BibTeX for papers by David Kotz; for complete/updated list see https://www.cs.dartmouth.edu/~kotz/research/papers.html @InProceedings{zegeye:icnet25, author = {Wondimu K. Zegeye and Ravindra Mangar and Jingyu Qian and Vinton Morris and Mounib Khanafer and Kevin Kornegay and Timothy J. Pierson and David Kotz}, title = {{Comparing smart-home devices that use the Matter protocol}}, booktitle = {{Proceedings of the International Workshop on Intelligent Communication Network Technologies (ICNET'25)}}, year = 2025, month = {January}, publisher = {IEEE}, copyright = {IEEE}, URL = {https://www.cs.dartmouth.edu/~kotz/research/zegeye-icnet25/index.html}, note = {Accepted for publication}, abstract = {This paper analyzes Google Home, Apple HomeKit, Samsung SmartThings, and Amazon Alexa platforms, focusing on their integration with the Matter protocol. Matter is a connectivity standard developed by the Connectivity Standards Alliance (CSA) for the smart-home industry. By examining key features and qualitative metrics, this study aims to provide valuable insights for consumers and industry professionals in making informed decisions about smart-home devices. We conducted (from May to August 2024) a comparative analysis to explore how Google Home Nest, Apple Homepod Mini, Samsung SmartThings station, and Amazon Echo Dot platforms leverage the power of Matter to provide seamless and integrated smart-home experiences.}, } @Misc{hardin:patent1, author = {Taylor Hardin and David Kotz}, title = {{Data system with information provenance}}, howpublished = {U.S. Patent 12,244,726}, year = 2025, month = {March}, day = 4, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-patent1/index.html}, note = {Priority date March 2, 2020. Application March 2, 2021. 
Issued March 4, 2025.}, abstract = {A secure, integrated data system and method uses both blockchain and Trusted Execution Environment (TEE) technologies to achieve information provenance for data, particularly, mobile health device data. Using a blockchain to record and enforce data access policies removes the need to trust a single entity with gatekeeping the health data. Instead, participants form a consortium and collectively partake in verifying and enforcing access policies for data stored in private data silos. Data access and computation take place inside of TEEs, which preserves data confidentiality and provides a verifiable attestation that can be stored on the blockchain for the purpose of information provenance.}, } @InProceedings{arguello:battery, author = {Cesar Arguello and Beatrice Perez and Timothy J. Pierson and David Kotz}, title = {{Detecting Battery Cells with Harmonic Radar}}, booktitle = {{Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)}}, year = 2024, month = {May}, pages = {231--236}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3643833.3656137}, URL = {https://www.cs.dartmouth.edu/~kotz/research/arguello-battery/index.html}, abstract = {Harmonic radar systems have been shown to be an effective method for detecting the presence of electronic devices, even if the devices are powered off. Prior work has focused on detecting specific non-linear electrical components (such as transistors and diodes) that are present in any electronic device. In this paper we show that harmonic radar is also capable of detecting the presence of batteries. We tested a proof-of-concept system on Alkaline, NiMH, Li-ion, and Li-metal batteries. 
With the exception of Li-metal coin cells, the prototype harmonic radar detected the presence of batteries in our experiments with 100\% accuracy.}, } @InProceedings{he:ci-survey, author = { Weijia He and Nathan Reitinger and Atheer Almogbil and Yi-Shyuan Chiang and Timothy J. Pierson and David Kotz }, title = {{Contextualizing Interpersonal Data Sharing in Smart Homes}}, booktitle = {{Proceedings of the Privacy Enhancing Technologies Symposium (PETS)}}, year = 2024, month = {July}, volume = 2024, number = 2, pages = {295--312}, copyright = {Creative Commons Attribution 4.0}, DOI = {10.56553/popets-2024-0051}, URL = {https://www.cs.dartmouth.edu/~kotz/research/he-ci-survey/index.html}, abstract = { A key feature of smart home devices is monitoring the environment and recording data. These devices provide security via motion-detection video alerts, cost-savings via thermostat usage history, and peace of mind via functions like auto-locking doors or water leak detectors. At the same time, the sharing of this information in interpersonal relationships---though necessary---is currently accomplished on an all-or-nothing basis. This can easily lead to oversharing in a multi-user environment. Although prior work has studied people's perceptions of information sharing with vendors or ISPs, the sharing of household data among users who interact personally is less well understood. Interpersonal situations make data sharing much more context-based and, thus, more complicated. In this paper, we use themes from the theory of contextual integrity in an online survey (n{$=$}1,992) to study how people perceive data sharing with others in smart homes and inform future designs and research. Our results show that data recipients in a smart home can be reduced to three major groups, and data types matter more than device types. We also found that the types of access control desired by users can vary from scenario to scenario. 
Depending on whom they are sharing data with and about what data, participants expressed varying levels of comfort when presented with different types of access control (e.g., explicit approval versus time-limited access). Taken together, this provides strong evidence that a more dynamic access control system is needed, and we can design it in a more usable way.}, } @InProceedings{jois:sigcse, author = {Tushar Jois and Tina Pavlovich and Brigid McCarron and David Kotz and Timothy Pierson}, title = {{Smart Use of Smart Devices in Your Home: A Smart Home Security and Privacy Workshop for the General Public}}, booktitle = {{Proceedings of the ACM Technical Symposium on Computer Science Education (SIGCSE)}}, year = 2024, month = {March}, pages = {611--617}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3626252.3630925}, URL = {https://www.cs.dartmouth.edu/~kotz/research/jois-sigcse/index.html}, abstract = {With 'smart' technology becoming more prevalent in homes, computing is increasingly embedded into everyday life. The benefits are well-advertised, but the risks associated with these technologies are not as clearly articulated. We aim to address this gap by educating community members on some of these risks, and providing actionable advice to mitigate risks. To this end, we describe our efforts to design and implement a hands-on workshop for the public on smart-home security and privacy. \par Our workshop curriculum centers on the smart-home device lifecycle: obtaining, installing, using, and removing devices in a home. For each phase of the lifecycle, we present possible vulnerabilities along with preventative measures relevant to a general audience. We integrate a hands-on activity for participants to put best-practices into action throughout the presentation. \par We ran our designed workshop at a science museum in June 2023, and used participant surveys to evaluate the effectiveness of our curriculum. 
Prior to the workshop, 38.8\% of survey responses did not meet learning objectives, 22.4\% partially met them, and 38.8\% fully met them. After the workshop, only 9.2\% of responses did not meet learning objectives, while 29.6\% partially met them and 61.2\% fully met them. Our experience shows that consumer-focused workshops can aid in bridging information gaps and are a promising form of outreach.}, } @InProceedings{khanafer:discovery, author = {Mounib Khanafer and Logan Kostick and Chixiang Wang and Wondimu Zegeye and Weijia He and Berkay Kaplan and Nurzaman Ahmed and Kevin Kornegay and David Kotz and Timothy Pierson}, title = {{Device Discovery in the Smart Home Environment}}, booktitle = {{Proceedings of the IEEE/ACM Workshop on the Internet of Safe Things (SafeThings)}}, year = 2024, month = {May}, pages = {298--304}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/SPW63631.2024.10705647}, URL = {https://www.cs.dartmouth.edu/~kotz/research/khanafer-discovery/index.html}, abstract = {With the availability of Internet of Things (IoT) devices offering varied services, smart home environments have seen widespread adoption in the last two decades. Protecting privacy in these environments becomes an important problem because IoT devices may collect information about the home's occupants without their knowledge or consent. Furthermore, a large number of devices in the home, each collecting small amounts of data, may, in aggregate, reveal non-obvious attributes about the home occupants. A first step towards addressing privacy is discovering what devices are present in the home. In this paper, we formally define device discovery in smart homes and identify the features that constitute discovery in that environment. Then, we propose an evaluative rubric that rates smart home technology initiatives on their device discovery capabilities and use it to evaluate four commonly deployed technologies. We find none cover all device discovery aspects. 
We conclude by proposing a combined technology solution that provides comprehensive device discovery tailored to smart homes.}, } @Article{mangar:framework, author = {Ravindra Mangar and Timothy J. Pierson and David Kotz}, title = {{A framework for evaluating the security and privacy of smart-home devices, and its application to common platforms}}, journal = {IEEE Pervasive Computing}, year = 2024, month = {July}, volume = 23, number = 3, pages = {7--19}, publisher = {IEEE}, copyright = {the authors}, DOI = {10.1109/MPRV.2024.3421668}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mangar-framework/index.html}, abstract = {In this article, we outline the challenges associated with the widespread adoption of smart devices in homes. These challenges are primarily driven by scale and device heterogeneity: a home may soon include dozens or hundreds of devices, across many device types, and may include multiple residents and other stakeholders. We develop a framework for reasoning about these challenges based on the deployment, operation, and decommissioning life cycle stages of smart devices within a smart home. We evaluate the challenges in each stage using the well-known CIA triad---Confidentiality, Integrity, and Availability. In addition, we highlight open research questions at each stage. Further, we evaluate solutions from Apple and Google using our framework and find notable shortcomings in these products. Finally, we sketch some preliminary thoughts on a solution for the smart home of the near future.}, } @InProceedings{mangar:testbed, author = {Ravindra Mangar and Jingyu Qian and Wondimu Zegeye and Mounib Khanafer and Abdulrahman AlRabah and Ben Civjan and Shalni Sundram and Sam Yuan and Carl Gunter and Kevin Kornegay and Timothy J. 
Pierson and David Kotz}, title = {{Designing and Evaluating a Testbed for the Matter Protocol: Insights into User Experience}}, booktitle = {{Proceedings of the NDSS Workshop on Security and Privacy in Standardized IoT (SDIoTSec)}}, year = 2024, month = {February}, publisher = {NDSS}, copyright = {the authors}, DOI = {10.14722/sdiotsec.2024.23012}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mangar-testbed/index.html}, note = {Distinguished Paper Award}, abstract = {As the integration of smart devices into our daily environment accelerates, the vision of a fully integrated smart home is becoming more achievable through standards such as the Matter protocol. In response, this research paper explores the use of Matter in addressing the heterogeneity and interoperability problems of smart homes. We built a testbed and introduced a network utility device, designed to sniff network traffic and provide a wireless access point within IoT networks. This paper also presents the experience of students using the testbed in an academic scenario.}, } @Article{pierson:inspector, author = {Timothy J. Pierson and Cesar Arguello and Beatrice Perez and Wondimu Zegeye and Kevin Kornegay and Carl Gunter and David Kotz}, title = {{We need a ``building inspector for IoT'' when smart homes are sold}}, journal = {IEEE Security \& Privacy}, year = 2024, month = {November--December}, volume = 22, number = 6, pages = {75--84}, publisher = {IEEE}, copyright = {Open access}, DOI = {10.1109/MSEC.2024.3386467}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-inspector/index.html}, abstract = {Internet of Things (IoT) devices left behind when a home is sold create security and privacy concerns for both prior and new residents. 
We envision a specialized ``building inspector for IoT'' to help securely facilitate transfer of the home.}, } @Article{wang:insideout, author = {Chixiang Wang and Weijia He and Timothy Pierson and David Kotz}, title = {{Moat: Adaptive Inside/Outside Detection System for Smart Homes}}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT)}, year = 2024, month = {September}, volume = 8, number = 4, articleno = 157, numpages = 31, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3699751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/wang-insideout/index.html}, abstract = {Smart-home technology is now pervasive, demanding increased attention to the security of the devices and the privacy of the home's residents. To assist residents in making security and privacy decisions---e.g., whether to allow a new device to connect to the network, or whether to be alarmed when an unknown device is discovered---it helps to know whether the device is inside the home, or outside. \par In this paper we present MOAT, a system that leverages Wi-Fi sniffers to analyze the physical properties of a device's wireless transmissions to infer whether that device is located inside or outside of a home. MOAT can adaptively self-update to accommodate changes in the home indoor environment to ensure robust long-term performance. Notably, MOAT does not require prior knowledge of the home's layout or cooperation from target devices, and is easy to install and configure. \par We evaluated MOAT in four different homes with 21 diverse commercial smart devices and achieved an overall balanced accuracy rate of up to 95.6\%. Our novel periodic adaptation technique allowed our approach to maintain high accuracy even after rearranging furniture in the home. MOAT is a practical and efficient first step for monitoring and managing devices in a smart home. 
}, } @InProceedings{wang:onboarding, author = {Chixiang Wang and Liam Cassidy and Weijia He and Timothy J. Pierson and David Kotz}, title = {{Challenges and opportunities in onboarding smart-home devices}}, booktitle = {{Proceedings of the International Workshop on Mobile Computing Systems and Applications (HotMobile)}}, year = 2024, month = {February}, pages = {60--65}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3638550.3641137}, URL = {https://www.cs.dartmouth.edu/~kotz/research/wang-onboarding/index.html}, abstract = {Smart-home devices have become integral to daily routines, but their onboarding procedures---setting up a newly acquired smart device into operational mode---remain understudied. The heterogeneity of smart-home devices and their onboarding procedure can easily overwhelm users when they scale up their smart-home system. While Matter, the new IoT standard, aims to unify the smart-home ecosystem, it is still evolving, resulting in mixed compliance among devices. In this paper, we study the complexity of device onboarding from users' perspectives. We thus performed cognitive walkthroughs on 12 commercially available smart-home devices, documenting the commonality and distinctions of the onboarding process across these devices. We found that onboarding smart home devices can often be tedious and confusing. Users must devote significant time to creating an account, searching for the target device, and providing Wi-Fi credentials for each device they install. Matter-compatible devices are supposedly easier to manage, as they can be registered through one single hub independent of the vendor. Unfortunately, we found such a statement is not always true. Some devices still need their own companion apps and accounts to fully function. 
Based on our observations, we give recommendations about how to support a more user-friendly onboarding process.}, } @Misc{perez:scanner-patent, author = {Beatrice Perez and Timothy Pierson and Gregory Mazzaro and David Kotz}, title = {{Harmonic Radar Scanner for Electronics}}, howpublished = {Patent Application 18/749,826, published as US2024/0426974}, year = 2024, month = {December}, day = 26, URL = {https://www.cs.dartmouth.edu/~kotz/research/perez-scanner-patent/index.html}, note = {Priority date 6/21/23; filed 6/21/24; published 12/26/24}, abstract = {A harmonic radar system for detecting an electronic device includes a signal generator for generating one or more transmit radio frequency (RF) signals, a transmitting antenna for sending the transmit RF signals into an environment, a receiving antenna for receiving signals reflected or re-radiated by the electronic device in the environment in response to the transmit RF signals, and a spectrum analyzer for identifying a harmonic frequency of the transmit RF signals in the filtered signals.}, } @Misc{pierson:snap-patent, author = {Timothy J. Pierson and Ronald Peterson and David F. Kotz}, title = {{System and method for proximity detection with single-antenna device}}, howpublished = {U.S. Patent 11,871,233; International Patent Application WO2019210201A1}, year = 2024, month = {January}, day = 9, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap-patent/index.html}, note = {Priority date 2018-04-27; Filed 2019-04-26; Published 2021-07-29, Issued 2024-01-09}, abstract = {A single-antenna device includes a single antenna, at least one processor, and at least one memory. The single-antenna device is operable to receive a signal including at least one frame. Each of said frame includes a repeating portion. 
The single-antenna device determines a difference of phase and amplitude of the repeating portion and further determines whether the signal is transmitted from a trusted source based at least in part on the difference of phase and amplitude of the repeating portion.}, } @Misc{pierson:closetalker-patent2, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {{Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication}}, howpublished = {U.S. Patent 11,894,920}, year = 2024, month = {February}, day = 6, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker-patent2/index.html}, note = {Priority date 2017-09-06; WO Filed 2018-09-06, US Filed 2020-02-26, Continuation of 11,153,026; Issued 2024-02-06}, abstract = {Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.}, } @InProceedings{perez:identification, author = {Beatrice Perez and Timothy J. 
Pierson and Gregory Mazzaro and David Kotz}, title = {{Identification and Classification of Electronic Devices Using Harmonic Radar}}, booktitle = {{Proceedings of the Distributed Computing in Smart Systems and the Internet of Things (DCOSS-IoT)}}, year = 2023, month = {June}, pages = {248--255}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/DCOSS-IoT58021.2023.00050}, URL = {https://www.cs.dartmouth.edu/~kotz/research/perez-identification/index.html}, abstract = { Smart home electronic devices invisibly collect, process, and exchange information with each other and with remote services, often without a home occupants' knowledge or consent. These devices may be mobile or fixed and may have wireless or wired network connections. Detecting and identifying all devices present in a home is a necessary first step to control the flow of data, but there exists no universal mechanism to detect and identify all electronic devices in a space. In this paper we present ICED (Identification and Classification of Electronic Devices), a system that can (i) identify devices from a known set of devices, and (ii) detect the presence of previously unseen devices. ICED, based on harmonic radar technology, collects measurements at the first harmonic of the radar's transmit frequency. We find that the harmonic response contains enough information to infer the type of device. It works when the device has no wireless network interface, is powered off, or attempts to evade detection. We evaluate performance on a collection of 17 devices and find that by transmitting a range of frequencies we correctly identify known devices with 97.6\% accuracy and identify previously unseen devices as `unknown' with 69.0\% balanced accuracy.}, } @InProceedings{perez:range, author = {Beatrice Perez and Cesar Arguello and Timothy J. 
Pierson and Gregory Mazzaro and David Kotz}, title = {{Evaluating the practical range of harmonic radar to detect smart electronics}}, booktitle = {{Proceedings of the IEEE Military Communications Conference (MILCOM)}}, year = 2023, month = {October}, pages = {528--535}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MILCOM58377.2023.10356371}, URL = {https://www.cs.dartmouth.edu/~kotz/research/perez-range/index.html}, abstract = {Prior research has found that harmonic radar systems are able to detect the presence of electronic devices, even if the devices are powered off. These systems could be a powerful tool to help mitigate privacy invasions. For example, in a rental property devices such as cameras or microphones may be surreptitiously placed by a landlord to monitor renters without their knowledge or consent. A mobile harmonic radar system may be able to quickly scan the property and locate all electronic devices. The effective range of these systems for detecting consumer-grade electronics, however, has not been quantified. We address that shortcoming in this paper and evaluate a prototype harmonic radar system. We find the system, a variation of what has been proposed in the literature, is able to reliably detect some devices at a range of about two meters. We discuss the effect of hardware on the range of detection and propose an algorithm for automated detection.}, } @Misc{pierson:wanda-patent2, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Apparatus for securely configuring a target device}}, howpublished = {U.S. Patent 11,683,071}, year = 2023, month = {June}, day = 20, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-patent2/index.html}, note = {Continuation of U.S. Patent 10,574,298. Priority date 2015-06-23; Filed 2020-01-20; Allowed 2023-02-10; Issued 2023-06-20}, abstract = {Apparatus and method securely transfer first data from a source device to a target device. 
A wireless signal having (a) a higher speed channel conveying second data and (b) a lower speed channel conveying the first data is transmitted. The lower speed channel is formed by selectively transmitting the wireless signal from one of a first and second antennae of the source device based upon the first data. The first and second antenna are positioned a fixed distance apart and the target device uses a received signal strength indication (RSSI) of the first signal to decode the lower speed channel and receive the first data.}, } @Misc{mare:saw-patent, author = {Shrirang Mare and David Kotz and Ronald Peterson}, title = {{Effortless authentication for desktop computers using wrist wearable tokens}}, howpublished = {U.S. Patent 11,574,039}, year = 2023, month = {February}, day = 7, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-saw-patent/index.html}, note = {Priority date 2018-07-20; International application Filed 2019-07-19; National stage Filed 2021-01-20; Issued 2023-02-07}, abstract = {A system and method for authenticating users of a digital device includes an authentication device attached to an authorized user. The authentication device includes one or more motion sensors and acts as a user identity token. To authenticate with a digital device, the user performs one or more interactions with the digital device using the hand associated with the authentication device. The digital device correlates the inputs received due to the interactions with the user's hand and/or wrist movement, as measured by the authentication device. 
Access to the digital device is allowed if the inputs and movements are correlated.}, } @InProceedings{hardin:amanuensis2, author = {Taylor Hardin and David Kotz}, title = {{Amanuensis: provenance, privacy, and permission in TEE-enabled blockchain data systems}}, booktitle = {{Proceedings of the IEEE International Conference on Distributed Computing Systems}}, year = 2022, month = {July}, pages = {144--156}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/ICDCS54860.2022.00023}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-amanuensis2/index.html}, abstract = { Blockchain technology is heralded for its ability to provide transparent and immutable audit trails for data shared among semi-trusted parties. With the addition of smart contracts, blockchains can track and verify arbitrary computations -- which enables blockchain users to verify the provenance of information derived from data through the blockchain. This provenance comes at the cost of data confidentiality and user privacy, however, which is unacceptable for many sensitive applications. The need for verifiable yet confidential data sharing and computation has led some to add trusted execution environment (TEE) hardware to blockchain platforms. By moving sensitive operations (e.g., data decryption and analysis) off of the blockchain and into a TEE, they get both the confidentiality of TEEs and the transparency of blockchains without the need to completely trust any one party in the data-sharing ecosystem. \par In this paper, we build on our TEE-enabled blockchain data-sharing system, Amanuensis, to ensure the freshness of access-control lists shared between the blockchain and TEE, and to improve the privacy of users interacting within the system. We also detail how TEE-based remote attestation helps us to achieve information provenance -- specifically, how to achieve information provenance in the context of the Intel SGX trusted execution environment. 
