Browsing by Author "Wang, Haining"

Now showing 1 - 20 of 29
  • Thumbnail Image
    All Use-After-Free Vulnerabilities Are Not Created Equal: An Empirical Study on Their Characteristics and Detectability
    Chen, Zeyu; Liu, Daiping; Xiao, Jidong; Wang, Haining (ACM, 2023-10-16)
    Over the past decade, use-after-free (UaF) has become one of the most exploited types of vulnerabilities. To address this increasing threat, we need to advance the defense in multiple directions, such as UaF vulnerability detection, UaF exploit defense, and UaF bug fix. Unfortunately, the intricacy rooted in the temporal nature of UaF vulnerabilities makes it quite challenging to develop effective and efficient defenses in these directions. This calls for an in-depth understanding of real-world UaF characteristics. This paper presents the first comprehensive empirical study of UaF vulnerabilities, with 150 cases randomly sampled from multiple representative software suites, such as Linux kernel, Python, and Mozilla Firefox. We aim to identify the commonalities, root causes, and patterns from realworld UaF bugs, so that the empirical results can provide operational guidance to avoid, detect, deter, and fix UaF vulnerabilities. Our main finding is that the root causes of UaF bugs are diverse, and they are not evenly or equally distributed among different software. This implies that a generic UaF detector/fuzzer is probably not an optimal solution. We further categorize the root causes into 11 patterns, several of which can be translated into simple static detection rules to cover a large portion of the 150 UaF vulnerabilities with high accuracy. Motivated by our findings, we implement 11 checkers in a static bug detector called Palfrey. Running Palfrey on the code of popular open source software, we detect 9 new UaF vulnerabilities. Compared with state-of-the-art static bug detectors, Palfrey outperforms in coverage and accuracy for UaF detection, as well as time and memory overhead.
  • Thumbnail Image
    The application of DRAM PUF as a physical token
    Ayaluru Venkata Krishnan, Sruthi (Virginia Tech, 2024-05-31)
    The exploration of leveraging physical attributes of hardware for cryptographic purposes has become a topic of research. Among these avenues, the utilization of Physical Unclonable Functions (PUFs) is one feature that is widely studied. PUFs provide the ability to generate encryption keys for device authentication by exploiting inherent variations in physical structures. In this research work, the focus lies on probing the characteristics of a DRAM-based PUF structure on the Intel Galileo Platform to discern its degradation traits and assess its suitability as a cryptographic primitive. As the adoption of PUFs in diverse applications surges, it becomes imperative to scrutinize their susceptibility to various forms of side-channel attacks. The research work is divided into two parts. First, experimental investigations have been undertaken to ascertain the vulnerability of the DRAM PUF which is the magnetic fault injection to understand its resilience against such threats. Secondly, the analysis of PUF measurements has been conducted to elucidate its potential as a dependable source for physical cryptography, particularly in the context of the oblivious transfer protocol which is based on the fuzzy transfer protocol. The results contributes to a deeper understanding of its application as a physical token as well as the security implications associated with deploying PUFs in cryptographic applications and pave the way for the development of robust countermeasures to mitigate emerging risks.
  • Thumbnail Image
    Blockchain-enabled Secure and Trusted Personalized Health Record
    Dong, Yibin (Virginia Tech, 2022-12-20)
    Longitudinal personalized electronic health record (LPHR) provides a holistic view of health records for individuals and offers a consistent patient-controlled information system for managing the health care of patients. Except for the patients in Veterans Affairs health care service, however, no LPHR is available for the general population in the U.S. that can integrate the existing patients' electronic health records throughout life of care. Such a gap may be contributed mainly by the fact that existing patients' electronic health records are scattered across multiple health care facilities and often not shared due to privacy and security concerns from both patients and health care organizations. The main objective of this dissertation is to address these roadblocks by designing a scalable and interoperable LPHR with patient-controlled and mutually-trusted security and privacy. Privacy and security are complex problems. Specifically, without a set of access control policies, encryption alone cannot secure patient data due to insider threat. Moreover, in a distributed system like LPHR, so-called race condition occurs when access control policies are centralized while decisions making processes are localized. We propose a formal definition of secure LPHR and develop a blockchain-enabled next generation access control (BeNGAC) model. The BeNGAC solution focuses on patient-managed secure authorization for access, and NGAC operates in open access surroundings where users can be centrally known or unknown. We also propose permissioned blockchain technology - Hyperledger Fabric (HF) - to ease the shortcoming of race condition in NGAC that in return enhances the weak confidentiality protection in HF. Built upon BeNGAC, we further design a blockchain-enabled secure and trusted (BEST) LPHR prototype in which data are stored in a distributed yet decentralized database. The unique feature of the proposed BEST-LPHR is the use of blockchain smart contracts allowing BeNGAC policies to govern the security, privacy, confidentiality, data integrity, scalability, sharing, and auditability. The interoperability is achieved by using a health care data exchange standard called Fast Health Care Interoperability Resources. We demonstrated the feasibility of the BEST-LPHR design by the use case studies. Specifically, a small-scale BEST-LPHR is built for sharing platform among a patient and health care organizations. In the study setting, patients have been raising additional ethical concerns related to consent and granular control of LPHR. We engineered a Web-delivered BEST-LPHR sharing platform with patient-controlled consent granularity, security, and privacy realized by BeNGAC. Health organizations that holding the patient's electronic health record (EHR) can join the platform with trust based on the validation from the patient. The mutual trust is established through a rigorous validation process by both the patient and built-in HF consensus mechanism. We measured system scalability and showed millisecond-range performance of LPHR permission changes. In this dissertation, we report the BEST-LPHR solution to electronically sharing and managing patients' electronic health records from multiple organizations, focusing on privacy and security concerns. While the proposed BEST-LPHR solution cannot, expectedly, address all problems in LPHR, this prototype aims to increase EHR adoption rate and reduce LPHR implementation roadblocks. In a long run, the BEST-LPHR will contribute to improving health care efficiency and the quality of life for many patients.
