Golam Kayas

Golam Kayas, Mahmud Hossain, Jamie Payton et al.

Advances in the development and increased availability of smart devices ranging from small sensors to complex cloud infrastructures as well as various networking technologies and communication protocols have supported the rapid expansion of Internet of Things deployments. The Universal Plug and Play (UPnP) protocol has been widely accepted and used in the IoT domain to support interactions among heterogeneous IoT devices, in part due to zero configuration implementation which makes it feasible for use in large-scale networks. The popularity and ubiquity of UPnP to support IoT systems necessitate an exploration of security risks associated with the use of the protocol for IoT deployments. In this work, we analyze security vulnerabilities of UPnP-based IoT systems and identify attack opportunities by the adversaries leveraging the vulnerabilities. Finally, we propose prospective solutions to secure UPnP-based IoT systems from adversarial operations.

Qiang Zeng, Jianhai Su, Chenglong Fu et al.

Adversarial examples (AEs) are crafted by adding human-imperceptible perturbations to inputs such that a machine-learning based classifier incorrectly labels them. They have become a severe threat to the trustworthiness of machine learning. While AEs in the image domain have been well studied, audio AEs are less investigated. Recently, multiple techniques are proposed to generate audio AEs, which makes countermeasures against them an urgent task. Our experiments show that, given an AE, the transcription results by different Automatic Speech Recognition (ASR) systems differ significantly, as they use different architectures, parameters, and training datasets. Inspired by Multiversion Programming, we propose a novel audio AE detection approach, which utilizes multiple off-the-shelf ASR systems to determine whether an audio input is an AE. The evaluation shows that the detection achieves accuracies over 98.6%.

Qiang Zeng, Golam Kayas, Emil Mohammed et al.

Exploitation of heap vulnerabilities has been on the rise, leading to many devastating attacks. Conventional heap patch generation is a lengthy procedure, requiring intensive manual efforts. Worse, fresh patches tend to harm system dependability, hence deterring users from deploying them. We propose a heap patching system that simultaneously has the following prominent advantages: (1) generating patches without manual efforts; (2) installing patches without altering the code (so called code-less patching); (3) handling various heap vulnerability types; (4) imposing a very low overhead; and (5) no dependency on specific heap allocators. As a separate contribution, we propose targeted calling context encoding, which is a suite of algorithms for optimizing calling context encoding, an important technique with applications in many areas. The system properly combines heavyweight offline attack analysis with lightweight online defense generation, and provides a new countermeasure against heap attacks. The evaluation shows that the system is effective and efficient.