Finally, we present an evaluation of our system, in which we test several real-world machine-learning applications (logistic regression, kNN, SVM) to determine the run-time overhead of information confidentiality and provenance. Each machine-learning program exhibited a slowdown between 1.1 and 2.8x when run inside of our confidential environment, and took an average of 59 milliseconds to verify the provenance of an input data set.}, } @PhdThesis{hardin:thesis, author = {Taylor Hardin}, title = {{Information Provenance for Mobile Health Data}}, school = {Dartmouth Computer Science}, year = 2022, month = {May}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-thesis/index.html}, abstract = { Mobile health (mHealth) apps and devices are increasingly popular for health research, clinical treatment and personal wellness, as they offer the ability to continuously monitor aspects of individuals' health as they go about their everyday activities. Many believe that combining the data produced by these mHealth apps and devices may give healthcare-related service providers and researchers a more holistic view of an individual's health, increase the quality of service, and reduce operating costs. For such mHealth data to be considered useful though, data consumers need to be assured that the authenticity and the integrity of the data has remained intact --- especially for data that may have been created through a series of aggregations and transformations on many input data sets. In other words, \emph{information provenance} should be one of the main focuses for any system that wishes to facilitate the sharing of sensitive mHealth data. Creating such a trusted and secure data sharing ecosystem for mHealth apps and devices is difficult, however, as they are implemented with different technologies and managed by different organizations. 
Furthermore, many mHealth devices use ultra-low-power micro-controllers, which lack the kinds of sophisticated Memory Management Units (MMUs) required to sufficiently isolate sensitive application code and data. \par In this thesis, we present an end-to-end solution for providing information provenance for mHealth data, which begins by securing mHealth data at its source: the mHealth device. To this end, we devise a memory-isolation method that combines compiler-inserted code and Memory Protection Unit (MPU) hardware to protect application code and data on ultra-low-power micro-controllers. Then we address the security of mHealth data outside of the source (e.g., data that has been uploaded to smartphone or remote-server) with our health-data system, Amanuensis, which uses Blockchain and Trusted Execution Environment (TEE) technologies to provide confidential, yet verifiable, data storage and computation for mHealth data. Finally, we look at identity privacy and data freshness issues introduced by the use of blockchain and TEEs. Namely, we present a privacy-preserving solution for blockchain transactions, and a freshness solution for data access-control lists retrieved from the blockchain. }, } @MastersThesis{malik:thesis, author = {Namya Malik}, title = {{SPLICEcube Architecture: An Extensible Wi-Fi Monitoring Architecture for Smart-Home Networks}}, school = {Dartmouth Computer Science}, year = 2022, month = {May}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/malik-thesis/index.html}, abstract = { The vision of smart homes is rapidly becoming a reality, as the Internet of Things and other smart devices are deployed widely. Although smart devices offer convenience, they also create a significant management problem for home residents. With a large number and variety of devices in the home, residents may find it difficult to monitor, or even locate, devices. 
A central controller that brings all the home's smart devices under secure management and a unified interface would help homeowners and residents track and manage their devices.\par We envision a solution called the SPLICEcube whose goal is to detect smart devices, locate them in three dimensions within the home, securely monitor their network traffic, and keep an inventory of devices and important device information throughout the device's lifecycle. The SPLICEcube system consists of the following components: 1) a main \emph{cube}, which is a centralized hub that incorporates and expands on the functionality of the home router, 2) a \emph{database} that holds network data, and 3) a set of support \emph{cubelets} that can be used to extend the range of the network and assist in gathering network data.\par To deliver this vision of identifying, securing, and managing smart devices, we introduce an architecture that facilitates intelligent research applications (such as network anomaly detection, intrusion detection, device localization, and device firmware updates) to be integrated into the SPLICEcube. In this thesis, we design a general-purpose Wi-Fi architecture that underpins the SPLICEcube. The architecture specifically showcases the functionality of the cubelets (Wi-Fi frame detection, Wi-Fi frame parsing, and transmission to cube), the functionality of the cube (routing, reception from cubelets, information storage, data disposal, and research application integration), and the functionality of the database (network data storage). We build and evaluate a prototype implementation to demonstrate our approach is \emph{scalable} to accommodate new devices and \emph{extensible} to support different applications. 
Specifically, we demonstrate a successful proof-of-concept use of the SPLICEcube architecture by integrating a security research application: an "Inside-Outside detection" system that classifies an observed Wi-Fi device as being inside or outside the home.}, } @Misc{vandenbussche:thesis, author = {Adam Vandenbussche}, title = {{TorSH: Obfuscating consumer Internet-of-Things traffic with a collaborative smart-home router network}}, school = {Dartmouth Computer Science}, year = 2022, month = {June}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/vandenbussche-thesis/index.html}, note = {Undergraduate Thesis}, abstract = {When consumers install Internet-connected "smart devices" in their homes, metadata arising from the communications between these devices and their cloud-based service providers enables adversaries privy to this traffic to profile users, even when adequate encryption is used. Internet service providers (ISPs) are one potential adversary privy to users' incoming and outgoing Internet traffic and either currently use this insight to assemble and sell consumer advertising profiles or may in the future do so. With existing defenses against such profiling falling short of meeting user preferences and abilities, there is a need for a novel solution that empowers consumers to defend themselves against profiling by ISP-like actors and that is more in tune with their wishes. In this thesis, we present The Onion Router for Smart Homes (TorSH), a network of smart-home routers working collaboratively to defend smart-device traffic from analysis by ISP-like adversaries. 
We demonstrate that TorSH succeeds in deterring such profiling while preserving smart-device experiences and without encumbering latency-sensitive, non-smart-device experiences like web browsing.}, } @Article{hardin:amanuensis, author = {Taylor Hardin and David Kotz}, title = {{Amanuensis: Information Provenance for Health-Data Systems}}, journal = {Journal of Information Systems Management and Security}, year = 2021, month = {March}, volume = 58, number = 2, articleno = 102460, numpages = 21, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.ipm.2020.102460}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-amanuensis/index.html}, abstract = {Mobile health (mHealth) apps and devices are increasingly popular for health research, clinical treatment, and personal wellness, as they offer the ability to continuously monitor aspects of individuals' health as they go about their everyday activities. Combining the data produced by these mHealth devices may give healthcare providers a more holistic view of a patient's health, increase the level of patient care, and reduce operating costs. Creating a trusted and secure data sharing ecosystem for mHealth devices is difficult, however, as devices are implemented with different technologies and managed by different organizations. To address these issues, we present \emph{Amanuensis:} a concept for a secure, integrated healthcare data system that leverages Blockchain and Trusted Execution Environment (TEE) technologies to achieve information provenance for mHealth data. By using a blockchain to record and enforce data-access policies, we remove the need to trust a single entity with gate-keeping the health data. Instead, participating organizations form a consortium to share responsibility for verifying data integrity and enforcing access policies for data stored in private data silos. 
Data accesses and computations take place inside of TEEs to preserve data confidentiality and to provide a verifiable attestation report that can be stored on the blockchain for the purpose of information provenance. We evaluate a prototype implementation of Amanuensis -- built using Intel SGX trusted execution hardware and the VeChain Thor blockchain platform -- which shows that Amanuensis is capable of supporting up to 14,256,000 mHealth data sources at \$0.07 per data source per day.}, } @InProceedings{peters:via, author = {Travis Peters and Timothy J. Pierson and Sougata Sen and Jos{\'{e}} Camacho and David Kotz}, title = {{Recurring Verification of Interaction Authenticity Within Bluetooth Networks}}, booktitle = {{Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021)}}, year = 2021, month = {June}, pages = {192--203}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3448300.3468287}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peters-via/index.html}, abstract = {Although user authentication has been well explored, device-to-device authentication -- specifically in Bluetooth networks -- has not seen the same attention. We propose Verification of Interaction Authenticity (VIA) -- a recurring authentication scheme based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. To evaluate our approach we produced a new dataset consisting of more than 300 Bluetooth network traces collected from 20 Bluetooth-enabled smart-health and smart-home devices. 
In our evaluation, we found that devices can be correctly verified at a variety of granularities, achieving an F1-score of 0.86 or better in most cases.}, } @Article{sen:vibering-j, author = {Sougata Sen and David Kotz}, title = {{VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys}}, journal = {Journal of Pervasive and Mobile Computing}, year = 2021, month = {December}, volume = 78, articleno = 101505, numpages = 16, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.pmcj.2021.101505}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-j/index.html}, abstract = {Many Internet of Things (IoT) devices are capable of sensing their environment, communicating with other devices, and actuating on their environment. Some of these IoT devices, herein known as ``smartThings'', collect meaningful information from raw data when they are in use and in physical contact with their user (e.g., a blood-glucose monitor); the smartThing's wireless connectivity allows it to transfer that data to its user's trusted device, such as a smartphone. However, an adversary could impersonate the user and bootstrap a communication channel with the smartThing while the smartThing is being used by an oblivious legitimate user. \par To address this problem, in this paper, we investigate the use of \emph{vibration}, generated by a smartRing, as an out-of-band communication channel to unobtrusively share a secret with a smartThing. This exchanged secret can be used to bootstrap a secure wireless channel over which the smartphone (or another trusted device) and the smartThing can communicate. We present the design, implementation, and evaluation of this system, which we call \emph{VibeRing}. We describe the hardware and software details of the smartThing and smartRing. 
Through a user study we demonstrate that it is possible to share a secret with various objects quickly, accurately and securely as compared to several existing techniques. Overall, we successfully exchange a secret between a smartRing and various smartThings, at least 85.9\% of the time. We show that \emph{VibeRing} can perform this exchange at 12.5 bits/second at a bit error rate of less than 2.5\%. We also show that \emph{VibeRing} is robust to the smartThing's constituent material as well as the holding style. Finally, we demonstrate that a nearby adversary cannot decode or modify the message exchanged between the trusted devices. }, } @Misc{gralla:inside-outside, author = {Paul Gralla}, title = {{An inside vs. outside classification system for Wi-Fi IoT devices}}, school = {Dartmouth Computer Science}, year = 2021, month = {June}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/gralla-inside-outside/index.html}, note = {Undergraduate Thesis}, abstract = {We are entering an era in which Smart Devices are increasingly integrated into our daily lives. Everyday objects are gaining computational power to interact with their environments and communicate with each other and the world via the Internet. While the integration of such devices offers many potential benefits to their users, it also gives rise to a unique set of challenges. One of those challenges is to detect whether a device belongs to one's own ecosystem, or to a neighbor -- or represents an unexpected adversary. An important part of determining whether a device is friend or adversary is to detect whether a device's location is within the physical boundaries of one's space (e.g. office, classroom, home). In this thesis we propose a system that is able to decide with 82\% accuracy whether the location of an IoT device is inside or outside of a defined space based on a small number of transmitted Wi-Fi frames. 
The classification is achieved by leveraging a machine-learning classifier trained and tested on RSSI data of Wi-Fi transmissions recorded by three or more observers. In an initialization phase the classifier is trained by the user on Wi-Fi transmissions of a variety of locations, inside (and outside). The system can be built with off-the-shelf Wi-Fi observing devices that do not require any special hardware modifications. With the exception of the training period, the system can accurately classify the indoor/outdoor state of target devices without any cooperation from the user or from the target devices.}, } @Misc{pierson:closetalker-patent, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {{Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication}}, howpublished = {U.S. Patent 11,153,026}, year = 2021, month = {October}, day = 19, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker-patent/index.html}, note = {Priority date 2017-09-06; WO Filed 2018-09-06, US Filed 2020-02-26, US amendment filed 2021-01-29; Issued 2021-10-19}, abstract = {Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. 
When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.}, } @TechReport{landwehr:thaw-tr, author = {Carl Landwehr and David Kotz}, title = {{THaW publications}}, institution = {Dartmouth Computer Science}, year = 2020, month = {December}, number = {TR2020-904}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/landwehr-thaw-tr/index.html}, abstract = {In 2013, the National Science Foundation's Secure and Trustworthy Cyberspace program awarded a Frontier grant to a consortium of four institutions, led by Dartmouth College, to enable trustworthy cybersystems for health and wellness. As of this writing, the Trustworthy Health and Wellness (THaW) project's bibliography includes more than 130 significant publications produced with support from the THaW grant; these publications document the progress made on many fronts by the THaW research team. The collection includes dissertations, theses, journal papers, conference papers, workshop contributions and more. The bibliography is organized as a Zotero library, which provides ready access to citation materials and abstracts and associates each work with a URL where it may be found, cluster (category), several content tags, and a brief annotation summarizing the work's contribution. 
For more information about THaW, visit thaw.org.}, } @Article{liang:jlighttouch, author = {Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Securely Connecting Wearables to Ambient Displays with User Intent}}, journal = {IEEE Transactions on Dependable and Secure Computing}, year = 2020, month = {July}, volume = 17, number = 4, pages = {676--690}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/TDSC.2018.2840979}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-jlighttouch/index.html}, abstract = {Wearables are often small and have limited user interfaces, hence they often wirelessly interface with a personal smartphone or a personal computer to relay information from the wearable for display. In this paper, we envision a new method LightTouch by which a wearable can establish a secure connection to an ambient display, such as a television or computer monitor, based on the user's intention to connect to the display. Such connections must be secure to prevent impersonation attacks, must work with unmodified display hardware, and must be easy to establish. LightTouch uses standard RF methods for communicating the data to display, securely bootstrapped with a key shared via a brightness channel between the low cost, low power, ambient light sensor of a wearable and the screen of the display. A screen touch gesture is adopted by users to ensure the modulation of screen brightness can be accurately and securely captured by the ambient light sensor. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. 
Through experiments we demonstrate that LightTouch is compatible with current display and wearable designs, easy-to-use (5-6 seconds), reliable for connecting displays (98 percent success connection ratio), and secure against impersonation attacks.}, } @InProceedings{sen:vibering, author = {Sougata Sen and David Kotz}, title = {{VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys}}, booktitle = {{Proceedings of the International Conference on the Internet of Things (IoT)}}, year = 2020, month = {October}, articleno = 13, numpages = 8, publisher = {ACM}, copyright = {ACM}, ISBN13 = 9781450387583, DOI = {10.1145/3410992.3410995}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering/index.html}, abstract = {With the rapid growth in the number of IoT devices that have wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a \emph{secret}, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this paper, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smart ring, to share a secret with a smart IoT device. This exchanged secret can be used to bootstrap a secure wireless channel over which the devices can communicate. We believe that in future IoT devices can use such a technique to seamlessly connect with authorized devices with minimal user interaction overhead. 
In this paper, we specifically investigate (a) the feasibility of using vibration generated by a custom wearable for communication, (b) the effect of various parameters on this communication channel, and (c) the possibility of information manipulation by an adversary or information leakage to an adversary. For this investigation, we conducted a controlled study as well as a user study with 12 participants. In the controlled study, we could successfully share messages through vibrations with a bit error rate of less than 2.5\%. Additionally, through the user study we demonstrate that it is possible to share messages with various types of objects accurately, quickly and securely as compared to several existing techniques. Overall, we find that in the best case we can exchange 85.9\% messages successfully with a smart device.}, } @PhdThesis{peters:thesis, author = {Travis Peters}, title = {{Trustworthy Wireless Personal Area Networks}}, school = {Dartmouth Computer Science}, year = 2020, month = {August}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peters-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2020-878}, abstract = {\par In the Internet of Things (IoT), everyday objects are equipped with the ability to compute and communicate. These smart things have invaded the lives of everyday people, being constantly carried or worn on our bodies, and entering into our homes, our healthcare, and beyond. This has given rise to wireless networks of smart, connected, always-on, personal things that are constantly around us, and have unfettered access to our most personal data as well as all of the other devices that we own and encounter throughout our day. It should, therefore, come as no surprise that our personal devices and data are frequent targets of ever-present threats. Securing these devices and networks, however, is challenging. 
In this dissertation, we outline three critical problems in the context of Wireless Personal Area Networks (WPANs) and present our solutions to these problems. \par First, I present our Trusted I/O solution (BASTION-SGX) for protecting sensitive user data transferred between wirelessly connected (Bluetooth) devices. This work shows how in-transit data can be protected from privileged threats, such as a compromised OS, on commodity systems. I present insights into the Bluetooth architecture, Intel's Software Guard Extensions (SGX), and how a Trusted I/O solution can be engineered on commodity devices equipped with SGX. \par Second, I present our work on AMULET and how we successfully built a wearable health hub that can run multiple health applications, provide strong security properties, and operate on a single charge for weeks or even months at a time. I present the design and evaluation of our highly efficient event-driven programming model, the design of our low-power operating system, and developer tools for profiling ultra-low-power applications at compile time. \par Third, I present a new approach (VIA) that helps devices at the center of WPANs (e.g., smartphones) to verify the authenticity of interactions with other devices. This work builds on past work in anomaly detection techniques and shows how these techniques can be applied to Bluetooth network traffic. Specifically, we show how to create normality models based on fine- and coarse-grained insights from network traffic, which can be used to verify the authenticity of future interactions. }, } @Misc{pierson:wanda-patent, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Apparatus for Securely Configuring A Target Device and Associated Methods}}, howpublished = {U.S. 
Patent 10,574,298}, year = 2020, month = {February}, day = 25, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-patent/index.html}, note = {Priority date 2015-06-23; Filed 2016-06-23; Issued 2020-02-25}, abstract = {Apparatus and method securely transfer first data from a source device to a target device. A wireless signal having (a) a higher speed channel conveying second data and (b) a lower speed channel conveying the first data is transmitted. The lower speed channel is formed by selectively transmitting the wireless signal from one of a first and second antennae of the source device based upon the first data. The first and second antennae are positioned a fixed distance apart and the target device uses a received signal strength indication (RSSI) of the first signal to decode the lower speed channel and receive the first data.}, } @Misc{liang:lighttouch-patent, author = {Xiaohui Liang and Tianlong Yun and Ron Peterson and David Kotz}, title = {{Secure System For Coupling Wearable Devices To Computerized Devices with Displays}}, howpublished = {U.S. Patent 10,581,606}, year = 2020, month = {March}, day = 3, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-lighttouch-patent/index.html}, note = {Priority date 2014-08-18, Filed 2015-08-18; Issued 2020-03-03.}, abstract = {A system has a first electronic device with optical sensor, digital radio transceiver, and processor with firmware; this device is typically portable or wearable. The system also has a computerized device with a display, a second digital radio transceiver, and a second processor with firmware. The first and computerized devices are configured to set up a digital radio link when in radio range. The second processor uses a spot on the display to optically transmit a digital message including a secret such as an encryption key or subkey and/or an authentication code adapted for authenticating and encrypting the radio link. 
The first device receives the digital message via its optical sensor, and uses the digital message to validate and establish encryption on the radio link. In embodiments, the system determines a location of the first device on the display and positions the transmission spot at the determined location.}, } @InProceedings{boateng:experience, author = {George Boateng and Vivian Genaro Motti and Varun Mishra and John A. Batsis and Josiah Hester and David Kotz}, title = {{Experience: Design, Development and Evaluation of a Wearable Device for mHealth Applications}}, booktitle = {{Proceedings of the International Conference on Mobile Computing and Networking (MobiCom)}}, year = 2019, month = {October}, articleno = 31, numpages = 14, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3300061.3345432}, URL = {https://www.cs.dartmouth.edu/~kotz/research/boateng-experience/index.html}, abstract = {Wrist-worn devices hold great potential as a platform for mobile health (mHealth) applications because they comprise a familiar, convenient form factor and can embed sensors in proximity to the human body. Despite this potential, however, they are severely limited in battery life, storage, bandwidth, computing power, and screen size. In this paper, we describe the experience of the research and development team designing, implementing and evaluating Amulet -- an open-hardware, open-software wrist-worn computing device -- and its experience using Amulet to deploy mHealth apps in the field. In the past five years the team conducted 11 studies in the lab and in the field, involving 204 participants and collecting over 77,780 hours of sensor data. We describe the technical issues the team encountered and the lessons they learned, and conclude with a set of recommendations. We anticipate the experience described herein will be useful for the development of other research-oriented computing platforms. 
It should also be useful for researchers interested in developing and deploying mHealth applications, whether with the Amulet system or with other wearable platforms.}, } @Article{greene:sharehealth, author = {Emily Greene and Patrick Proctor and David Kotz}, title = {{Secure Sharing of mHealth Data Streams through Cryptographically-Enforced Access Control}}, journal = {Journal of Smart Health}, year = 2019, month = {April}, volume = 12, pages = {49--65}, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.smhl.2018.01.003}, URL = {https://www.cs.dartmouth.edu/~kotz/research/greene-sharehealth/index.html}, abstract = {Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareHealth, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. 
The design and prototype implementation of this system make three contributions: (1) they apply cryptographically-enforced access-control measures to stream-based (specifically mHealth) data, (2) they recognize the temporal nature of mHealth data streams and support revocation of access to part or all of a data stream, and (3) they depart from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.}, } @InProceedings{hardin:blockchain-survey, author = {Taylor Hardin and David Kotz}, title = {{Blockchain in Healthcare Data Systems: a Survey}}, booktitle = {{Proceedings of the International Conference on Internet of Things: Systems, Management and Security (IOTSMS)}}, year = 2019, month = {October}, pages = {490--497}, publisher = {IEEE}, copyright = {IEEE}, location = {Granada, Spain}, DOI = {10.1109/IOTSMS48152.2019.8939174}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-blockchain-survey/index.html}, abstract = {There has been increasing interest in connecting disjointed Electronic Medical Records, mobile health data, and related health data systems for the purpose of improving preventative and precision medicine, while also providing individuals with greater access and control to their data. Blockchains provide data transparency, immutability, and decentralized trust -- making them a promising solution to the interoperability and security issues faced by such health data systems. Several papers have proposed the use of blockchain technology in healthcare to determine its viability as a solution and to identify potential applications and challenges. 