  • Thumbnail Image
    Design of Secure Scalable Frameworks for Next Generation Cellular Networks
    Atalay, Tolga Omer (Virginia Tech, 2024-06-06)
    Leveraging Network Functions Virtualization (NFV), the Fifth Generation (5G) core, and Radio Access Network (RAN) functions are implemented as Virtual Network Functions (VNFs) on Commercial-off-the-Shelf (COTS) hardware. The use of virtualized micro-services to implement these 5G VNFs enables the flexible and scalable construction of end-to-end logically isolated network fragments denoted as network slices. The goal of this dissertation is to design more scalable, flexible, secure, and visible 5G networks. Thus, each chapter will present a design and evaluation that addresses one or more of these aspects. The first objective is to understand the limits of 5G core micro-service virtualization when using lightweight containers for constructing various network slicing models with different service guarantees. The initial deployment model consists of the OpenAirInterface (OAI) 5G core in a containerized setting to create a universally deployable testbed. Operational and computational stress tests are performed on individual 5G core VNFs where different network slicing models are created that are applicable to real-life scenarios. The analysis captures the increase in compute resource consumption of individual VNFs during various core network procedures. Furthermore, using different network slicing models, the progressive increase in resource consumption can be seen as the service guarantees of the slices become more demanding. The framework created using this testbed is the first to provide such analytics on lightweight virtualized 5G core VNFs with large-scale end-to-end connections. Moving into the cloud-native ecosystem, 5G core deployments will be orchestrated by middle-men Network-slice-as-a-Service (NSaaS) providers. These NSaaS providers will consume Infrastructure-as-a-service (IaaS) offerings and offer network slices to Mobile Virtual Network Operators (MVNOs). To investigate this future model, end-to-end emulated 5G deployments are conducted to offer insight into the cost implications surrounding such NSaaS offerings in the cloud. The deployment features real-life traffic patterns corresponding to practical use cases which are matched with specific network slicing models. These models are implemented in a 5G testbed to gather compute resource consumption metrics. The obtained data are used to formulate infrastructure procurement costs for popular cloud providers such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. The results show steady patterns in compute consumption across multiple use cases, which are used to make high-scale cost projections for public cloud deployments. In the end, the trade-off between cost and throughput is achieved by decentralizing the network slices and offloading the user plane. The next step is the demystification of 5G traffic patterns using the Over-the-Air (OTA) testbed. An open-source OTA testbed is constructed leveraging advanced features of 5G radio access and core networks developed by OAI. The achievable Quality of Service (QoS) is evaluated to provide visibility into the compute consumption of individual components. Additionally, a method is presented to utilize WiFi devices for experimenting with 5G QoS. Resource consumption analytics are collected from the 5G user plane in correlation to raw traffic patterns. The results show that the open-source 5G testbed can sustain sub-20ms latency with up to 80Mbps throughput over a 25m range using COTS devices. Device connection remains stable while supporting different use cases such as AR/VR, online gaming, video streaming, and Voice-over IP (VoIP). It illustrates how these popular use cases affect CPU utilization in the user plane. This provides insight into the capabilities of existing 5G solutions by demystifying the resource needs of specific use cases. Moving into public cloud-based deployments, creates a growing demand for general-purpose compute resources as 5G deployments continue to expand. Given their existing infrastructures, cloud providers such as AWS are attractive platforms to address this need. Therefore, it is crucial to understand the control and user plane QoS implications associated with deploying the 5G core on top of AWS. To this end, a 5G testbed is constructed using open-source components spanning multiple global locations within the AWS infrastructure. Using different core deployment strategies by shuffling VNFs into AWS edge zones, an operational breakdown of the latency overhead is conducted for 5G procedures. The results show that moving specific VNFs into edge regions reduces the latency overhead for key 5G operations. Multiple user plane connections are instantiated between availability zones and edge regions with different traffic loads. As more data sessions are instantiated, it is observed that the deterioration of connection quality varies depending on traffic load. Ultimately, the findings provide new insights for MVNOs to determine favorable placements of their 5G core entities in the cloud. The transition into cloud-native deployments has encouraged the development of supportive platforms for 5G. One such framework is the OpenRAN initiative, led by the O-RAN Alliance. The OpenRAN initiative promotes an open Radio Access Network (RAN) and offers operators fine-grained control over the radio stack. To that end, O-RAN introduces new components to the 5G ecosystem, such as the near real-time RAN Intelligent Controller (near-RT RIC) and the accompanying Extensible Applications (xApps). The introduction of these entities expands the 5G threat surface. Furthermore, with the movement from proprietary hardware to virtual environments enabled by NFV, attack vectors that exploit the existing NFV attack surface pose additional threats. To deal with these threats, the textbf{xApp repository function (XRF)} framework is constructed for scalable authentication, authorization, and discovery of xApps. In order to harden the XRF microservices, deployments are isolated using Intel Software Guard Extensions (SGX). The XRF modules are individually benchmarked to compare how different microservices behave in terms of computational overhead when deployed in virtual and hardware-based isolation sandboxes. The evaluation shows that the XRF framework scales efficiently in a multi-threaded Kubernetes environment. Isolation of the XRF microservices introduces different amounts of processing overhead depending on the sandboxing strategy. A security analysis is conducted to show how the XRF framework addresses chosen key issues from the O-RAN and 5G standardization efforts. In the final chapter of the dissertation, the focus shifts towards the development and evaluation of 5G-STREAM, a service mesh tailored for rapid, efficient, and authorized microservices in cloud-based 5G core networks. 5G-STREAM addresses critical scalability and efficiency challenges in the 5G core control plane by optimizing traffic and reducing signaling congestion across distributed cloud environments. The framework enhances Virtual Network Function (VNF) service chains' topology awareness, enabling dynamic configuration of communication pathways which significantly reduces discovery and authorization signaling overhead. A prototype of 5G-STREAM was developed and tested, showing a reduction of up to 2× in inter-VNF latency per HTTP transaction in the core network service chains, particularly benefiting larger service chains with extensive messaging. Additionally, 5G-STREAM's deployment strategies for VNF placement are explored to further optimize performance and cost efficiency in cloud-based infrastructures, ultimately providing a scalable solution that can adapt to increasing network demands while maintaining robust service levels. This innovative approach signifies a pivotal advancement in managing 5G core networks, paving the way for more dynamic, efficient, and cost-effective cellular network infrastructures. Overall, this dissertation is devoted to designing, building, and evaluating scalable and secure 5G deployments.
