ad hoc representation that optimizes access times while guaranteeing the privacy and authenticity of the data. Most of our proposals have been included in the final version of the standard, by merging them with other proposals (as with the file format), by demonstrating their superiority (as with the security mechanisms), and even by being accepted directly (as with the privacy rules).
5

Haver, Torstein. "Security and Privacy in RFID Applications." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2006. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-9325.

Abstract:

Radio Frequency Identification (RFID) is a very versatile technology. It has the potential to increase the efficiency of many common applications and is thus becoming increasingly popular. The main drawback is that the general principles the technology is built on are very vulnerable to attack. The ID imbedded in every chip combined with the openness of the radio interface exposes the users to tracking. As additional sensitive information may be stored on the tags, the user may also be exposed to other security and privacy threats. This thesis investigates how easily the reading distance of RFID tags can be increased by modifying a regular reader. A thorough presentation of general privacy and security threats to RFID systems is also given together with an analysis of how the results from the experiments influence these threats. General countermeasures to defend against threats are also evaluated. Finally, the thesis investigates how easily a user can reduce the reading distance of tags he is carrying by physical shielding. The general results are that moderately increasing the reading distance of RFID tags by modifying a regular reader is possible. It is, however, not trivial. Given that the attacker has extensive knowledge of the technology and its implementation, obtaining extensive increases in reading distance by using very sophisticated techniques may be possible. Users can, on the other hand, relatively easily decrease the reading distances of tags by physically shielding them. The obtainable reading distance using an electronics hobbyist’s tools, skills and knowledge is sufficient to greatly simplify the execution of several attacks aimed at RFID systems. As the technological development is likely to increase the obtainable reading distance even further, inclusion of on-tag security measures for the future is of great importance.

6

DeYoung, Mark E. "Privacy Preserving Network Security Data Analytics." Diss., Virginia Tech, 2018. http://hdl.handle.net/10919/82909.

Abstract:
The problem of revealing accurate statistics about a population while maintaining privacy of individuals is extensively studied in several related disciplines. Statisticians, information security experts, and computational theory researchers, to name a few, have produced extensive bodies of work regarding privacy preservation. Still the need to improve our ability to control the dissemination of potentially private information is driven home by an incessant rhythm of data breaches, data leaks, and privacy exposure. History has shown that both public and private sector organizations are not immune to loss of control over data due to lax handling, incidental leakage, or adversarial breaches. Prudent organizations should consider the sensitive nature of network security data and network operations performance data recorded as logged events. These logged events often contain data elements that are directly correlated with sensitive information about people and their activities -- often at the same level of detail as sensor data. Privacy preserving data publication has the potential to support reproducibility and exploration of new analytic techniques for network security. Providing sanitized data sets de-couples privacy protection efforts from analytic research. De-coupling privacy protections from analytical capabilities enables specialists to tease out the information and knowledge hidden in high dimensional data, while, at the same time, providing some degree of assurance that people's private information is not exposed unnecessarily. In this research we propose methods that support a risk based approach to privacy preserving data publication for network security data. Our main research objective is the design and implementation of technical methods to support the appropriate release of network security data so it can be utilized to develop new analytic methods in an ethical manner. 
Our intent is to produce a database which holds network security data representative of a contextualized network and people's interaction with the network mid-points and end-points without the problems of identifiability.
Ph. D.
7

Groat, Stephen Lawrence. "Privacy and Security in IPv6 Addressing." Thesis, Virginia Tech, 2011. http://hdl.handle.net/10919/76978.

Abstract:
Due to an exponentially larger address space than Internet Protocol version 4 (IPv4), the Internet Protocol version 6 (IPv6) uses new methods to assign network addresses to Internet nodes. StateLess Address Auto Configuration (SLAAC) creates an address using a static value derived from the Media Access Control (MAC) address of a network interface as host portion, or interface identifier (IID). The Dynamic Host Configuration Protocol version 6 (DHCPv6) uses a client-server model to manage network addresses, providing stateful address configuration. While DHCPv6 can be configured to assign randomly distributed addresses, the DHCP Unique Identifier (DUID) was designed to remain static for clients as they move between different DHCPv6 subnets and networks. Both the IID and DUID are static values which are publicly exposed, creating a privacy and security threat for users and nodes. The static IID and DUID allow attackers to violate unsuspecting IPv6 users' privacy and security with ease. These static identifiers make geographic tracking and network traffic correlation over multiple sessions simple. Also, different classes of computer and network attacks, such as system-specific attacks and Denial-of-Service (DoS) attacks, are easier to successfully employ due to these identifiers. This research identifies and tests the validity of the privacy and security threat of static IIDs and DUIDs. Solutions which mitigate or eliminate the threat posed by static identifiers in IPv6 are identified.
Master of Science
8

Taylor, Vincent. "Security and privacy in app ecosystems." Thesis, University of Oxford, 2017. https://ora.ox.ac.uk/objects/uuid:01f3b0ca-b24e-4949-9efa-ec56dfba7a36.

Abstract:
Smartphones are highly-capable mobile computing devices that have dramatically changed how people do business, interact with online services, and receive entertainment. Smartphone functionality is enhanced by an ecosystem of apps seemingly covering the entire gamut of functionality. While smartphone apps have undoubtedly provided immeasurable benefit to users, they also contribute their fair share of drawbacks, such as increases in security risks and the erosion of user privacy. In this thesis, I focus on the Android smartphone operating system, and pave the way for improving the security and privacy of its app ecosystem. Chapter 3 starts by doing a comprehensive study on how Android apps have evolved over a three-year period, both in terms of their dangerous permission usage and the vulnerabilities they contain. It uncovers a trend whereby apps are using increasing numbers of dangerous permissions over time and at the same time becoming increasingly vulnerable to attack by adversaries. By analysing the Google Play Store, Android's official app marketplace, Chapter 4 shows that many general-purpose apps can be replaced with functionally-similar alternatives to the benefit of the user. This confirms that users still wield power to improve their own security and privacy. Chapter 5 combines this insight with real-world data from approximately 30,000 smartphones to understand the actual risk that the average user faces as a result of their use of apps, and takes an important first step in measuring the improvements that can be made. Users, however, are not always aware of the risks they face and thus Chapter 6 demonstrates the feasibility of a classification system that can transparently and unobtrusively identify and alert users to the presence of apps of concern on their devices.
This classification system identifies apps from features in the network traffic they generate, without itself analysing the payload of their traffic, thus maintaining a high threshold of privacy. While the work presented in this thesis has uncovered undesirable trends in app evolution, and shows that a large fraction of users are exposed to non-trivial risk from the apps they use, in many cases there is sufficient diversity in the offerings of general-purpose apps in the Google Play Store to empower users to mitigate the risks coming from the apps they use. This work takes us a step further in keeping users safe as they navigate and enjoy app ecosystems.
9

Purandare, Darshan. "ENHANCING MESSAGE PRIVACY IN WIRED EQUIVALENT PRIVACY." Master's thesis, University of Central Florida, 2005. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/2998.

Abstract:
The 802.11 standard defines the Wired Equivalent Privacy (WEP) and encapsulation of data frames. It is intended to provide data privacy to the level of a wired network. WEP suffered threat of attacks from hackers owing to certain security shortcomings in the WEP protocol. Lately, many new protocols like WiFi Protected Access (WPA), WPA2, Robust Secure Network (RSN) and 802.11i have come into being, yet their implementation is fairly limited. Despite its shortcomings one cannot undermine the importance of WEP as it still remains the most widely used system and we chose to address certain security issues and propose some modifications to make it more secure. In this thesis we have proposed a modification to the existing WEP protocol to make it more secure. We achieve Message Privacy by ensuring that the encryption is not breached. The idea is to update the shared secret key frequently based on factors like network traffic and number of transmitted frames. We also develop an Initialization Vector (IV) avoidance algorithm that eliminates IV collision problem. The idea is to partition the IV bits among different wireless hosts in a predetermined manner unique to every node. We can use all possible 2^24 different IVs without making them predictable for an attacker. Our proposed algorithm eliminates the IV collision ensuring Message Privacy that further strengthens security of the existing WEP. We show that frequent rekeying thwarts all kinds of cryptanalytic attacks on the WEP.
M.S.
School of Computer Science
Engineering and Computer Science
Computer Science
10

Wakim, Mike. "Employing Android Security Features for Enhanced Security and Privacy Preservation." Thesis, Université d'Ottawa / University of Ottawa, 2017. http://hdl.handle.net/10393/36353.

Abstract:
In this thesis, we examine the architecture and the security framework underlying the Android operating system. We explore existing Android end-to-end encrypted (E2EE) messaging applications and derive four categories of common issues that are applicable to these applications. We then provide an overview of the known issue of privilege escalation wherein a malicious privileged application can utilize inter-process communication techniques to send protected data to an unauthorized application on a user’s device. We demonstrate through a proof of concept how this behavior can be achieved in real applications, and we suggest potential countermeasures that can help prevent this issue. Furthermore, in the interest of diminishing the common issues that are applicable to E2EE messaging applications, we propose a new design for such applications that employs some of the principal security features offered by the Android operating system. We explain how our design can help eliminate trust-related issues associated with such applications, as well as how it can help minimize issues in other categories. Finally, we demonstrate how our proposed design can be used in practice by implementing a proof of concept.
11

Årnes, Andre. "Risk, Privacy, and Security in Computer Networks." Doctoral thesis, Norwegian University of Science and Technology, Faculty of Information Technology, Mathematics and Electrical Engineering, 2006. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-1725.

