The 2019 REU class included the following students:
Connor Burdick, Wofford College
Kerwin Mercado, University of Connecticut
CovSDN: Continuously Optimizing and Verifying Software Defined Networks
Computer networks are more dynamic than at any time before. Enterprise and businesses depend on their networks to be designed with functionality, security, performance, and cost in mind. These networks host security cameras, sensors, and industrial controls systems in addition to personal computers, tablets, and cellular devices. An emerging way to cope with this complexity and better manage networks is the paradigm of Software Defined Networking. In this paradigm, the control plane for each router is outsourced to a shared remote controller, which allows the network to be made programmable.
The goal of this research is to create a rigorous, dynamic and tractable approach for configuring networks that are capable of handling ever-changing workloads, real-time events and security threats while fulfilling their core, multi-faceted mission. We are pushing the framework described in an earlier study, DOCSDN (Dynamic and Optimal Configuration for Software Defined Networks), onto a virtual environment using Mininet and Frenetic SDN Controller, with the goal of eventually pushing to a live network rather than a simulation environment. The ideas of this research are to expand DOCSDN by implementing it on a virtual network and also validating if in fact the new configurations are faster, more secure, functional and meet the demands of its users. By having an optimal network, network behavior is more predictable and manageable by cloud service providers and IT personnel.
Keneel Patel, University of Illinois at Chicago
Controller Area Network (CAN) Bus Security
Automobiles manufactured today have more than 70 microcontrollers. The design of the internal communication of a car has been concerned with reliability and safety. That led to the invention of the Controller Area Network. It was invented by Bosch in the mid-1980s mostly for the automotive industry. The advantage of using CAN is that it is easy to implement. CAN expansion in the network is also much easier than using a conventional microcontroller network. There was, however, no attention paid towards the security of network communication. Therefore, there was a need to find a network security system for a car. In this project, we explore security mechanisms for CAN bus. We start with surveying security problems with CAN bus and then implemented several standard security mechanisms (including integrity, authenticity, confidentiality and key exchange) on CAN bus to quantify the computation time of each algorithm. Our efforts constitute a solid basis for future studies to develop light-weight security mechanisms for CAN bus.
Halie Martineau, Keene State College
Integrating Trust Profiles, Trust Negotiation and Access Control
Medical data is highly classified, allowing access to only certain professionals. This data needs to be accessible to all experts that require it. Through the use of trust profiles, trust negotiations, and attribute-based access control, our goal is to create a medical application for medical professionals to access patient records. It is difficult and time consuming for physicians and other medical specialists to gain access to patient records. This research and creation of a mobile app will make these problems disintegrate.
Maia Iyer, Carnegie Mellon University
Brandon D'Agostino, University of Connecticut
Benchmarking Intel Software Guard Extensions Applications
Intel's Software Guard Extensions (SGX) technology provides not only process-level isolation but also hardware-level isolation in order to provide security to users who wish to run applications on third-party host machines. SGX applications can be developed using an abstraction called enclaves that separates data and operations that are security sensitive from those that do not need security. This dynamic is not only difficult to implement but also introduces non-trivial performance overheads to any application that needs to be ported to SGX technology. This effect is increased with increased interactivity that is often found in many real-world applications. In this paper, we conduct a deeper two-pronged analysis on these overheads. The first analysis measures baseline overheads of individual ecalls and ocalls, as well as goes into detail on the effects of cache behavior on ocall and ecall runtime. The second analysis is comprised of specific case studies on holistic performance add-on that comes with SGX technology. In our analysis, we find that different cache environments significantly affect the overheads of ecalls and ocalls. We also find that there is, as expected, significant slowdown due to SGX interactions in our case-study applications. Furthermore, while some of this slowdown can be attributed to cache behavior, as observed in the first experiment, some of this slowdown can also be attributed to the inherent interactivity of these large applications, with possible larger enclave states.
Sarah Abowitz, Smith College
Sean Bergen, Rochester Institute of Technology
BGP Extrapolator Verification
Information is sent and received over the Internet through the use of an Exterior Gateway Protocol (EGP), the most prominent being Border Gateway Protocol (BGP). It works by picking the "best" path between different Autonomous Systems (ASes) to send data, and then each AS along each "hop" of the path will forward to the next until it has reached its destination. Despite being so widely used, BGP's lack of security has motivated numerous projects aiming to improve BGP security. The BGP Extrapolator is a tool that is being developed by researchers at the University of Connecticut to predicts AS Paths for destination prefixes at an AS. One application of this tool is investigating the benefits of adopting RPKI (Resource Public Key Infrastructure) and ROV (Route Origin Validation) on top of BGP for security. Verification of the Extrapolator's paths is important because of the complexity of reconstructing the paths. At the same time, the scale of the project means that the verification process must be reasonably fast. In this paper, we propose a method of verifying the output that strikes a balance between accuracy and speed. Specifically, we implemented a design for a three- step verification process of the BGP Extrapolator to evaluate the accuracy of the BGP Extrapolator.
Calvin Roth, University of Minnesota
Finite Key Analysis of Semi Quantum Key Distribution
An important problem in bounding the security and limitations of Semi Quantum Key Distribution protocols is the Key Rate and the case of a finite key has not been properly studied until now. The Key Rate determines the worst case ratio of qubits sent to the length of the final key that is still secure. A protocol with low key rate means that it would be fragile to noisy environments and more limited in terms of when it can be used. We found the key rate of a known semi quantum key distribution protocol to be 11% and 7.9 % under two different sets of environments. Later we will use these techniques to analyze the finite key case as opposed to the asymptotic case.
Kevin Kerliu, The Cooper Union for the Advancement of Science and Art
Alexandra Ross, John Hopkins University
Secure Over-The-Air Firmware Updates for Sensor Networks
The IoT (Internet of Things) is spreading quickly thanks to ultra-low power sensors and wireless communications devices. Highly integrated microcontrollers (MCUs) only further add to its accessibility. Among the most significant barriers that limit the adoption of IoT solutions are the security and vulnerability of these systems as well as the lack of technical expertise in this emerging area. To improve on existing technology, we are working on updating firmware OTA (Over-The-Air) securely for sensor networks of MCUs. To date, firmware updates for non-OTA systems are time-consuming and tedious; each device must be taken down from its deployment location to be updated. OTA updates are inherently more efficient and increase the scalability of a project significantly. Furthermore, having an OTA update system in place means that we will have an efficient testbed for future projects. In this paper, we design and implement an OTA update system, and evaluates its performance.