  • Thumbnail Image
    Designing Security Defenses for Cyber-Physical Systems
    Foruhandeh, Mahsa (Virginia Tech, 2022-05-04)
    Legacy cyber-physical systems (CPSs) were designed without considering cybersecurity as a primary design tenet especially when considering their evolving operating environment. There are many examples of legacy systems including automotive control, navigation, transportation, and industrial control systems (ICSs), to name a few. To make matters worse, the cost of designing and deploying defenses in existing legacy infrastructure can be overwhelming as millions or even billions of legacy CPS systems are already in use. This economic angle, prevents the use of defenses that are not backward compatible. Moreover, any protection has to operate efficiently in resource constraint environments that are dynamic nature. Hence, the existing approaches that require ex- pensive additional hardware, propose a new protocol from scratch, or rely on complex numerical operations such as strong cryptographic solutions, are less likely to be deployed in practice. In this dissertation, we explore a variety of lightweight solutions for securing different existing CPSs without requiring any modifications to the original system design at hardware or protocol level. In particular, we use fingerprinting, crowdsourcing and deterministic models as alternative backwards- compatible defenses for securing vehicles, global positioning system (GPS) receivers, and a class of ICSs called supervisory control and data acquisition (SCADA) systems, respectively. We use fingerprinting to address the deficiencies in automobile cyber-security from the angle of controller area network (CAN) security. CAN protocol is the de-facto bus standard commonly used in the automotive industry for connecting electronic control units (ECUs) within a vehicle. The broadcast nature of this protocol, along with the lack of authentication or integrity guarantees, create a foothold for adversaries to perform arbitrary data injection or modification and impersonation attacks on the ECUs. We propose SIMPLE, a single-frame based physical layer identification for intrusion detection and prevention on such networks. Physical layer identification or fingerprinting is a method that takes advantage of the manufacturing inconsistencies in the hardware components that generate the analog signal for the CPS of our interest. It translates the manifestation of these inconsistencies, which appear in the analog signals, into unique features called fingerprints which can be used later on for authentication purposes. Our solution is resilient to ambient temperature, supply voltage value variations, or aging. Next, we use fingerprinting and crowdsourcing at two separate protection approaches leveraging two different perspectives for securing GPS receivers against spoofing attacks. GPS, is the most predominant non-authenticated navigation system. The security issues inherent into civilian GPS are exacerbated by the fact that its design and implementation are public knowledge. To address this problem, first we introduce Spotr, a GPS spoofing detection via device fingerprinting, that is able to determine the authenticity of signals based on their physical-layer similarity to the signals that are known to have originated from GPS satellites. More specifically, we are able to detect spoofing activities and track genuine signals over different times and locations and propagation effects related to environmental conditions. In a different approach at a higher level, we put forth Crowdsourcing GPS, a total solution for GPS spoofing detection, recovery and attacker localization. Crowdsourcing is a method where multiple entities share their observations of the environment and get together as a whole to make a more accurate or reliable decision on the status of the system. Crowdsourcing has the advantage of deployment with the less complexity and distributed cost, however its functionality is dependent on the adoption rate by the users. Here, we have two methods for implementing Crowdsourcing GPS. In the first method, the users in the crowd are aware of their approximate distance from other users using Bluetooth. They cross validate this approximate distance with the GPS-derived distance and in case of any discrepancy they report ongoing spoofing activities. This method is a strong candidate when the users in the crowd have a sparse distribution. It is also very effective when tackling multiple coordinated adversaries. For method II, we exploit the angular dispersion of the users with respect to the direction that the adversarial signal is being transmitted from. As a result, the users that are not facing the attacker will be safe. The reason for this is that human body mostly comprises of water and absorbs the weak adversarial GPS signal. The safe users will help the spoofed users find out that there is an ongoing attack and recover from it. Additionally, the angular information is used for localizing the adversary. This method is slightly more complex, and shows the best performance in dense areas. It is also designed based on the assumption that the spoofing attack is only terrestrial. Finally, we propose a tandem IDS to secure SCADA systems. SCADA systems play a critical role in most safety-critical infrastructures of ICSs. The evolution of communications technology has rendered modern SCADA systems and their connecting actuators and sensors vulnerable to malicious attacks on both physical and application layers. The conventional IDS that are built for securing SCADA systems are focused on a single layer of the system. With the tandem IDS we break this habit and propose a strong multi-layer solution which is able to expose a wide range of attack. To be more specific, the tandem IDS comprises of two parts, a traditional network IDS and a shadow replica. We design the shadow replica as a deterministic IDS. It performs a workflow analysis and makes sure the logical flow of the events in the SCADA controller and its connected devices maintain their expected states. Any deviation would be a malicious activity or a reliability issue. To model the application level events, we leverage finite state machines (FSMs) to compute the anticipated states of all of the devices. This is feasible because in many of the existing ICSs the flow of traffic and the resulting states and actions in the connected devices have a deterministic nature. Consequently, it leads to a reliable and free of uncertainty solution. Aside from detecting traditional network attacks, our approach bypasses the attacker in case it succeeds in taking over the devices and also maintains continuous service if the SCADA controller gets compromised.
  • Thumbnail Image
    Dial "N" for NXDomain: The Scale, Origin, and Security Implications of DNS Queries to Non-Existent Domains
    Liu, Guannan; Jin, Lin; Hao, Shuai; Zhang, Yubao; Liu, Daiping; Stavrou, Angelos; Wang, Haining (ACM, 2023-10-24)
    Non-Existent Domain (NXDomain) is one type of the Domain Name System (DNS) error responses, indicating that the queried domain name does not exist and cannot be resolved. Unfortunately, little research has focused on understanding why and how NXDomain responses are generated, utilized, and exploited. In this paper, we conduct the first comprehensive and systematic study on NXDomain by investigating its scale, origin, and security implications. Utilizing a large-scale passive DNS database, we identify 146,363,745,785 NXDomains queried by DNS users between 2014 and 2022. Within these 146 billion NXDomains, 91 million of them hold historic WHOIS records, of which 5.3 million are identified as malicious domains including about 2.4 million blocklisted domains, 2.8 million DGA (Domain Generation Algorithms) based domains, and 90 thousand squatting domains targeting popular domains. To gain more insights into the usage patterns and security risks of NXDomains, we register 19 carefully selected NXDomains in the DNS database, each of which received more than ten thousand DNS queries per month. We then deploy a honeypot for our registered domains and collect 5,925,311 incoming queries for 6 months, from which we discover that 5,186,858 and 505,238 queries are generated from automated processes and web crawlers, respectively. Finally, we perform extensive traffic analysis on our collected data and reveal that NXDomains can be misused for various purposes, including botnet takeover, malicious file injection, and residue trust exploitation.
  • Thumbnail Image
    DynaCut: A Framework for Dynamic Code Customization
    Mahurkar, Abhijit (Virginia Tech, 2021-09-03)
    Software systems are becoming increasingly bloated to accommodate a wide array of features, platforms and users. This results not only in wastage of memory but also in an increase in their attack surface. Existing works broadly use binary-rewriting techniques to remove unused code, but this results in a binary that is highly customized for a given usage context. If the usage scenario of the binary changes, the binary has to be regenerated. We present DYNACUT– a framework for Dynamic and Adaptive Code Customization. DYNACUT provides the user with the capability to customize the application to changing usage scenarios at runtime without the need for the source code. DYNACUT achieves this customization by leveraging two techniques: 1) identifying the code to be removed by using execution traces of the application and 2) by rewriting the process dynamically. The first technique uses traces of the wanted features and the unwanted features of the application and generates their diffs to identify the features to be removed. The second technique modifies the process image to add traps and fault-handling code to remove vulnerable but unused code. DYNACUT can also disable temporally unused code – code that is used only during the initialization phase of the application. To demonstrate its effectiveness, we built a prototype of DYNACUT and evaluated it on 9 real-world applications including NGINX, Lighttpd and 7 applications of the SPEC Intspeed benchmark suite. DYNACUT removes upto 56% of executed basic blocks and upto 10% of the application code when used to remove initialization code. The total overhead is in the range of 1.63 seconds for Lighttpd, 4.83 seconds for NGINX and about 39 seconds for perlbench in the SPEC suite.