Abstract:

With an increasingly digitally connected society comes complexity, uncertainty, and risk. Network monitoring, incident management, and digital forensics are of increasing importance with the escalation of cybercrime and other network supported serious crimes. New laws and regulations governing electronic communications, cybercrime, and data retention are being proposed, continuously requiring new methods and tools.

This thesis introduces a novel approach to real-time network risk assessment based on hidden Markov models to represent the likelihood of transitions between security states. The method measures risk as a composition of individual hosts, providing a precise, fine-grained model for assessing risk and providing decision support for incident response. The approach has been integrated with an existing framework for distributed, large-scale intrusion detection, and the results of the risk assessment are applied to prioritize the alerts produced by the intrusion detection sensors. Using this implementation, the approach is evaluated on both simulated and real-world data.

Network monitoring can encompass large networks and process enormous amounts of data, and the practice and its ubiquity can represent a great threat to the privacy and confidentiality of network users. Existing measures for anonymization and pseudonymization are analyzed with respect to the trade-off of performing meaningful data analysis while protecting the identities of the users. The results demonstrate that most existing solutions for pseudonymization are vulnerable to a range of attacks. As a solution, some remedies for strengthening the schemes are proposed, and a method for unlinkable transaction pseudonyms is considered.

Finally, a novel method for performing digital forensic reconstructions in a virtual security testbed is proposed. Based on a hypothesis of the security incident in question, the testbed is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate reconstruction experiments in digital forensics. Two examples are given to demonstrate the approach; one overview example based on the Trojan defense and one detailed example of a multi-step attack. Although a reconstruction can neither prove a hypothesis with absolute certainty, nor exclude the correctness of other hypotheses, a standardized environment combined with event reconstruction and testing can lend credibility to an investigation and can be a valuable asset in court.

12

Moe, Marie Elisabeth Gaup. "Security, Privacy and Trust in Dynamic Networks." Doctoral thesis, Norges teknisk-naturvitenskapelige universitet, Institutt for telematikk, 2009. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-5540.

Abstract:
Emergent networks like mobile ad hoc networks, sensor networks, opportunistic networks, peer-to-peer networks and social networks are introducing new and exciting opportunities of communication between people and devices. But these dynamic networks also introduce many security- and privacy-related challenges. When dealing with complex and dynamic environments, information about the current level of security or privacy, expressed in a quantified manner, could be of great value in a decision-making process. In order to derive such quantified measures there is a need for mathematical models for security, privacy and trust. The development, application and evaluation of such models are the topics of this thesis. In order to obtain quantitative measures of security, a state modeling approach, which has traditionally been used to model dependable systems is used. The modeling is based on the view that the notions of security and dependability are integrated concepts, both describing aspects of trustworthy computer systems. The state modeling allows for a probabilistic evaluation of the security of the system, which can be used for security quantification, prediction, risk assessment, intrusion detection and intrusion prevention. The first part of the thesis describes a real-time risk assessment method for computer networks using hidden Markov modeling. Hidden Markov models are well suited for the modeling of sensor trustworthiness in an intrusion prevention system, and as a result of this research, a new method for aggregation of intrusion detection alerts from multiple intrusion detection systems is proposed. New security metrics for computer networks, such as computer network risk, the mean time to next intrusion and the intrusion frequency, are derived from the Markov models. Hidden Markov models are also used for supporting the actions of agents in dynamic networking environments who are faced with significant degrees of uncertainty in making decisions. 
Assuming access to perfect information about the environment and the properties of the interacting partners is unrealistic, but if agents are able to establish appropriate trust in each other, the decision-making process would be facilitated and the risk associated with the interactions could still be acceptable. Trust may also play a significant role for the efficient operation of more general multiagent systems. A novel trust model based on hidden Markov modeling and reinforcement learning has been developed, where the measuring of agent trustworthiness is based on the predicted state probability distribution. Trust modeling is also used as a basis for a decentralized reputation system suitable for dynamic multiagent environments. As infrastructures are gradually becoming more intelligent, trust may play an increasingly important role in the interactions between network components. A trust-based security extension to the mobile ad hoc network dynamic source routing protocol is given, where the state probability of a node, according to its corresponding hidden Markov model, is being used for deciding the node's trustworthiness. Nodes with different trustworthiness may be offered different service levels based on a trust policy. Since network services normally will be denied to untrusted nodes, an incentive for nodes not to misbehave is created. Users in dynamic networking environments like mobile ad hoc networks would be particularly exposed to threats against their privacy since they have limited control over the trustworthiness of network nodes that handle the messages sent. Appropriate privacy enhancing cryptographic mechanisms, which can be trusted to work as intended, are required to handle this problem. A novel approach to quantifying the amount of privacy that is offered by anonymous ad hoc routing protocols using conditional entropy is given, which takes into account the proportion of adversarial nodes and includes the a priori knowledge of the attacker.
13

Kong, Yibing. "Security and privacy model for association databases." Access electronically, 2003. http://www.library.uow.edu.au/adt-NWU/public/adt-NWU20031126.142250/index.html.

14

Vahedi, Ehsan. "Security, privacy and efficiency in RFID systems." Thesis, University of British Columbia, 2013. http://hdl.handle.net/2429/45181.

Abstract:
Radio frequency identification (RFID) is a ubiquitous wireless technology that allows objects to be identified automatically. Using the RFID technology can simplify many applications and provide many benefits but meanwhile, the security and privacy of RFID systems should be taken into account. In this thesis, we have two goals. The first one is to improve the security and privacy in RFID systems. Our second goal is to provide accurate analytical models for the most important tag singulation schemes. We use these analytical models to evaluate and compare the efficiency of the tag singulation schemes. First, we study the blocking attack in RFID systems and develop an analytical model for it. Using this analytical model, we propose two probabilistic blocker tag detection (P-BTD) algorithms for RFID systems that operate based on the binary tree walking and ALOHA techniques. Then, we study the security and privacy of some recently introduced light-weight authentication protocols, and discuss their advantages and drawbacks. Based on this analysis and considering the hardware limitations of RFID tags, we propose a new authentication protocol that improves the security and privacy in RFID systems. By taking advantage of the analytical model we proposed for the ALOHA-based P-BTD algorithm, we develop an accurate tag estimate method. Using the proposed method, we can estimate the number of tags in RFID systems accurately, and design more efficient ALOHA-based tag singulation mechanisms. Next, we study the EPC Gen-2 protocol and its tag singulation mechanism. We model the EPC Gen-2 protocol as an absorbing Markov chain. Using the model proposed, we derive accurate analytical expressions for the expected number of queries and the expected number of transmitted bits needed to identify all tags in the RFID system. Finally, we study the use of the CDMA technique for RFID systems. 
We model the CDMA-based tag singulation procedure as an absorbing Markov chain, and derive accurate analytical expressions for the expected number of queries and the amount of transmitted data needed to identify all tags in the system. Using the analytical models developed, we compare the performance of the CDMA-based and the EPC Gen-2 tag singulation schemes.
15

Clarke, David A. Jr. "Making U.S. security and privacy rights compatible." Thesis, Monterey California. Naval Postgraduate School, 2013. http://hdl.handle.net/10945/37603.

Abstract:
CHDS State/Local
Approved for public release; distribution is unlimited
The terror attacks against the United States on September 11, 2001, necessitated changes in the way domestic intelligence agencies and services conducted information-collection activities to protect against further attacks. Congress acted quickly to prevent the next attack by expanding government authority under the USA PATRIOT Act and the Federal Intelligence Surveillance Court. This gave domestic intelligence services the tools needed due to advances in technology that allowed terror organizations and suspects to travel, communicate, raise money and recruit using the Internet. Safeguards were written into the enhanced authority to protect against privacy abuses by government. Ten years after 9/11, civil-liberties advocates called for more transparency, more privacy protections and better oversight because of past abuses by government officials operating in the name of national security. Leaks about government spying on U.S. citizens have heightened the balance debate between security and privacy. Privacy or security is not a zero-sum game. A policy that incorporates an adversarial process in the FISC and a streamlined oversight mechanism in Congress for more effective oversight, and the release of redacted classified documents to educate the public about surveillance techniques, would instill more balance and greater public trust.
16

Tuchinda, Rattapoom 1979. "Security and privacy in the Intelligent Room." Thesis, Massachusetts Institute of Technology, 2002. http://hdl.handle.net/1721.1/87299.

Abstract:
Thesis (M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2002.
Includes bibliographical references (leaves 73-74).
by Rattapoom Tuchinda.
M.Eng.
17

Calmon, Flavio du Pin. "Information-theoretic metrics for security and privacy." Thesis, Massachusetts Institute of Technology, 2015. http://hdl.handle.net/1721.1/101567.

