Visible to the public Biblio

Filters: Author is Chen, L.  [Clear All Filters]
2019-10-14
Guo, Y., Chen, L., Shi, G..  2018.  Function-Oriented Programming: A New Class of Code Reuse Attack in C Applications. 2018 IEEE Conference on Communications and Network Security (CNS). :1–9.
Control-hijacking attacks include code injection attacks and code reuse attacks. In recent years, with the emergence of the defense mechanism data-execution prevention(DEP), code reuse attacks have become mainstream, such as return-oriented programming(ROP), Jump-Oriented Programming(JOP), and Counterfeit Object-oriented Programming(COOP). And a series of defensive measures have been proposed, such as DEP, address space layout randomization (ASLR), coarse-grained Control-Flow Integrity(CFI) and fine-grained CFI. In this paper, we propose a new attack called function-oriented programming(FOP) to construct malicious program behavior. FOP takes advantage of the existing function of the C program to induce attack. We propose concrete algorithms for FOP gadgets and build a tool to identify FOP gadgets. FOP can successfully bypass coarse-grained CFI, and FOP also can bypass some existing fine-grained CFI technologies, such as shadow stack technology. We show a real-world attack for proftpd1.3.0 server in the Linux x64 environment. We believe that the FOP attack will encourage people to come up with more effective defense measures.
2019-10-08
Liu, Y., Yuan, X., Li, M., Zhang, W., Zhao, Q., Zhong, J., Cao, Y., Li, Y., Chen, L., Li, H. et al..  2018.  High Speed Device-Independent Quantum Random Number Generation without Detection Loophole. 2018 Conference on Lasers and Electro-Optics (CLEO). :1–2.

We report a an experimental study of device-independent quantum random number generation based on an detection-loophole free Bell test with entangled photons. After considering statistical fluctuations and applying an 80 Gb × 45.6 Mb Toeplitz matrix hashing, we achieve a final random bit rate of 114 bits/s, with a failure probability less than 10-5.

2019-04-01
Hu, Y., Chen, L., Cheng, J..  2018.  A CAPTCHA recognition technology based on deep learning. 2018 13th IEEE Conference on Industrial Electronics and Applications (ICIEA). :617–620.
Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) is an important human-machine distinction technology for website to prevent the automatic malicious program attack. CAPTCHA recognition studies can find security breaches in CAPTCHA, improve CAPTCHA technology, it can also promote the technologies of license plate recognition and handwriting recognition. This paper proposed a method based on Convolutional Neural Network (CNN) model to identify CAPTCHA and avoid the traditional image processing technology such as location and segmentation. The adaptive learning rate is introduced to accelerate the convergence rate of the model, and the problem of over-fitting and local optimal solution has been solved. The multi task joint training model is used to improve the accuracy and generalization ability of model recognition. The experimental results show that the model has a good recognition effect on CAPTCHA with background noise and character adhesion distortion.
Xu, L., Chen, L., Gao, Z., Chang, Y., Iakovou, E., Shi, W..  2018.  Binding the Physical and Cyber Worlds: A Blockchain Approach for Cargo Supply Chain Security Enhancement. 2018 IEEE International Symposium on Technologies for Homeland Security (HST). :1–5.

Maritime transportation plays a critical role for the U.S. and global economies, and has evolved into a complex system that involves a plethora of supply chain stakeholders spread around the globe. The inherent complexity brings huge security challenges including cargo loss and high burdens in cargo inspection against illicit activities and potential terrorist attacks. The emerging blockchain technology provides a promising tool to build a unified maritime cargo tracking system critical for cargo security. However, most existing efforts focus on transportation data itself, while ignoring how to bind the physical cargo movements and information managed by the system consistently. This can severely undermine the effectiveness of securing cargo transportation. To fulfill this gap, we propose a binding scheme leveraging a novel digital identity management mechanism. The digital identity management mechanism maps the best practice in the physical world to the cyber world and can be seamlessly integrated with a blockchain-based cargo management system.

2019-03-18
Chen, L., Liu, J., Ha, W..  2018.  Cloud Service Risk in the Smart Grid. 2018 14th International Conference on Computational Intelligence and Security (CIS). :242–244.

Smart grid utilizes cloud service to realize reliable, efficient, secured, and cost-effective power management, but there are a number of security risks in the cloud service of smart grid. The security risks are particularly problematic to operators of power information infrastructure who want to leverage the benefits of cloud. In this paper, security risk of cloud service in the smart grid are categorized and analyzed characteristics, and multi-layered index system of general technical risks is established, which applies to different patterns of cloud service. Cloud service risk of smart grid can evaluate according indexes.

2019-01-31
Zhang, H., Chen, L., Liu, Q..  2018.  Digital Forensic Analysis of Instant Messaging Applications on Android Smartphones. 2018 International Conference on Computing, Networking and Communications (ICNC). :647–651.

