Oct 18, 2021
A New Approach to Complex Dynamic Geofencing for Unmanned Aerial Vehicles
Vihangi Vagal, Konstantinos Markantonakis, Carlton Shepherd
The anticipated widespread use of unmanned aerial vehicles (UAVs) raises significant safety and security concerns, including trespassing in restricted areas, colliding with other UAVs, and disrupting high-traffic airspaces. To mitigate these risks, geofences have been proposed as one line of defence, which limit UAVs from flying into the perimeters of other UAVs and restricted locations. In this paper, we address the concern that existing geometric geofencing algorithms lack accuracy during the calculation of complex geofences, particularly in dynamic urban environments. We propose a new algorithm based on alpha shapes and Voronoi diagrams, which we integrate into an on-drone framework using an open-source mapping database from OpenStreetMap. To demonstrate its efficacy, we present performance results using Microsoft's AirSim and a low-cost commercial UAV platform in a real-world urban environment.
Dec 11, 2017
EmLog: Tamper-Resistant System Logging for Constrained Devices with TEEs
Carlton Shepherd, Raja Naeem Akram, Konstantinos Markantonakis
Remote mobile and embedded devices are used to deliver increasingly impactful services, such as medical rehabilitation and assistive technologies. Secure system logging is beneficial in these scenarios to aid audit and forensic investigations particularly if devices bring harm to end-users. Logs should be tamper-resistant in storage, during execution, and when retrieved by a trusted remote verifier. In recent years, Trusted Execution Environments (TEEs) have emerged as the go-to root of trust on constrained devices for isolated execution of sensitive applications. Existing TEE-based logging systems, however, focus largely on protecting server-side logs and offer little protection to constrained source devices. In this paper, we introduce EmLog -- a tamper-resistant logging system for constrained devices using the GlobalPlatform TEE. EmLog provides protection against complex software adversaries and offers several additional security properties over past schemes. The system is evaluated across three log datasets using an off-the-shelf ARM development board running an open-source, GlobalPlatform-compliant TEE. On average, EmLog runs with low run-time memory overhead (1MB heap and stack), 430--625 logs/second throughput, and five-times persistent storage overhead versus unprotected logs.
Oct 12, 2021
A Side-channel Analysis of Sensor Multiplexing for Covert Channels and Application Profiling on Mobile Devices
Carlton Shepherd, Jan Kalbantner, Benjamin Semal et al.
Mobile devices often distribute measurements from physical sensors to multiple applications using software multiplexing. On Android devices, the highest requested sampling frequency is returned to all applications, even if others request measurements at lower frequencies. In this paper, we comprehensively demonstrate that this design choice exposes practically exploitable side-channels using frequency-key shifting. By carefully modulating sensor sampling frequencies in software, we show how unprivileged malicious applications can construct reliable spectral covert channels that bypass existing security mechanisms. Additionally, we present a novel variant that allows an unprivileged malicious application to profile other active, sensor-enabled applications at a coarse-grained level. Neither method imposes any special assumptions beyond access to the standard mobile services available to developers. As such, our work reports side-channel vulnerabilities that exploit subtle yet insecure design choices in Android sensor stacks.
May 10, 2021
Physical Fault Injection and Side-Channel Attacks on Mobile Devices: A Comprehensive Analysis
Carlton Shepherd, Konstantinos Markantonakis, Nico van Heijningen et al.
Today's mobile devices contain densely packaged system-on-chips (SoCs) with multi-core, high-frequency CPUs and complex pipelines. In parallel, sophisticated SoC-assisted security mechanisms have become commonplace for protecting device data, such as trusted execution environments and full-disk and file-based encryption. Both advancements have dramatically complicated the use of conventional physical attacks, requiring the development of specialised attacks. In this survey, we consolidate recent developments in physical fault injection and side-channel attacks on modern mobile devices. In total, we comprehensively survey over 50 fault injection and side-channel attack papers published between 2009 and 2021. We evaluate the prevailing methods, compare existing attacks using a common set of criteria, identify several challenges and shortcomings, and suggest future directions of research.
Feb 17, 2021
LIRA-V: Lightweight Remote Attestation for Constrained RISC-V Devices
Carlton Shepherd, Konstantinos Markantonakis, Georges-Axel Jaloyan
This paper presents LIRA-V, a lightweight system for performing remote attestation between constrained devices using the RISC-V architecture. We propose using read-only memory and the RISC-V Physical Memory Protection (PMP) primitive to build a trust anchor for remote attestation and secure channel creation. Moreover, we show how LIRA-V can be used for trusted communication between two devices using mutual attestation. We present the design, implementation and evaluation of LIRA-V using an off-the-shelf RISC-V microcontroller and present performance results to demonstrate its suitability. To our knowledge, we present the first remote attestation mechanism suitable for constrained RISC-V devices, with applications to cyber-physical systems and Internet of Things (IoT) devices.