Abstract:
Thesis: Ph. D., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2015.
Cataloged from PDF version of thesis.
Includes bibliographical references (pages 143-150).
In this thesis, we study problems in cryptography, privacy and estimation through the information-theoretic lens. We introduce information-theoretic metrics and associated results that shed light on the fundamental limits of what can be learned from noisy data. These metrics and results, in turn, are used to evaluate and design both symmetric-key encryption schemes and privacy-assuring mappings with provable information-theoretic security guarantees. We start by studying information-theoretic properties of symmetric-key encryption in the "small key" regime (i.e. when the key rate is smaller than the entropy rate of the message source). It is well known that security against computationally unbounded adversaries in such settings can only be achieved when the communicating parties share a key that is at least as long as the secret message (i.e. plaintext) being communicated, which is infeasible in practice. Nevertheless, even with short keys, we show that a certain level of security can be guaranteed, albeit not perfect secrecy. In order to quantify exactly how much security can be provided with short keys, we propose a new security metric, called symbol secrecy, that measures how much an adversary that observes only the encrypted message learns about individual symbols of the plaintext. Unlike most traditional rate-based information-theoretic metrics for security, symbol secrecy is non-asymptotic. Furthermore, we demonstrate how fundamental symbol secrecy performance bounds can be achieved through standard code constructions (e.g. Reed-Solomon codes). While much of information-theoretic security has considered the hiding of the plaintext, cryptographic metrics of security seek to hide functions thereof. Consequently, we extend the definition of symbol secrecy to quantify the information leaked about certain classes of functions of the plaintext. 
This analysis leads to a more general question: can security claims based on information metrics be translated into guarantees on what an adversary can reliably infer from the output of a security system? On the one hand, information metrics usually quantify how far the probability distribution between the secret and the disclosed information is from the ideal case where independence is achieved. On the other hand, estimation guarantees seek to assure that an adversary cannot significantly improve his estimate of the secret given the information disclosed by the system. We answer this question in the positive, and present formulations based on rate-distortion theory that allow security bounds given in terms of information metrics to be transformed into bounds on how well an adversary can estimate functions of a secret variable. We do this by solving a convex program that minimizes the average estimation error over all possible distributions that satisfy the bound on the information metric. Using this approach, we are able to derive a set of general sharp bounds on how well certain classes of functions of a hidden variable can(not) be estimated from a noisy observation in terms of different information metrics. These bounds provide converse (negative) results: If an information metric is small, then any non-trivial function of the hidden variable cannot be estimated with probability of error or mean-squared error smaller than a certain threshold. The main tool used to derive the converse bounds is a set of statistics known as the Principal Inertia Components (PICs). The PICs provide a fine-grained decomposition of the dependence between two random variables. Since there are well-studied statistical methods for estimating the PICs, we can then determine the (im)possibility of estimating large classes of functions by using the bounds derived in this thesis and standard statistical tests. 
The PICs are of independent interest, and are applicable to problems in information theory, statistics, learning theory, and beyond. In the security and privacy setting, the PICs fulfill the dual goal of providing (i) a measure of (in)dependence between the secret and disclosed information of a security system, and (ii) a complete characterization of the functions of the secret information that can or cannot be reliably inferred given the disclosed information. We study the information-theoretic properties of the PICs, and show how they characterize the fundamental limits of perfect privacy. The results presented in this thesis are applicable to estimation, security and privacy. For estimation and statistical learning theory, they shed light on the fundamental limits of learning from noisy data, and can help guide the design of practical learning algorithms. Furthermore, as illustrated in this thesis, the proposed converse bounds are particularly useful for creating security and privacy metrics, and characterize the inherent trade-off between privacy and utility in statistical data disclosure problems. The study of security systems through the information-theoretic lens adds a new dimension for understanding and quantifying security against very powerful adversaries. Furthermore, the framework and metrics discussed here provide practical insight on how to design and improve security systems using well-known coding and optimization techniques. We conclude the thesis by presenting several promising future research directions.
by Flavio du Pin Calmon.
Ph. D.
18

Parris, Iain. "Practical privacy and security for opportunistic networks." Thesis, University of St Andrews, 2014. http://hdl.handle.net/10023/5357.

Abstract:
When in physical proximity, data can be directly exchanged between the mobile devices people carry - for example over Bluetooth. If people cooperate to store, carry and forward messages on one another's behalf, then an opportunistic network may be formed, independent of any fixed infrastructure. To enable performant routing within opportunistic networks, use of social network information has been proposed for social network routing protocols. But the decentralised and cooperative nature of the networks can however expose users of such protocols to privacy and security threats, which may in turn discourage participation in the network. In this thesis, we examine how to mitigate privacy and security threats in opportunistic networks while maintaining network performance. We first demonstrate that privacy-aware routing protocols are required in order to maintain network performance while respecting users' privacy preferences. We then demonstrate novel social network routing protocols that mitigate specific threats to privacy and security while maintaining network performance.
19

Krupp, Brian Michael. "Enhancing Security And Privacy For Mobile Systems." Cleveland State University / OhioLINK, 2015. http://rave.ohiolink.edu/etdc/view?acc_num=csu1432156543.

20

Liao, Weixian. "SECURITY AND PRIVACY OF CYBER-PHYSICAL SYSTEMS." Case Western Reserve University School of Graduate Studies / OhioLINK, 2018. http://rave.ohiolink.edu/etdc/view?acc_num=case1525718335240014.

21

Yang, Qing. "Exploiting Power for Smartphone Security and Privacy." W&M ScholarWorks, 2017. https://scholarworks.wm.edu/etd/1530192384.

Abstract:
Power consumption has become a key issue for smartphone security and privacy protection. In this dissertation, we propose to exploit power for smartphone security, as well as to optimize energy consumption for smartphone privacy. First, we show that public USB charging stations pose a significant privacy risk to smartphone users. We present a side-channel attack that allows a charging station to identify which webpages are loaded while the smartphone is charging. To evaluate this side-channel, we collected power traces of Alexa top 50 websites on multiple smartphones under several conditions, including: varied battery charging level, browser cache enabled/disabled, taps/no taps on the screen, WiFi/LTE, TLS encryption enabled/disabled, different amounts of time elapsed between collection of training and testing data, and various hosting locations of the website being visited. The results of our evaluation show that the attack is highly successful: in many settings, we were able to achieve over 90% accuracy on webpage identification. On the other hand, our experiments also show that this side-channel is sensitive to some of the aforementioned conditions. Second, we introduce a new attack that allows a malicious charging station to identify which website is being visited by a smartphone user via Tor network. Our attack solely depends on power measurements performed while the user is charging her smartphone. We evaluated the attack by training a machine learning model on power traces from 50 regular webpages and 50 Tor hidden services. We considered realistic constraints such as different Tor circuit types and battery charging levels. We were able to correctly identify webpages visited using the official mobile Tor browser with accuracy of up to 85.7% when the battery was fully charged, and up to 46% when the battery level was between 30% and 50%. Our results show that hidden services can be identified with higher accuracies than regular webpages. 
Third, we propose a memory- and energy-efficient garbled circuit evaluation mechanism named MEG on smartphones. MEG utilizes batch data transmission and multi-threading to reduce memory and energy consumption. We implement MEG on Android smartphones and compare its performance with existing methods (non-pipelined and pipelined). Two garbled circuits of different scales, AES encryption (AES-128) and Levenshtein distance (EDT-256), are considered. Our measurement results show that compared with non-pipelined method, MEG decreases the memory consumption by up to 97.5% for EDT-256 when batch size is 2 MB. Compared with pipelined method, MEG reduces the energy consumption by up to 42% for AES-128 and 23% for EDT-256. Multi-thread MEG also significantly decreases the circuit evaluation time by up to 56.7% for AES-128 and up to 13.5% for EDT-256.
22

Novak, Edmund. "Security and Privacy for Ubiquitous Mobile Devices." W&M ScholarWorks, 2016. https://scholarworks.wm.edu/etd/1477068313.