In this paper, we discuss the digital forensic procedure and techniques for analyzing the local artifacts from four popular Instant Messaging applications in Android. As part of our findings, the user chat messages details and contacts were investigated for each application. By using two smartphones with different brands and the latest Android operating systems as experimental objects, we conducted digital investigations in a forensically sound manner. We summarize our findings regarding the different Instant Messaging chat modes and the corresponding encryption status of artifacts for each of the four applications. Our findings can be helpful to many mobile forensic investigations. Additionally, these findings may present values to Android system developers, Android mobile app developers, mobile security researchers as well as mobile users.

2019-01-16
Horton, M., Samanta, B., Reid, C., Chen, L., Kadlec, C..  2018.  Development of a Secure, Heterogeneous Cloud Robotics Infrastructure: Implementing a Mesh VPN and Robotic File System Security Practices. SoutheastCon 2018. :1–8.
Robotics and the Internet of Things (IoT) are enveloping our society at an exponential rate due to lessening costs and better availability of hardware and software. Additionally, Cloud Robotics and Robot Operating System (ROS) can offset onboard processing power. However, strong and fundamental security practices have not been applied to fully protect these systems., partially negating the benefits of IoT. Researchers are therefore tasked with finding ways of securing communications and systems. Since security and convenience are oftentimes at odds, securing many heterogeneous components without compromising performance can be daunting. Protecting systems from attacks and ensuring that connections and instructions are from approved devices, all while maintaining the performance is imperative. This paper focuses on the development of security best practices and a mesh framework with an open-source, multipoint-to-multipoint virtual private network (VPN) that can tie Linux, Windows, IOS., and Android devices into one secure fabric, with heterogeneous mobile robotic platforms running ROSPY in a secure cloud robotics infrastructure.
2018-11-14
Xi, Z., Chen, L., Chen, M., Dai, Z., Li, Y..  2018.  Power Mobile Terminal Security Assessment Based on Weights Self-Learning. 2018 10th International Conference on Communication Software and Networks (ICCSN). :502–505.

At present, mobile terminals are widely used in power system and easy to be the target or springboard to attack the power system. It is necessary to have security assessment of power mobile terminal system to enable early warning of potential risks. In the context, this paper builds the security assessment system against to power mobile terminals, with features from security assessment system of general mobile terminals and power application scenarios. Compared with the existing methods, this paper introduces machine learning to the Rank Correlation Analysis method, which relies on expert experience, and uses objective experimental data to optimize the weight parameters of the indicators. From experiments, this paper proves that weights self-learning method can be used to evaluate the security of power mobile terminal system and improve credibility of the result.

2018-05-24
Chen, L., Yue, D., Dou, C., Ge, H., Lu, J., Yang, X..  2017.  Cascading Failure Initially from Power Grid in Interdependent Networks. 2017 IEEE Conference on Energy Internet and Energy System Integration (EI2). :1–5.

The previous consideration of power grid focuses on the power system itself, however, the recent work is aiming at both power grid and communication network, this coupling networks are firstly called as interdependent networks. Prior study on modeling interdependent networks always extracts main features from real networks, the model of network A and network B are completely symmetrical, both degree distribution in intranetwork and support pattern in inter-network, but in reality this circumstance is hard to attain. In this paper, we deliberately set both networks with same topology in order to specialized research the support pattern between networks. In terms of initial failure from power grid or communication network, we find the remaining survival fraction is greatly disparate, and the failure initially from power grid is more harmful than failure initially from communication network, which all show the vulnerability of interdependency and meantime guide us to pay more attention to the protection measures for power grid.

2018-04-02
Jia, J., Chen, L..  2017.  (L, m, d) \#x2014; Anonymity : A Resisting Similarity Attack Model for Multiple Sensitive Attributes. 2017 IEEE 2nd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC). :756–760.

Preserving privacy is extremely important in data publishing. The existing privacy-preserving models are mostly oriented to single sensitive attribute, can not be applied to multiple sensitive attributes situation. Moreover, they do not consider the semantic similarity between sensitive attribute values, and may be vulnerable to similarity attack. In this paper, we propose a (l, m, d)-anonymity model for multiple sensitive attributes similarity attack, where m is the dimension of the sensitive attributes. This model uses the semantic hierarchical tree to analyze and compute the semantic dissimilarity between sensitive attribute values, and each equivalence class must exist at least l sensitive attribute values that satisfy d-different on each dimension sensitive attribute. Meanwhile, in order to make the published data highly available, our model adopts the distance-based measurement method to divide the equivalence class. We carry out extensive experiments to certify the (1, m, d)-anonymity model can significantly reduce the probability of sensitive information leakage and protect individual privacy more effectively.

2018-02-06
Camenisch, J., Chen, L., Drijvers, M., Lehmann, A., Novick, D., Urian, R..  2017.  One TPM to Bind Them All: Fixing TPM 2.0 for Provably Secure Anonymous Attestation. 2017 IEEE Symposium on Security and Privacy (SP). :901–920.