We build upon their work by 1) presenting implementation details related to blockchain applications in health data systems, 2) discussing the security, privacy, and performance trade-offs of each, and 3) identifying a set of research questions regarding the use of blockchain technology in health data systems. We find that blockchain-based healthcare research should place greater emphasis on real-world deployments and testing, smart-contract security, efficient and usable audit tools, blockchain governance, and adherence to healthcare data regulations and standards.}, } @InProceedings{kotz:amulet19, author = {David Kotz}, title = {{Amulet: an open-source wrist-worn platform for mHealth research and education}}, booktitle = {{Proceedings of the Workshop on Networked Healthcare Technology (NetHealth)}}, year = 2019, month = {January}, pages = {891--897}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/COMSNETS.2019.8711407}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-amulet19/index.html}, abstract = {The advent of mobile and wearable computing technology has opened up tremendous opportunities for health and wellness applications. It is increasingly possible for individuals to wear devices that can sense their physiology or health-related behaviors, collecting valuable data in support of diagnosis, treatment, public health, or other applications. From a researcher's point of view, the commercial availability of these ``mHealth'' devices has made it feasible to conduct scientific studies of health conditions and to explore health-related interventions. It remains difficult, however, to conduct systems work or other experimental research involving the hardware, software, security, and networking aspects of mobile and wearable technology. In this paper we describe the Amulet platform, an open-hardware, open-software wrist-worn computing device designed specifically for mHealth applications. 
Our position is that the Amulet is an inexpensive platform for research and education, and we encourage the mHealth community to explore its potential.}, } @InProceedings{mare:csaw19, author = {Shrirang Mare and Reza Rawassizadeh and Ronald Peterson and David Kotz}, title = {{Continuous Smartphone Authentication using Wristbands}}, booktitle = {{Proceedings of the Workshop on Usable Security (USEC)}}, year = 2019, month = {February}, numpages = 12, publisher = {Internet Society}, copyright = {the authors}, DOI = {10.14722/usec.2019.23013}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-csaw19/index.html}, abstract = {Many users find current smartphone authentication methods (PINs, swipe patterns) to be burdensome, leading them to weaken or disable the authentication. Although some phones support methods to ease the burden (such as fingerprint readers), these methods require active participation by the user and do not verify the user's identity after the phone is unlocked. We propose CSAW, a continuous smartphone authentication method that leverages wristbands to verify that the phone is in the hands of its owner. In CSAW, users wear a wristband (a smartwatch or a fitness band) with built-in motion sensors, and by comparing the wristband's motion with the phone's motion, CSAW continuously produces a score indicating its confidence that the person holding (and using) the phone is the person wearing the wristband. This score provides the foundation for a wide range of authentication decisions (e.g., unlocking phone, deauthentication, or limiting phone access). Through two user studies (N{$=$}27,11) we evaluated CSAW's accuracy, usability, and security. Our experimental evaluation demonstrates that CSAW was able to conduct initial authentication with over 99\% accuracy and continuous authentication with over 96.5\% accuracy.}, } @InProceedings{pierson:closetalker, author = {Timothy J. 
Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {{CloseTalker: secure, short-range ad hoc wireless communication}}, booktitle = {{Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2019, month = {June}, pages = {340--352}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3307334.3326100}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-closetalker/index.html}, abstract = {Secure communication is difficult to arrange between devices that have not previously shared a secret. Previous solutions to the problem are susceptible to man-in-the-middle attacks, require additional hardware for out-of-band communication, or require an extensive public-key infrastructure. Furthermore, as the number of wireless devices explodes with the advent of the Internet of Things, it will be impractical to manually configure each device to communicate with its neighbors. \par Our system, CloseTalker, allows simple, secure, ad hoc communication between devices in close physical proximity, while jamming the signal so it is unintelligible to any receivers more than a few centimeters away. CloseTalker does not require any specialized hardware or sensors in the devices, does not require complex algorithms or cryptography libraries, occurs only when intended by the user, and can transmit a short burst of data or an address and key that can be used to establish long-term or long-range communications at full bandwidth. \par In this paper we present a theoretical and practical evaluation of CloseTalker, which exploits Wi-Fi MIMO antennas and the fundamental physics of radio to establish secure communication between devices that have never previously met. We demonstrate that CloseTalker is able to facilitate secure in-band communication between devices in close physical proximity (about 5 cm), even though they have never met nor shared a key.}, } @InProceedings{pierson:snap, author = {Timothy J. 
Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {{Proximity Detection with Single-Antenna IoT Devices}}, booktitle = {{Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom)}}, year = 2019, month = {October}, articleno = 21, numpages = 15, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3300061.3300120}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap/index.html}, abstract = {Providing secure communications between wireless devices that encounter each other on an ad-hoc basis is a challenge that has not yet been fully addressed. In these cases, close physical proximity among devices that have never shared a secret key is sometimes used as a basis of trust; devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user's device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques. \par We present theoretical and practical evaluation of a method called SNAP -- SiNgle Antenna Proximity -- that allows a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. 
Our proximity detection technique leverages the repeating nature of Wi-Fi's preamble and the behavior of a signal in a transmitting antenna's near-field region to detect proximity with high probability; SNAP never falsely declares proximity at ranges longer than 14 cm.}, } @InProceedings{sen:vibering-poster, author = {Sougata Sen and Varun Mishra and David Kotz}, title = {{Using vibrations from a SmartRing as an out-of-band channel for sharing secret keys}}, booktitle = {{Adjunct Proceedings of the ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp)}}, year = 2019, month = {September}, pages = {198--201}, publisher = {ACM}, copyright = {the authors}, DOI = {10.1145/3341162.3343818}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-poster/index.html}, abstract = {With the rapid growth in the number of Internet of Things (IoT) devices with wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a secret, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this work, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smartRing -- to share a secret with a compatible IoT device. Through a user study with 12 participants we show that in the best case we can exchange 85.9\% messages successfully. 
Our technique demonstrates the possibility of sharing messages accurately, quickly and securely as compared to several existing techniques.}, } @InProceedings{hardin:mpu, author = {Taylor Hardin and Ryan Scott and Patrick Proctor and Josiah Hester and Jacob Sorber and David Kotz}, title = {{Application Memory Isolation on Ultra-Low-Power MCUs}}, booktitle = {{Proceedings of the USENIX Annual Technical Conference (USENIX ATC)}}, year = 2018, month = {July}, pages = {127--132}, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-mpu/index.html}, abstract = {The proliferation of applications that handle sensitive user data on wearable platforms generates a critical need for embedded systems that offer strong security without sacrificing flexibility and long battery life. To secure sensitive information, such as health data, ultra-low-power wearables must isolate applications from each other and protect the underlying system from errant or malicious application code. These platforms typically use microcontrollers that lack sophisticated Memory Management Units (MMU). Some include a Memory Protection Unit (MPU), but current MPUs are inadequate to the task, leading platform developers to software-based memory-protection solutions. 
In this paper, we present our memory isolation technique, which leverages compiler inserted code and MPU-hardware support to achieve better runtime performance than software-only counterparts.}, } @Article{liu:vocalresonance, author = {Rui Liu and Cory Cornelius and Reza Rawassizadeh and Ron Peterson and David Kotz}, title = {{Vocal Resonance: Using Internal Body Voice for Wearable Authentication}}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (UbiComp)}, year = 2018, month = {March}, volume = 2, number = 1, articleno = 19, numpages = 23, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3191751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-vocalresonance/index.html}, abstract = {We observe the advent of body-area networks of pervasive wearable devices, whether for health monitoring, personal assistance, entertainment, or home automation. For many devices, it is critical to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. In this paper we propose the use of vocal resonance, that is, the sound of the person's voice as it travels through the person's body -- a method we anticipate would be suitable for devices worn on the head, neck, or chest. In this regard, we go well beyond the simple challenge of speaker recognition: we want to know who is wearing the device. We explore two machine-learning approaches that analyze voice samples from a small throat-mounted microphone and allow the device to determine whether (a) the speaker is indeed the expected person, and (b) the microphone-enabled device is physically on the speaker's body. 
We collected data from 29 subjects, demonstrate the feasibility of a prototype, and show that our DNN method achieved balanced accuracy 0.914 for identification and 0.961 for verification by using an LSTM-based deep-learning model, while our efficient GMM method achieved balanced accuracy 0.875 for identification and 0.942 for verification.}, } @Article{mare:saw, author = {Shrirang Mare and Reza Rawassizadeh and Ronald Peterson and David Kotz}, title = {{SAW: Wristband-based authentication for desktop computers}}, journal = {Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (IMWUT) (Ubicomp)}, year = 2018, month = {September}, volume = 2, number = 3, articleno = 125, numpages = 29, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3264935}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-saw/index.html}, abstract = {Token-based proximity authentication methods that authenticate users based on physical proximity are effortless, but lack explicit user intentionality, which may result in accidental logins. For example, a user may get logged in when she is near a computer or just passing by, even if she does not intend to use that computer. Lack of user intentionality in proximity-based methods makes them less suitable for multi-user shared computer environments, despite their desired usability benefits over passwords. \par We present an authentication method for desktops called Seamless Authentication using Wristbands (SAW), which addresses the lack of intentionality limitation of proximity-based methods. SAW uses a low-effort user input step for explicitly conveying user intentionality, while keeping the overall usability of the method better than password-based methods. In SAW, a user wears a wristband that acts as the user's identity token, and to authenticate to a desktop, the user provides a low-effort input by tapping a key on the keyboard multiple times or wiggling the mouse with the wristband hand. 
This input to the desktop conveys that someone wishes to log in to the desktop, and SAW verifies the user who wishes to log in by confirming the user's proximity and correlating the received keyboard or mouse inputs with the user's wrist movement, as measured by the wristband. In our feasibility user study (n{$=$}17), SAW proved quick to authenticate (within two seconds), with a low false-negative rate of 2.5\% and worst-case false-positive rate of 1.8\%. In our user perception study (n{$=$}16), a majority of the participants rated it as more usable than passwords.}, } @InProceedings{peters:bastionsgx, author = {Travis Peters and Reshma Lal and Srikanth Varadarajan and Pradeep Pappachan and David Kotz}, title = {{BASTION-SGX: Bluetooth and Architectural Support for Trusted I/O on SGX}}, booktitle = {{Proceedings of the International Workshop on Hardware and Architectural Support for Security and Privacy (HASP)}}, year = 2018, month = {June}, articleno = 3, numpages = 9, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3214292.3214295}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peters-bastionsgx/index.html}, abstract = {This paper presents work towards realizing architectural support for Bluetooth Trusted I/O on SGX-enabled platforms, with the goal of providing I/O data protection that does not rely on system software security. Indeed, we are primarily concerned with protecting I/O from all software adversaries, including privileged software. In this paper we describe the challenges in designing and implementing Trusted I/O at the architectural level for Bluetooth. We propose solutions to these challenges. In addition, we describe our proof-of-concept work that extends existing over-the-air Bluetooth security all the way to an SGX enclave by securing user data between the Bluetooth Controller and an SGX enclave.}, } @InProceedings{pierson:snap-poster, author = {Timothy J. 
Pierson and Travis Peters and Ronald Peterson and David Kotz}, title = {{Poster: Proximity Detection with Single-Antenna IoT Devices}}, booktitle = {{Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom)}}, year = 2018, month = {October}, pages = {663--665}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3241539.3267751}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-snap-poster/index.html}, abstract = {Close physical proximity among wireless devices that have never shared a secret key is sometimes used as a basis of trust. In these cases, devices in close proximity are deemed trustworthy while more distant devices are viewed as potential adversaries. Because radio waves are invisible, however, a user may believe a wireless device is communicating with a nearby device when in fact the user's device is communicating with a distant adversary. Researchers have previously proposed methods for multi-antenna devices to ascertain physical proximity with other devices, but devices with a single antenna, such as those commonly used in the Internet of Things, cannot take advantage of these techniques. We investigate a method for a single-antenna Wi-Fi device to quickly determine proximity with another Wi-Fi device. Our approach leverages the repeating nature of Wi-Fi's preamble and the characteristics of a transmitting antenna's near field to detect proximity with high probability. 
Our method never falsely declares proximity at ranges longer than 14 cm.}, } @Article{reza:nocloud, author = {Reza Rawassizadeh and Timothy Pierson and Ronald Peterson and David Kotz}, title = {{NoCloud: Experimenting with Network Disconnection by Design}}, journal = {IEEE Pervasive Computing}, year = 2018, month = {January}, volume = 17, number = 1, pages = {64--74}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MPRV.2018.011591063}, URL = {https://www.cs.dartmouth.edu/~kotz/research/reza-nocloud/index.html}, abstract = {Application developers often advocate uploading data to the cloud for analysis or storage, primarily due to concerns about the limited computational capability of ubiquitous devices. Today, however, many such devices can still effectively operate and execute complex algorithms without reliance on the cloud. The authors recommend prioritizing on-device analysis over uploading the data to another host, and if on-device analysis is not possible, favoring local network services over a cloud service.}, } @PhdThesis{pierson:thesis, author = {Timothy J. Pierson}, title = {{Secure Short-range Communications}}, school = {Dartmouth Computer Science}, year = 2018, month = {June}, copyright = {Timothy J. Pierson}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2018-845}, abstract = {Analysts predict billions of everyday objects will soon become ``smart'' after designers add wireless communication capabilities. Collectively known as the Internet of Things (IoT), these newly communication-enabled devices are envisioned to collect and share data among themselves, with new devices entering and exiting a particular environment frequently. People and the devices they wear or carry may soon encounter dozens, possibly hundreds, of devices each day. Many of these devices will be encountered for the first time. 
Additionally, some of the information the devices share may have privacy or security implications. Furthermore, many of these devices will have limited or non-existent user interfaces, making manual configuration cumbersome. This situation suggests that devices that have never met, nor shared a secret, but that are in the same physical area, must have a way to securely communicate that requires minimal manual intervention. In this dissertation we present novel approaches to solve these short-range communication issues. Our techniques are simple to use, secure, and consistent with user intent. We first present a technique called Wanda that uses radio strength as a communication channel to securely impart information onto nearby devices. We focus on using Wanda to introduce new devices into an environment, but Wanda could be used to impart any type of information onto wireless devices, regardless of device type or manufacturer. Next we describe SNAP, a method for a single-antenna wireless device to determine when it is in close physical proximity to another wireless device. Because radio waves are invisible, a user may believe transmissions are coming from a nearby device when in fact the transmissions are coming from a distant adversary attempting to trick the user into accepting a malicious payload. Our approach significantly raises the bar for an adversary attempting such a trick. Finally, we present a solution called JamFi that exploits MIMO antennas and the Inverse-Square Law to securely transfer data between nearby devices while denying more distant adversaries the ability to recover the data. 
We find JamFi is able to facilitate reliable and secure communication between two devices in close physical proximity, even though they have never met nor shared a key.}, } @Misc{kotz:patent9936877, author = {David Kotz and Ryan Halter and Cory Cornelius and Jacob Sorber and Minho Shin and Ronald Peterson and Shrirang Mare and Aarathi Prasad and Joseph Skinner and Andr{\'{e}}s Molina-Markham}, title = {{Wearable computing device for secure control of physiological sensors and medical devices, with secure storage of medical records, and bioimpedance biometric}}, howpublished = {U.S. Patent 9,936,877; International Patent Application WO2013096954A1}, year = 2018, month = {April}, day = 10, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-patent9936877/index.html}, note = {This patent adds claims to its predecessor; Priority date 2011-12-23; Filed 2017-02-07; Issued 2018-04-10}, abstract = {A wearable master electronic device (Amulet) has a processor with memory, the processor coupled to a body-area network (BAN) radio and uplink radio. The device has firmware for BAN communications with wearable nodes to receive data, and in an embodiment, send configuration data. The device has firmware for using the uplink radio to download apps and configurations, and upload data to a server. An embodiment has accelerometers in Amulet and wearable node, and firmware for using accelerometer readings to determine if node and Amulet are worn by the same subject. Other embodiments use pulse sensors or microphones in the Amulet and node to both identify a subject and verify the Amulet and node are worn by the same subject. Another embodiment uses a bioimpedance sensor to identify the subject. The wearable node may be an insulin pump, chemotherapy pump, TENS unit, cardiac monitor, or other device.}, } @Misc{molina-markham:patent9961547, author = {Andr{\'{e}}s D. 
Molina-Markham and Shrirang Mare and Ronald Peterson and David Kotz}, title = {{Continuous seamless mobile device authentication using a separate electronic wearable apparatus}}, howpublished = {U.S. Patent 9,961,547}, year = 2018, month = {May}, day = 1, URL = {https://www.cs.dartmouth.edu/~kotz/research/molina-markham-patent9961547/index.html}, note = {Priority date 2016-09-30, Filed 2016-09-30; Issued 2018-05-01}, abstract = {A technique performs a security operation. The technique includes receiving first activity data from a mobile device, the first activity data identifying activity by a user that is currently using the mobile device. The technique further includes receiving second activity data from an electronic wearable apparatus, the second activity data identifying physical activity by a wearer that is currently wearing the electronic wearable apparatus. The technique further includes, based on the first activity data received from the mobile device and the second activity data received from the electronic wearable apparatus, performing an assessment operation that provides an assessment result indicating whether the user that is currently using the mobile device and the wearer that is currently wearing the electronic wearable apparatus are the same person. 
With such a technique, authentication may be continuous but without burdening the user to repeatedly re-enter a password.}, } @InProceedings{hardin:mobisys17, author = {Taylor Hardin and Josiah Hester and Patrick Proctor and Jacob Sorber and David Kotz}, title = {{Poster: Memory Protection in Ultra-Low-Power Multi-Application Wearables}}, booktitle = {{Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2017, month = {June}, pages = 170, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3081333.3089314}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hardin-mobisys17/index.html}, abstract = {Ultra-low-power microcontrollers have historically not offered MPUs; only recently have MPUs become more prevalent, but many lack the functionality for sufficient memory management and protection. Thus, those who develop multi-application, multi-tenant platforms isolate applications using compile-time or run-time software sandboxing (e.g., AmuletOS), imposing limits on application developers and adding time/space overhead to running applications. We have developed methods, however, to leverage the limited MPUs and thereby reduce overhead cost by narrowing the use of software-based approaches.}, } @InProceedings{kotz:safethings, author = {David Kotz and Travis Peters}, title = {{Challenges to ensuring human safety throughout the life-cycle of Smart Environments}}, booktitle = {{Proceedings of the ACM Workshop on the Internet of Safe Things (SafeThings)}}, year = 2017, month = {November}, pages = {1--7}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3137003.3137012}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-safethings/index.html}, abstract = {The homes, offices, and vehicles of tomorrow will be embedded with numerous ``Smart Things,'' networked with each other and with the Internet. 
Many of these Things are embedded in the physical infrastructure, and like the infrastructure they are designed to last for decades -- far longer than is normal with today's electronic devices. What happens then, when an occupant moves out or transfers ownership of her Smart Environment? This paper outlines the critical challenges required for the safe long-term operation of Smart Environments. How does an occupant identify and decommission all the Things in an environment before she moves out? How does a new occupant discover, identify, validate, and configure all the Things in the environment he adopts? When a person moves from smart home to smart office to smart hotel, how is a new environment vetted for safety and security, how are personal settings migrated, and how are they securely deleted on departure? When the original vendor of a Thing (or the service behind it) disappears, how can that Thing (and its data, and its configuration) be transferred to a new service provider? What interface can enable lay people to manage these complex challenges, and be assured of their privacy, security, and safety? We present a list of key research questions to address these important challenges.}, } @InProceedings{liang:lighttouch, author = {Xiaohui Liang and Tianlong Yun and Ronald Peterson and David Kotz}, title = {{LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent}}, booktitle = {{Proceedings of the IEEE International Conference on Computer Communications (INFOCOM)}}, year = 2017, month = {May}, pages = {1--9}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFOCOM.2017.8057210}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-lighttouch/index.html}, abstract = {Wearables are small and have limited user interfaces, so they often wirelessly interface with a personal smartphone/computer to relay information from the wearable for display or other interactions. 
In this paper, we envision a new method, LightTouch, by which a wearable can establish a secure connection to an ambient display, such as a television or a computer monitor, while ensuring the user's intention to connect to the display. LightTouch uses standard RF methods (like Bluetooth) for communicating the data to display, securely bootstrapped via the visible-light communication (the brightness channel) from the display to the low-cost, low-power, ambient light sensor of a wearable. A screen `touch' gesture is adopted by users to ensure that the modulation of screen brightness can be securely captured by the ambient light sensor with minimized noise. Wireless coordination with the processor driving the display establishes a shared secret based on the brightness channel information. We further propose novel on-screen localization and correlation algorithms to improve security and reliability. Through experiments and a preliminary user study we demonstrate that LightTouch is compatible with current display and wearable designs, is easy to use (about 6 seconds to connect), is reliable (up to 98\% success connection ratio), and is secure against attacks.}, } @InProceedings{liang:wearsys17, author = {Xiaohui Liang and David Kotz}, title = {{AuthoRing: Wearable User-presence Authentication}}, booktitle = {{Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys)}}, year = 2017, month = {June}, pages = {5--10}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3089351.3089357}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-wearsys17/index.html}, abstract = {A common log-in process at computers involves the entry of username and password; log out depends on the user to remember to log out, or a timeout to expire the user session. Once logged in, user sessions may be vulnerable to impostor attacks in which an impostor steps up to the user's unattended computer and inherits the user's access privilege. 