Abstract:
We live in a world where mobile devices are already ubiquitous. It is estimated that in the United States approximately two thirds of adults own a smartphone, and that for many, these devices are their primary method of accessing the Internet. Worldwide, it is estimated that in May of 2014 there were 6.9 billion mobile cellular subscriptions, almost as much as the world population. Of these 6.9 billion, approximately 1 billion are smart devices, which are concentrated in the developed world. In the developing world, users are moving from feature phones to smart devices as a result of lower prices and marketing efforts. Because smart mobile devices are ubiquitous, security and privacy are primary concerns. Threats such as mobile malware are already substantial, with over 2500 different types identified in 2010 alone. It is likely that, as the smart device market continues to grow, so too will concerns about privacy, security, and malicious software. This is especially true, because these mobile devices are relatively new. Our research focuses on increasing the security and privacy of user data on smart mobile devices. We propose three applications in this domain: (1) a service that provides private, mobile location sharing; (2) a secure, intuitive proximity networking solution; and (3) a potential attack vector in mobile devices, which utilizes novel covert channels. We also propose a first step defense mechanism against these covert channels. Our first project is the design and implementation of a service, which provides users with private and secure location sharing. This is useful for a variety of applications such as online dating, taxi cab services, and social networking. Our service allows users to share their location with one another with trust and location based access controls. We allow users to identify if they are within a certain distance of one another, without either party revealing their location to one another, or any third party. 
We design this service to be practical and efficient, requiring no changes to the cellular infrastructure and no explicit encryption key management for the users. For our second application, we build a modem, which enables users to share relatively small pieces of information with those that are nearby, also known as proximity based networking. Currently there are several mediums which can be used to achieve proximity networking such as NFC, Bluetooth, and WiFi direct. Unfortunately, these currently available schemes suffer from a variety of drawbacks including slow adoption by mobile device hardware manufacturers, relatively poor usability, and wide range, omni-directional propagation. We propose a new scheme, which utilizes ultrasonic (high frequency) audio on typical smart mobile devices, as a method of communication between proximal devices. Because mobile devices already carry the necessary hardware for ultrasound, adoption is much easier. Additionally, ultrasound has a limited and highly intuitive propagation pattern because it is highly directional, and can be easily controlled using the volume controls on the devices. Our ultrasound modem is fast, achieving several thousand bits per second throughput, non-intrusive because it is inaudible, and secure, requiring attackers with normal hardware to be less than or equal to the distance between the sender and receiver (a few centimeters in our tests). Our third work exposes a novel attack vector utilizing physical media covert channels on smart devices, in conjunction with privilege escalation and confused deputy attacks. This ultimately results in information leakage attacks, which allow the attacker to gain access to sensitive information stored on a user's smart mobile device such as their location, passwords, emails, SMS messages and more. 
Our attack uses our novel physical media covert channels to launder sensitive information, thereby circumventing state of the art, taint-tracking analysis based defenses and, at the same time, the current, widely deployed permission systems employed by mobile operating systems. We propose and implement a variety of physical media covert channels, which demonstrate different strengths such as high speed, low error rate, and stealth. By proposing several different channels, we make defense of such an attack much more difficult. Despite the challenging situation, in this work we also propose a novel defense technique as a first step towards research on more robust approaches. As a contribution to the field, we present these three systems, which together enrich the smart mobile experience, while providing mobile security and keeping privacy in mind. Our third approach specifically, presents a unique attack, which has not been seen "in the wild", in an effort to keep ahead of malicious efforts.
23

Huang, Xueli. "Achieving Data Privacy and Security in Cloud." Diss., Temple University Libraries, 2016. http://cdm16002.contentdm.oclc.org/cdm/ref/collection/p245801coll10/id/372805.

Abstract:
Computer and Information Science
Ph.D.
The growing concerns in terms of the privacy of data stored in public cloud have restrained the widespread adoption of cloud computing. The traditional method to protect the data privacy is to encrypt data before they are sent to public cloud, but heavy computation is always introduced by this approach, especially for the image and video data, which has much more amount of data than text data. Another way is to take advantage of hybrid cloud by separating the sensitive data from non-sensitive data and storing them in trusted private cloud and un-trusted public cloud respectively. But if we adopt the method directly, all the images and videos containing sensitive data have to be stored in private cloud, which makes this method meaningless. Moreover, the emergence of the Software-Defined Networking (SDN) paradigm, which decouples the control logic from the closed and proprietary implementations of traditional network devices, enables researchers and practitioners to design new innovative network functions and protocols in a much easier, flexible, and more powerful way. The data plane will ask the control plane to update flow rules when the data plane gets new network packets with which it does not know how to deal, and the control plane will then dynamically deploy and configure flow rules according to the data plane's requests, which makes the whole network could be managed and controlled efficiently. However, this kind of reactive control model could be used by hackers launching Distributed Denial-of-Service (DDoS) attacks by sending large amount of new requests from the data plane to the control plane. For image data, we divide the image into pieces with equal size to speed up the encryption process, and propose two kinds of method to cut the relationship between the edges. 
One is to add random noise in each piece, the other is to design a one-to-one mapping function for each piece to map different pixel value into different another one, which cuts off the relationship between pixels as well as the edges. Our mapping function is given with a random parameter as inputs to make each piece could randomly choose different mapping. Finally, we shuffle the pieces with another random parameter, which makes the problems recovering the shuffled image to be NP-complete. For video data, we propose two different methods separately for intra frame, I-frame, and inter frame, P-frame, based on their different characteristic. A hybrid selective video encryption scheme for H.264/AVC based on Advanced Encryption Standard (AES) and video data themselves is proposed for I-frame. For each P-slice of P-frame, we only abstract small part of them in private cloud based on the characteristic of intra prediction mode, which efficiently prevents P-frame being decoded. For cloud running with SDN, we propose a framework to keep the controller away from DDoS attack. We first predict the amount of new requests for each switch periodically based on its previous information, and the new requests will be sent to controller if the predicted total amount of new requests is less than the threshold. Otherwise these requests will be directed to the security gateway to check if there is an attack among them. The requests that caused the dramatic decrease of entropy will be filtered out by our algorithm, and the rules of these request will be made and sent to controller. The controller will send the rules to each switch to make them direct the flows matching with the rules to honeypot.
Temple University--Theses
24

Rutherford, Andrew. "Introducing hippocratic log files for personal privacy control." Thesis, Nelson Mandela Metropolitan University, 2005. http://hdl.handle.net/10948/171.

Abstract:
The rapid growth of the Internet has served to intensify existing privacy concerns of the individual, to the point that privacy is the number one concern amongst Internet users today. Tools exist that can provide users with a choice of anonymity or pseudonymity. However, many Web transactions require the release of personally identifying information, thus rendering such tools infeasible in many instances. Since it is then a given that users are often required to release personal information, which could be recorded, it follows that they require a greater degree of control over the information they release. Hippocratic databases, designed by Agrawal, Kiernan, Srikant, and Xu (2002), aim to give users greater control over information stored in a database. Their design was inspired by the medical Hippocratic oath, and makes data privacy protection a fundamental responsibility of the database itself. To achieve the privacy of data, Hippocratic databases are governed by 10 key privacy principles. This dissertation argues that, aside from a few challenges, the 10 principles of Hippocratic databases can be applied to log files. This argument is supported by presenting a high-level functional view of a Hippocratic log file architecture. This architecture focuses on issues that highlight the control users gain over their personal information that is collected in log files. By presenting a layered view of the aforementioned architecture, it was, furthermore, possible to provide greater insight into the major processes that would be at work in a Hippocratic log file implementation. An exploratory prototype served to understand and demonstrate certain of the architectural components of Hippocratic log files. This dissertation, thus, makes a contribution to the ideal of providing users with greater control over their personal information, by proposing the use of Hippocratic logfiles.
25

Rashidi, Bahman. "Smartphone User Privacy Preserving through Crowdsourcing." VCU Scholars Compass, 2018. https://scholarscompass.vcu.edu/etd/5540.

Abstract:
In current Android architecture, users have to decide whether an app is safe to use or not. Expert users can make savvy decisions to avoid unnecessary private data breach. However, the majority of regular users are not technically capable or do not care to consider privacy implications to make safe decisions. To assist the technically incapable crowd, we propose a permission control framework based on crowdsourcing. At its core, our framework runs new apps under probation mode without granting their permission requests up-front. It provides recommendations on whether to accept or not the permission requests based on decisions from peer expert users. To seek expert users, we propose an expertise rating algorithm using a transitional Bayesian inference model. The recommendation is based on aggregated expert responses and their confidence level. As a complete framework design of the system, this thesis also includes a solution for Android app risks estimation based on behaviour analysis. To eliminate the negative impact from dishonest app owners, we also proposed a bot user detection to make it harder to utilize false recommendations through bot users to impact the overall recommendations. This work also covers a multi-view permission notification design to customize the app safety notification interface based on users' need and an app recommendation method to suggest safe and usable alternative apps to users.
26

Swahn, Joakim, and Christian Udin. "Cooperative Vehicle-Infrastructure System : Identification, Privacy and Security." Thesis, Linköping University, Department of Science and Technology, 2007. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-9399.

Abstract:

This master thesis is to highlight the importance of what needs to be identified in the CVIS system, how this could be done, how different techniques affect privacy and security and how the privacy and security mechanisms can be improved for the whole system. The report starts with a background of ERTICO – ITS Europe, followed by a description of how the CVIS project is organized, how the CVIS system will work, and a presentation of privacy, security and identification, both in general and in CVIS. After this follows the analysis and the report is finally wrapped up with conclusions and recommendations.

Why this is an important topic to highlight and discuss and the reason being for this master thesis, is because there is a clear need within the CVIS consortium to harmonise these topics. As it is today, different persons and different sub-projects have different views and opinions on what needs to be identified for example. This needs to be harmonised in order for everyone to know what is being developed, but also, and much more importantly, to in the end get acceptance for the CVIS system. If people do not feel they can trust the system, if they feel it is not secure or that it violates their privacy, they will not use it, even if it has been proved the technique works.

The key question discussed in the report is what needs to be identified. This is the most important question to solve. There must be very good reasons and consensus why a certain entity is to be identified, otherwise identification of that entity will always be questioned. This also links very tightly with privacy.

The objective of this master thesis is to bring forward this critical question about identification, to highlight different reasons for identifying or not identifying different entities and to get the discussion started.

Finally, the main conclusions and recommendations on what to actually identify is the vehicle and the different parts in the central sub-system. The best technique would be by using single sign on with a very strong encryption, for example random numbers, that will be handled by a new node Identification Management Centre or that it will be a part of the Host Management Centre. To ensure privacy in the system, the single sign on mechanism should be combined with the approach of using pseudonyms when communicating in the CVIS system.

