5 articles found
A Survey: Typical Security Issues of Software-Defined Networking (Cited by: 12)
1
Authors: Yifan Liu, Bo Zhao, Pengyuan Zhao, Peiru Fan, Hui Liu. China Communications (SCIE, CSCD), 2019, Issue 7, pp. 13-31 (19 pages)
Software-Defined Networking (SDN) has been a hot topic for future network development, which implements the different layers of control plane and data plane respectively. Despite providing high openness and programmability, the “three-layer two-interface” architecture of SDN changes the traditional network and increases the network attack nodes, which results in new security issues. In this paper, we firstly introduced the background, architecture and working process of SDN. Secondly, we summarized and analyzed the typical security issues from north to south: application layer, northbound interface, control layer, southbound interface and data layer. Another contribution is to review and analyze the existing solutions and latest research progress of each layer, mainly including: authorized authentication module, application isolation, DoS/DDoS defense, multi-controller deployment and flow rule consistency detection. Finally, a conclusion about the future works of SDN security and an idealized global security architecture is proposed.
Keywords: software-defined networking; network security; global security; security threat
Powermitter: Data Exfiltration from Air-Gapped Computer through Switching Power Supply (Cited by: 4)
2
Authors: Bo Zhao, Mingtao Ni, Peiru Fan. China Communications (SCIE, CSCD), 2018, Issue 2, pp. 170-189 (20 pages)
Air-gapped computers are isolated both logically and physically from all kinds of existing common communication channels, such as USB ports, wireless and wired networks. Although the feasibility of infiltrating an air-gapped computer has been proved in recent years, data exfiltration from such systems is still considered to be a challenging task. In this paper we present Powermitter, a novel approach that can exfiltrate data through an air-gapped computer via its power adapter. Our method utilizes the switched-mode power supply, which exists in all of the laptops, desktop computers and servers nowadays. We demonstrate that a malware can indirectly control the electromagnetic emission frequency of the power supply by leveraging the CPU utilization. Furthermore, we show that the emitted signals can be received and demodulated by a dedicated device. We present the proof of concept design of the power covert channel and implement a prototype of Powermitter consisting of a transmitter and a receiver. The transmitter leaks out data by using a variant binary frequency shift keying modulation, and the emitted signal can be captured and decoded by software based virtual oscilloscope through such covert channel. We tested Powermitter on three different computers. The experiment results show the feasibility of this power covert channel. We show that our method can also be used to leak data from different types of embedded systems which use switching power supply.
Keywords: information security; covert channel; data leakage; air-gapped system
Lattice-Based Double-Authentication-Preventing Ring Signature for Security and Privacy in Vehicular Ad-Hoc Networks (Cited by: 10)
3
Authors: Jinhui Liu, Yong Yu, Jianwei Jia, Shijia Wang, Peiru Fan, Houzhen Wang, Huanguo Zhang. Tsinghua Science and Technology (SCIE, EI, CAS, CSCD), 2019, Issue 5, pp. 575-584 (10 pages)
Amidst the rapid development of the Internet of Things (IoT), Vehicular Ad-Hoc NETwork (VANET), a typical IoT application, are bringing an ever-larger number of intelligent and convenient services to the daily lives of individuals. However, there remain challenges for VANETs in preserving privacy and security. In this paper, we propose the first lattice-based Double-Authentication-Preventing Ring Signature (DAPRS) and adopt it to propose a novel privacy-preserving authentication scheme for VANETs, offering the potential for security against quantum computers. The new construction is proven secure against chosen message attacks. Our scheme is more efficient than other ring signature in terms of the time cost of the message signing phase and verification phase, and also in terms of signature length. Analyses of security and efficiency demonstrate that our proposed scheme is provably secure and efficient in the application.
Keywords: Vehicular Ad-Hoc NETwork (VANET); privacy; security; Double-Authentication-Preventing Ring Signature (DAPRS); lattice
ePUF: A Lightweight Double Identity Verification in IoT (Cited by: 2)
4
Authors: Bo Zhao, Pengyuan Zhao, Peiru Fan. Tsinghua Science and Technology (SCIE, EI, CAS, CSCD), 2020, Issue 5, pp. 625-635 (11 pages)
Remote authentication is a safe and verifiable mechanism. In the Internet of Things (IoT), remote hosts need to verify the legitimacy of identity of terminal devices. However, embedded devices can hardly afford sufficient resources for the necessary trusted hardware components. Software authentication with no hardware guarantee is generally vulnerable to various network attacks. In this paper, we propose a lightweight remote verification protocol. The protocol utilizes the unique response returned by Physical Unclonable Function (PUF) as legitimate identity basis of the terminal devices and uses quadratic residues to encrypt the PUF authentication process to perform a double identity verification scheme. Our scheme is secure against middleman attacks on the attestation response by preventing conspiracy attacks from forgery authentication.
Keywords: Internet of Things (IoT); Identity-Based Encryption (IBE); Physically Unclonable Functions (PUFs)
SIV: A Structural Integrity Verification Approach of Cloud Components with Enhanced Privacy
5
Authors: Bo Zhao, Peiru Fan, Pengyuan Zhao, Mingtao Ni, Jinhui Liu. Tsinghua Science and Technology (SCIE, EI, CAS, CSCD), 2019, Issue 5, pp. 557-574 (18 pages)
Private data leakage is a threat to current integrity verification schemes of cloud components. To address this issue, this work proposes a privacy-enhancing Structural Integrity Verification (SIV) approach. It is made up of three processes: proof organization, proof transformation, and integrity judgement. By introducing a Merkle tree technique, the integrity of a constituent part of a cloud component on a node is represented by a root value. The value is then masked to cipher texts in proof transformation. With the masked proofs, a structural feature is extracted and validated in an integrity judgement by a third-party verification provider. The integrity of the cloud component is visually displayed in the output result matrix. If there are abnormities, the corrupted constituent parts can be located. Integrity is verified through the encrypted masked proofs. All raw proofs containing sensitive information stay on their original nodes, thus minimizing the attack surface of the proof data, and eliminating the risk of leaking private data at the source. Although some computations are added, the experimental results show that the time overhead is within acceptable bounds.
Keywords: integrity verification; cloud components; structural feature; privacy