  • Thumbnail Image
    Enhancing Software Security through Code Diversification Verification, Control-flow Restriction, and Automatic Compartmentalization
    Jang, Jae-Won (Virginia Tech, 2024-07-26)
    In today's digital age, computer systems are prime targets for adversaries due to the vast amounts of sensitive information stored digitally. This ongoing cat-and-mouse game between programmers and adversaries forces security researchers to continually develop novel security measures. Widely adopted schemes like NX bits have safeguarded systems against traditional memory exploits such as buffer overflows, but new threats like code-reuse attacks quickly bypass these defenses. Code-reuse attacks exploit existing code sequences, known as gadgets, without injecting new malicious code, making them challenging to counter. Additionally, input-based vulnerabilities pose significant risks by exploiting external inputs to trigger malicious paths. Languages like C and C++ are often considered unsafe due to their tendency to cause issues like buffer overflows and use-after-free errors. Addressing these complex vulnerabilities requires extensive research and a holistic approach. This dissertation initially introduces a methodology for verifying the functional equivalence between an original binary and its diversified version. The Verification of Diversified Binary (VDB) algorithm is employed to determine whether the two binaries—the original and the diversified—maintain functional equivalence. Code diversification techniques modify the binary compilation process to produce functionally equivalent yet different binaries from the same source code. Most code diversification techniques focus on analyzing non-functional properties, such as whether the technique improves security. The objective of this contribution is to enable the use of untrusted diversification techniques in essential applications. Our evaluation demonstrates that the VDB algorithm can verify the functional equivalence of 85,315 functions within binaries from the GNU Coreutils 8.31 benchmark suite. Next, this dissertation proposes a binary-level tool that modifies binaries to protect against control-flow hijacking attacks. Traditional approaches to guard against ROP attacks either introduce significant overhead, require hardware support, or need intimate knowledge of the binary, such as source code. In contrast, this contribution does not rely on source code nor the latest hardware technology (e.g., Intel Control-flow Enforcement Technology). Instead, we show that we can precisely restrict control flow transfers from transferring to non-intended paths even without these features. To that end, this contribution proposes a novel control-flow integrity policy based on a deny list called Control-flow Restriction (CFR). CFR determines which control flow transfers are allowed in the binary without requiring source code. Our implementation and evaluation of CFR show that it achieves this goal with an average runtime performance overhead for commercial off-the-shelf (COTS) binaries in the range of 5.5% to 14.3%. In contrast, a state-of-the-art binary-level solution such as BinCFI has an average overhead of 61.5%. Additionally, this dissertation explores leveraging the latest hardware security primitives to compartmentalize sensitive data. Specifically, we use a tagged memory architecture introduced by ARM called the Memory Tagging Extension (MTE), which assigns a metadata tag to a memory location that is associated with pointers referencing that memory location. Although promising, ARM MTE suffers from predictable tag allocation on stack data, vulnerable plain-text metadata tags, and lack of fine-grained memory access control. Therefore, this contribution introduces Shroud to enhance data security through compartmentalization using MTE and protect MTE's tagged pointers' vulnerability through encryption. Evaluation of Shroud demonstrates its security effectiveness against non-control-data attacks like Heartbleed and Data-Oriented Programming, with performance evaluations showing an average overhead of 4.2% on lighttpd and 2% on UnixBench. Finally, the NPB benchmark measured Shroud's overhead, showing an average runtime overhead of 2.57%. The vulnerabilities highlighted by exploits like Heartbleed capitalize on external inputs, underscoring the need for enhanced input-driven security measures. Therefore, this dissertation describes a method to improve upon the limitations of traditional compartmentalization techniques. This contribution introduces an Input-Based Compartmentalization System (IBCS), a comprehensive toolchain that utilizes user input to identify data for memory protection automatically. Based on user inputs, IBCS employs hybrid taint analysis to generate sensitive code paths and further analyze each tainted data using novel assembly analyses to identify and enforce selective targets. Evaluations of IBCS demonstrate its security effectiveness through adversarial analysis and report an average overhead of 3% on Nginx. Finally, this dissertation concludes by revisiting the problem of implementing a classical technique known as Software Fault Isolation (SFI) on an x86-64 architecture. Prior works attempting to implement SFI on an x86-64 architecture have suffered from supporting a limited number of sandboxes, high context-switch overhead, and requiring extensive modifications to the toolchain, jeopardizing maintainability and introducing compatibility issues due to the need for specific hardware. This dissertation describes x86-based Fault Isolation (XFI), an efficient SFI scheme implemented on an x86-64 architecture with minimal modifications needed to the toolchain, while reducing complexity in enforcing SFI policies with low performance (22.48% average) and binary size overheads (2.65% average). XFI initializes the sandbox environment for the rewritten binary and, depending on the instructions, enforces data-access and control-flow policies to ensure safe execution. XFI provides the security benefits of a classical SFI scheme and offers additional protection against several classes of side-channel attacks, which can be further extended to enhance its protection capabilities.
  • Thumbnail Image
    An Efficient Architecture For Networking Event-Based Fluorescent Imaging Analysis Processes
    Bright, Mark D. (Virginia Tech, 2023-01)
    Complex user-end procedures for the execution of computationally expensive processes and tools on high performance computing platforms can hinder the scientific progress of researchers across many domains. In addition, such processes occasionally cannot be executed on user-end platforms either due to insufficient hardware resources or unacceptably long computing times. Such circumstances currently extend to highly sophisticated algorithms and tools utilized for analysis of fluorescent imaging data. Although an extensive collection of cloud-computing solutions exist allowing software developers to resolve these issues, such solutions often abstract both developers and integrators from the executing hardware particulars and can inadvertently incentivize non-ideal software design practices. The discussion herein consists of the theoretical design and real-world realization of an efficient architecture to enable direct multi-user parallel remote utilization of such research tools. Said networked scalable real-time architecture is multi-tier, extensible by design to a vast collection of application archetypes, and is not strictly limited to imaging analysis applications. Transport layer interfaces for packetized binary data transmission, asynchronous command issuance mechanisms, compression and decompression algorithm aggregation, and relational database management systems for inter-tier communication intermediation enable a robust, lightweight, and efficient architecture for networking and remotely interfacing with fluorescent imaging analysis processes.
  • Thumbnail Image
    Gurthang - A Fuzzing Framework for Concurrent Network Servers
    Shugg, Connor William (Virginia Tech, 2022-06-13)
    The emergence of Internet-connected technologies has given the world a vast number of services easily reachable from our computers and mobile devices. Web servers are one of the dominant types of computer programs that provide these services to the world by serving files and computations to connected users. Because of their accessibility and importance, web servers must be robust to avoid exploitation by hackers and other malicious users. Fuzzing is a software testing technique that seeks to discover bugs in computer programs in an automated fashion. However, most state-of-the-art fuzzing tools (fuzzers) are incapable of fuzzing web servers effectively, due to their reliance on network connections to receive input and other unique constraints they follow. Past research exists to remedy this situation, and while they have had success, certain drawbacks are introduced in the process. To address this, we created Gurthang, a fuzzing framework that gives state-of-the-art fuzzers the ability to fuzz web servers easily, without having to modify source code, the web server's threading model, or fundamentally change the way a server behaves. We introduce novelty by providing the ability to establish and send data across multiple concurrent connections to the target web server in a single execution of a fuzzing campaign, thus opening the door to the discovery of concurrency-related bugs. We accomplish this through a novel file format and two shared libraries that harness existing state-of-the-art fuzzers. We evaluated Gurthang by performing a research study at Virginia Tech that yielded 48 discovered bugs among 55 web servers written by students. Participants utilized Gurthang to integrate fuzzing into their software development process and discover bugs. In addition, we evaluated Gurthang against Apache and Nginx, two real-world web servers. We did not discover any bugs on Apache or Nginx, but Gurthang successfully enabled us to fuzz them without needing to modify their source code. Our evaluations show Gurthang is capable of performing fuzz-testing on web servers and discovering real bugs.