We propose a ring-based authentication system called ``AuthoRing'', which restricts the impostor attackers from generating new inputs at the computer's mouse and keyboard. During the log-in process, an eligible AuthoRing user wears a digital ring with accelerometers and wireless communication capability. When input is detected at the mouse or keyboard, the computer's AuthoRing system correlates hand-motion data received from the ring with the input data from the computer's window manager, and detects impostor attacks when these data are insufficiently correlated. We implemented the AuthoRing system and evaluated its security, efficiency, and usability; we found that impostor attacks can be effectively detected and the required operations happen quickly with negligible delays experienced by the user.}, } @InProceedings{liu:mobisys17, author = {Rui Liu and Cory Cornelius and Reza Rawassizadeh and Ron Peterson and David Kotz}, title = {{Poster: Vocal Resonance as a Passive Biometric}}, booktitle = {{Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2017, month = {June}, pages = 160, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3081333.3089304}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liu-mobisys17/index.html}, abstract = {We present a novel, unobtrusive biometric measurement that can support user identification in wearable body-mounted devices: \emph{vocal resonance}, that is, the sound of the person's voice as it travels through the person's body.}, } @InProceedings{liu:wearsys17, author = {Rui Liu and Reza Rawassizadeh and David Kotz}, title = {{Toward Accurate and Efficient Feature Selection for Speaker Recognition on Wearables}}, booktitle = {{Proceedings of the ACM Workshop on Wearable Systems and Applications (WearSys)}}, year = 2017, month = {June}, pages = {41--46}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3089351.3089352}, URL = 
{https://www.cs.dartmouth.edu/~kotz/research/liu-wearsys17/index.html}, abstract = {Due to the user-interface limitations of wearable devices, voice-based interfaces are becoming more common; speaker recognition may then address the authentication requirements of wearable applications. Wearable devices have small form factor, limited energy budget and limited computational capacity. In this paper, we examine the challenge of computing speaker recognition on small wearable platforms, and specifically, reducing resource use (energy use, response time) by trimming the input through careful feature selections. For our experiments, we analyze four different feature-selection algorithms and three different feature sets for speaker identification and speaker verification. Our results show that Principal Component Analysis (PCA) with frequency-domain features had the highest accuracy, Pearson Correlation (PC) with time-domain features had the lowest energy use, and recursive feature elimination (RFE) with frequency-domain features had the least latency. Our results can guide developers to choose feature sets and configurations for speaker-authentication algorithms on wearable platforms.}, } @InProceedings{pierson:s3, author = {Timothy J. Pierson and Ronald Peterson and David Kotz}, title = {{Secure Information Transfer Between Nearby Wireless Devices}}, booktitle = {{Proceedings of the Mobicom S3 workshop}}, year = 2017, month = {October}, pages = {11--13}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3131348.3131355}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-s3/index.html}, abstract = {Securely transferring data between two devices that have never previously met nor shared a secret is a difficult task. Previous solutions to the problem are susceptible to well-known attacks or may require extensive infrastructure that may not be suitable for wireless devices such as Internet of Things sensors that do not have advanced computational capabilities. 
\par We propose a new approach: using jamming to thwart adversaries located more than a few centimeters away, while still allowing devices in close physical proximity to securely share data. To accomplish this secure data transfer we exploit MIMO antennas and the Inverse-Square Law.}, } @InProceedings{prasad:enact, author = {Aarathi Prasad and David Kotz}, title = {{ENACT: Encounter-based Architecture for Contact Tracing}}, booktitle = {{Proceedings of the ACM Workshop on Physical Analytics (WPA)}}, year = 2017, month = {June}, pages = {37--42}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3092305.3092310}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-enact/index.html}, abstract = {Location-based sharing services allow people to connect with others who are near them, or with whom they shared a past encounter. Suppose it were also possible to connect with people who were at the same location but at a different time -- we define this scenario as a \emph{close encounter}, i.e., an incident of spatial and temporal proximity. By detecting close encounters, a person infected with a contagious disease could alert others to whom they may have spread the virus. We designed a smartphone-based system that allows people infected with a contagious virus to send alerts to other users who may have been exposed to the same virus due to a close encounter. We address three challenges: finding devices in close encounters with minimal changes to existing infrastructure, ensuring authenticity of alerts, and protecting privacy of all users. 
Finally, we also consider the challenges of a real-world deployment.}, } @InProceedings{prasad:spice, author = {Aarathi Prasad and Xiaohui Liang and David Kotz}, title = {{SPICE: Secure Proximity-based Infrastructure for Close Encounters}}, booktitle = {{Proceedings of the ACM Workshop on Mobile Crowdsensing Systems and Applications (CrowdSense)}}, year = 2017, month = {November}, pages = {56--61}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3139243.3139245}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-spice/index.html}, abstract = {We present a crowdsourcing system that extends the capabilities of location-based applications and allows users to connect and exchange information with users in spatial and temporal proximity. We define this incident of spatio-temporal proximity as a \emph{close encounter}. Typically, location-based application users store their information on a server, and trust the server to provide access only to authorized users, not misuse the data or disclose their location history. Our system, called SPICE, addresses these privacy issues by leveraging Wi-Fi access points to connect users and encrypt their information before it is exchanged, so only users in close encounters have access to the information. We present the design of the system and describe the challenges in implementing the protocol in a real-world application.}, } @TechReport{greene:thesis, author = {Emily Greene}, title = {{ShareABEL: Secure Sharing of mHealth Data through Cryptographically-Enforced Access Control}}, institution = {Dartmouth College, Computer Science}, year = 2017, month = {July}, number = {TR2017-827}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/greene-thesis/index.html}, abstract = {Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. 
For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareABEL, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. The design (and prototype implementation) of this system makes three contributions: (1) it applies cryptographically-enforced access-control measures to wearable healthcare data, which pose different challenges than Electronic Medical Records (EMRs), (2) it recognizes the temporal nature of mHealth data streams and supports revocation of access to part or all of a data stream, and (3) it departs from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.}, } @TechReport{harmon:thesis, author = {David B. Harmon}, title = {{Cryptographic transfer of sensor data from the Amulet to a smartphone}}, institution = {Dartmouth College, Computer Science}, year = 2017, month = {May}, number = {TR2017-826}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/harmon-thesis/index.html}, abstract = {The authenticity, confidentiality, and integrity of data streams from wearable healthcare devices are critical to patients, researchers, physicians, and others who depend on this data to measure the effectiveness of treatment plans and clinical trials. Many forms of mHealth data are highly sensitive; in the hands of unintended parties such data may reveal indicators of a patient's disorder, disability, or identity. Furthermore, if a malicious party tampers with the data, it can affect the diagnosis or treatment of patients, or the results of a research study. 
Although existing network protocols leverage encryption for confidentiality and integrity, network-level encryption does not provide end-to-end security from the device, through the smartphone and database, to downstream data consumers. In this thesis we provide a new open protocol that provides end-to-end authentication, confidentiality, and integrity for healthcare data in such a pipeline. \par We present and evaluate a prototype implementation to demonstrate this protocol's feasibility on low-power wearable devices, and present a case for the system's ability to meet critical security properties under a specific adversary model and trust assumptions.}, } @Misc{mare:patent9832206, author = {Shrirang Mare and Andr{\'{e}}s Molina-Markham and Ronald Peterson and David Kotz}, title = {{System, Method and Authorization Device for Biometric Access Control to Digital Devices}}, howpublished = {U.S. Patent 9,832,206; International Patent Application WO2014153528A2}, year = 2017, month = {November}, day = 28, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-patent9832206/index.html}, note = {Priority date 2013-03-21; Filed 2014-03-21; Issued 2017-11-28}, abstract = {A system and method for authenticating and continuously verifying authorized users of a digital device includes an authentication device attached to an arm or wrist of authorized users. The authentication device has an accelerometer, digital radio, a processor configured to provide identity information over the radio, and to transmit motion data. The motion data is received by the digital device and the identity transmitted is verified as an identity associated with an authorized user. Input at a touchscreen, touchpad, mouse, trackball, or keyboard of the digital device is detected, and correlated with the motion data. 
Access to the digital device is allowed if the detected input and the detected motion data correlate, and disallowed otherwise.}, } @Misc{kotz:patent9595187, author = {David Kotz and Ryan Halter and Cory Cornelius and Jacob Sorber and Minho Shin and Ronald Peterson and Shrirang Mare and Aarathi Prasad and Joseph Skinner and Andr{\'{e}}s Molina-Markham}, title = {{Wearable computing device for secure control of physiological sensors and medical devices, with secure storage of medical records, and bioimpedance biometric}}, howpublished = {U.S. Patent 9,595,187; International Patent Application WO2013096954A1}, year = 2017, month = {March}, day = 14, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-patent9595187/index.html}, note = {Priority date 2011-12-23; Filed 2012-12-24; Issued 2017-03-14}, abstract = {A wearable master electronic device (Amulet) has a processor with memory, the processor coupled to a body-area network (BAN) radio and uplink radio. The device has firmware for BAN communications with wearable nodes to receive data, and in an embodiment, send configuration data. The device has firmware for using the uplink radio to download apps and configurations, and upload data to a server. An embodiment has accelerometers in Amulet and wearable node, and firmware for using accelerometer readings to determine if node and Amulet are worn by the same subject. Other embodiments use pulse sensors or microphones in the Amulet and node to both identify a subject and verify the Amulet and node are worn by the same subject. Another embodiment uses a bioimpedance sensor to identify the subject. 
The wearable node may be an insulin pump, chemotherapy pump, TENS unit, cardiac monitor, or other device.}, } @InProceedings{hester:amulet-demo, author = {Josiah Hester and Travis Peters and Tianlong Yun and Ronald Peterson and Joseph Skinner and Bhargav Golla and Kevin Storer and Steven Hearndon and Sarah Lord and Ryan Halter and David Kotz and Jacob Sorber}, title = {{The Amulet Wearable Platform: Demo Abstract}}, booktitle = {{Proceedings of the ACM Conference on Embedded Networked Sensor Systems (SenSys)}}, year = 2016, month = {November}, pages = {290--291}, publisher = {ACM}, copyright = {ACM}, location = {Stanford, CA}, DOI = {10.1145/2994551.2996527}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hester-amulet-demo/index.html}, abstract = {In this demonstration we present the Amulet Platform; a hardware and software platform for developing energy- and resource-efficient applications on multi-application wearable devices. This platform, which includes the Amulet Firmware Toolchain, the Amulet Runtime, the ARP-View graphical tool, and open reference hardware, efficiently protects applications from each other without MMU support, allows developers to interactively explore how their implementation decisions impact battery life without the need for hardware modeling and additional software development, and represents a new approach to developing long-lived wearable applications. 
We envision the Amulet Platform enabling long-duration experiments on human subjects in a wide variety of studies.}, } @InProceedings{hester:amulet, author = {Josiah Hester and Travis Peters and Tianlong Yun and Ronald Peterson and Joseph Skinner and Bhargav Golla and Kevin Storer and Steven Hearndon and Kevin Freeman and Sarah Lord and Ryan Halter and David Kotz and Jacob Sorber}, title = {{Amulet: An Energy-Efficient, Multi-Application Wearable Platform}}, booktitle = {{Proceedings of the ACM Conference on Embedded Networked Sensor Systems (SenSys)}}, year = 2016, month = {November}, pages = {216--229}, publisher = {ACM}, copyright = {ACM}, location = {Stanford, CA}, DOI = {10.1145/2994551.2994554}, URL = {https://www.cs.dartmouth.edu/~kotz/research/hester-amulet/index.html}, abstract = {Wearable technology enables a range of exciting new applications in health, commerce, and beyond. For many important applications, wearables must have battery life measured in weeks or months, not hours and days as in most current devices. Our vision of wearable platforms aims for long battery life but with the flexibility and security to support multiple applications. To achieve long battery life with a workload comprising apps from multiple developers, these platforms must have robust mechanisms for app isolation and developer tools for optimizing resource usage. \par We introduce the Amulet Platform for constrained wearable devices, which includes an ultra-low-power hardware architecture and a companion software framework, including a highly efficient event-driven programming model, low-power operating system, and developer tools for profiling ultra-low-power applications at compile time. We present the design and evaluation of our prototype Amulet hardware and software, and show how the framework enables developers to write energy-efficient applications. 
Our prototype has battery lifetime lasting weeks or even months, depending on the application, and our interactive resource-profiling tool predicts battery lifetime within 6-10\% of the measured lifetime.}, } @Article{kotz:agenda, author = {David Kotz and Carl A. Gunter and Santosh Kumar and Jonathan P. Weiner}, title = {{Privacy and Security in Mobile Health~-- A Research Agenda}}, journal = {IEEE Computer}, year = 2016, month = {June}, volume = 49, number = 6, pages = {22--30}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MC.2016.185}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-agenda/index.html}, abstract = {Mobile health technology has great potential to increase healthcare quality, expand access to services, reduce costs, and improve personal wellness and public health. However, mHealth also raises significant privacy and security challenges.}, } @InProceedings{pierson:wanda-demo, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Demo: Wanda, securely introducing mobile devices}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2016, month = {June}, pages = 113, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2938559.2938581}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-demo/index.html}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. 
The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We developed Wanda -- a `magic wand' that accomplishes all three of the above goals -- and will demonstrate a prototype implementation.}, } @TechReport{pierson:wanda-tr, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Wanda: securely introducing mobile devices -- Extended version}}, institution = {Dartmouth Computer Science}, year = 2016, month = {February}, number = {TR2016-789}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-tr/index.html}, note = {Expanded version of the INFOCOM 2016 paper by the same title.}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda -- a `magic wand' that accomplishes all three of the above goals -- and evaluate a prototype implementation. This Tech Report contains supplemental information to our INFOCOM 2016 paper titled, ``Wanda: securely introducing mobile devices.'' Much of the additional information is in Section II, III, and VI.}, } @InProceedings{pierson:wanda, author = {Timothy J. 
Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {{Wanda: securely introducing mobile devices}}, booktitle = {{Proceedings of the IEEE International Conference on Computer Communications (INFOCOM)}}, year = 2016, month = {April}, pages = {1--9}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFOCOM.2016.7524366}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda/index.html}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals \emph{simply}, securely, and consistent with user intent. We present a novel approach we call Wanda -- a `magic wand' that accomplishes all three of the above goals -- and evaluate a prototype implementation.}, } @PhdThesis{mare:thesis, author = {Shrirang Mare}, title = {{Seamless Authentication for Ubiquitous Devices}}, school = {Dartmouth College Computer Science}, year = 2016, month = {May}, copyright = {Shrirang Mare}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2016-793.}, abstract = {User authentication is an integral part of our lives; we authenticate ourselves to personal computers and a variety of other things several times a day. Authentication is burdensome. When we wish to access a computer or a resource, it is an additional task that we need to perform -- an interruption in our workflow. 
In this dissertation, we study people's authentication behavior and attempt to make authentication to desktops and smartphones less burdensome for users. \par First, we present the findings of a user study we conducted to understand people's authentication behavior: things they authenticate to, how and when they authenticate, authentication errors they encounter and why, and their opinions about authentication. In our study, participants performed about 39 authentications per day on average; the majority of these authentications were to personal computers (desktop, laptop, smartphone, tablet) and with passwords, but the number of authentications to other things (e.g., car, door) was not insignificant. We saw a high failure rate for desktop and laptop authentication among our participants, affirming the need for a more usable authentication method. Overall, we found that authentication was a noticeable part of all our participants' lives and burdensome for many participants, but they accepted it as cost of security, devising their own ways to cope with it. \par Second, we propose a new approach to authentication, called bilateral authentication, that leverages wrist-wearable technology to enable seamless authentication for things that people use with their hands, while wearing a smart wristband. In bilateral authentication two entities (e.g., user's wristband and the user's phone) share their knowledge (e.g., about user's interaction with the phone) to verify the user's identity. Using this approach, we developed a seamless authentication method for desktops and smartphones. Our authentication method offers quick and effortless authentication, continuous user verification while the desktop (or smartphone) is in use, and automatic deauthentication after use. We evaluated our authentication method through four in-lab user studies, evaluating the method's usability and security from the system and the user's perspective. 
Based on the evaluation, our authentication method shows promise for reducing users' authentication burden for desktops and smartphones.}, } @PhdThesis{prasad:thesis, author = {Aarathi Prasad}, title = {{Privacy-preserving controls for sharing mHealth data}}, school = {Dartmouth College Computer Science}, year = 2016, month = {May}, copyright = {Aarathi Prasad}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2016-794.}, abstract = {Mobile devices allow people to collect and share health and health-related information with recipients such as health providers, family and friends, employers and insurance companies, to obtain health, emotional or financial benefits. People may consider certain health information sensitive and prefer to disclose only what is necessary. In this dissertation, we present our findings about factors that affect people's sharing behavior, describe scenarios in which people may wish to collect and share their personal health-related information with others, but may be hesitant to disclose the information if necessary controls are not available to protect their privacy, and propose frameworks to provide the desired privacy controls. We introduce the concept of close encounters that allow users to share data with other people who may have been in spatio-temporal proximity. We developed two smartphone-based systems that leverage stationary sensors and beacons to determine whether users are in spatio-temporal proximity. The first system, ENACT, allows patients diagnosed with a contagious airborne disease to alert others retrospectively about their possible exposure to airborne virus. The second system, SPICE, allows users to collect sensor information, retrospectively, from others with whom they shared a close encounter. 
We present design and implementation of the two systems, analyse their security and privacy guarantees, and evaluate the systems on various performance metrics. Finally, we evaluate how Bluetooth beacons and Wi-Fi access points can be used in support of these systems for close encounters, and present our experiences and findings from a deployment study on Dartmouth campus.}, } @TechReport{wang:auth, author = {Bingyue Wang}, title = {{Learning Device Usage in Context: A Continuous and Hierarchical Smartphone Authentication Scheme}}, institution = {Dartmouth Computer Science}, year = 2016, month = {March}, number = {TR2016-790}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/wang-auth/index.html}, abstract = {Popular smartphone authentication schemes, such as PIN-based or biometrics-based authentication methods, require only an initial login at the start of a usage session to authorize the user to use all the apps on the phone during the entire session. Those schemes fail to provide continuous protection of the smartphone after the initial login. They also fail to meet the hierarchy of security requirements for different apps under different contexts. In this study, we propose a continuous and hierarchical authentication scheme. We believe that a user's app-usage patterns depend on his location context. As such, our scheme relies on app-usage patterns in different location context to continuously establish the log probability density (LPD) of the authenticity of the current user. Based on different LPD thresholds corresponding to different security requirements, the current user either has a LPD higher than the threshold, which grants him continuous access to the phone or the app, or he has a LPD lower than the threshold, which locks him out of the phone or the app immediately. We test our scheme on 4,600 subjects from the Device Analyzer Dataset. 
We found that our scheme could correctly identify the authenticity of the majority of the subjects. However, app-usage patterns with or without location context yielded similar performances, indicating that user contexts did not contribute further information to establish user behavioral patterns. Based on our scheme, we propose a hypothetical Android app which would provide continuous and hierarchical authentication for the smartphone users.}, } @Article{kotz:frontiers, author = {David Kotz and Kevin Fu and Carl Gunter and Avi Rubin}, title = {{Security for Mobile and Cloud Frontiers in Healthcare}}, journal = {Communications of the ACM}, year = 2015, month = {August}, volume = 58, number = 8, pages = {21--23}, publisher = {ACM}, copyright = {the authors}, DOI = {10.1145/2790830}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-frontiers/index.html}, abstract = {Designers and developers of healthcare information technologies must address preexisting security vulnerabilities and undiagnosed future threats.}, } @Article{shin:anonytiles, author = {Minho Shin and Cory Cornelius and Apu Kapadia and Nikos Triandopoulos and David Kotz}, title = {{Location Privacy for Mobile Crowd Sensing through Population Mapping}}, journal = {Sensors}, year = 2015, month = {June}, volume = 15, number = 7, pages = {15285--15310}, publisher = {open access}, copyright = {the authors}, DOI = {10.3390/s150715285}, URL = {https://www.cs.dartmouth.edu/~kotz/research/shin-anonytiles/index.html}, abstract = {Opportunistic sensing allows applications to ``task'' mobile devices to measure context in a target region. For example, one could leverage sensor-equipped vehicles to measure traffic or pollution levels on a particular street or users' mobile phones to locate (Bluetooth-enabled) objects in their vicinity. 
In most proposed applications, context reports include the time and location of the event, putting the privacy of users at increased risk: even if identifying information has been removed from a report, the accompanying time and location can reveal sufficient information to de-anonymize the user whose device sent the report. We propose and evaluate a novel spatiotemporal blurring mechanism based on tessellation and clustering to protect users' privacy against the system while reporting context. Our technique employs a notion of probabilistic k-anonymity; it allows users to perform local blurring of reports efficiently without an online anonymization server before the data are sent to the system. The proposed scheme can control the degree of certainty in location privacy and the quality of reports through a system parameter. We outline the architecture and security properties of our approach and evaluate our tessellation and clustering algorithm against real mobility traces.}, } @TechReport{cornelius:voice-tr, author = {Cory Cornelius and Zachary Marois and Jacob Sorber and Ron Peterson and Shrirang Mare and David Kotz}, title = {{Vocal resonance as a biometric for pervasive wearable devices}}, institution = {Dartmouth Computer Science}, year = 2014, month = {February}, number = {TR2014-747}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-voice-tr/index.html}, abstract = {We anticipate the advent of body-area networks of pervasive wearable devices, whether for health monitoring, personal assistance, entertainment, or home automation. In our vision, the user can simply wear the desired set of devices, and they ``just work''; no configuration is needed, and yet they discover each other, recognize that they are on the same body, configure a secure communications channel, and identify the user to which they are attached. 