27

Boksasp, Trond, and Eivind Utnes. "Android Apps and Permissions: Security and Privacy Risks." Thesis, Norges teknisk-naturvitenskapelige universitet, Institutt for telematikk, 2012. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-18898.

Abstract:
This thesis investigates the permissions requested by Android applications, and the possibility of identifying suspicious applications based only on information presented to the user before an application is downloaded. During the course of this project, a large data set consisting of applications published on Google Play and three different third-party Android application markets was collected over a two-month period. These applications are analysed using manual pattern recognition and k-means clustering, focusing on the permissions they request. The pattern analysis is based on a smaller data set consisting of confirmed malicious applications. The method is evaluated based on its ability to recognise malicious potential in the analysed applications. The k-means clustering analysis takes the whole data set into consideration, in the attempt of uncovering suspicious patterns. This method is evaluated based on its ability to uncover distinct suspicious permission patterns and the findings acquired after further analysis of the clustering results.
28

Wood, Christopher A. "Security and Privacy Challenges in Content-Centric Networks." Thesis, University of California, Irvine, 2018. http://pqdtopen.proquest.com/#viewpdf?dispub=10684217.

Abstract:

Today's Internet is aging. Connections are point-to-point and increasingly protected by end-to-end encryption. This reduces security to data transport instead of data itself. Content-Centric Networking (CCN) is a paradigm shift away from this host- and channel-based design. CCN is an architecture for naming, securing, and transferring named data from producers to consumers upon request. Consumers issue interests for named content. Routers forward interests towards producers capable of providing authentic content with cryptographic name-to-data bindings. Once found, routers forward content, in reverse, towards consumers. Routers may also choose to cache content to serve duplicate future interests. Object security, native authenticity, pull-based data transfer, flow symmetry, and in-network services are among the notable characteristics of CCN. In this dissertation, we study security and privacy issues that stem from these architectural properties. Specifically, we study variations and facets of access control, privacy risks and remedies, and network-layer availability attacks and architectural mitigations. For each issue, we describe the problem in detail and explain several countermeasures. We also present detailed analyses and experimental assessments for each approach. We find that sound engineering can mitigate several issues, while others remain insurmountable challenges exacerbated by fundamental security and performance tradeoffs made by CCN.

29

Jacobsson, Andreas. "Privacy and security in Internet-based information systems." Doctoral thesis, Karlskrona : Department of Systems and Software Engineering, Blekinge Institute of Technology, 2008. http://www.bth.se/fou/Forskinfo.nsf/allfirst2/f26dd7141e165324c12573f6002db90c?OpenDocument.

30

Blount, Charles Lenward. "Users' privacy and security behaviors on mobile devices." Thesis, University of Maryland, Baltimore County, 2015. http://pqdtopen.proquest.com/#viewpdf?dispub=1571723.

Abstract:

Preferences and behaviors for privacy management with mobile applications are difficult to capture. Previous measures are mostly based on self-report data, which often does not accurately predict actual user behavior. A deeper understanding was sought, gleaned from observing actual practices. This thesis analyzes 11,777 applications from the Google Play marketplace in order to determine the impact of privacy settings on purchase behavior. This was done by looking at the effect of the number of privacy concessions as well as the effect of individual concessions and category on number of downloads. It was found that users of paid applications do not have a preference for fewer privacy concessions. This study further reinforces the disconnect between the user's often stated preference for privacy and their actual behavior -- a discrepancy known as the “privacy paradox”. Theoretical and practical implications are discussed.

31

Lee, Kum-Yu Enid. "Privacy and security of an intelligent office form." Thesis, Kansas State University, 1986. http://hdl.handle.net/2097/9930.

32

Weis, Stephen August 1978. "Security and privacy in radio-frequency identification devices." Thesis, Massachusetts Institute of Technology, 2003. http://hdl.handle.net/1721.1/87860.

33

Vaziripour, Elham. "Usable Security and Privacy for Secure Messaging Applications." BYU ScholarsArchive, 2018. https://scholarsarchive.byu.edu/etd/8830.

Abstract:
The threat of government and corporate surveillance around the world, as well as the publicity surrounding major cybersecurity attacks, have increased interest in secure and private end-to-end communications. In response to this demand, numerous secure messaging applications have been developed in recent years. These applications have been welcomed and publicly used not just by political activists and journalists but by everyday users as well. Most of these popular secure messaging applications are usable because they hide many of the details of how encryption is provided. The strength of the security properties of these applications relies on the authentication ceremony, wherein users validate the keys being used for encryption that is exchanged through the service providers. The validation process typically involves verifying the fingerprints of encryption keys to protect the communication from being intercepted. In this dissertation, we explore how to help users enhance the privacy of their communications, with a particular focus on secure messaging applications. First, we explore whether secure messaging applications are meeting the security and privacy needs of their users, especially in countries that practice censorship and restrict civil liberties, including blocking access to social media and communication applications. Second, we studied existing popular secure messaging applications to explore how users interact with these applications and how well they are using the authentication ceremony during lab studies. Third, we applied design principles to improve the interfaces for the authentication ceremony, and also to help users find and perform the authentication ceremony faster. Fourth, we applied the lessons from our interviews with participants in our user studies to help users comprehend the importance of authentication.
As part of the effort, we developed an authentication ceremony using social media accounts to map key fingerprints to social features, pushing the ceremony to a more natural domain for users. We modified the Signal secure messaging application to include this social authentication ceremony and used a user study to compare this method to other common methods. We found that social authentication has some promising features, but that social media companies are too distrusted by users. Based on our results, we make several recommendations to improve the use of security and privacy features in secure messaging applications and outline areas for future work.
34

Brien, Renaud. "Security, Privacy and Performance Improvements for Fuzzy Extractors." Thesis, Université d'Ottawa / University of Ottawa, 2020. http://hdl.handle.net/10393/40606.

Abstract:
With the usage of biometrics becoming commonly used in a variety of applications, keeping those biometrics private and secure is an important issue. Indeed, the convenience of using biometrics for authentication is counteracted by the fact that they cannot easily be modified or changed. This can have dire consequences to a person if their biometrics are leaked. In the past decades, various techniques have been proposed to solve this problem. Such techniques range from using and storing randomized templates, using homomorphic encryption, or using biometric encryption techniques such as fuzzy extractors. Fuzzy extractors are a construction that allows the extraction of cryptographic keys from noisy data like biometrics. The key can then be rebuilt from some helper data and another biometric, provided that it is similar enough to the biometrics used to generate the key. This can be achieved through various approaches like the use of a quantizer or an error correcting code. In this thesis, we consider specifically fuzzy extractors for facial images. The first part of this thesis focuses on improving the security, privacy and performance of the extractor for faces first proposed by Sutcu et al. Our improvements make their construction more resistant to partial and total leaks of secure information, as well as improve the performance in a biometric authentication setting. The second part looks at using low density lattice codes (LDLC) as a quantizer in the fuzzy extractor, instead of using component based quantization. Although LDLC have been proposed as a quantizer for a general fuzzy extractor, they have yet to be used or tested for continuous biometrics like face images. We present a construction for a fuzzy extractor scheme using LDLC and we analyze its performance on a publicly available data set of images. Using an LDLC quantizer on this data set has lower accuracy than the improved scheme from the first part of this thesis. 
On the other hand, the LDLC scheme performs better when the inputs have additive white Gaussian noise (AWGN), as we show through simulated data. As such, we expect it to perform well in general on data and biometrics with variance akin to an AWGN channel.
35

Till, Sarina. "Exploring undergraduate interactions with mobile privacy and security." Master's thesis, Faculty of Science, 2018. http://hdl.handle.net/11427/31261.

Abstract:
Many studies have proven that digital natives are not as tech-savvy as previously thought, and possibly vulnerable in terms of privacy and security. My focus was to characterise how this generation interacted with mobile privacy and security. We provide evidence from a cohort of South African students, using this to discuss areas in which they need to be protected. We employed a web-based survey of 77 students, supplemented by in-depth interviews with 10 additional students. In both cases, we enquired about knowledge of permissions, encryption and application installation practices. With the in-depth interviews we also observed students as they installed two applications, one of which over-requested permissions. Our findings showed that most students (80%) did not look for or understand permissions, did not understand or look for encryption, and used location-based services unsafely. Based on these results, we argue that digital natives lack the technical skills to properly engage with mobile privacy and security. Furthermore, digital natives do not understand mobile security and privacy features and therefore ignore them. Digital natives trust the authors of software and fail to act securely when security and privacy features are requested out of context. We further argue that this generation of digital natives has been so overexposed to mobile requests that violate their privacy and security that they have become desensitised to them. We further argue that digital natives’ definition of privacy is different from that of previous generations. Lastly, we discuss the implications of our findings for Higher Education Institutions, Higher Education Policy and mobile application design.
36

Sakai, Kazuya. "Security and Privacy in Large-Scale RFID Systems." The Ohio State University, 2013. http://rave.ohiolink.edu/etdc/view?acc_num=osu1386006971.

37

Al-Shareeda, Sarah Yaseen Abdulrazzaq. "Enhancing Security, Privacy, and Efficiency of Vehicular Networks." The Ohio State University, 2017. http://rave.ohiolink.edu/etdc/view?acc_num=osu150032914711847.