  • Thumbnail Image
    Improving Operating System Security, Reliability, and Performance through Intra-Unikernel Isolation, Asynchronous Out-of-kernel IPC, and Advanced System Servers
    Sung, Mincheol (Virginia Tech, 2023-03-28)
    Computer systems are vulnerable to security exploits, and the security of the operating system (OS) is crucial as it is often a trusted entity that applications rely on. Traditional OSs have a monolithic design where all components are executed in a single privilege layer, but this design is increasingly inadequate as OS code sizes have become larger and expose a large attack surface. Microkernel OSs and multiserver OSs improve security and reliability through isolation, but they come at a performance cost due to crossing privilege layers through IPCs, system calls, and mode switches. Library OSs, on the other hand, implement kernel components as libraries which avoids crossing privilege layers in performance-critical paths and thereby improves performance. Unikernels are a specialized form of library OSs that consist of a single application compiled with the necessary kernel components, and execute in a single address space, usually atop a hypervisor for strong isolation. Unikernels have recently gained popularity in various application domains due to their better performance and security. Although unikernels offer strong isolation between each instance due to virtualization, there is no isolation within a unikernel. Since the model eliminates the traditional separation between kernel and user parts of the address space, the subversion of a kernel or application component will result in the subversion of the entire unikernel. Thus, a unikernel must be viewed as a single unit of trust, reducing security. The dissertation's first contribution is intra-unikernel isolation: we use Intel's Memory Protection Keys (MPK) primitive to provide per-thread permission control over groups of virtual memory pages within a unikernel's single address space, allowing different areas of the address space to be isolated from each other. We implement our mechanisms in RustyHermit, a unikernel written in Rust. Our evaluations show that the mechanisms have low overhead and retain unikernel's low system call latency property: 0.6% slowdown on applications including memory/compute intensive benchmarks as well as micro-benchmarks. Multiserver OS, a type of microkernel OS, has high parallelism potential due to its inherent compartmentalization. However, the model suffers from inferior performance. This is due to inter-process communication (IPC) client-server crossings that require context switches for single-core systems, which are more expensive than traditional system calls; on multi-core systems (now ubiquitous), they have poor resource utilization. The dissertation's second contribution is Aoki, a new approach to IPC design for microkernel OSs. Aoki incorporates non-blocking concurrency techniques to eliminate in-kernel blocking synchronization which causes performance challenges for state-of-the-art microkernels. Aoki's non-blocking (i.e., lock-free and wait-free) IPC design not only improves performance and scalability, but also enhances reliability by preventing thread starvation. In a multiserver OS setting, the design also enables the reconnection of stateful servers after failure without loss of IPC states. Aoki solves two problems that have plagued previous microkernel IPC designs: reducing excessive transitions between user and kernel modes and enabling efficient recovery from failures. We implement Aoki in the state-of-the-art seL4 microkernel. Results from our experiments show that Aoki outperforms the baseline seL4 in both fastpath IPC and cross-core IPC, with improvements of 2.4x and 20x, respectively. The Aoki IPC design enables the design of system servers for multiserver OSs with higher performance and reliability. The dissertation's third and final contribution is the design of a fault-tolerant storage server and a copy-free file system server. We build both servers using NetBSD OS's rumprun unikernel, which provides robust isolation through hardware virtualization, and is capable of handling a wide range of storage devices including NVMe. Both servers communicate with client applications using Aoki's IPC design, which yields scalable IPC. In the case of the storage server, the IPC also enables the server to transparently recover from server failures and reconnect to client applications, with no loss of IPC state and no significant overhead. In the copy-free file system server's design, applications grant the server direct memory access to file I/O data buffers for high performance. The performance problems solved in the server designs have challenged all prior multiserver/microkernel OSs. Our evaluations show that both servers have a performance comparable to Linux and the rumprun baseline.
  • Thumbnail Image
    Investigating Security Threats of Resource Mismanagement in Networked Systems
    Liu, Guannan (Virginia Tech, 2023-08-10)
    The complexity of networked systems has been continuously growing, and the abundance of online resources has presented practical management challenges. Specifically, system administrators are required to carefully configure their online systems to minimize security vulnerabilities of resource management, including resource creation, maintenance, and disposal. However, numerous networked systems have been exploited or compromised by adversaries, due to misconfiguration and mismanagement of human errors. In this dissertation, we explore different network systems to identify security vulnerabilities that adversaries could exploit for malicious purposes. First, we investigate the identity-account inconsistency threat, a new SSO vulnerability that can cause the compromise of online accounts. We demonstrate that this inconsistency in SSO authentication allows adversaries controlling a reused email address to take over online accounts without using any credentials. To substantiate our findings, we conduct a measurement study on the account management policies of various cloud email providers, highlighting the feasibility of acquiring previously used email accounts. To gain insight into email reuse in the wild, we examine commonly employed naming conventions that contribute to a significant number of potential email address collisions. To mitigate the identity-account inconsistency threat, we propose a range of useful practices for end-users, service providers, and identity providers. Secondly, we present a comprehensive study on the vulnerability of container registries to typosquatting attacks. In typosquatting attacks, adversaries intentionally upload malicious container images with identifiers similar to those of benign images, leading users to inadvertently download and execute malicious images. Our study demonstrates that typosquatting attacks can pose a significant security threat across public and private container registries, as well as across multiple platforms. To mitigate the typosquatting attacks in container registries, we propose CRYSTAL, a lightweight extension to the existing Docker command-line interface. Thirdly, we present an in-depth study on hardware resource management in cloud gaming services. Our research uncovers that adversaries can intentionally inject malicious programs or URLs into these services using game mods. To demonstrate the severity of these vulnerabilities, we conduct four proof-of-concept attacks on cloud gaming services, including crypto-mining, machine-learning model training, Command and Control, and censorship circumvention. In response to these threats, we propose several countermeasures that cloud gaming services can implement to safeguard their valuable assets from malicious exploitation. These countermeasures aim to enhance the security of cloud gaming services and mitigate the security risks associated with hardware mismanagement. Last but not least, we present a comprehensive and systematic study on NXDomain, examining its scale, origin, and security implications. By leveraging a large-scale passive DNS database, we analyze a vast dataset spanning from 2014 to 2022, identifying an astonishing 146 trillion NXDomains queried by DNS users. To gain further insights into the usage patterns and security risks associated with NXDomains, we carefully select and register 19 NXDomains in the DNS database. To analyze the behavior and sources of these queries, we deploy a honeypot for our registered domains and collect 5,925,311 queries over a period of six months. Furthermore, we conduct extensive traffic analysis on the collected data, uncovering various malicious uses of NXDomains, including botnet takeovers, malicious file injections, and exploitation of residual trust.