This paper addresses a method to achieve the latter, that is, for a wearable device to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. We use vocal resonance, that is, the sound of the person's voice as it travels through the person's body. By collecting voice samples from a small wearable microphone, our method allows the device to determine whether (a) the speaker is indeed the expected person, and (b) the microphone device is physically on the speaker's body. We collected data from 25 subjects, demonstrate the feasibility of a prototype, and show that our method works with 77\% accuracy when a threshold is chosen a priori.}, } @InProceedings{cornelius:wearable, author = {Cory Cornelius and Ronald Peterson and Joseph Skinner and Ryan Halter and David Kotz}, title = {{A wearable system that knows who wears it}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2014, month = {June}, pages = {55--67}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2594368.2594369}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-wearable/index.html}, abstract = {Body-area networks of pervasive wearable devices are increasingly used for health monitoring, personal assistance, entertainment, and home automation. In an ideal world, a user would simply wear their desired set of devices with no configuration necessary: the devices would discover each other, recognize that they are on the same person, construct a secure communications channel, and recognize the user to which they are attached. In this paper we address a portion of this vision by offering a wearable system that unobtrusively recognizes the person wearing it. Because it can recognize the user, our system can properly label sensor data or personalize interactions. 
\par Our recognition method uses bioimpedance, a measurement of how tissue responds when exposed to an electrical current. By collecting bioimpedance samples using a small wearable device we designed, our system can determine that (a) the wearer is indeed the expected person and (b) the device is physically on the wearer's body. Our recognition method works with 98\% balanced-accuracy under a cross-validation of a day's worth of bioimpedance samples from a cohort of 8 volunteer subjects. We also demonstrate that our system continues to recognize a subset of these subjects even several months later. Finally, we measure the energy requirements of our system as implemented on a Nexus S smart phone and custom-designed module for the Shimmer sensing platform.}, } @InProceedings{liang:healthtech14, author = {Xiaohui Liang and David Kotz}, title = {{Securely Connecting Wearable Health Devices to External Displays}}, booktitle = {{Proceedings of the USENIX Summit on Health Information Technologies}}, year = 2014, month = {August}, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/liang-healthtech14/index.html}, note = {No paper -- workshop presentation only}, abstract = {Wearable health technology is becoming a hot commodity as it has the potential to help both patients and clinicians continuously monitor vital signs and symptoms. One popular type of wearable device is worn on the human wrist and is equipped with sensors to passively perform sensing tasks. Their constrained user interface, however, is ineffective for displaying the sensory data to users. We envision connecting a wrist-worn device to a display device, such as a television, so the user is able to view the sensory data. 
Such connections must be secure to prevent the sensory data from being eavesdropped by other devices, must be made only when the user intends, and must be easy even when a new display is encountered (such as in a medical clinic, or a hotel room). In this presentation, we will discuss the secure wearable/display connection problem by revisiting existing methods and hardware designs of wrist-worn devices and display devices. We then present possible solutions that leverage the built-in hardware components of wrist-worn devices to implement secure, intentional, easy connections to ambient display devices.}, } @Article{mare:hns-j, author = {Shrirang Mare and Jacob Sorber and Minho Shin and Cory Cornelius and David Kotz}, title = {{Hide-n-Sense: preserving privacy efficiently in wireless mHealth}}, journal = {Mobile Networks and Applications (MONET)}, year = 2014, month = {June}, volume = 19, number = 3, pages = {331--344}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/s11036-013-0447-x}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-hns-j/index.html}, note = {Special issue on Wireless Technology for Pervasive Healthcare}, abstract = {As healthcare in many countries faces an aging population and rising costs, mobile sensing technologies promise a new opportunity. Using mobile health (mHealth) sensing, which uses medical sensors to collect data about the patients, and mobile phones to act as a gateway between sensors and electronic health record systems, caregivers can continuously monitor the patients and deliver better care. Furthermore, individuals can become better engaged in monitoring and managing their own health. Although some work on mHealth sensing has addressed security, achieving strong privacy for low-power sensors remains a challenge. We make three contributions. 
First, we propose an mHealth sensing protocol that provides strong security and privacy properties at the link layer, with low energy overhead, suitable for low-power sensors. The protocol uses three novel techniques: adaptive security, to dynamically modify transmission overhead; MAC striping, to make forgery difficult even for small-sized Message Authentication Codes; and asymmetric resource requirements, in recognition of the limited resources in tiny mHealth sensors. Second, we demonstrate its feasibility by implementing a prototype on a Chronos wrist device, and evaluating it experimentally. Third, we provide a security, privacy, and energy analysis of our system.}, } @TechReport{mare:zebra-tr, author = {Shrirang Mare and Andr{\'{e}}s Molina-Markham and Cory Cornelius and Ronald Peterson and David Kotz}, title = {{ZEBRA: Zero-Effort Bilateral Recurring Authentication (Companion report)}}, institution = {Dartmouth Computer Science}, year = 2014, month = {May}, number = {TR2014-748}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-zebra-tr/index.html}, note = {This project has been renamed CSAW.}, abstract = {We describe and evaluate Zero-Effort Bilateral Recurring Authentication (ZEBRA) in our paper that appears in IEEE Symposium on Security and Privacy, May 2014. In this report we provide a more detailed comparative evaluation of ZEBRA against other related authentication schemes. The abstract of the paper follows. Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. 
Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests. To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user's hand movement. In our experiments ZEBRA performed continuous authentication with 85\% accuracy in verifying the correct user and identified all adversaries within 11 s. 
For a different threshold that trades security for usability, ZEBRA correctly verified 90\% of users and identified all adversaries within 50 s.}, } @InProceedings{mare:zebra14, author = {Shrirang Mare and Andr{\'{e}}s Molina-Markham and Cory Cornelius and Ronald Peterson and David Kotz}, title = {{ZEBRA: Zero-Effort Bilateral Recurring Authentication}}, booktitle = {{Proceedings of the IEEE Symposium on Security \& Privacy}}, year = 2014, month = {May}, pages = {705--720}, publisher = {IEEE}, copyright = {the authors}, DOI = {10.1109/SP.2014.51}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-zebra14/index.html}, note = {This project has been renamed CSAW.}, abstract = {Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests. \par To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. 
Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user's hand movement. In our experiments ZEBRA performed continuous authentication with 85\% accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90\% of users and identified all adversaries within 50 s.}, } @InProceedings{mm:amulet-poster, author = {Andr{\'{e}}s Molina-Markham and Ronald A. Peterson and Joseph Skinner and Ryan J. Halter and Jacob Sorber and David Kotz}, title = {{Poster: Enabling Computational Jewelry for mHealth Applications}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2014, month = {June}, pages = {374--375}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2594368.2601454}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mm-amulet-poster/index.html}, abstract = {We are developing wearable devices as the foundation for a consistently present and highly available body-area mHealth network. Our vision is that a small device, such as a bracelet or pendant, will provide the availability and reliability properties essential for successful body-area mHealth networks. We call this class of device computational jewelry, and expect it will be the next frontier of mobile systems. We prototyped our first piece of computational jewelry, which we call Amulet, to enable our previously proposed vision. It runs applications that may collect sensor data from built-in sensors or from other devices, analyze and log the data, queue information for later upload, and interact with the wearer. 
Independent developers can develop applications that can be vetted and installed on an Amulet.}, } @InProceedings{molina-markham:wmmadd, author = {Andr{\'{e}}s Molina-Markham and Ronald Peterson and Joseph Skinner and Tianlong Yun and Bhargav Golla and Kevin Freeman and Travis Peters and Jacob Sorber and Ryan Halter and David Kotz}, title = {{Amulet: A secure architecture for mHealth applications for low-power wearable devices}}, booktitle = {{Proceedings of the Workshop on Mobile Medical Applications-- Design and Development (WMMADD)}}, year = 2014, month = {November}, pages = {16--21}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2676431.2676432}, URL = {https://www.cs.dartmouth.edu/~kotz/research/molina-markham-wmmadd/index.html}, abstract = {Interest in using mobile technologies for health-related applications (mHealth) has increased. However, none of the available mobile platforms provide the essential properties that are needed by these applications. An mHealth platform must be (i) secure; (ii) provide high availability; and (iii) allow for the deployment of multiple third-party mHealth applications that share access to an individual's devices and data. Smartphones may not be able to provide property (ii) because there are activities and situations in which an individual may not be able to carry them (e.g., while in a contact sport). A low-power wearable device can provide higher availability, remaining attached to the user during most activities. Furthermore, some mHealth applications require integrating multiple on-body or near-body devices, some owned by a single individual, but others shared with multiple individuals. In this paper, we propose a secure system architecture for a low-power bracelet that can run multiple applications and manage access to shared resources in a body-area mHealth network. 
The wearer can install a personalized mix of third-party applications to support the monitoring of multiple medical conditions or wellness goals, with strong security safeguards. Our preliminary implementation and evaluation support the hypothesis that our approach allows for the implementation of a resource monitor on far less power than would be consumed by a mobile device running Linux or Android. Our preliminary experiments demonstrate that our secure architecture would enable applications to run for several weeks on a small wearable device without recharging.}, } @InProceedings{prasad:mobisys-poster, author = {Aarathi Prasad and Xiaohui Liang and David Kotz}, title = {{Poster: Balancing Disclosure and Utility of Personal Information}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2014, month = {June}, pages = {380--381}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2594368.2601448}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-mobisys-poster/index.html}, abstract = {The ubiquity of smartphones and mobile and wearable devices allows people to collect information about their health, wellness and lifestyle and share it with others. If it is not clear what they need to share to receive benefits, \emph{subjects} (people whose information is collected) might share too much, thus disclosing unnecessary private information. On the other hand, concerned about disclosing personal information, subjects might share less than what the recipient needs and lose the opportunity to enjoy the benefits. This balance of disclosure and utility is important when the subject wants to receive some benefits, but is concerned about disclosing private information. \par We address this problem of balancing disclosure and utility of personal information collected by mobile technologies. 
We believe subjects can decide how best to share their information if they are aware of the benefits and risks of sharing. We developed ShareBuddy, a privacy-aware architecture that allows recipients to request information and specify the benefits the subjects will receive for sharing each piece of requested information; the architecture displays these benefits and warns subjects about the risks of sharing. We describe the ShareBuddy architecture in this poster.}, } @Article{tan:dist, author = {Keren Tan and Chris McDonald and Bennet Vance and Chrisil Arackaparambil and Sergey Bratus and David Kotz}, title = {{From MAP to DIST: the evolution of a large-scale WLAN monitoring system}}, journal = {IEEE Transactions on Mobile Computing}, year = 2014, month = {January}, volume = 13, number = 1, pages = {216--229}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/TMC.2012.237}, URL = {https://www.cs.dartmouth.edu/~kotz/research/tan-dist/index.html}, abstract = {The edge of the Internet is increasingly becoming wireless. Therefore, monitoring the wireless edge is important to understanding the security and performance aspects of the Internet experience. We have designed and implemented a large-scale WLAN monitoring system, the Distributed Internet Security Testbed (DIST), at Dartmouth College. It is equipped with distributed arrays of ``sniffers'' that cover 210 diverse campus locations and more than 5,000 users. In this paper, we describe our approach, designs and solutions for addressing the technical challenges that have resulted from efficiency, scalability, security, and management perspectives. We also present extensive evaluation results on a production network, and summarize the lessons learned.}, } @Article{anthony:sith3, author = {Denise Anthony and Andrew Campbell and Thomas Candon and Andrew Gettinger and Carl A. Gunter and M. 
Eric Johnson and David Kotz and Lisa Marsch and Andr{\'{e}}s Molina-Markham and Karen Page and Sean Smith}, title = {{Securing Information Technology in Healthcare}}, journal = {IEEE Security \& Privacy}, year = 2013, month = {November}, volume = 11, number = 6, pages = {25--33}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MSP.2013.104}, URL = {https://www.cs.dartmouth.edu/~kotz/research/anthony-sith3/index.html}, note = {Invited paper}, abstract = {Information technology (IT) has great potential to improve healthcare quality while also improving efficiency, and thus has been a major focus of recent healthcare reform efforts. However, developing, deploying and using IT that is both secure and genuinely effective in the complex clinical, organizational and economic environment of healthcare is a significant challenge. Further, it is imperative that we better understand the privacy concerns of patients and providers, as well as the ability of current technologies, policies, and laws to adequately protect privacy. The Securing Information Technology in Healthcare (SITH) workshops were created to provide a forum to discuss security and privacy for experts from a broad range of perspectives, from officers at large healthcare companies, startups and nonprofits, to physicians, researchers and policy makers.}, } @InProceedings{prasad:nethealth13, author = {Aarathi Prasad and Ronald Peterson and Shrirang Mare and Jacob Sorber and Kolin Paul and David Kotz}, title = {{Provenance framework for mHealth}}, booktitle = {{Proceedings of the Workshop on Networked Healthcare Technology (NetHealth)}}, year = 2013, month = {January}, pages = {1--6}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/COMSNETS.2013.6465599}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-nethealth13/index.html}, abstract = {Mobile health technologies allow patients to collect their health information outside the hospital and share this information with others. 
But how can data consumers know whether to trust the sensor-collected and human-entered data they receive? Data consumers might be able to verify the accuracy and authenticity of the data if they have information about its origin and about changes made to it, i.e., the \emph{provenance} of the data. We propose a provenance framework for mHealth devices, to collect and share provenance metadata and help the data consumer verify whether certain provenance properties are satisfied by the data they receive. This paper describes the programming model for this framework, which describes the rules to be implemented for providing provenance-collecting capabilities to an mHealth application.}, } @PhdThesis{cornelius:thesis, author = {Cory T. Cornelius}, title = {{Usable Security for Wireless Body-Area Networks}}, school = {Dartmouth College Computer Science}, year = 2013, month = {September}, copyright = {Cory T. Cornelius}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2013-741}, abstract = {We expect wireless body-area networks of pervasive wearable devices will enable \emph{in situ} health monitoring, personal assistance, entertainment personalization, and home automation. As these devices become ubiquitous, we also expect them to interoperate. That is, instead of closed, end-to-end body-worn sensing systems, we envision standardized sensors that wirelessly communicate their data to a device many people already carry today, the smart phone. However, this ubiquity of wireless sensors combined with the characteristics they sense present many security and privacy problems. \par In this thesis we describe solutions to two of these problems. First, we evaluate the use of bioimpedance for recognizing who is wearing these wireless sensors and show that bioimpedance is a feasible biometric. 
Second, we investigate the use of accelerometers for verifying whether two of these wireless sensors are on the same person and show that our method is successful at distinguishing between sensors on the same body and on different bodies. We stress that any solution to these problems must be usable, meaning the user should not have to do anything but attach the sensor to their body and have them \emph{just work}. \par These methods solve interesting problems in their own right, but it is the combination of these methods that shows their true power. Combined, they allow a network of wireless sensors to cooperate and determine whom they are sensing even though only one of the wireless sensors might be able to determine this fact. If all the wireless sensors know they are on the same body as each other and one of them knows which person it is on, then they can each exploit the transitive relationship to know that they must all be on that person's body. We show how these methods can work together in a prototype system. This ability to operate unobtrusively, collecting \emph{in situ} data and labeling it properly without interrupting the wearer's activities of daily life, will be vital to the success of these wireless sensors.}, } @InProceedings{cornelius:biometrics-poster, author = {Cory Cornelius and Zachary Marois and Jacob Sorber and Ron Peterson and Shrirang Mare and David Kotz}, title = {{Passive Biometrics for Pervasive Wearable Devices (Poster paper)}}, booktitle = {{Proceedings of the Workshop on Mobile Computing Systems and Applications (HotMobile)}}, year = 2012, month = {February}, numpages = 1, publisher = {ACM}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-biometrics-poster/index.html}, abstract = {Wearable devices -- like the FitBit, MOTOACTV, and Jawbone UP -- are becoming increasingly pervasive, whether for monitoring health and fitness, personal assistance, or home automation. 
While pervasive wearable devices have long been researched, we are now beginning to see the fruits of this research in the form of commercial offerings. Today, many of these commercial wearable devices are closed systems that do not interoperate with other devices a person might carry. We believe, however, these commercial offerings signal the coming of wireless body-area networks that will connect these pervasive wearable devices and leverage existing devices a user already owns (e.g., a smartphone). Such wireless body-area networks will allow devices to specialize and utilize the capabilities of other devices in the network. A sensor, for example, might harness the internet connectivity of a smartphone to store its data in the cloud. Utilized in this way, devices will become cheaper because they will only require the components necessary for their speciality, and they will also become more pervasive because they can easily be shared between users. \par In order for such a vision to be successful, these devices will need to seamlessly interoperate with no interaction required of the user. As difficult as it is for users to manage their wireless area networks, it will be even more difficult for a user to manage their wireless body-area network in a truly pervasive world. As such, we believe these wearable devices should form a wireless body-area network that is passive in nature. This means that these pervasive wearable devices will require no configuration, yet they will be able to form a wireless body-area network by (1) discovering their peers, (2) recognizing they are attached to the same body, (3) securing their communications, and (4) identifying to whom they are attached. 
While we are interested in all aspects of these passive wireless body-area networks, we focus on the last requirement: identifying who is wearing a device.}, } @InProceedings{cornelius:impedance, author = {Cory Cornelius and Jacob Sorber and Ronald Peterson and Joe Skinner and Ryan Halter and David Kotz}, title = {{Who wears me? Bioimpedance as a passive biometric}}, booktitle = {{Proceedings of the USENIX Workshop on Health Security and Privacy}}, year = 2012, month = {August}, numpages = 10, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-impedance/index.html}, abstract = {Mobile and wearable systems for monitoring health are becoming common. If such an mHealth system knows the identity of its wearer, the system can properly label and store data collected by the system. Existing recognition schemes for such mobile applications and pervasive devices are not particularly usable -- they require \emph{active} engagement with the person (e.g., the input of passwords), or they are too easy to fool (e.g., they depend on the presence of a device that is easily stolen or lost). \par We present a wearable sensor to passively recognize people. Our sensor uses the unique electrical properties of a person's body to recognize their identity. More specifically, the sensor uses \emph{bioimpedance} -- a measure of how the body's tissues oppose a tiny applied alternating current -- and learns how a person's body uniquely responds to alternating current of different frequencies. 
In this paper we demonstrate the feasibility of our system by showing its effectiveness at accurately recognizing people in a household 90\% of the time.}, } @Article{cornelius:j-same-body, author = {Cory Cornelius and David Kotz}, title = {{Recognizing whether sensors are on the same body}}, journal = {Journal of Pervasive and Mobile Computing}, year = 2012, month = {December}, volume = 8, number = 6, pages = {822--836}, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.pmcj.2012.06.005}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-j-same-body/index.html}, abstract = {In an open mobile health (mHealth) sensing system, users will be able to seamlessly pair sensors with their cellphone and expect the system to just work. This ubiquity of sensors, however, creates the potential for users to accidentally wear sensors that are not paired with their own cellphone. Our method probabilistically detects this situation by finding correlations between embedded accelerometers in the cellphone and sensor. We evaluate our method over a dataset of seven individuals with sensors in various positions on their body and experimentally show that our method is capable of achieving an accuracy of 85\%.}, } @InProceedings{prasad:provenance-poster, author = {Aarathi Prasad and Ronald Peterson and Jacob Sorber and David Kotz}, title = {{A Provenance Framework for mHealth}}, booktitle = {{Proceedings of the Workshop for Mobile Systems, Applications, and Services for Healthcare (mHealthSys) Poster Track}}, year = 2012, month = {November}, articleno = 9, numpages = 2, publisher = {ACM}, copyright = {ACM}, location = {Toronto}, DOI = {10.1145/2396276.2396287}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-provenance-poster/index.html}, abstract = {How can data consumers know whether to trust the sensor-collected and human-entered data they receive from mHealth devices? What confidence do they have that it is accurate and authentic? 
Data recipients might be able to verify the accuracy and authenticity of the data if they have information about its origin and about changes made to it, i.e., the provenance of the data. We define provenance in mHealth as contextual information that can attest to the authenticity and accuracy of the data and can help the recipient in interpreting the data. To realize this vision, we propose a provenance framework for mHealth. The primary function of the framework is to collect and share provenance metadata and help the data consumer verify whether certain provenance properties are satisfied by the data they receive.}, } @InProceedings{sorber:amulet, author = {Jacob Sorber and Minho Shin and Ronald Peterson and Cory Cornelius and Shrirang Mare and Aarathi Prasad and Zachary Marois and Emma Smithayer and David Kotz}, title = {{An Amulet for trustworthy wearable mHealth}}, booktitle = {{Proceedings of the Workshop on Mobile Computing Systems and Applications (HotMobile)}}, year = 2012, month = {February}, articleno = 7, numpages = 6, publisher = {ACM}, copyright = {ACM}, location = {San Diego, California}, DOI = {10.1145/2162081.2162092}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sorber-amulet/index.html}, abstract = {Mobile technology has significant potential to help revolutionize personal wellness and the delivery of healthcare. Mobile phones, wearable sensors, and home-based tele-medicine devices can help caregivers and individuals themselves better monitor and manage their health. While the potential benefits of this ``mHealth'' technology include better health, more effective healthcare, and reduced cost, this technology also poses significant security and privacy challenges. 
In this paper we propose \emph{Amulet,} an mHealth architecture that provides strong security and privacy guarantees while remaining easy to use, and outline the research and engineering challenges required to realize the Amulet vision.}, } @InProceedings{sorber:pnt, author = {Jacob Sorber and Minho Shin and Ron Peterson and David Kotz}, title = {{Plug-n-Trust: Practical trusted sensing for mHealth}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2012, month = {June}, pages = {309--322}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2307636.2307665}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sorber-pnt/index.html}, abstract = {Mobile computing and sensing technologies present exciting opportunities for healthcare. Prescription wireless sensors worn by patients can automatically deliver medical data to care providers, dramatically improving their ability to diagnose, monitor, and manage a range of medical conditions. Using the mobile phones that patients already carry to provide connectivity between sensors and providers is essential to keeping costs low and deployments simple. Unfortunately, software-based attacks against phones are also on the rise, and successful attacks on privacy-sensitive and safety-critical applications can have significant consequences for patients. \par In this paper, we describe Plug-n-Trust (PnT), a novel approach to protecting both the confidentiality and integrity of safety-critical medical sensing and data processing on vulnerable mobile phones. With PnT, a plug-in smart card provides a trusted computing environment, keeping data safe even on a compromised mobile phone. By design, PnT is simple to use and deploy, while providing a flexible programming interface amenable to a wide range of applications. 