38

Yang, Guomin. "Security and privacy in wireless and roaming networks /." access full-text access abstract and table of contents, 2009. http://libweb.cityu.edu.hk/cgi-bin/ezdb/thesis.pl?phd-cs-b23749659f.pdf.

Abstract:
Thesis (Ph.D.)--City University of Hong Kong, 2009.
"Submitted to Department of Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy." Includes bibliographical references (leaves 102-110)
39

Wei, Wei. "Improving Security and Privacy in Online Social Networks." W&M ScholarWorks, 2013. https://scholarworks.wm.edu/etd/1539623628.

Abstract:
Online social networks (OSNs) have gained soaring popularity and are among the most popular sites on the Web. With OSNs, users around the world establish and strengthen connections by sharing thoughts, activities, photos, locations, and other personal information. However, the immense popularity of OSNs also raises significant security and privacy concerns. Storing millions of users' private information and their social connections, OSNs are susceptible to becoming the target of various attacks. In addition, user privacy will be compromised if the private data collected by OSNs are abused, inadvertently leaked, or under the control of adversaries. As a result, the tension between the value of joining OSNs and the security and privacy risks is rising. To make OSNs more secure and privacy-preserving, our work follows a bottom-up approach. OSNs are composed of three components, the infrastructure layer, the function layer, and the user data stored on OSNs. For each component of OSNs, in this dissertation, we analyze and address a representative security/privacy issue. Starting from the infrastructure layer of OSNs, we first consider how to improve the reliability of OSN infrastructures, and we propose Fast Mencius, a crash-fault tolerant state machine replication protocol that has low latency and high throughput in wide-area networks. For the function layer of OSNs, we investigate how to prevent the functioning of OSNs from being disturbed by adversaries, and we propose SybilDefender, a centralized sybil defense scheme that can effectively detect sybil nodes by analyzing social network topologies. Finally, we study how to protect user privacy on OSNs, and we propose two schemes. MobiShare is a privacy-preserving location-sharing scheme designed for location-based OSNs (LBSNs), which supports sharing locations between both friends and strangers. LBSNSim is a trace-driven LBSN model that can generate synthetic LBSN datasets used in place of real datasets.
Combining our work contributes to improving security and privacy in OSNs.
40

Iachello, Giovanni. "Privacy and Proportionality." Diss., Georgia Institute of Technology, 2006. http://hdl.handle.net/1853/10487.

Abstract:
Over the past several years, the press, trade publications and academic literature have reported with increasing frequency on the social concerns caused by ubiquitous computing: Information Technology (IT) embedded in artifacts, infrastructure and environments of daily life. Designers and researchers of ubiquitous computing (ubicomp) technologies have spent considerable efforts to address these concerns, which include privacy and data protection issues, information security and personal safety. Yet, designing successful ubicomp applications is still an unreliable and expensive endeavor, in part due to imperfect understanding of how technology is appropriated, the lack of effective design tools and the challenges of prototyping these applications in realistic conditions. I introduce the concept of proportionality as a principle able to guide design of ubiquitous computing applications and specifically to attack privacy and security issues. Inspired by the principle, I propose a design process framework that assists the practitioner in making reasoned and documented design choices throughout the development process. I validate the design process framework through a quantitative design experiment vis-à-vis other design methods. Furthermore, I present several case studies and evaluations to demonstrate the design method's effectiveness and generality. I claim that the design method helps to identify some of the obstacles to the acceptance of ubiquitous computing applications and to translate security and privacy concerns into research questions in the design process. I further discuss some of the inquiry and validation techniques that are appropriate to answer these questions.
41

Cui, Yingjie. "A study on privacy-preserving clustering." Click to view the E-thesis via HKUTO, 2009. http://sunzi.lib.hku.hk/hkuto/record/B4357225X.

42

Li, Min. "Privacy Protection on Cloud Computing." VCU Scholars Compass, 2015. http://scholarscompass.vcu.edu/etd/3844.

Abstract:
Cloud is becoming the most popular computing infrastructure because it can attract more and more traditional companies due to flexibility and cost-effectiveness. However, privacy concern is the major issue that prevents users from deploying on public clouds. My research focuses on protecting user's privacy in cloud computing. I will present a hardware-based and a migration-based approach to protect user's privacy. The root cause of the privacy problem is current cloud privilege design gives too much power to cloud providers. Once the control virtual machine (installed by cloud providers) is compromised, external adversaries will breach users’ privacy. Malicious cloud administrators are also possible to disclose user’s privacy by abusing the privilege of cloud providers. Thus, I develop two cloud architectures – MyCloud and MyCloud SEP to protect user’s privacy based on hardware virtualization technology. I eliminate the privilege of cloud providers by moving the control virtual machine (control VM) to the processor’s non-root mode and only keep the privacy protection and performance crucial components in the Trust Computing Base (TCB). In addition, the new cloud platform can provide rich functionalities on resource management and allocation without greatly increasing the TCB size. Besides the attacks to control VM, many external adversaries will compromise one guest VM or directly install a malicious guest VM, then target other legitimate guest VMs based on the connections. Thus, collocating with vulnerable virtual machines, or “bad neighbors” on the same physical server introduces additional security risks. I develop a migration-based scenario that quantifies the security risk of each VM and generates virtual machine placement to minimize the security risks considering the connections among virtual machines. According to the experiment, our approach can improve the survivability of most VMs.
43

Tian, Yuan. "Privacy Preserving Information Sharing in Modern and Emerging Platforms." Research Showcase @ CMU, 2018. http://repository.cmu.edu/dissertations/1186.

Abstract:
Users share a large amount of information with modern platforms such as web platforms and social platforms for various services. However, they face the risk of information leakage because modern platforms still lack proper security policies. Existing security policies, such as permission systems and isolation, can help regulate information sharing. However, these policies have problems, such as coarse granularity, bad usability, and incompleteness, especially when new features are introduced. I investigate the security impacts of new features in web and mobile platforms and find design problems that lead to user information leakage. Based on these analyses, I propose design principles for permission systems that mediate how information should be shared in modern and emerging platforms, such as web and social platforms, to provide functionality with privacy preserved. I aim to design permission systems that only allow least-privilege information access. Specifically, I utilize program analysis and natural language processing to understand how applications use sensitive data and correlate these data with their functionality. With this understanding, I design schemes that ask for user consent about unexpected information access and automatically reduce overprivileged access. I provide guidelines for platform designers to build their permission systems according to respective adversary models and resources. In particular, I implement the new permission system for social platforms and Internet of Things (IoT) platforms that enable least-privilege information sharing. For the social platforms, I incorporate the primitives of Opaque handle, Opaque display, and User-driven access control (OOU) to design a least-privilege, user-friendly, developer-friendly, and feature-rich permission system. According to my study on Facebook, OOU can be applied to remove or replace 81.2% of sensitive permission instances without affecting functionality. 
For IoT platforms, I present a new authorization framework, SmartAuth, that supports user-centric, semantic-based authorization. SmartAuth automatically collects security-relevant information from an IoT application’s description, code, and annotations, and generates an authorization user interface to bridge the gap between the functionalities explained to the user and the operations the application actually performs.
44

Viejo, Galicia Alexandre. "Security and privacy issues in some special-puropse networks." Doctoral thesis, Universitat Rovira i Virgili, 2008. http://hdl.handle.net/10803/8484.