The Trusted Platform Module (TPM) is an international standard for a security chip that can be used for the management of cryptographic keys and for remote attestation. The specification of the most recent TPM 2.0 interfaces for direct anonymous attestation unfortunately has a number of severe shortcomings. First of all, they do not allow for security proofs (indeed, the published proofs are incorrect). Second, they provide a Diffie-Hellman oracle w.r.t. the secret key of the TPM, weakening the security and preventing forward anonymity of attestations. Fixes to these problems have been proposed, but they create new issues: they enable a fraudulent TPM to encode information into an attestation signature, which could be used to break anonymity or to leak the secret key. Furthermore, all proposed ways to remove the Diffie-Hellman oracle either strongly limit the functionality of the TPM or would require significant changes to the TPM 2.0 interfaces. In this paper we provide a better specification of the TPM 2.0 interfaces that addresses these problems and requires only minimal changes to the current TPM 2.0 commands. We then show how to use the revised interfaces to build q-SDH-and LRSW-based anonymous attestation schemes, and prove their security. We finally discuss how to obtain other schemes addressing different use cases such as key-binding for U-Prove and e-cash.

2018-02-02
Chen, L., May, J..  2017.  Theoretical Feasibility of Statistical Assurance of Programmable Systems Based on Simulation Tests. 2017 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C). :630–631.

This presents a new model to support empirical failure probability estimation for a software-intensive system. The new element of the approach is that it combines the results of testing using a simulated hardware platform with results from testing on the real platform. This approach addresses a serious practical limitation of a technique known as statistical testing. This limitation will be called the test time expansion problem (or simply the 'time problem'), which is that the amount of testing required to demonstrate useful levels of reliability over a time period T is many orders of magnitude greater than T. The time problem arises whether the aim is to demonstrate ultra-high reliability levels for protection system, or to demonstrate any (desirable) reliability levels for continuous operation ('high demand') systems. Specifically, the theoretical feasibility of a platform simulation approach is considered since, if this is not proven, questions of practical implementation are moot. Subject to the assumptions made in the paper, theoretical feasibility is demonstrated.

2017-12-28
Chen, L., Dai, W., Qiu, M., Jiang, N..  2017.  A Design for Scalable and Secure Key-Value Stores. 2017 IEEE International Conference on Smart Cloud (SmartCloud). :216–221.

Reliable and scalable storage systems are key to cloud-based applications. In cloud storage, users store their data on remote servers rather than their local computers. Secure storage is used to ensure the safety of data in clouds. As more and more users rely on third-party cloud vendors to store their data, concerns have arisen among users and cloud providers. Encryption-based approaches are commonly used in secure storage systems. Data are encrypted and stored on persistent storage like disks and flash memories. When data are needed by the users, they are decrypted and accessed by the users. This way of managing data hurts the scalability and throughput of cloud systems. In the meantime, cloud systems have to perform fault-tolerance strategies on data, which also brings performance deduction. The combination of these issues cause a high price for data security in cloud systems. Aware of such issues. we propose methods to reduce the overhead of secure storage while guaranteeing the safeness of data.

2017-11-13
Yu, F., Chen, L., Zhang, H..  2016.  Virtual TPM Dynamic Trust Extension Suitable for Frequent Migrations. 2016 IEEE Trustcom/BigDataSE/ISPA. :57–65.

This paper has presented an approach of vTPM (virtual Trusted Platform Module) Dynamic Trust Extension (DTE) to satisfy the requirements of frequent migrations. With DTE, vTPM is a delegation of the capability of signing attestation data from the underlying pTPM (physical TPM), with one valid time token issued by an Authentication Server (AS). DTE maintains a strong association between vTPM and its underlying pTPM, and has clear distinguishability between vTPM and pTPM because of the different security strength of the two types of TPM. In DTE, there is no need for vTPM to re-acquire Identity Key (IK) certificate(s) after migration, and pTPM can have a trust revocation in real time. Furthermore, DTE can provide forward security. Seen from the performance measurements of its prototype, DTE is feasible.

2017-02-27
Ismail, Z., Leneutre, J., Bateman, D., Chen, L..  2015.  A Game-Theoretical Model for Security Risk Management of Interdependent ICT and Electrical Infrastructures. 2015 IEEE 16th International Symposium on High Assurance Systems Engineering. :101–109.

The communication infrastructure is a key element for management and control of the power system in the smart grid. The communication infrastructure, which can include equipment using off-the-shelf vulnerable operating systems, has the potential to increase the attack surface of the power system. The interdependency between the communication and the power system renders the management of the overall security risk a challenging task. In this paper, we address this issue by presenting a mathematical model for identifying and hardening the most critical communication equipment used in the power system. Using non-cooperative game theory, we model interactions between an attacker and a defender. We derive the minimum defense resources required and the optimal strategy of the defender that minimizes the risk on the power system. Finally, we evaluate the correctness and the efficiency of our model via a case study.