We describe our implementation, designed for Java-based smart cards and Android phones, in which we use a split-computation model with a novel path hashing technique to verify proper behavior without exposing confidential data. Our experimental evaluation demonstrates that PnT achieves its security goals while incurring acceptable overhead.}, } @InProceedings{cornelius:same-body, author = {Cory Cornelius and David Kotz}, title = {{Recognizing whether sensors are on the same body}}, booktitle = {{Proceedings of the International Conference on Pervasive Computing (Pervasive)}}, series = {Lecture Notes in Computer Science}, year = 2011, month = {June}, volume = 6696, pages = {332--349}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/978-3-642-21726-5_21}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-same-body/index.html}, abstract = {As personal health sensors become ubiquitous, we also expect them to become interoperable. That is, instead of closed, end-to-end personal health sensing systems, we envision standardized sensors wirelessly communicating their data to a device many people already carry today, the cellphone. In an open personal health sensing system, users will be able to seamlessly pair off-the-shelf sensors with their cellphone and expect the system to \emph{just work}. However, this ubiquity of sensors creates the potential for users to accidentally wear sensors that are not necessarily paired with their own cellphone. A husband, for example, might mistakenly wear a heart-rate sensor that is actually paired with his wife's cellphone. As long as the heart-rate sensor is within communication range, the wife's cellphone will be receiving heart-rate data about her husband, data that is incorrectly entered into her own health record. \par We provide a method to probabilistically detect this situation. 
Because accelerometers are relatively cheap and require little power, we imagine that the cellphone and each sensor will have a companion accelerometer embedded with the sensor itself. We extract standard features from these companion accelerometers, and use a pair-wise statistic -- coherence, a measurement of how well two signals are related in the frequency domain -- to determine how well features correlate for different locations on the body. We then use these feature coherences to train a classifier to recognize whether a pair of sensors -- or a sensor and a cellphone -- are on the same body. We evaluate our method over a dataset of several individuals walking around with sensors in various positions on their body and experimentally show that our method is capable of achieving accuracies over 80\%.}, } @InProceedings{kotz:mHealth-threats, author = {David Kotz}, title = {{A threat taxonomy for mHealth privacy}}, booktitle = {{Proceedings of the Workshop on Networked Healthcare Technology (NetHealth)}}, year = 2011, month = {January}, articleno = 1, numpages = 6, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/COMSNETS.2011.5716518}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-mHealth-threats/index.html}, abstract = {Networked mobile devices have great potential to enable individuals (and their physicians) to better monitor their health and to manage medical conditions. In this paper, we examine the privacy-related threats to these so-called \emph{mHealth} technologies. We develop a taxonomy of the privacy-related threats, and discuss some of the technologies that could support privacy-sensitive mHealth systems. 
We conclude with a brief summary of research challenges.}, } @InProceedings{mare:healthsec11, author = {Shrirang Mare and Jacob Sorber and Minho Shin and Cory Cornelius and David Kotz}, title = {{Adaptive security and privacy for mHealth sensing}}, booktitle = {{Proceedings of the USENIX Workshop on Health Security (HealthSec)}}, year = 2011, month = {August}, numpages = 5, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-healthsec11/index.html}, note = {Short paper.}, abstract = {As healthcare in many countries faces an aging population and rising costs, mobile Health (mHealth) sensing technologies promise a new opportunity. However, the privacy concerns associated with mHealth sensing are a limiting factor for their widespread adoption. The use of wireless body area networks poses a particular challenge. Although there exist protocols that provide a secure and private communication channel between two devices, the large transmission overhead associated with these protocols limits their application to low-power mHealth sensing devices. We propose an adaptive security model that enables use of privacy-preserving protocols in low-power mHealth sensing by reducing the network overhead in the transmissions, while maintaining the security and privacy properties provided by the protocols.}, } @TechReport{mare:hns-tr, author = {Shrirang Mare and Jacob Sorber and Minho Shin and Cory Cornelius and David Kotz}, title = {{Hide-n-Sense: Privacy-aware secure mHealth sensing}}, institution = {Dartmouth Computer Science}, year = 2011, month = {September}, number = {TR2011-702}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-hns-tr/index.html}, abstract = {As healthcare in many countries faces an aging population and rising costs, mobile sensing technologies promise a new opportunity. 
Using mobile health (mHealth) sensing, which uses medical sensors to collect data about the patients, and mobile phones to act as a gateway between sensors and electronic health record systems, caregivers can continuously monitor the patients and deliver better care. Furthermore, individuals can become better engaged in monitoring and managing their own health. Although some work on mHealth sensing has addressed security, achieving strong privacy for low-power sensors remains a challenge. \par We make three contributions. First, we propose an mHealth sensing protocol that provides strong security and privacy properties with low energy overhead, suitable for low-power sensors. The protocol uses three novel techniques: adaptive security, to dynamically modify transmission overhead; MAC striping, to make forgery difficult even for small-sized MACs; and an asymmetric resource requirement. Second, we demonstrate a prototype on a Chronos wrist device, and evaluate it experimentally. Third, we provide a security, privacy, and energy analysis of our system.}, } @InProceedings{mare:hns-w, author = {Shrirang Mare and Jacob Sorber and Minho Shin and Cory Cornelius and David Kotz}, title = {{Adapt-lite: Privacy-aware, secure, and efficient mHealth sensing}}, booktitle = {{Proceedings of the Workshop on Privacy in the Electronic Society (WPES)}}, year = 2011, month = {October}, pages = {137--142}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2046556.2046574}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-hns-w/index.html}, abstract = {As healthcare in many countries faces an aging population and rising costs, mobile sensing technologies promise a new opportunity. Using mobile health (mHealth) sensing, which uses medical sensors to collect data about the patients, and mobile phones to act as a gateway between sensors and electronic health record systems, caregivers can continuously monitor the patients and deliver better care. 
Although some work on mHealth sensing has addressed security, achieving strong security and privacy for low-power sensors remains a challenge. \par We make three contributions. First, we propose Adapt-lite, a set of two techniques that can be applied to existing wireless protocols to make them energy efficient without compromising their security or privacy properties. The techniques are: adaptive security, which dynamically modifies packet overhead; and MAC striping, which makes forgery difficult even for small-sized MACs. Second, we apply these techniques to an existing wireless protocol, and demonstrate a prototype on a Chronos wrist device. Third, we provide security, privacy, and energy analysis of our techniques.}, } @Article{shin:anonysense, author = {Minho Shin and Cory Cornelius and Dan Peebles and Apu Kapadia and David Kotz and Nikos Triandopoulos}, title = {{AnonySense: A System for Anonymous Opportunistic Sensing}}, journal = {Journal of Pervasive and Mobile Computing}, year = 2011, month = {February}, volume = 7, number = 1, pages = {16--30}, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.pmcj.2010.04.001}, URL = {https://www.cs.dartmouth.edu/~kotz/research/shin-anonysense/index.html}, abstract = {We describe AnonySense, a privacy-aware system for realizing pervasive applications based on collaborative, opportunistic sensing by personal mobile devices. AnonySense allows applications to submit sensing \emph{tasks} to be distributed across participating mobile devices, later receiving verified, yet anonymized, sensor data \emph{reports} back from the field, thus providing the first secure implementation of this participatory sensing model. We describe our security goals, threat model, and the architecture and protocols of AnonySense. We also describe how AnonySense can support extended security features that can be useful for different applications. 
We evaluate the security and feasibility of AnonySense through security analysis and prototype implementation. We show the feasibility of our approach through two plausible applications: a Wi-Fi rogue access point detector and a lost-object finder.}, } @InProceedings{sorber:pnt-poster, author = {Jacob Sorber and Minho Shin and Ron Peterson and David Kotz}, title = {{Poster: Practical Trusted Computing for mHealth Sensing}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2011, month = {June}, pages = {405--406}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1999995.2000058}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sorber-pnt-poster/index.html}, abstract = {Mobile sensing technologies present exciting opportunities for healthcare. Wireless sensors can automatically provide sensor data to care providers, dramatically improving their ability to diagnose, monitor, and manage a wide range of medical conditions. Using mobile phones to provide connectivity between sensors and providers is essential to keeping costs low and deployments simple. Unfortunately, software-based attacks against phones, which can have significant consequences for patients, are also on the rise. \par This poster describes a simple, flexible, and novel approach to protecting both the confidentiality and integrity of medical sensing and data processing on vulnerable mobile phones, using plug-in smart cards---even on a phone compromised by malware. 
We describe our design, implementation, and initial experimental results using real smart cards and Android smartphones.}, } @TechReport{arackaparambil:clock-skew-tr, author = {Chrisil Arackaparambil and Sergey Bratus and Anna Shubina and David Kotz}, title = {{On the Reliability of Wireless Fingerprinting using Clock Skews}}, institution = {Dartmouth Computer Science}, year = 2010, month = {January}, number = {TR2010-661}, copyright = {the authors}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/arackaparambil-clock-skew-tr/index.html}, abstract = {Determining whether a client station should trust an access point is a known problem in wireless security. Traditional approaches to solving this problem resort to cryptography. But cryptographic exchange protocols are complex and therefore induce potential vulnerabilities in themselves. We show that measurement of clock skews of access points in an 802.11 network can be useful in this regard, since it provides fingerprints of the devices. Such fingerprints can be used to establish the first point of trust for client stations wishing to connect to an access point. Fingerprinting can also be used in the detection of fake access points. We demonstrate deficiencies of previously studied methods that measure clock skews in 802.11 networks by means of an attack that spoofs clock skews. We then provide means to overcome those deficiencies, thereby improving the reliability of fingerprinting. 
Finally, we show how to perform the clock-skew arithmetic that enables network providers to publish clock skews of their access points for use by clients.}, } @InProceedings{arackaparambil:clock-skew, author = {Chrisil Arackaparambil and Sergey Bratus and Anna Shubina and David Kotz}, title = {{On the Reliability of Wireless Fingerprinting using Clock Skews}}, booktitle = {{Proceedings of the ACM Conference on Wireless Network Security (WiSec)}}, year = 2010, month = {March}, numpages = 6, pages = {169--174}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1741866.1741894}, URL = {https://www.cs.dartmouth.edu/~kotz/research/arackaparambil-clock-skew/index.html}, abstract = {Determining whether a client station should trust an access point is a known problem in wireless security. Traditional approaches to solving this problem resort to cryptography. But cryptographic exchange protocols are complex and therefore induce potential vulnerabilities in themselves. We show that measurement of clock skews of access points in an 802.11 network can be useful in this regard, since it provides fingerprints of the devices. Such fingerprints can be used to establish the first point of trust for client stations wishing to connect to an access point. Fingerprinting can also be used in the detection of fake access points. \par We demonstrate deficiencies of previously studied methods that measure clock skews in 802.11 networks by means of an attack that spoofs clock skews. We then provide means to overcome those deficiencies, thereby improving the reliability of fingerprinting. 
Finally, we show how to perform the clock-skew arithmetic that enables network providers to publish clock skews of their access points for use by clients.}, } @InProceedings{cornelius:healthsec10, author = {Cory Cornelius and David Kotz}, title = {{On Usable Authentication for Wireless Body Area Networks}}, booktitle = {{Proceedings of the USENIX Workshop on Health Security (HealthSec)}}, year = 2010, month = {August}, numpages = 2, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-healthsec10/index.html}, note = {Position paper}, abstract = {We examine a specific security problem in wireless body area networks (WBANs), what we call the \emph{one body authentication problem}. That is, how can we ensure that the wireless sensors in a WBAN are collecting data about one individual and not several individuals? We explore existing solutions to this problem and provide some analysis of why these solutions are inadequate. Finally, we provide some direction towards a promising solution to the problem and how it can be used to create a usably secure WBAN.}, } @InProceedings{mare:healthsec10, author = {Shrirang Mare and David Kotz}, title = {{Is Bluetooth the right technology for mHealth?}}, booktitle = {{Proceedings of the USENIX Workshop on Health Security (HealthSec)}}, year = 2010, month = {August}, numpages = 2, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-healthsec10/index.html}, note = {Position paper}, abstract = {Many people believe mobile healthcare (mHealth) would help alleviate the rising cost of healthcare and improve the quality of service. Bluetooth, which is the most popular wireless technology for personal medical devices, is used for most of the mHealth sensing applications. In this paper we raise the question -- Is Bluetooth the right technology for mHealth? 
To instigate the discussion we discuss some shortcomings of Bluetooth and also point out an alternative solution.}, } @TechReport{peebles:anonytl, author = {Dan Peebles and Cory Cornelius and Apu Kapadia and David Kotz and Minho Shin and Nikos Triandopoulos}, title = {{AnonyTL Specification}}, institution = {Dartmouth Computer Science}, year = 2010, month = {January}, number = {TR2010-660}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peebles-anonytl/index.html}, abstract = {We provide a specification of \emph{AnonyTL}, a domain-specific language that describes sensing tasks for mobile devices in a manner that facilitates automated reasoning about privacy.}, } @InProceedings{tan:saluki, author = {Keren Tan and David Kotz}, title = {{Saluki: a High-Performance Wi-Fi Sniffing Program}}, booktitle = {{Proceedings of the International Workshop on Wireless Network Measurements (WiNMee)}}, year = 2010, month = {May}, pages = {591--596}, publisher = {IEEE}, copyright = {IEEE}, URL = {https://www.cs.dartmouth.edu/~kotz/research/tan-saluki/index.html}, note = {Invited paper}, abstract = {Building a campus-wide wireless LAN measurement system faces many efficiency, scalability and security challenges. To address these challenges, we developed a distributed Wi-Fi sniffing program called Saluki. Compared to our previous implementation and to other available sniffing programs, Saluki has the following advantages: (1) its small footprint makes it suitable for a resource-constrained Linux platform, such as those in commercial Wi-Fi access points; (2) the frame-capture rate increased more than three-fold over tcpdump with minimal frame loss; (3) all traffic between this sniffer and the back-end server was secured using 128-bit encryption; and (4) the traffic load on the backbone network was reduced to only 30\% of that in our previous implementation. 
In this paper, we introduce the design and the implementation details of this high-performance sniffing program, along with preliminary evaluation results.}, } @InProceedings{bratus:dist-cset, author = {Sergey Bratus and David Kotz and Keren Tan and William Taylor and Anna Shubina and Bennet Vance and Michael E. Locasto}, title = {{Dartmouth Internet Security Testbed (DIST): building a campus-wide wireless testbed}}, booktitle = {{Proceedings of the Workshop on Cyber Security Experimentation and Test (CSET)}}, year = 2009, month = {August}, numpages = 6, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/bratus-dist-cset/index.html}, abstract = {We describe our experiences in deploying a campus-wide wireless security testbed. The testbed gives us the capability to monitor security-related aspects of the 802.11 MAC layer in over 200 diverse campus locations. We describe both the technical and the social challenges of designing, building, and deploying such a system, which, to the best of our knowledge, is the largest such testbed in academia (with UCSD's Jigsaw infrastructure a close competitor). 
In this paper we focus on the \emph{testbed setup}, rather than on the experimental data and results.}, } @InProceedings{kapadia:metrosec-challenges, author = {Apu Kapadia and David Kotz and Nikos Triandopoulos}, title = {{Opportunistic Sensing: Security Challenges for the New Paradigm}}, booktitle = {{Proceedings of the International Conference on COMmunication Systems and NETworkS (COMSNETS)}}, year = 2009, month = {January}, numpages = 10, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/COMSNETS.2009.4808850}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kapadia-metrosec-challenges/index.html}, note = {Invited paper}, abstract = {We study the security challenges that arise in \emph{opportunistic people-centric sensing}, a new sensing paradigm leveraging humans as part of the sensing infrastructure. Most prior sensor-network research has focused on collecting and processing environmental data using a static topology and an application-aware infrastructure, whereas opportunistic sensing involves collecting, storing, processing and fusing large volumes of data related to everyday human activities. This highly dynamic and mobile setting, where humans are the central focus, presents new challenges for information security, because data originates from sensors carried by people--- not tiny sensors thrown in the forest or attached to animals. In this paper we aim to instigate discussion of this critical issue, because opportunistic people-centric sensing will never succeed without adequate provisions for security and privacy. To that end, we outline several important challenges and suggest general solutions that hold promise in this new sensing paradigm.}, } @InCollection{minami:handbook, author = {Kazuhiro Minami and David Kotz}, title = {{Distributed proof systems for cross-domain authorization}}, booktitle = {{Information Assurance, Security and Privacy Services}}, editor = {H. 
Raghav Rao and Shambhu Upadhyaya}, series = {Handbooks in Information Systems}, year = 2009, volume = 4, chapter = 1, publisher = {Emerald Group Publishing Limited}, copyright = {Emerald Group Publishing Limited}, ISBN13 = 9781848551947, URL = {https://www.cs.dartmouth.edu/~kotz/research/minami-handbook/index.html}, abstract = {The ability to access information resources across organizational boundaries is vital for today's corporate, military, and educational organizations, which must be able to quickly pool their resources to respond to opportunities and threats. Since each organization protects its resources with its local authorization policies, we need mechanisms for cross-domain authorization to achieve information sharing among multiple organizations. Unfortunately, traditional identity-based authorization approaches are impractical, because the identity of a requester is not a useful clue for authorization in a decentralized environment. Many distributed authorization schemes, therefore, consider a requester's properties (e.g., employer and physical location) to make an authorization decision and use a logic-based approach to specify authorization policies in a flexible way. Such a distributed proof system makes an authorization decision by constructing a proof with information provided by different entities in a distributed environment. In this chapter, we provide an overview of distributed proof systems for cross-domain authorization, while covering major language constructs and proof-constructing algorithms, and introduce an emerging issue of protecting confidential policies and credentials (facts) in a distributed proof system involving multiple security domains since it is unlikely that a principal in one security domain is willing to release all its local information to any principal in other domains. 
We finally describe our distributed proof system for cross-domain authorization in detail and show how our cryptographic protocol allows mutually untrusted principals to construct a proof in a decentralized way while preserving each principal's security policies.}, } @InCollection{sriram:challenges, author = {Janani Sriram and Minho Shin and David Kotz and Anand Rajan and Manoj Sastry and Mark Yarvis}, title = {{Challenges in Data Quality Assurance in Pervasive Health Monitoring Systems}}, booktitle = {{Future of Trust in Computing}}, editor = {David Gawrock and Helmut Reimer and Ahmad-Reza Sadeghi and Claire Vishik}, year = 2009, month = {July}, chapter = 0, pages = {129--142}, publisher = {Vieweg+Teubner Verlag}, copyright = {Vieweg+Teubner Verlag}, ISBN13 = {978-3-8348-9324-6}, DOI = {10.1007/978-3-8348-9324-6_14}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sriram-challenges/index.html}, abstract = {Wearable, portable, and implantable medical sensors have ushered in a new paradigm for healthcare in which patients can take greater responsibility and caregivers can make well-informed, timely decisions. Health-monitoring systems built on such sensors have huge potential benefit to the quality of healthcare and quality of life for many people, such as patients with chronic medical conditions (such as blood-sugar sensors for diabetics), people seeking to change unhealthy behavior (such as losing weight or quitting smoking), or athletes wishing to monitor their condition and performance. To be effective, however, these systems must provide assurances about the quality of the sensor data. The sensors must be applied to the patient by a human, and the sensor data may be transported across multiple networks and devices before it is presented to the medical team. While no system can guarantee data quality, we anticipate that it will help for the system to annotate data with some measure of \emph{confidence}. 
In this paper, we take a deeper look at potential health-monitoring usage scenarios and highlight research challenges required to ensure and assess quality of sensor data in health-monitoring systems.}, } @Unpublished{camp:wishlist, author = {Jean Camp and Lorrie Cranor and Nick Feamster and Joan Feigenbaum and Stephanie Forrest and Dave Kotz and Wenke Lee and Patrick Lincoln and Vern Paxson and Mike Reiter and Ron Rivest and William Sanders and Stefan Savage and Sean Smith and Eugene Spafford and Sal Stolfo}, title = {{Data for Cybersecurity Research: Process and `Wish List'}}, year = 2009, month = {June}, day = 10, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/camp-wishlist/index.html}, note = {Informal report}, abstract = {This document identifies data needs of the security research community. This document is in response to a request for a ``data wish list''. Because specific data needs will evolve in conjunction with evolving threats and research problems, we augment the wish list with commentary about some of the broader issues for data usage.}, } @TechReport{bratus:fingerprint-tr, author = {Sergey Bratus and Cory Cornelius and Daniel Peebles and David Kotz}, title = {{Active Behavioral Fingerprinting of Wireless Devices}}, institution = {Dartmouth Computer Science}, year = 2008, month = {March}, number = {TR2008-610}, copyright = {the authors}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/bratus-fingerprint-tr/index.html}, abstract = {We propose a simple active method for discovering facts about the chipset, the firmware or the driver of an 802.11 wireless device by observing its responses (or lack thereof) to a series of crafted non-standard or malformed 802.11 frames. We demonstrate that such responses can differ significantly enough to distinguish between a number of popular chipsets and drivers. 