Apr 22, 2019
Privacy-Enhancing Fall Detection from Remote Sensor Data Using Multi-Party Computation
Pradip Mainali, Carlton Shepherd
Motion-based fall detection systems are concerned with detecting falls from vulnerable users, which is typically performed by classifying measurements from a body-worn inertial measurement unit (IMU) using machine learning. Such systems, however, necessitate the collection of high-resolution measurements that may violate users' privacy, such as revealing their gait, activities of daily living (ADLs), and relative position using dead reckoning. In this paper, we investigate the application of multi-party computation (MPC) to IMU-based fall detection for protecting device measurement confidentiality. Our system is evaluated in a cloud-based setting that precludes parties from learning the underlying data using multiple, disparate cloud instances deployed in three geographical configurations. Using a publicly-available dataset, we demonstrate that MPC-based fall detection from IMU measurements is practical while achieving state-of-the-art error rates. In the best case, our system executes in 365.2 milliseconds, which falls well within the required time window for on-device data acquisition (750ms).
Apr 18, 2019
Privacy-Enhancing Context Authentication from Location-Sensitive Data
Pradip Mainali, Carlton Shepherd, Fabien A. P. Petitcolas
This paper proposes a new privacy-enhancing, context-aware user authentication system, ConSec, which uses a transformation of general location-sensitive data, such as GPS location, barometric altitude and noise levels, collected from the user's device, into a representation based on locality-sensitive hashing (LSH). The resulting hashes provide a dimensionality reduction of the underlying data, which we leverage to model users' behaviour for authentication using machine learning. We present how ConSec supports learning from categorical and numerical data, while addressing a number of on-device and network-based threats. ConSec is implemented subsequently for the Android platform and evaluated using data collected from 35 users, which is followed by a security and privacy analysis. We demonstrate that LSH presents a useful approach for context authentication from location-sensitive data without directly utilising plain measurements.
Apr 27, 2018
Remote Credential Management with Mutual Attestation for Trusted Execution Environments
Carlton Shepherd, Raja N. Akram, Konstantinos Markantonakis
Trusted Execution Environments (TEEs) are rapidly emerging as a root-of-trust for protecting sensitive applications and data using hardware-backed isolated worlds of execution. TEEs provide robust assurances regarding critical algorithm execution, tamper-resistant credential storage, and platform integrity using remote attestation. However, the challenge of remotely managing credentials between TEEs remains largely unaddressed in existing literature. In this work, we present novel protocols using mutual attestation for supporting four aspects of secure remote credential management with TEEs: backups, updates, migration, and revocation. The proposed protocols are agnostic to the underlying TEE implementation and subjected to formal verification using Scyther, which found no attacks.
May 2, 2016
When Theory and Reality Collide: Demystifying the Effectiveness of Ambient Sensing for NFC-based Proximity Detection by Applying Relay Attack Data
Iakovos Gurulian, Carlton Shepherd, Konstantinos Markantonakis et al.
Over the past decade, smartphones have become the point of convergence for many applications and services. There is a growing trend in which traditional smart-card based services like banking, transport and access control are being provisioned through smartphones. Smartphones with Near Field Communication (NFC) capability can emulate a contactless smart card; popular examples of such services include Google Pay and Apple Pay. Similar to contactless smart cards, NFC-based smartphone transactions are susceptible to relay attacks. For contactless smart cards, distance-bounding protocols are proposed to counter such attacks; for NFC-based smartphone transactions, ambient sensors have been proposed as potential countermeasures. In this study, we have empirically evaluated the suitability of ambient sensors as a proximity detection mechanism for contactless transactions. To provide a comprehensive analysis, we also collected relay attack data to ascertain whether ambient sensors are able to thwart such attacks effectively. We initially evaluated 17 sensors before selecting 7 sensors for in-depth analysis based on their effectiveness as potential proximity detection mechanisms within the constraints of a contactless transaction scenario. Each sensor was used to record 1000 legitimate and relay (illegitimate) contactless transactions at four different physical locations. The analysis of these transactions provides an empirical foundation on which to determine whether ambient sensors provide a strong proximity detection mechanism for security-sensitive applications like banking, transport and high-security access control.
Jan 26, 2016
Empirical Evaluation of Ambient Sensors as Proximity Detection Mechanism for Mobile Payments
Raja Naeem Akram, Iakovos Gurulian, Carlton Shepherd et al.
Near Field Communication (NFC) has enabled mobile phones to emulate contactless smart cards. Similar to contactless smart cards, they are also susceptible to relay attacks. To counter these, a number of methods have been proposed that rely primarily on ambient sensors as a proximity detection mechanism (also known as an anti-relay mechanism). In this paper, we, for the first time in academic literature, empirically evaluate a comprehensive set of ambient sensors for their effectiveness as a proximity detection mechanism. We selected 15 out of a total of 17 sensors available via the Google Android platform for evaluation, with the other two sensors unavailable on widely-used handsets. In existing academic literature, only 5 sensors have been proposed with positive results as a potential proximity detection mechanism. Each sensor, where feasible, was used to record the measurements of 1000 contactless transactions at four different physical locations. A total of 252 random users, a random sample of the university student population, were involved during the field trials. The analysis of these transactions provides an empirical foundation to categorically answer whether ambient sensors provide a strong proximity detection mechanism for security-sensitive applications like banking, transport and high-security access control. After careful analysis, we conclude that no single evaluated mobile ambient sensor is suitable for such critical applications in realistic deployment scenarios. Lastly, we identify a number of potential avenues that may improve their effectiveness.