College of Electrical Engineering at Zhejiang University, China
Title: Rethinking IoT Security: Understanding and Mitigating Out-of-Band Vulnerabilities
Wenyuan Xu is a Professor in the College of Electrical Engineering at Zhejiang University. She received her Ph.D. in Electrical and Computer Engineering from Rutgers University in 2007. Prior to joining Zhejiang University in 2013, she was a tenured faculty member in the Department of Computer Science and Engineering at the University of South Carolina in the United States. Her research focuses on embedded systems security, smart systems security, and IoT security. She is a recipient of the National Science Fund for Distinguished Young Scholars of China, the NSF CAREER award, and various best-paper awards including ACM CCS 2017 and ACM AsiaCCS 2018. In addition, she is a program committee co-chair for NDSS 2022-2023 and USENIX Security 2024, and serves as an associate editor for IEEE TMC, ACM TOSN, and TPS.
Vulnerabilities pose a significant challenge in ensuring cybersecurity for information systems. In the past, vulnerabilities were mainly associated with functional defects in system software and hardware, known as “in-band vulnerabilities,” where “band” refers to the functional domain. However, with the rapid development of the Internet of Things (IoT), new security issues have emerged that traditional vulnerability categorization may not fully cover. IoT devices rely on sensors and actuators to interact with the real world, but this interaction process between physical and digital systems has created defects that are difficult to analyze and detect. These defects include unintentional coupling effects of sensors from ambient analog signals or abnormal channels that were not intentionally designed, collectively known as “out-of-band vulnerabilities.” Various security incidents have highlighted the prevalence of out-of-band vulnerabilities in IoT systems, and their activation can result in serious consequences.
To address this issue, we propose a vulnerability categorization framework that includes out-of-band vulnerabilities and provides examples for each category. Our talk highlights the need to shift the research paradigm for system security to encompass both in-band and out-of-band vulnerabilities in the intelligence era. Finally, we explore potential solutions for mitigating out-of-band vulnerabilities and securing IoT devices.
AXA Chair Professor of Cybersecurity, Singapore Management University,
Fellow of IEEE, Fellow of Academy of Engineering Singapore
Title: Hardware-Assisted Data Security & Privacy Solutions
Robert Deng is AXA Chair Professor of Cybersecurity, Director of the Secure Mobile Centre, and Deputy Dean for Faculty & Research, School of Computing and Information Systems, Singapore Management University (SMU). His research interests are in the areas of data security and privacy, mobile and IoT security, and applied cryptography. He received the Outstanding University Researcher Award from the National University of Singapore, the Lee Kuan Yew Fellowship for Research Excellence from SMU, and the Asia-Pacific Information Security Leadership Achievements Community Service Star from the International Information Systems Security Certification Consortium (ISC2). He is a Fellow of IEEE and a Fellow of the Academy of Engineering Singapore.
Traditional public key cryptography and symmetric key cryptography are at the heart of ubiquitously deployed security solutions for protecting data in transit and storage (such as TLS, IPsec, WPA2 & WPA3, Signal Protocol, BitLocker). To protect data in use, many powerful crypto algorithms, such as functional encryption, fully homomorphic encryption, multi-party computation, and zero-knowledge proofs, have been proposed. While significant progress has been made in the research of these advanced crypto techniques, they still suffer from high processing cost and are mostly limited to applications in certain niche areas. On the other hand, trusted execution environments (TEEs) offer hardware-assisted security guarantees with CPU-speed performance but suffer from a larger attack surface. In this talk, we will first present an overview of TEEs’ security features, threat models, attacks and countermeasures. We will then present our efforts on designing hardware-assisted crypto systems for data security and privacy, and show how crypto and TEE may complement each other and be combined to realize practical security solutions. Finally, we will point out some potential future research directions.