We expect to significantly expand the number of recognized device types through community contributions of signature data for the proposed open fingerprinting framework. Our method complements known fingerprinting approaches, and can be used to interrogate and spot devices that may be spoofing their MAC addresses in order to conceal their true architecture from other stations, such as a fake AP seeking to engage clients in complex protocol frame exchange (e.g., in order to exploit a driver vulnerability). In particular, it can be used to distinguish rogue APs from legitimate APs before association.}, } @InProceedings{bratus:fingerprint, author = {Sergey Bratus and Cory Cornelius and David Kotz and Dan Peebles}, title = {{Active Behavioral Fingerprinting of Wireless Devices}}, booktitle = {{Proceedings of the ACM Conference on Wireless Network Security (WiSec)}}, year = 2008, month = {March}, pages = {56--61}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1352533.1352543}, URL = {https://www.cs.dartmouth.edu/~kotz/research/bratus-fingerprint/index.html}, abstract = {We propose a simple active method for discovering facts about the chipset, the firmware or the driver of an 802.11 wireless device by observing its responses (or lack thereof) to a series of crafted non-standard or malformed 802.11 frames. We demonstrate that such responses can differ significantly enough to distinguish between a number of popular chipsets and drivers. We expect to significantly expand the number of recognized device types through community contributions of signature data for the proposed open fingerprinting framework. Our method complements known fingerprinting approaches, and can be used to interrogate and spot devices that may be spoofing their MAC addresses in order to conceal their true architecture from other stations, such as a fake AP seeking to engage clients in complex protocol frame exchange (e.g., in order to exploit a driver vulnerability). 
In particular, it can be used to distinguish rogue APs from legitimate APs before association.}, } @InProceedings{bratus:streaming-poster, author = {Sergey Bratus and Joshua Brody and David Kotz and Anna Shubina}, title = {{Streaming Estimation of Information-theoretic Metrics for Anomaly Detection (Extended Abstract)}}, booktitle = {{Proceedings of the International Symposium on Recent Advances in Intrusion Detection--- Posters}}, series = {Lecture Notes in Computer Science}, year = 2008, month = {September}, volume = 5230, pages = {412--414}, publisher = {Springer-Verlag}, copyright = {Springer}, address = {Cambridge, MA}, DOI = {10.1007/978-3-540-87403-4_32}, URL = {https://www.cs.dartmouth.edu/~kotz/research/bratus-streaming-poster/index.html}, abstract = {Information-theoretic metrics hold great promise for modeling traffic and detecting anomalies if only they could be computed in an efficient, scalable way. Recent advances in streaming estimation algorithms give hope that such computations can be made practical. We describe our work in progress that aims to use streaming algorithms on 802.11a/b/g link layer (and above) features and feature pairs to detect anomalies.}, } @InProceedings{cornelius:anonysense, author = {Cory Cornelius and Apu Kapadia and David Kotz and Dan Peebles and Minho Shin and Nikos Triandopoulos}, title = {{AnonySense: Privacy-Aware People-Centric Sensing}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2008, month = {June}, pages = {211--224}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1378600.1378624}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-anonysense/index.html}, abstract = {Personal mobile devices are increasingly equipped with the capability to sense the physical world (through cameras, microphones, and accelerometers, for example) and the network world (with Wi-Fi and Bluetooth interfaces). 
Such devices offer many new opportunities for cooperative sensing applications. For example, users' mobile phones may contribute data to community-oriented information services, from city-wide pollution monitoring to enterprise-wide detection of unauthorized Wi-Fi access points. This people-centric mobile-sensing model introduces a new security challenge in the design of mobile systems: protecting the privacy of participants while allowing their devices to reliably contribute high-quality data to these large-scale applications. \par We describe AnonySense, a privacy-aware architecture for realizing pervasive applications based on collaborative, opportunistic sensing by personal mobile devices. AnonySense allows applications to submit sensing \emph{tasks} that will be distributed across anonymous participating mobile devices, later receiving verified, yet anonymized, sensor data \emph{reports} back from the field, thus providing the first secure implementation of this participatory sensing model. We describe our trust model, and the security properties that drove the design of the AnonySense system. We evaluate our prototype implementation through experiments that indicate the feasibility of this approach, and through two applications: a Wi-Fi rogue access point detector and a lost-object finder.}, } @InProceedings{deshpande:refocusing, author = {Udayan Deshpande and Chris McDonald and David Kotz}, title = {{Refocusing in 802.11 Wireless Measurement}}, booktitle = {{Proceedings of the Passive and Active Measurement Conference (PAM 2008)}}, series = {Lecture Notes in Computer Science}, year = 2008, month = {April}, volume = 4979, pages = {142--151}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/978-3-540-79232-1_15}, URL = {https://www.cs.dartmouth.edu/~kotz/research/deshpande-refocusing/index.html}, abstract = {The edge of the Internet is increasingly wireless. 
To understand the Internet, one must understand the edge, and yet the measurement of wireless networks poses many new challenges. IEEE 802.11 networks support multiple wireless channels and any monitoring technique involves capturing traffic on each of these channels to gather a representative sample of frames from the network. We call this procedure \emph{channel sampling}, in which each sniffer visits each channel periodically, resulting in a sample of the traffic on each of the channels. \par This sampling approach may be sufficient, for example, for a system administrator or anomaly detection module to observe some unusual behavior in the network. Once an anomaly is detected, however, the administrator may require a more extensive traffic sample, or need to identify the location of an offending device. \par We propose a method to allow measurement applications to dynamically modify the sampling strategy, \emph{refocusing} the monitoring system to pay more attention to certain types of traffic than others. In this paper we show that refocusing is a necessary and promising new technique for wireless measurement.}, } @InProceedings{kapadia:anonysense, author = {Apu Kapadia and Nikos Triandopoulos and Cory Cornelius and Dan Peebles and David Kotz}, title = {{AnonySense: Opportunistic and Privacy-Preserving Context Collection}}, booktitle = {{Proceedings of the International Conference on Pervasive Computing (Pervasive)}}, series = {Lecture Notes in Computer Science}, year = 2008, month = {May}, volume = 5013, pages = {280--297}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/978-3-540-79576-6_17}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kapadia-anonysense/index.html}, abstract = {Opportunistic sensing allows applications to ``task'' mobile devices to measure context in a target region. 
For example, one could leverage sensor-equipped vehicles to measure traffic or pollution levels on a particular street, or users' mobile phones to locate (Bluetooth-enabled) objects in their neighborhood. In most proposed applications, context reports include the time and location of the event, putting the privacy of users at increased risk---even if a report has been anonymized, the accompanying time and location can reveal sufficient information to deanonymize the user whose device sent the report. \par We propose AnonySense, a general-purpose architecture for leveraging users' mobile devices for measuring context, while maintaining the privacy of the users. AnonySense features multiple layers of privacy protection---a framework for nodes to receive tasks anonymously, a novel blurring mechanism based on tessellation and clustering to protect users' privacy against the system while reporting context, and k-anonymous report aggregation to improve the users' privacy against applications receiving the context. We outline the architecture and security properties of AnonySense, and focus on evaluating our tessellation and clustering algorithm against real mobility traces.}, } @Article{sheng:map, author = {Yong Sheng and Guanling Chen and Hongda Yin and Keren Tan and Udayan Deshpande and Bennet Vance and David Kotz and Andrew Campbell and Chris McDonald and Tristan Henderson and Joshua Wright}, title = {{MAP: A scalable monitoring system for dependable 802.11 wireless networks}}, journal = {IEEE Wireless Communications}, year = 2008, month = {October}, volume = 15, number = 5, pages = {10--18}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MWC.2008.4653127}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sheng-map/index.html}, abstract = {Many enterprises have deployed 802.11 wireless networks for mission-critical operations; these networks must be protected for dependable access. 
This paper introduces project MAP, which includes a scalable 802.11 measurement system that can provide continuous monitoring of wireless traffic to quickly identify threats and attacks. We discuss the MAP system architecture, design decisions, and evaluation results from a real testbed.}, } @InProceedings{sheng:spoofing, author = {Yong Sheng and Keren Tan and Guanling Chen and David Kotz and Andrew Campbell}, title = {{Detecting 802.11 MAC Layer Spoofing Using Received Signal Strength}}, booktitle = {{Proceedings of the Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM)}}, year = 2008, month = {April}, pages = {1768--1776}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFOCOM.2007.239}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sheng-spoofing/index.html}, abstract = {MAC addresses can be easily spoofed in 802.11 wireless LANs. An adversary can exploit this vulnerability to launch a large number of attacks. For example, an attacker may masquerade as a legitimate access point to disrupt network services or to advertise false services, tricking nearby wireless stations. On the other hand, the received signal strength (RSS) is a measurement that is hard to forge arbitrarily and it is highly correlated to the transmitter's location. Assuming the attacker and the victim are separated by a reasonable distance, RSS can be used to differentiate them to detect MAC spoofing, as recently proposed by several researchers. \par By analyzing the RSS pattern of typical 802.11 transmitters in a 3-floor building covered by 20 air monitors, we observed that the RSS readings followed a mixture of multiple Gaussian distributions. We discovered that this phenomenon was mainly due to \emph{antenna diversity}, a widely-adopted technique to improve the stability and robustness of wireless connectivity. This observation renders existing approaches ineffective because they assume a single RSS source. 
We propose an approach based on Gaussian mixture models, building RSS profiles for spoofing detection. Experiments on the same testbed show that our method is robust against antenna diversity and significantly outperforms existing approaches. At a 3\% false positive rate, we detect 73.4\%, 89.6\% and 97.8\% of attacks using the three proposed algorithms, based on local statistics of a single AM, combining local results from AMs, and global multi-AM detection, respectively.}, } @InProceedings{shin:senseright-poster, author = {Cory Cornelius and Apu Kapadia and David Kotz and Dan Peebles and Minho Shin and Patrick Tsang}, title = {{Poster Abstract: Reliable People-Centric Sensing with Unreliable Voluntary Carriers}}, booktitle = {{Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}}, year = 2008, month = {June}, numpages = 1, publisher = {ACM}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/shin-senseright-poster/index.html}, abstract = {As sensor technology becomes increasingly easy to integrate into personal devices such as mobile phones, clothing, and athletic equipment, there will be new applications involving opportunistic, people-centric sensing. These applications, which gather information about human activities and personal social context, raise many security and privacy challenges. In particular, data integrity is important for many applications, whether using traffic data for city planning or medical data for diagnosis. Although our AnonySense system (presented at MobiSys) addresses privacy in people-centric sensing, protecting data integrity in people-centric sensing still remains a challenge. Some mechanisms to protect privacy provide anonymity, and thus provide limited means for accountability; data integrity becomes even more difficult to protect. \par We propose SenseRight, the first architecture for high-integrity people-centric sensing. 
The SenseRight approach, which extends and enhances AnonySense, assures integrity of both the sensor data (through use of tamper-resistant sensor devices) and the sensor context (through a time-constrained protocol), maintaining anonymity if desired.}, } @PhdThesis{deshpande:thesis, author = {Udayan Deshpande}, title = {{A Dynamically Refocusable Sampling Infrastructure for 802.11 Networks}}, school = {Dartmouth College Computer Science}, year = 2008, month = {May}, copyright = {Udayan Deshpande}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/deshpande-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2008-620}, abstract = {The edge of the Internet is increasingly wireless. Enterprises large and small, homeowners, and even whole cities have deployed Wi-Fi networks for their users, and many users never need to--- or never bother to--- use the wired network. With the advent of high-throughput wireless networks (such as 802.11n) some new construction, even of large enterprise buildings, may no longer be wired for Ethernet. To understand Internet traffic, then, we need to understand the wireless edge. Measuring Wi-Fi traffic, however, is challenging. It is insufficient to capture traffic in the access points, or upstream of the access points, because the activity of neighboring networks, ad hoc networks, and physical interference cannot be seen at that level. To truly understand the MAC-layer behavior, we need to capture frames from the air using Air Monitors (AMs) placed in the vicinity of the network. Such a capture is always a sample of the network activity, since it is physically impossible to capture a full trace: all frames from all channels at all times in all places. We have built a monitoring infrastructure that captures frames from the 802.11 network. This infrastructure includes several ``channel sampling'' strategies that will capture representative traffic from the network. 
Further, the monitoring infrastructure needs to modify its behavior according to feedback received from the downstream consumers of the captured traffic in case the analysis needs traffic of a certain type. We call this technique ``refocusing''. The ``coordinated sampling'' technique improves the efficiency of the monitoring by utilizing the AMs intelligently. Finally, we deployed this measurement infrastructure within our Computer Science building to study the performance of the system with real network traffic.}, } @InProceedings{deshpande:coordinated, author = {Udayan Deshpande and Chris McDonald and David Kotz}, title = {{Coordinated Sampling to Improve the Efficiency of Wireless Network Monitoring}}, booktitle = {{Proceedings of the IEEE International Conference on Networks (ICON)}}, year = 2007, month = {November}, pages = {353--358}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/ICON.2007.4444112}, URL = {https://www.cs.dartmouth.edu/~kotz/research/deshpande-coordinated/index.html}, abstract = {Wireless networks are deployed in home, university, business, military and hospital environments, and are increasingly used for mission-critical applications like VoIP or financial applications. Monitoring the health of these networks, whether it is for failure, coverage or attacks, is important in terms of security, connectivity, cost, and performance. \par Effective monitoring of wireless network traffic, using commodity hardware, is a challenging task due to the limitations of the hardware. IEEE 802.11 networks support multiple channels, and a wireless interface can monitor only a single channel at one time. Thus, capturing all frames passing an interface on all channels is an impossible task, and we need strategies to capture the most representative sample. \par When a large geographic area is to be monitored, several monitoring stations must be deployed, and these will typically overlap in their area of coverage. 
The competing goals of effective wireless monitoring are to capture as many frames as possible, while minimizing the number of those frames that are captured redundantly by more than one monitoring station. Both goals may be addressed with a sampling strategy that directs neighboring monitoring stations to different channels during any period. To be effective, such a strategy requires timely access to the nature of all recent traffic. \par We propose a coordinated sampling strategy that meets these goals. Our implemented solution involves a central controller considering traffic characteristics from many monitoring stations to periodically develop specific sampling policies for each station. We demonstrate the effectiveness of our coordinated sampling strategy by comparing it with existing independent strategies. Our coordinated strategy enabled more distinct frames to be captured, providing a solid foundation for focused sampling and intrusion detection.}, } @TechReport{johnson:metrosec-challenges-tr, author = {Peter Johnson and Apu Kapadia and David Kotz and Nikos Triandopoulos}, title = {{People-Centric Urban Sensing: Security Challenges for the New Paradigm}}, institution = {Dartmouth Computer Science}, year = 2007, month = {February}, number = {TR2007-586}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/johnson-metrosec-challenges-tr/index.html}, abstract = {We study the security challenges that arise in \emph{people-centric urban sensing}, a new sensor-networking paradigm that leverages humans as part of the sensing infrastructure. Most prior work on sensor networks has focused on collecting and processing ephemeral data about the environment using a static topology and an application-aware infrastructure. People-centric urban sensing, however, involves collecting, storing, processing and fusing large volumes of data related to every-day human activities. 
Sensing is performed in a highly dynamic and mobile environment, and supports (among other things) pervasive computing applications that are focused on enhancing the user's experience. In such a setting, where humans are the central focus, there are new challenges for information security; not only because of the complex and dynamic communication patterns, but also because the data originates from sensors that are carried by a person---not a tiny sensor thrown in the forest or mounted on the neck of an animal. In this paper we aim to instigate discussion about this critical issue---because people-centric sensing will never succeed without adequate provisions for security and privacy. To that end, we outline several important challenges and suggest general solutions that hold promise in this new paradigm of sensor networks.}, } @InProceedings{deshpande:sampling, author = {Udayan Deshpande and Tristan Henderson and David Kotz}, title = {{Channel Sampling Strategies for Monitoring Wireless Networks}}, booktitle = {{Proceedings of the International Workshop on Wireless Network Measurement (WiNMee)}}, year = 2006, month = {April}, numpages = 7, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/WIOPT.2006.1666486}, URL = {https://www.cs.dartmouth.edu/~kotz/research/deshpande-sampling/index.html}, abstract = {Monitoring the activity on an IEEE 802.11 network is useful for many applications, such as network management, optimizing deployment, or detecting network attacks. Deploying wireless sniffers to monitor every access point in an enterprise network, however, may be expensive or impractical. Moreover, some applications may require the deployment of multiple sniffers to monitor the numerous channels in an 802.11 network. In this paper, we explore sampling strategies for monitoring multiple channels in 802.11b/g networks. 
We describe a simple sampling strategy, where each channel is observed for an equal, predetermined length of time, and consider applications where such a strategy might be appropriate. We then introduce a sampling strategy that weights the time spent on each channel according to the number of frames observed on that channel, and compare the two strategies under experimental conditions.}, } @InProceedings{minami:scalability, author = {Kazuhiro Minami and David Kotz}, title = {{Scalability in a Secure Distributed Proof System}}, booktitle = {{Proceedings of the International Conference on Pervasive Computing (Pervasive)}}, series = {Lecture Notes in Computer Science}, year = 2006, month = {May}, volume = 3968, pages = {220--237}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, address = {Dublin, Ireland}, DOI = {10.1007/11748625_14}, URL = {https://www.cs.dartmouth.edu/~kotz/research/minami-scalability/index.html}, abstract = {A logic-based language is often adopted in systems for pervasive computing, because it provides a convenient way to define rules that change the behavior of the systems dynamically. Those systems might define rules that refer to the users' context information to provide context-aware services. For example, a smart-home application could define rules referring to the location of a user to control the light of a house automatically. In general, the context information is maintained in different administrative domains, and it is, therefore, desirable to construct a proof in a distributed way while preserving each domain's confidentiality policies. In this paper, we introduce such a system, a secure distributed proof system for context-sensitive authorization and show that our novel caching and revocation mechanism improves the performance of the system, which depends on public key cryptographic operations to protect confidential information in rules and facts. 
Our revocation mechanism maintains dependencies among facts and recursively revokes across multiple hosts all the cached facts that depend on a fact that has become invalid. Our initial experimental results show that our caching mechanism, which maintains both positive and negative facts, significantly reduces the latency for handling a logical query.}, } @PhdThesis{minami:thesis, author = {Kazuhiro Minami}, title = {{Secure Context-sensitive Authorization}}, school = {Dartmouth College Computer Science}, year = 2006, month = {February}, copyright = {Kazuhiro Minami}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/minami-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2006-571}, abstract = {Pervasive computing leads to an increased integration between the real world and the computational world, and many applications in pervasive computing adapt to the user's context, such as the location of the user and relevant devices, the presence of other people, light or sound conditions, or available network bandwidth, to meet a user's continuously changing requirements without taking explicit input from the users. \par We consider a class of applications that wish to consider a user's context when deciding whether to authorize a user's access to important physical or information resources. Such a context-sensitive authorization scheme is necessary when a mobile user moves across multiple administrative domains where they are not registered in advance. Also, users interacting with their environment need a non-intrusive way to access resources, and clues about their context may be useful input into authorization policies for these resources. 
Existing systems for context-sensitive authorization take a logic-based approach, because a logical language makes it possible to define a context model where a contextual fact is expressed with a boolean predicate and to derive higher-level context information and authorization decisions from contextual facts. \par However, those existing context-sensitive authorization systems have a central server that collects context information, and evaluates policies to make authorization decisions on behalf of a resource owner. A centralized solution assumes that all resource owners trust the server to make correct decisions, and all users trust the server not to disclose private context information. In many realistic applications of pervasive computing, however, the resources, users, and sources of context information are inherently distributed among many organizations that do not necessarily trust each other. Resource owners may not trust the integrity of context information produced by another domain, and context sensors may not trust others with the confidentiality of data they provide about users. \par In this thesis, we present a secure distributed proof system for context-sensitive authorization. Our system enables multiple hosts to evaluate an authorization query in a peer-to-peer way, while preserving the confidentiality and integrity policies of mutually untrusted principals running those hosts. We also develop a novel caching and revocation mechanism to support context-sensitive policies that refer to information in dozens of different administrative domains. 
Contributions of this thesis include the definition of fine-grained security policies that specify trust relations among principals in terms of information confidentiality and integrity, the design and implementation of a secure distributed proof system, a proof for the correctness of our algorithm, and a performance evaluation showing that the amortized performance of our system scales to dozens of servers in different domains.}, } @InProceedings{minami:csa, author = {Kazuhiro Minami and David Kotz}, title = {{Secure Context-sensitive Authorization}}, booktitle = {{Proceedings of the IEEE International Conference on Pervasive Computing and Communications (PerCom)}}, year = 2005, month = {March}, pages = {257--268}, publisher = {IEEE}, copyright = {IEEE}, address = {Kauai, Hawaii}, DOI = {10.1109/PERCOM.2005.37}, URL = {https://www.cs.dartmouth.edu/~kotz/research/minami-csa/index.html}, abstract = {There is a recent trend toward rule-based authorization systems to achieve flexible security policies. Also, new sensing technologies in pervasive computing make it possible to define context-sensitive rules, such as ``allow database access only to staff who are currently located in the main office.'' However, these rules, or the facts that are needed to verify authority, often involve sensitive context information. This paper presents a secure context-sensitive authorization system that protects confidential information in facts or rules. Furthermore, our system allows multiple hosts in a distributed environment to perform the evaluation of an authorization query in a collaborative way; we do not need a universally trusted central host that maintains all the context information. 