  • Thumbnail Image
    Oblivious RAM in Scalable SGX
    Marathe, Akhilesh Parag (Virginia Tech, 2024-06-05)
    The prevalence of cloud storage has yielded significant benefits to consumers. Trusted Exe- cution Environments (TEEs) have been introduced to protect program execution and data in the cloud. However, an attacker targeting the cloud storage server through side-channel attacks can still learn some data in TEEs. This data retrieval is possible through the monitor- ing and analysis of the encrypted ciphertext as well as a program's memory access patterns. As the attacks grow in complexity and accuracy, innovative protection methods must be de- signed to secure data. This thesis proposes and implements an ORAM controller primitive in TEE and protects it from all potential side-channel attacks. This thesis presents two vari- ations, each with two different encryption methods designed to mitigate attacks targeting both memory access patterns and ciphertext analysis. The latency for enabling this protec- tion is calculated and proven to be 75.86% faster overall than the previous implementation on which this thesis is based.
  • Thumbnail Image
    On Optimizing and Leveraging Distributed Shared Memory for High Performance, Resource Aggregation, and Cache-coherent Heterogeneous-ISA Processors
    Chuang, Ho-Ren (Virginia Tech, 2022-06-28)
    This dissertation focuses on the problem space of heterogeneous-ISA multiprocessors – an architectural design point that is being studied by the academic research community and increasingly available in commodity systems. Since such architectures usually lack globally coherent shared memory, software-based distributed shared memory (DSM) is often used to provide the illusion of such a memory. The DSM abstraction typically provides this illusion using a reader-replicate, writer-invalidate memory consistency protocol that operates at the granularity of memory pages and is usually implemented as a first-class operating system abstraction. This enables symmetric multiprocessing (SMP) programming frameworks, augmented with a heterogeneous-ISA compiler, to use CPU cores of different ISAs for parallel computations as if they are of the same ISA, improving programmability, especially for legacy SMP applications which therefore can run unmodified on such hardware. Past DSMs have been plagued by poor performance, in part due to the high latency and low bandwidth of interconnect network infrastructures. The dissertation revisits DSM in light of modern interconnects that reverse this performance trend. The dissertation presents Xfetch, a bulk page prefetching mechanism designed for the DEX DSM system. Xfetch exploits spatial locality, and aggressively and sequentially prefetches pages before potential read faults, improving DSM performance. Our experimental evaluations reveal that Xfetch achieves up to ≈142% speedup over the baseline DEX DSM that does not prefetch page data. SMP programming models often allow primitives that permit weaker memory consistency semantics, where synchronization updates can be delayed, permitting greater parallelism and thereby higher performance. Inspired by such primitives, the dissertation presents a DSM protocol called MWPF that trades-off memory consistency for higher performance in select SMP code regions, targeting heterogeneous-ISA multiprocessor systems. MWPF also overcomes performance bottlenecks of past DSM systems for heterogeneous-ISA multiprocessors such as due to significant number of invalidation messages, false page sharing, large number of read page faults, and large synchronization overheads by using efficient protocol primitives that delay and batch invalidation messages, aggressively prefetch data pages, and perform cross-domain synchronization with low overhead. Our experimental evaluations reveal that MWPF achieves, on average, 11% speedup over the baseline DSM implementation. The dissertation presents PuzzleHype, a distributed hypervisor that enables a single virtual machine (VM) to use fragmented resources in distributed virtualized settings such as CPU cores, memory, and devices of different physical hosts, and thereby decrease resource fragmentation and increase resource utilization. PuzzleHype leverages DSM implemented in host operating systems to present an unified and consistent view of a continuous pseudo-physical address space to guest operating systems. To transparently utilize CPU and I/O resources, PuzzleHype integrates multiple physical CPUs into a single VM by migrating threads, forwarding interrupts, and by delegating I/O. Our experimental evaluations reveal that PuzzleHype yields speedups in the range of 355%–173% over baseline over-provisioning scenarios which are otherwise necessary due to resource fragmentation. To enable a distributed hypervisor to adapt to resource and workload changes, the dissertation proposes the concept of CPU borrowing that allows a VM's virtual CPU (vCPU) to migrate to an available physical CPU (pCPU) and release it when it is no longer necessary, i.e., CPU returning. CPU borrowing can thus be used when a node is over-committed, and CPU returning can be used when the borrowed CPU resource is no longer necessary. To transparently migrate a vCPU at runtime without incurring a significant downtime, the dissertation presents a suite of techniques including leveraging thread migration, loading/restoring vCPU in KVM states, maintaining a global vCPU location table, and creating a DSM kernel thread for handling on-demand paging. Our experimental evaluations reveal that migrating vCPUs to resource-available nodes achieves a speedup of 1.4x over running the vCPUs on distributed nodes. When a VM spans multiple nodes, it is likelihood for failure increases. To mitigate this, the dissertation presents a distributed checkpoint/restart mechanism that allows a distributed VM to tolerate failures. A user interface is introduced for sending/receiving checkpoint/restart commands to a distributed VM. We implement the checkpoint/restart technique in the native KVM tool, and extend it to a distributed mode by converting Inter-Process Communication (IPC) into message passing between nodes, pausing/resuming distributed vCPU executions, and loading/restoring runtime states on the correct set of nodes. Our experimental evaluations indicate that the overhead of checkpointing a distributed VM is ≈10% or less than that of the native KVM tool with our checkpoint support. Restarting a distributed VM is faster than native KVM with our restart support because no additional page faults occur during restarting. The dissertation's final contribution is PopHype, a system software stack that allows simulation of cache-coherent, shared memory heterogeneous-ISA hardware. PopHype includes a Linux operating system that implements DSM as an OS abstraction for processes, i.e., allows multiple processes running on multiple (ISA-different) machines to share memory. With KVM-enabled, this OS becomes a hypervisor that allows multiple, process-based instances of an architecture emulator such as QEMU to execute in a shared address space, allowing multiple QEMU instances to emulate different ISAs in shared memory, i.e., emulate shared memory heterogeneous-ISA hardware. PopHype also includes a modified QEMU to use process-level DSM and an optimized guest OS kernel for improved performance. Our experimental studies confirm PopHype's effectiveness, and reveal that PopHype achieves an average speedup of 7.32x over a baseline that runs multiple QEMU instances in shared memory atop a single host OS.
  • Thumbnail Image
    OPTILOD: Optimal Beacon Placement for High-Accuracy Indoor Localization of Drones
    Famili, Alireza; Stavrou, Angelos; Wang, Haining; Park, Jung-Min (Jerry) (MDPI, 2024-03-14)
    For many applications, drones are required to operate entirely or partially autonomously. In order to fly completely or partially on their own, drones need to access location services for navigation commands. While using the Global Positioning System (GPS) is an obvious choice, GPS is not always available, can be spoofed or jammed, and is highly error-prone for indoor and underground environments. The ranging method using beacons is one of the most popular methods for localization, especially for indoor environments. In general, the localization error in this class is due to two factors: the ranging error, and the error induced by the relative geometry between the beacons and the target object to be localized. This paper proposes OPTILOD (Optimal Beacon Placement for High-Accuracy Indoor Localization of Drones), an optimization algorithm for the optimal placement of beacons deployed in three-dimensional indoor environments. OPTILOD leverages advances in evolutionary algorithms to compute the minimum number of beacons and their optimal placement, thereby minimizing the localization error. These problems belong to the Mixed Integer Programming (MIP) class and are both considered NP-hard. Despite this, OPTILOD can provide multiple optimal beacon configurations that minimize the localization error and the number of deployed beacons concurrently and efficiently.