Abstract:
This thesis is about providing security and privacy to new emergent applications which are based on special-purpose networks. More precisely, we study different aspects regarding security and privacy issues related to sensor networks, mobile ad hoc networks, vehicular ad hoc networks and social networks.
Sensor networks consist of resource-constrained wireless devices with sensor capabilities. This emerging technology has a wide variety of applications related to event surveillance like emergency response, habitat monitoring or defense-related networks.
Ad hoc networks are suited for use in situations where deploying an infrastructure is not cost effective or is not possible for any other reason. When the nodes of an ad hoc network are small mobile devices (e.g. cell phones or PDAs), such a network is called mobile ad hoc network. One of many possible uses of MANETs is to provide crisis management services applications, such as in disaster recovery, where the entire communication infrastructure is destroyed and reestablishing communication quickly is crucial. Another useful situation for MANETs is a scenario without fixed communication systems where there is the need for any kind of collaborative computing. Such situation can occur in both business and military environments.
When the mobile nodes of a MANET are embedded in cars, such a network is called Vehicular Ad hoc Network (VANET). This kind of networks can be very useful to increase the road traffic safety and they will be deployed for real use in the forthcoming years. As a proof of that, eight important European vehicle manufacturers have founded the CAR 2 CAR Communication Consortium. This non-profit organisation is dedicated to the objective of further increasing traffic safety and efficiency by means of inter-vehicle communications.
Social networks differ from the special-purpose networks commented above in that they are not physical networks. Social networks are applications that work through classic networks. They can be defined as a community of web users where each user can publish and share information and services. Social networks have become an object of study both in computer and social sciences, with even dedicated journals and conferences.
The special-purpose networks described above provide a wide range of new services and applications. Even though they are expected to improve the society in several ways, these innovative networks and their related applications bring also security and privacy issues that must be addressed.
This thesis solves some security and privacy issues related to such new applications and services. More specifically, it focuses on:
· Secure information transmission in many-to-one scenarios with resource-constrained devices such as sensor networks.
· Secure and private information sharing in MANETs.
· Secure and private information spread in VANETs.
· Private resource access in social networks.
Results presented in this thesis include four contributions published in ISI JCR journals (IEEE Transactions on Vehicular Technology, Computer Networks (2) and Computer Communications) and two contributions published in two international conferences (Lecture Notes in Computer Science).
This thesis addresses several security and privacy problems that arise when novel applications based on new and emerging network models are deployed in real scenarios. These new network models differ significantly from classic computer networks and are classified as special-purpose networks. Specifically, this work studies different aspects of information security and user privacy in sensor networks, mobile ad hoc networks (MANETs), vehicular ad hoc networks (VANETs) and social networks.
Sensor networks consist of wireless devices that are very limited in resources (computing capacity and battery) and that detect events or conditions in the environment where they are installed. This technology has a wide variety of applications, notably emergency detection and the creation of security perimeters.
A MANET is formed by mobile nodes connected to one another through wireless links in a self-organized way. This type of network is set up without the help of infrastructure, so it is especially useful in situations where deploying an infrastructure is unfeasible because its cost is too high or for any other reason. One of the many applications of MANETs is to provide service in critical situations (for example natural disasters) where the communication infrastructure has been destroyed and providing connectivity quickly is crucial. Another direct application appears in scenarios without fixed communication systems where there is a need for some kind of collaborative computing among several machines. This situation occurs in both business and military settings.
When the mobile nodes of a MANET are associated with vehicles (cars, trucks), the network is called a vehicular ad hoc network or VANET. This type of network can be very useful for increasing road safety, and its deployment for real use is expected in the coming years. As proof of the great importance of this technology, the eight most important European manufacturers have founded the CAR 2 CAR Communication Consortium. This organization aims to increase traffic safety and efficiency through the use of communications between vehicles.
Social networks differ from the special networks described above in that they are not physical networks. Social networks are applications that run over classic computer networks. A network of this type can be defined as a community of web users in which those users can publish and share information and services. Social networks have now acquired great importance, offering their users a wide range of possibilities: working collaboratively, sharing files, finding new friends, etc.
The applications on which this thesis focuses, by associated network type, are summarized below:
· Secure transmission of information in many-to-one scenarios (multiple senders and a single receiver) where the devices in use have very limited resources. This scenario is the usual one in sensor networks.
· Distribution of information securely and preserving user privacy in mobile ad hoc networks.
· Dissemination of trustworthy information (with the aim of increasing road safety) preserving user privacy in vehicular ad hoc networks.
· Access to resources in social networks preserving user privacy.
The results of the thesis include four publications in ISI JCR journals (IEEE Transactions on Vehicular Technology, Computer Networks (2) and Computer Communications) and two publications in international conferences (Lecture Notes in Computer Science).
45

Vera, del Campo Juan. "Contributions to security and privacy protection in recommendation systems." Doctoral thesis, Universitat Politècnica de Catalunya, 2012. http://hdl.handle.net/10803/113673.

Abstract:
A recommender system is an automatic system that, given a customer model and a set of available documents, is able to select and offer those documents that are more interesting to the customer. From the point of view of security, there are two main issues that recommender systems must face: protection of the users' privacy and protection of other participants of the recommendation process. Recommenders issue personalized recommendations taking into account not only the profile of the documents, but also the private information that customers send to the recommender. Hence, the users' profiles include personal and highly sensitive information, such as their likes and dislikes. In order to have a really useful recommender system and improve its efficiency, we believe that users shouldn't be afraid of stating their preferences. The second challenge from the point of view of security involves the protection against a new kind of attack. Copyright holders have shifted their targets to attack the document providers and any other participant that aids in the process of distributing documents, even unknowingly. In addition, new legislation trends such as ACTA or the "Sinde-Wert law" in Spain show the interest of states all over the world to control and prosecute these intermediate nodes. We proposed the next contributions:
1. A social model that captures user's interests into the users' profiles, and a metric function that calculates the similarity between users, queries and documents. This model represents profiles as vectors of a social space. Document profiles are created by means of the inspection of the contents of the document. Then, user profiles are calculated as an aggregation of the profiles of the documents that the user owns. Finally, queries are a constrained view of a user profile. This way, all profiles are contained in the same social space, and the similarity metric can be used on any pair of them.
2. Two mechanisms to protect the personal information that the user profiles contain. The first mechanism takes advantage of the Johnson-Lindenstrauss and Undecomposability of random matrices theorems to project profiles into social spaces of less dimensions. Even if the information about the user is reduced in the projected social space, under certain circumstances the distances between the original profiles are maintained. The second approach uses a zero-knowledge protocol to answer the question of whether or not two profiles are affine without leaking any information in case they are not.
3. A distributed system on a cloud that protects merchants, customers and indexers against legal attacks, by means of providing plausible deniability and oblivious routing to all the participants of the system. We use the term DocCloud to refer to this system. DocCloud organizes databases in a tree-shape structure over a cloud system and provides a Private Information Retrieval protocol to avoid that any participant or observer of the process can identify the recommender. This way, customers, intermediate nodes and even databases are not aware of the specific database that answered the query.
4. A social, P2P network where users link together according to their similarity, and provide recommendations to other users in their neighborhood. We defined an epidemic protocol where links are established based on the neighbors similarity, clustering and randomness. Additionally, we proposed some mechanisms such as the use of SoftDHT to aid in the identification of affine users, and speed up the process of creation of clusters of similar users.
5. A document distribution system that provides the recommended documents at the end of the process. In our view of a recommender system, the recommendation is a complete process that ends when the customer receives the recommended document. We proposed SCFS, a distributed and secure filesystem where merchants, documents and users are protected
This document explores how to locate documents of interest to the user in large distributed networks by means of recommender systems. A recommender system is defined as an automatic system that, given a customer model and a set of available documents, is able to select and offer the documents that are most interesting to the customer. The desirable characteristics of a recommender system are: (i) being fast, (ii) distributed and (iii) secure. A fast recommender system improves the customer's shopping experience, since a recommendation is not useful if it arrives too late. A distributed recommender system avoids the creation of centralized databases with sensitive information and improves the availability of documents. Finally, a secure recommender system protects all the participants of the system: users, content providers, recommenders and intermediate nodes. From the point of view of security, there are two main problems that recommender systems must face: (i) protecting users' privacy and (ii) protecting the other participants of the recommendation process. Recommenders are able to issue personalized recommendations taking into account not only the profile of the documents, but also the private information that customers send to the recommender. Therefore, user profiles include personal and highly sensitive information, such as their likes and phobias. In order to develop a useful recommender system and improve its effectiveness, we believe that users should not be afraid to express their preferences. To that end, the personal information included in user profiles must be protected and user privacy guaranteed. The second challenge from the point of view of security involves a new type of attack.
Since preventing the illegal distribution of copyrighted documents by technical means has not been effective, copyright holders shifted their targets to attack document providers and any other participant that helps in the document distribution process. In addition, treaties and laws such as ACTA, the SOPA law in the US or the "Sinde-Wert" law in Spain make clear the interest of states around the world in controlling and prosecuting these intermediate nodes. Recent trials such as MegaUpload, PirateBay or the case against Mr. Pablo Soto in Spain show that these threats are a reality.
46

Manolopoulos, Vasileios. "Security and Privacy in Smartphone Based Intelligent Transportation Systems." Licentiate thesis, KTH, Integrerade komponenter och kretsar, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-59987.

47

Yassaei, Mahshid. "Security and privacy analysis of radio frequency identification systems." Thesis, McGill University, 2013. http://digitool.Library.McGill.CA:80/R/?func=dbin-jump-full&object_id=114506.

Abstract:
Radio Frequency Identification (RFID) technology is widely used for various applications from access control to object tracking systems. Automation and faster services provided by this technology have striking effects on our daily life. However, there are several security and privacy concerns about RFID systems that remain unsolved. During the past years, several attacks have been designed against Mifare Classic and HID iClass, two of the most widely used RFID systems on the market. The aim of this study was to improve the security and privacy mechanisms of RFID systems through the development of tools and the methodology of system analysis, in the hope of finding the possible flaws before the adversaries do. As an example, efforts were made to partially analyze OPUS cards (the RFID-enabled public transportation passes in Montreal) and several security and privacy violating specifications of these cards were highlighted. It was revealed that the static identification number of the card is transferred in the anticollision process which can be used to track the card holder without his consent. In addition, the information about the last three usages of the card (the time, the date and the metro/bus station) is transferred unencrypted and before the authentication process. Only a linear conversion is applied to the information which can be reversed by a simple application such as the one developed and provided in this study. Furthermore, design modifications to improve the security and privacy level of RFID systems were provided. These modifications are categorized based on the cost and the disruption of service that the application of these modifications imposes to the manufacturing company.
Key Words: RFID Systems, Privacy, Security, OPUS Cards
Radio-frequency identification (RFID) technologies are heavily used in various applications ranging from access control to object-tracking systems. The automation and increased speed of the services that these technologies make possible have marked effects on our daily life. However, RFID systems have many security and privacy problems that are still unresolved. In recent years, many attacks have been designed against the MIFARE Classic chip and the HID iClass chip, two of the most widespread RFID systems on the market. The aim of this study is to improve the security and privacy mechanisms of RFID systems through the development of tools and the methodology of system analysis, in the hope of discovering potential security flaws before adversaries do. For example, we carried out a partial analysis of OPUS cards (the cards that hold the public transit fares used in Montreal, which make use of RFID technology), and highlighted many elements of the specifications of these cards that represent a security or privacy flaw. We discovered that the static identification number of the card is transmitted during the anticollision process, which can be used to track the card holder without their consent. In addition, information about the last three uses of a card (the time, the date, and the metro or bus station) is transmitted unencrypted, and before the authentication process takes place. Only a linear conversion is applied to the information, and this conversion can be reversed by a simple application such as the one we developed during this study.
In addition, we present modifications aimed at improving the level of security and privacy of RFID systems. We classify these modifications on the basis of their cost and the severity of the service interruptions that applying these modifications would impose on the manufacturer. Keywords: RFID systems, privacy, security, OPUS cards
48

Wernberg, Max. "Security and Privacy of Controller Pilot Data Link Communication." Thesis, Linköpings universitet, Kommunikations- och transportsystem, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-156337.

Abstract:
Newly implemented technologies within aviation lack, according to recent studies, built-in security measures to protect them against outside interference. In this thesis we study the security and privacy status of the digital wireless Controller Pilot Data Link Communication (CPDLC) used in air traffic management alongside other systems to increase the safety and traffic capacity of controlled airspaces. The findings show that CPDLC is currently insecure and exposed to attacks. Any solutions to remedy this must adhere to its low levels of performance. Elliptical Curve Cryptography, Protected ACARS and Host Identity Protocol have been identified as valid solutions to the system’s security drawbacks and all three are possible to implement in the present state of CPDLC.
49

Alawaji, Ahmed S. "Privacy and security risks for national health records systems." Thesis, Massachusetts Institute of Technology, 2018. http://hdl.handle.net/1721.1/118558.

Abstract:
Thesis: S.M. in Engineering and Management, Massachusetts Institute of Technology, System Design and Management Program, 2018.
Page 104 blank. Cataloged from PDF version of thesis.
Includes bibliographical references (pages 101-103).
A review of national health records (NEHR) systems shows that privacy and security risks have a profound impact on the success of such projects. Countries have different approaches when dealing with privacy and security considerations. The aims of this study were to explore how governments can design secure national health records systems. To do that systematically, we developed a framework to analyze NEHR systems. We then applied the framework to investigate the privacy and security risks in these systems. The studied systems demonstrate that getting privacy and security right has a considerable impact on the success of NEHR projects. Also, our study reveals that the healthcare system structure has a substantial impact on the adoption and usage rates of the system. The studied cases uncover many opportunities for improving privacy and security measures in future projects. The framework demonstrates the utility of applying it to the three cases.
by Ahmed S. Alawaji.
S.M. in Engineering and Management
50

Gholami, Ali. "Security and Privacy of Sensitive Data in Cloud Computing." Doctoral thesis, KTH, Parallelldatorcentrum, PDC, 2016. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-186141.

Abstract:
Cloud computing offers the prospect of on-demand, elastic computing, provided as a utility service, and it is revolutionizing many domains of computing. Compared with earlier methods of processing data, cloud computing environments provide significant benefits, such as the availability of automated tools to assemble, connect, configure and reconfigure virtualized resources on demand. These make it much easier to meet organizational goals as organizations can easily deploy cloud services. However, the shift in paradigm that accompanies the adoption of cloud computing is increasingly giving rise to security and privacy considerations relating to facets of cloud computing such as multi-tenancy, trust, loss of control and accountability. Consequently, cloud platforms that handle sensitive information are required to deploy technical measures and organizational safeguards to avoid data protection breakdowns that might result in enormous and costly damages. Sensitive information in the context of cloud computing encompasses data from a wide range of different areas and domains. Data concerning health is a typical example of the type of sensitive information handled in cloud computing environments, and it is obvious that most individuals will want information related to their health to be secure. Hence, with the growth of cloud computing in recent times, privacy and data protection requirements have been evolving to protect individuals against surveillance and data disclosure. Some examples of such protective legislation are the EU Data Protection Directive (DPD) and the US Health Insurance Portability and Accountability Act (HIPAA), both of which demand privacy preservation for handling personally identifiable information. There have been great efforts to employ a wide range of mechanisms to enhance the privacy of data and to make cloud platforms more secure. 
Techniques that have been used include: encryption, trusted platform module, secure multi-party computing, homomorphic encryption, anonymization, container and sandboxing technologies. However, it is still an open problem about how to correctly build usable privacy-preserving cloud systems to handle sensitive data securely due to two research challenges. First, existing privacy and data protection legislation demand strong security, transparency and audibility of data usage. Second, lack of familiarity with a broad range of emerging or existing security solutions to build efficient cloud systems. This dissertation focuses on the design and development of several systems and methodologies for handling sensitive data appropriately in cloud computing environments. The key idea behind the proposed solutions is enforcing the privacy requirements mandated by existing legislation that aims to protect the privacy of individuals in cloud-computing platforms. We begin with an overview of the main concepts from cloud computing, followed by identifying the problems that need to be solved for secure data management in cloud environments. It then continues with a description of background material in addition to reviewing existing security and privacy solutions that are being used in the area of cloud computing. Our first main contribution is a new method for modeling threats to privacy in cloud environments which can be used to identify privacy requirements in accordance with data protection legislation. This method is then used to propose a framework that meets the privacy requirements for handling data in the area of genomics. That is, health data concerning the genome (DNA) of individuals. Our second contribution is a system for preserving privacy when publishing sample availability data. This system is noteworthy because it is capable of cross-linking over multiple datasets. 
The thesis continues by proposing a system called ScaBIA for privacy-preserving brain image analysis in the cloud. The final section of the dissertation describes a new approach for quantifying and minimizing the risk of operating system kernel exploitation, in addition to the development of a system call interposition reference monitor for Lind - a dual sandbox.
“Cloud computing”, or “molntjänster” (cloud services), which has become the most common Swedish translation, has great potential. Cloud services can provide exactly the computing power that is requested, almost regardless of how large it is; that is, cloud services enable what is usually called “elastic computing”. The effects of cloud services are revolutionary in many areas of computer use. Compared with earlier methods of data processing, cloud services offer many advantages; for example, the availability of automated tools to assemble, connect, configure and reconfigure virtual resources “as needed” (“on-demand”). In other words, cloud services make it much easier for organizations to meet their objectives. But the paradigm shift that the introduction of cloud services entails also creates security problems and requires careful privacy assessments. How is mutual trust preserved, and how is accountability handled, when the possibilities for control are reduced as a result of shared information? Consequently, cloud platforms are needed that are designed so that they can handle sensitive information. Technical and organizational barriers are required to minimize the risk of data breaches, breaches that can result in enormously costly damage both economically and in terms of policy. Cloud services can contain sensitive information from many different areas and domains. Health data is a typical example of such information. It is obvious that most people want data related to their health to be protected. Thus, the increased use of cloud services in recent years has meant that privacy and data protection requirements have been tightened to protect individuals against surveillance and data breaches. Examples of protective legislation are the “EU Data Protection Directive” (DPD) and the “US Health Insurance Portability and Accountability Act” (HIPAA), both of which require protection of privacy and the preservation of integrity when handling information that can identify individuals.
Great efforts have been made to develop more mechanisms to increase data privacy and thereby make cloud services more secure. Examples of this are: encryption, “trusted platform modules”, secure “multi-party computing”, homomorphic encryption, anonymization, and container and “sandbox” techniques. But how to correctly create usable, privacy-preserving cloud services for fully secure processing of sensitive data is still, in essential respects, an unsolved problem because of two major research challenges. First: existing privacy and data protection laws require transparency and careful auditing of data usage. Second: a lack of familiarity with a range of emerging and already existing security solutions for creating efficient cloud services. This dissertation focuses on the design and development of systems and methods for handling sensitive data in cloud services in the most appropriate way. The goal of the proposed solutions is to meet the privacy requirements set out in legislation already in force, which has the stated aim of protecting the privacy of individuals when using cloud services. We begin by giving an overview of the most important concepts in cloud services, and then identify problems that need to be solved for secure data processing when using cloud services. The dissertation then continues with a description of background material and a summary of existing security and privacy solutions in cloud services. Our main contribution is a new method for simulating privacy threats when using cloud services, a method that can be used to identify privacy requirements that comply with applicable data protection laws. Our method is then used to propose a framework that meets the privacy requirements set for handling data in the field of “genomics”.
In short, genomics concerns health data relating to the genome (DNA) of individuals. Our second major contribution is a system for preserving privacy when publishing biological sample data. The system has the advantage of being able to link together several different sets of data. The dissertation continues by proposing and describing a system called ScaBIA, a privacy-preserving system for brain image analyses processed via cloud services. The concluding chapter of the dissertation describes a new way of quantifying and minimizing risk in “kernel exploitation”. This new approach is also a contribution to the development of a new system for (Call interposition reference monitor for Lind - the dual layer sandbox).

QC 20160516