  • Thumbnail Image
    PACTIGHT: Tightly Seal Sensitive Pointers with Pointer Authentication
    Ismail, Mohannad A (Virginia Tech, 2021-12-02)
    ARM is becoming more popular in desktops and data centers. This opens a new realm in terms of security attacks against ARM, increasing the importance of having an effective and efficient defense mechanism for ARM. ARM has released Pointer Authentication, a new hardware security feature that is intended to ensure pointer integrity with cryptographic primitives. Recently, it has been found to be vulnerable. In this thesis, we utilize Pointer Authentication to build a novel scheme to completely prevent any misuse of security-sensitive pointers. We propose PACTight to tightly seal these pointers from attacks targeting Pointer Authentication itself as well as from control-flow hijacks. PACTight utilizes a strong and unique modifier that addresses the current issues with PAC and its implementations. We implement four defenses by fully integrating with the LLVM compiler toolchain. Through a robust and systemic security and performance evaluation, we show that PACTight defenses are more efficient and secure than their counterparts. We evaluated PACTight on 30 different applications, including NGINX web server and using real PAC instructions, with an average performance and memory overhead of 4.28% and 23.2% respectively even when enforcing its strongest defense. As far as we know, PACTight is the first defense mechanism to demonstrate effectiveness and efficiency with real PAC instructions.
  • Thumbnail Image
    Practical Mitigations Against Memory Corruption and Transient Execution Attacks
    Ismail, Mohannad Adel Abdelmoniem Ahmed (Virginia Tech, 2024-05-31)
    Memory corruption attacks have existed in C and C++ for more than 30 years, and over the years many defenses have been proposed. In addition to that, a new class of attacks, Spectre, has emerged that abuse speculative execution to leak secrets and sensitive data through micro-architectural side channels. Many defenses have been proposed to mitigate Spectre as well. However, with every new defense a new attack emerges, and then a new defense is proposed. This is an ongoing cycle between attackers and defenders. There exists many defenses for many different attack avenues. However, many suffer from either practicality or effectiveness issues, and security researchers need to balance out their compromises. Recently, many hardware vendors, such as Intel and ARM, have realized the extent of the issue of memory corruption attacks and have developed hardware security mechanisms that can be utilized to defend against these attacks. ARM, in particular, has released a mechanism called Pointer Authentication in which its main intended use is to protect the integrity of pointers by generating a Pointer Authentication Code (PAC) using a cryptographic hash function, as a Message Authentication Code (MAC), and placing it on the top unused bits of a 64-bit pointer. Placing the PAC on the top unused bits of the pointer changes its semantics and the pointer cannot be used unless it is properly authenticated. Hardware security features such as PAC are merely mechanisms not full fledged defences, and their effectiveness and practicality depends on how they are being utililzed. Naive use of these defenses doesn't alleviate the issues that exist in many state-of-the-art software defenses. The design of the defense that utilizes these hardware security features needs to have practicality and effectiveness in mind. Having both practicality and effectiveness is now a possible reality with these new hardware security features. This dissertation describes utilizing hardware security features, namely ARM PAC, to build effective and practical defense mechanisms. This dissertation first describes my past work called PACTight, a PAC based defense mechanism that defends against control-flow hijack- ing attacks. PACTight defines three security properties of a pointer such that, if achieved, prevent pointers from being tampered with. They are: 1) unforgeability: A pointer p should always point to its legitimate object; 2) non-copyability: A pointer p can only be used when it is at its specific legitimate location; 3) non-dangling: A pointer p cannot be used after it has been freed. PACTight tightly seals pointers and guarantees that a sealed pointer cannot be forged, copied, or dangling. PACTight protects all sensitive pointers, which are code pointers and pointers that point to code pointers. This completely prevents control-flow hijacking attacks, all while having low performance overhead. In addition to that, this dissertation proposes Scope-Type Integrity (STI), a new defense policy that enforces pointers to conform to the programmer's intended manner, by utilizing scope, type, and permission information. STI collects information offline about the type, scope, and permission (read/write) of every pointer in the program. This information can then be used at runtime to ensure that pointers comply with their intended purpose. This allows STI to defeat advanced pointer attacks since these attacks typically violate either the scope, type, or permission. We present Runtime Scope-Type Integrity (RSTI). RSTI leverages ARM Pointer Authentication (PA) to generate Pointer Authentication Codes (PACs), based on the information from STI, and place these PACs at the top bits of the pointer. At runtime, the PACs are then checked to ensure pointer usage complies with STI. RSTI overcomes two drawbacks that were present in PACTight: 1) PACTight relied on a large external metadata for protection, whereas RSTI uses very little metadata. 2) PACTight only protected a subset of pointers, whereas RSTI protects all pointers in a program. RSTI has large coverage with relatively low overhead. Also, this dissertation proposes sPACtre, a new and novel defense mechanism that aims to prevent Spectre control-flow attacks on existing hardware. sPACtre is an ARM-based defense mechanism that prevents Spectre control-flow attacks by relying on ARM's Pointer Authentication hardware security feature, annotations added to the program on the secrets that need to be protected from leakage and a dynamic tag-based bounds checking mechanism for arrays. We show that sPACtre can defend against these attacks. We evaluate sPACtre on a variety of cryptographic libraries with several cryptographic algorithms, as well as a synthetic benchmark, and show that it is efficient and has low performance overhead Finally, this dissertation explains a new direction for utilizing hardware security features to protect energy harvesting devices from checkpoint-recovery errors and malicious attackers.
  • Thumbnail Image
    Precise Geolocation for Drones, Metaverse Users, and Beyond: Exploring Ranging Techniques Spanning 40 KHz to 400 GHz
    Famili, Alireza (Virginia Tech, 2024-01-09)
    This dissertation explores the realm of high-accuracy localization through the utilization of ranging-based techniques, encompassing a spectrum of signals ranging from low-frequency ultrasound acoustic signals to more intricate high-frequency signals like Wireless Fidelity (Wi-Fi) IEEE 802.11az, 5G New Radio (NR), and 6G. Moreover, another contribution is the conception of a novel timing mechanism and synchronization protocol grounded in tunable quantum photonic oscillators. In general, our primary focus is to facilitate precise indoor localization, where conventional GPS signals are notably absent. To showcase the significance of this innovation, we present two vital use cases at the forefront: drone localization and metaverse user positioning. In the context of indoor drone localization, the spectrum of applications ranges from recreational enthusiasts to critical missions requiring pinpoint accuracy. At the hobbyist level, drones can autonomously navigate intricate indoor courses, enriching the recreational experience. As a finer illustration of a hobbyist application, consider the case of ``follow me drones". These specialized drones are tailored for indoor photography and videography, demanding an exceptionally accurate autonomous flight capability. This precision is essential to ensure the drone can consistently track and capture its designated subject, even as it moves within the confined indoor environment. Moving on from hobby use cases, the technology extends its profound impact to more crucial scenarios, such as search and rescue operations within confined spaces. The ability of drones to localize with high precision enhances their autonomy, allowing them to maneuver seamlessly, even in environments where human intervention proves challenging. Furthermore, the technology holds the potential to revolutionize the metaverse. Within the metaverse, where augmented and virtual realities converge, the importance of high-accuracy localization is amplified. Immersive experiences like Augmented/Virtual/Mixed Reality (AR/VR/MR) gaming rely heavily on precise user positioning to create seamless interactions between digital and physical environments. In entertainment, this innovation sparks innovation in narrative design, enhancing user engagement by aligning virtual elements with real-world surroundings. Beyond entertainment, applications extend to areas like telemedicine, enabling remote medical procedures with virtual guidance that matches physical reality. In light of all these examples, the imperative for an advanced high-accuracy localization system has become increasingly pronounced. The core objective of this dissertation is to address this pressing need by engineering systems endowed with exceptional precision in localization. Among the array of potential techniques suitable for GPS-absent scenarios, we have elected to focus on ranging-based methods. Specifically, our methodologies are built upon the fundamental principles of time of arrival, time difference of arrival, and time of flight measurements. In essence, each of our devised systems harnesses the capabilities of beacons such as ultrasound acoustic sensors, 5G femtocells, or Wi-Fi access points, which function as the pivotal positioning nodes. Through the application of trilateration techniques, based on the calculated distances between these positioning nodes and the integrated sensors on the drone or metaverse user side, we facilitate robust three-dimensional localization. This strategic approach empowers us to realize our ambition of creating localization systems that not only compensate for the absence of GPS signals but also deliver unparalleled accuracy and reliability in complex and dynamic indoor environments. A significant challenge that we confronted during our research pertained to the disparity in z-axis localization performance compared to that of the x-y plane. This nuanced yet pivotal concern often remains overlooked in much of the prevailing state-of-the-art literature, which predominantly emphasizes two-dimensional localization methodologies. Given the demanding context of our work, where drones and metaverse users navigate dynamically across all three dimensions, the imperative for three-dimensional localization became evident. To address this, we embarked on a comprehensive analysis, encompassing mathematical derivations of error bounds for our proposed localization systems. Our investigations unveiled that localization errors trace their origins to two distinct sources: errors induced by ranging-based factors and errors stemming from geometric considerations. The former category is chiefly influenced by factors encompassing the quality of measurement devices, channel quality in which the signal communication between the sensor on the user and the positioning nodes takes place, environmental noise, multipath interference, and more. In contrast, the latter category, involving geometry-induced errors, arises primarily from the spatial configuration of the positioning nodes relative to the user. Throughout our journey, we dedicated efforts to mitigate both sources of error, ensuring the robustness of our system against diverse error origins. Our approach entails a two-fold strategy for each proposed localization system. Firstly, we introduce innovative techniques such as Frequency-Hopping Spread Spectrum (FHSS) and Frequency-Hopping Code Division Multiple Access (FH-CDMA) and incorporate devices such as Reconfigurable Intelligent Surfaces (RIS) and photonic oscillators to fortify the system against errors stemming from ranging-related factors. Secondly, we devised novel evolutionary-based optimization algorithms, adept at addressing the complex NP-Hard challenge of optimal positioning node placement. This strategic placement mitigates the impact of geometry-induced errors on localization accuracy across the entire environmental space. By meticulously addressing both these sources of error, our localization systems stand as a testament to comprehensive robustness and accuracy. Our methodologies not only extend the frontiers of three-dimensional localization but also equip the systems to navigate the intricacies of indoor environments with precision and reliability, effectively fulfilling the evolving demands of drone navigation and metaverse user interaction.
  • Thumbnail Image
    Random Linear Network Coding Enabled Routing Protocol in UAV Swarm Networks: Development, Emulation, and Optimization
    Xu, Bowen (Virginia Tech, 2021-12-10)
    The development of Unmanned Aerial Vehicles (UAVs) and fifth-generation (5G) wireless technology provides more possibilities for wireless networks. The application of UAVs is gradually evolving from individual UAVs performing tasks to UAV swarm performing tasks in concert. A UAV swarm network is when many drones work cooperatively in a swarm mode to achieve a particular goal. Due to the UAV swarm's easy deployment, self-organization, self-management, and high flexibility, it can provide robust and efficient wireless communications in some unique scenarios, such as emergency communications, hotspot region coverage, sensor networks, and vehicular networks. Therefore, UAV networks have attracted more and more attention from commercial and military; however, many problems need to be resolved before UAV cellular communications become a reality. One of the most challenging core components is the routing protocol design in the UAV swarm network. Due to the high mobility of UAVs, the position of each UAV changes dynamically, so problems such as high latency, high packet loss rate, and even loss of connection arise when UAVs are far apart. These problems dramatically reduce the transmission rate and data integrity for traditional routing protocols based on path discovery. This thesis focuses on developing, emulating, and optimizing a flooding-based routing protocol for UAV swarm using Random Linear Network Coding (RLNC) to improve the latency and bit rate and solve the packet loss problem without routing information and network topology. RLNC can reduce the number of packets demand in some hops. Due to this feature of RLNC, when relay transmitter UAVs or the destination receiver UAV receive sufficient encoded packets from any transmitter UAVs, the raw data can be decoded. For those relay transmitter UAVs in the UAV swarm network that already received some encoded packets in previous hops but not enough to decode the raw data, only need to receive the rest of the different encoded packets needed for decoding. Thus, flooding-based routing protocol significantly improves transmission efficiency in the UAV swarm network.
  • Thumbnail Image
    Ransomware Detection Using Windows API Calls and Machine Learning
    Karanam, Sanjula (Virginia Tech, 2023-05-31)
    Ransomware is an ever-growing issue that has been affecting individuals and corporations since its inception, leading to losses of the order of billions each year. This research builds upon the existing body of research pertaining to ransomware detection for Windows-based platforms through behavioral analysis using sandboxing techniques and classification using machine learning (ML), considering the various predefined function calls, known as API (Application Programming Interface) calls, made by ransomware and benign samples as classifying features. The primary aim of this research is to study the effect of the frequency of API calls made by ransomware samples spanning across a large number of ransomware families exhibiting varied behavior, and benign samples on the classification accuracy of various ML algorithms. Conducting an experiment based on this, a quantitative analysis of the ML classification algorithms was performed, for the frequency of API calls based input and binary input based on the existence of an API call, resulting in the conclusion that considering the frequency of API calls marginally improves the ransomware recall rate. The secondary research question posed by this research aims to justify the ML classification of ransomware by conducting behavioral analysis of ransomware and goodware in the context of the API calls that had a major effect on the classification of ransomware. This research was able to provide meaningful insights into the runtime behavior of ransomware and goodware, and how such behavior including API calls and their frequencies were in line with the MLbased classification of ransomware.