The core of our approach is to decompose a proof for making an authorization decision into a set of sub-proofs produced on multiple different hosts, while preserving the integrity and confidentiality policies of the mutually untrusted principals operating these hosts.}, } @Article{minami:jcsa, author = {Kazuhiro Minami and David Kotz}, title = {{Secure Context-sensitive Authorization}}, journal = {Journal of Pervasive and Mobile Computing}, year = 2005, month = {March}, volume = 1, number = 1, pages = {123--156}, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.pmcj.2005.01.004}, URL = {https://www.cs.dartmouth.edu/~kotz/research/minami-jcsa/index.html}, abstract = {There is a recent trend toward rule-based authorization systems to achieve flexible security policies. Also, new sensing technologies in pervasive computing make it possible to define context-sensitive rules, such as ``allow database access only to staff who are currently located in the main office.'' However, these rules, or the facts that are needed to verify authority, often involve sensitive context information. This paper presents a secure context-sensitive authorization system that protects confidential information in facts or rules. Furthermore, our system allows multiple hosts in a distributed environment to perform the evaluation of an authorization query in a collaborative way; we do not need a universally trusted central host that maintains all the context information. The core of our approach is to decompose a proof for making an authorization decision into a set of sub-proofs produced on multiple different hosts, while preserving the integrity and confidentiality policies of the mutually untrusted principals operating these hosts. 
We prove the correctness of our algorithm.}, } @Article{aslam:kerf-news, author = {Javed Aslam and Sergey Bratus and David Kotz and Ronald Peterson and Daniela Rus}, title = {{The Kerf toolkit for intrusion analysis}}, journal = {IAnewsletter}, year = 2005, month = {Summer}, volume = 8, number = 2, pages = {12--16}, publisher = {Information Assurance Technology Analysis Center (IATAC)}, copyright = {IATAC}, URL = {https://www.cs.dartmouth.edu/~kotz/research/aslam-kerf-news/index.html}, } @InProceedings{aslam:kerf-WIP, author = {Javed Aslam and Sergey Bratus and David Kotz and Ron Peterson and Daniela Rus}, title = {{Kerf: Machine Learning to Aid Intrusion Analysts}}, booktitle = {{Proceedings of the USENIX Security Symposium}}, year = 2004, month = {August}, numpages = 1, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/aslam-kerf-WIP/index.html}, note = {Work-in-progress report.}, } @TechReport{aslam:toolkit-tr, author = {Javed Aslam and Sergey Bratus and David Kotz and Ron Peterson and Daniela Rus and Brett Tofel}, title = {{The Kerf toolkit for intrusion analysis}}, institution = {Dartmouth Computer Science}, year = 2004, month = {March}, number = {TR2004-493}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/aslam-toolkit-tr/index.html}, abstract = {We consider the problem of intrusion analysis and present the Kerf Toolkit, whose purpose is to provide an efficient and flexible infrastructure for the analysis of attacks. The Kerf Toolkit includes a mechanism for securely recording host and network logging information for a network of workstations, a domain-specific language for querying this stored data, and an interface for viewing the results of such a query, providing feedback on these results, and generating new queries in an iterative fashion. 
We describe the architecture of Kerf, present examples to demonstrate the power of our query language, and discuss the performance of our implementation of this system.}, } @Article{aslam:toolkit, author = {Javed Aslam and Sergey Bratus and David Kotz and Ron Peterson and Daniela Rus and Brett Tofel}, title = {{The Kerf toolkit for intrusion analysis}}, journal = {IEEE Security and Privacy}, year = 2004, month = {November}, volume = 2, number = 6, pages = {42--52}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MSP.2004.113}, URL = {https://www.cs.dartmouth.edu/~kotz/research/aslam-toolkit/index.html}, abstract = {We consider the problem of intrusion analysis and present the Kerf Toolkit, whose purpose is to provide an efficient and flexible infrastructure for the analysis of attacks. The Kerf Toolkit includes a mechanism for securely recording host and network logging information for a network of workstations, a domain-specific language for querying this stored data, and an interface for viewing the results of such a query, providing feedback on these results, and generating new queries in an iterative fashion. We describe the architecture of Kerf, present examples to demonstrate the power of our query language, and discuss the performance of our implementation of this system.}, } @TechReport{baek:survey-tr, author = {Kwang-Hyun Baek and Sean W. Smith and David Kotz}, title = {{A Survey of WPA and 802.11i RSN Authentication Protocols}}, institution = {Dartmouth Computer Science}, year = 2004, month = {November}, number = {TR2004-524}, copyright = {the authors}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/baek-survey-tr/index.html}, abstract = {In the new standards for WLAN security, many choices exist for the authentication process. 
In this paper, we list eight desired properties of WLAN authentication protocols, survey eight recent authentication protocols, and analyze the protocols according to the desired properties.}, } @TechReport{minami:csa-tr, author = {Kazuhiro Minami and David Kotz}, title = {{Secure Context-sensitive Authorization}}, institution = {Dartmouth Computer Science}, year = 2004, month = {December}, number = {TR2004-529}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/minami-csa-tr/index.html}, abstract = {There is a recent trend toward rule-based authorization systems to achieve flexible security policies. Also, new sensing technologies in pervasive computing make it possible to define context-sensitive rules, such as ``allow database access only to staff who are currently located in the main office.'' However, these rules, or the facts that are needed to verify authority, often involve sensitive context information. This paper presents a secure context-sensitive authorization system that protects confidential information in facts or rules. Furthermore, our system allows multiple hosts in a distributed environment to perform the evaluation of an authorization query in a collaborative way; we do not need a universally trusted central host that maintains all the context information. The core of our approach is to decompose a proof for making an authorization decision into a set of sub-proofs produced on multiple different hosts, while preserving the integrity and confidentiality policies of the mutually untrusted principals operating these hosts. 
We prove the correctness of our algorithm.}, } @PhdThesis{chen:thesis, author = {Guanling Chen}, title = {{Solar: Building A Context Fusion Network for Pervasive Computing}}, school = {Dartmouth College Computer Science}, year = 2004, month = {August}, copyright = {Guanling Chen}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/chen-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2004-514}, abstract = {The complexity of developing context-aware pervasive-computing applications calls for distributed software infrastructures that assist applications to collect, aggregate, and disseminate contextual data. In this dissertation, we present a Context Fusion Network (CFN), called Solar, which is built with a scalable and self-organized service overlay. Solar is flexible and allows applications to select distributed data sources and compose them with customized data-fusion operators into a directed acyclic information flow graph. Such a graph represents how an application computes high-level understandings of its execution context from low-level sensory data. To manage application-specified operators on a set of overlay nodes called Planets, Solar provides several unique services such as application-level multicast with policy-driven data reduction to handle buffer overflow, context-sensitive resource discovery to handle environment dynamics, and proactive monitoring and recovery to handle common failures. Experimental results show that these services perform well on a typical DHT-based peer-to-peer routing substrate. 
In this dissertation, we also discuss experience, insights, and lessons learned from our quantitative analysis of the input sensors, a detailed case study of a Solar application, and development of other applications in different domains.}, } @InProceedings{aslam:toolkit-p, author = {Javed Aslam and Sergey Bratus and David Kotz and Ron Peterson and Daniela Rus and Brett Tofel}, title = {{The Kerf toolkit for intrusion analysis (Poster abstract)}}, booktitle = {{Proceedings of the IEEE Workshop on Information Assurance}}, year = 2003, month = {June}, pages = {301--303}, publisher = {IEEE}, copyright = {IEEE}, address = {West Point, NY}, DOI = {10.1109/SMCSIA.2003.1232441}, URL = {https://www.cs.dartmouth.edu/~kotz/research/aslam-toolkit-p/index.html}, abstract = {We consider the problem of intrusion analysis and present the Kerf toolkit, whose purpose is to provide an efficient and flexible infrastructure for the analysis of attacks. The Kerf toolkit includes a mechanism for securely recording host and network logging information for a network of workstations, a domain-specific language for querying this stored data, and an interface for viewing the results of such a query, providing feedback on these results, and generating new queries in an iterative fashion. We describe the architecture of Kerf in detail, present examples to demonstrate the power of our query language, and discuss the performance of our implementation of this system.}, } @TechReport{kotz:dwta-tr, author = {David Kotz and Robert Gray and Daniela Rus}, title = {{Future Directions for Mobile-Agent Research}}, institution = {Dartmouth Computer Science}, year = 2002, month = {January}, number = {TR2002-415}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-dwta-tr/index.html}, note = {Based on a conversation with Jeff Bradshaw, Colin Harrison, Guenter Karjoth, Amy Murphy, Gian Pietro Picco, M. 
Ranganathan, Niranjan Suri, and Christian Tschudin.}, abstract = {During a discussion in September 2000 the authors examined the future of research on mobile agents and mobile code. (A mobile agent is a running program that can move from host to host in a network at times and to places of its own choosing.) In this paper we summarize and reflect on that discussion. It became clear that the field should shift its emphasis toward mobile code, in all its forms, rather than to continue its narrow focus on mobile agents. Furthermore, we encourage the development of modular components, so that application designers may take advantage of code mobility without needing to rewrite their application to fit in a monolithic mobile-agent system. There are many potential applications that may productively use mobile code, but there is no ``killer application'' for mobile agents. Finally, we note that although security is an important and challenging problem, there are many applications and environments with security requirements well within the capability of existing mobile-code and mobile-agent frameworks.}, } @Article{kotz:dwta, author = {David Kotz and Robert Gray and Daniela Rus}, title = {{Future Directions for Mobile-Agent Research}}, journal = {IEEE Distributed Systems Online}, year = 2002, month = {August}, volume = 3, number = 8, numpages = 6, publisher = {IEEE}, copyright = {IEEE}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-dwta/index.html}, note = {Based on a conversation with Jeff Bradshaw, Colin Harrison, Guenter Karjoth, Amy Murphy, Gian Pietro Picco, M. Ranganathan, Niranjan Suri, and Christian Tschudin.}, abstract = {The field of mobile agents should shift its emphasis toward mobile code, in all its forms, rather than continue focusing on mobile agents. 
The development of modular components will help application designers take advantage of code mobility without having to rewrite their applications to fit in monolithic, mobile agent systems.}, } @TechReport{minami:aclprop-tr, author = {Kazuhiro Minami and David Kotz}, title = {{Controlling access to pervasive information in the ``Solar'' system}}, institution = {Dartmouth Computer Science}, year = 2002, month = {February}, number = {TR2002-422}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/minami-aclprop-tr/index.html}, abstract = {Pervasive-computing infrastructures necessarily collect a lot of context information to disseminate to their context-aware applications. Due to the personal or proprietary nature of much of this context information, however, the infrastructure must limit access to context information to authorized persons. In this paper we propose a new access-control mechanism for event-based context-distribution infrastructures. The core of our approach is based on a conservative information-flow model of access control, but users may express discretionary relaxation of the resulting access-control list (ACL) by specifying relaxation functions. This combination of automatic ACL derivation and user-specified ACL relaxation allows access control to be determined and enforced in a decentralized, distributed system with no central administrator or central policy maker. It also allows users to express their personal balance between functionality and privacy. Finally, our infrastructure allows access-control policies to depend on context-sensitive roles, allowing great flexibility. \par We describe our approach in terms of a specific context-dissemination framework, the Solar system, although the same principles would apply to systems with similar properties.}, } @TechReport{masone:thesis-2002, author = {Christopher P. 
Masone}, title = {{Role Definition Language (RDL): A Language to Describe Context-Aware Roles}}, institution = {Dartmouth Computer Science}, year = 2002, month = {May}, number = {TR2002-426}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/masone-thesis-2002/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2002-426}, abstract = {As wireless networks become more prevalent, a widening array of computational resources becomes available to the mobile user. Since not all users should have unrestricted access to these resources, a method of access control must be devised. In a context-aware environment, context information can be used to supplement more conventional password-based access control systems. We believe the best way to achieve this is through the use of Context-Aware Role-Based Access Control, a model in which permissions are assigned to entities called roles, each principal is a member of one or more roles, and a role's membership is determined using context information. 
We designed and implemented RDL (Role-Definition Language), a simple, expressive and somewhat extensible programming language to facilitate the description of roles in terms of context information.}, } @InProceedings{aslam:position, author = {Jay Aslam and Marco Cremonini and David Kotz and Daniela Rus}, title = {{Using Mobile Agents for Analyzing Intrusion in Computer Networks}}, booktitle = {{Proceedings of the Workshop on Mobile Object Systems at ECOOP}}, year = 2001, month = {July}, numpages = 2, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/aslam-position/index.html}, } @InProceedings{howell:end-to-end, author = {Jon Howell and David Kotz}, title = {{End-to-end authorization}}, booktitle = {{Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI)}}, year = 2000, month = {October}, pages = {151--164}, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-end-to-end/index.html}, abstract = {Many boundaries impede the flow of authorization information, forcing applications that span those boundaries into hop-by-hop approaches to authorization. We present a unified approach to authorization. Our approach allows applications that span administrative, network, abstraction, and protocol boundaries to understand the end-to-end authority that justifies any given request. The resulting distributed systems are more secure and easier to audit. \par We describe boundaries that can interfere with end-to-end authorization, and outline our unified approach. We describe the system we built and the applications we adapted to use our unified authorization system, and measure its costs. 
We conclude that our system is a practical approach to the desirable goal of end-to-end authorization.}, } @Article{howell:restricted, author = {Jon Howell and David Kotz}, title = {{Restricted delegation: seamlessly spanning administrative boundaries}}, journal = {ACM Operating Systems Review}, year = 2000, month = {April}, volume = 34, number = 2, pages = {38--39}, publisher = {ACM}, copyright = {the authors}, DOI = {10.1145/346152.346268}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-restricted/index.html}, } @TechReport{howell:spki-tr, author = {Jon Howell and David Kotz}, title = {{A Formal Semantics for SPKI}}, institution = {Dartmouth Computer Science}, year = 2000, month = {March}, number = {TR2000-363}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-spki-tr/index.html}, abstract = {We extend the logic and semantics of authorization due to Abadi, Lampson, et al. to support restricted delegation. Our formal model provides a simple interpretation for the variety of constructs in the Simple Public Key Infrastructure (SPKI), and lends intuition about possible extensions. We discuss both extensions that our semantics supports and extensions that it cautions against.}, } @InProceedings{howell:spki, author = {Jon Howell and David Kotz}, title = {{A Formal Semantics for SPKI}}, booktitle = {{Proceedings of the European Symposium on Research in Computer Security (ESORICS)}}, series = {Lecture Notes in Computer Science}, year = 2000, month = {October}, volume = 1895, pages = {140--158}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/10722599_9}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-spki/index.html}, abstract = {We extend the logic and semantics of authorization due to Abadi, Lampson, et al. to support restricted delegation. 
Our formal model provides a simple interpretation for the variety of constructs in the Simple Public Key Infrastructure (SPKI), and lends intuition about possible extensions. We discuss both extensions that our semantics supports and extensions that it cautions against.}, } @PhdThesis{howell:thesis, author = {Jonathan R. Howell}, title = {{Naming and sharing resources across administrative boundaries}}, school = {Dartmouth College Computer Science}, year = 2000, month = {June}, copyright = {Jonathan R. Howell}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Reports TR2000-378, 379, and 380}, abstract = {I tackle the problem of naming and sharing resources across administrative boundaries. Conventional systems manifest the hierarchy of typical administrative structure in the structure of their own mechanism. While natural for communication that follows hierarchical patterns, such systems interfere with naming and sharing that cross administrative boundaries, and therefore cause headaches for both users and administrators. I propose to organize resource naming and security, not around administrative domains, but around the sharing patterns of users. \par The dissertation is organized into four main parts. First, I discuss the challenges and tradeoffs involved in naming resources and consider a variety of existing approaches to naming. \par Second, I consider the architectural requirements for user-centric sharing. I evaluate existing systems with respect to these requirements. \par Third, to support the sharing architecture, I develop a formal logic of sharing that captures the notion of restricted delegation. Restricted delegation ensures that users can use the same mechanisms to share resources consistently, regardless of the origin of the resource, or with whom the user wishes to share the resource next. 
A formal semantics gives unambiguous meaning to the logic. I apply the formalism to the Simple Public Key Infrastructure and discuss how the formalism either supports or discourages potential extensions to such a system. \par Finally, I use the formalism to drive a user-centric sharing implementation for distributed systems. I show how this implementation enables end-to-end authorization, a feature that makes heterogeneous distributed systems more secure and easier to audit. Conventionally, gateway services that bridge administrative domains, add abstraction, or translate protocols typically impede the flow of authorization information from client to server. In contrast, end-to-end authorization enables us to build gateway services that preserve authorization information, hence we reduce the size of the trusted computing base and enable more effective auditing. I demonstrate my implementation and show how it enables end-to-end authorization across various boundaries. I measure my implementation and argue that its performance tracks that of similar authorization mechanisms without end-to-end structure. \par I conclude that my user-centric philosophy of naming and sharing benefits both users and administrators.}, } @TechReport{howell:calculus-tr, author = {Jon Howell and David Kotz}, title = {{An Access-Control Calculus for Spanning Administrative Domains}}, institution = {Dartmouth Computer Science}, year = 1999, month = {November}, number = {PCS-TR99-361}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-calculus-tr/index.html}, abstract = {In our quest to give users uniform access to resources unimpeded by administrative boundaries, we discovered that we needed transitive sharing among users, with the possibility of restricted access along each sharing link. To achieve that goal, we extend Lampson et al.'s calculus for access control to support restricted delegations. 
We discuss the advantages of our extension, including the simplification of constructs like ACLs and statement expiration. We also apply our extension to model the Simple Public Key Infrastructure and make suggestions about its future development. Our extended calculus exposes some surprising consequences in systems that use restricted delegation.}, } @InCollection{gray:security-book, author = {Robert S. Gray and David Kotz and George Cybenko and Daniela Rus}, title = {{D'Agents: Security in a multiple-language, mobile-agent system}}, booktitle = {{Mobile Agents and Security}}, editor = {Giovanni Vigna}, series = {Lecture Notes in Computer Science}, year = 1998, volume = 1419, chapter = 9, pages = {154--187}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, ISBN13 = {978-3-540-68671-2}, DOI = {10.1007/3-540-68671-1}, URL = {https://www.cs.dartmouth.edu/~kotz/research/gray-security-book/index.html}, abstract = {Mobile-agent systems must address three security issues: protecting an individual machine, protecting a group of machines, and protecting an agent. In this chapter, we discuss these three issues in the context of D'Agents, a mobile-agent system whose agents can be written in Tcl, Java and Scheme. (D'Agents was formerly known as Agent Tcl.) First we discuss mechanisms existing in D'Agents for protecting an individual machine: (1) cryptographic authentication of the agent's owner, (2) resource managers that make policy decisions based on the owner's identity, and (3) secure execution environments for each language that enforce the decisions of the resource managers. Then we discuss our planned market-based approach for protecting machine groups. 
Finally we consider several (partial) solutions for protecting an agent from a malicious machine.}, } @TechReport{howell:snowflake2-tr, author = {Jon Howell and David Kotz}, title = {{Snowflake: Spanning Administrative Domains}}, institution = {Dartmouth Computer Science}, year = 1998, month = {December}, number = {PCS-TR98-343}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-snowflake2-tr/index.html}, abstract = {Many distributed systems provide a ``single-system image'' to their users, so the user has the illusion that they are using a single system when in fact they are using many distributed resources. It is a powerful abstraction that helps users to manage the complexity of using distributed resources. The goal of the Snowflake project is to discover how single-system images can be made to span administrative domains. Our current prototype organizes resources in namespaces and distributes them using Java Remote Method Invocation. Challenging issues include how much flexibility should be built into the namespace interface, and how transparent the network and persistent storage should be. We outline future work on making Snowflake administrator-friendly.}, } @TechReport{silver:thesis, author = {Scott M. Silver}, title = {{Implementation and Analysis of Software Based Fault Isolation}}, institution = {Dartmouth Computer Science}, year = 1996, month = {June}, number = {PCS-TR96-287}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/silver-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report PCS-TR96-287}, abstract = {Extensible applications rely upon user-supplied, untrusted modules to extend their functionality. To remain reliable, applications must isolate themselves from user modules. One method places each user module in a separate address space (process), which uses hardware virtual memory support to isolate the user process. 
Costly inter-process communication, however, prohibits frequent communication between the application and the untrusted module. We implemented and analyzed a software method for isolating an application from user modules. The technique uses a single address space. We provide each module with a logical address space and per-module access to system resources. Our software technique is a two-step process. First, we augment a module's code so that it cannot access any address outside of an assigned range. Second, we prevent the module from using system calls to access resources outside of its fault domain. \par This method for software isolation has two particular advantages over processes. First, for frequently communicating modules, we significantly reduce context switch time. Thus, we demonstrate near-optimal inter-module communication using software fault isolation. Second, our software-based techniques provide an efficient and expedient solution in situations where only one address space is available (e.g., kernel, or a single-address-space operating system).}, } @Article{kotz:jaddrtrace, author = {David Kotz and Preston Crow}, title = {{The Expected Lifetime of Single-Address-Space Operating Systems}}, journal = {Computing Systems}, year = 1996, month = {Summer}, volume = 9, number = 3, pages = {155--178}, publisher = {MIT Press}, copyright = {USENIX Association}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-jaddrtrace/index.html}, abstract = {Trends toward shared-memory programming paradigms, large (64-bit) address spaces, and memory-mapped files have led some to propose the use of a single virtual-address space, shared by all processes and processors. To simplify address-space management, some have claimed that a 64-bit address space is sufficiently large that there is no need to ever re-use addresses. 
Unfortunately, there has been no data to either support or refute these claims, or to aid in the design of appropriate address-space management policies. In this paper, we present the results of extensive kernel-level tracing of the workstations on our campus, and discuss the implications for single-address-space operating systems. We found that single-address-space systems will probably not outgrow the available address space, but only if reasonable space-allocation policies are used, and only if the system can adapt as larger address spaces become available.}, } @InProceedings{kotz:addrtrace, author = {David Kotz and Preston Crow}, title = {{The Expected Lifetime of ``Single-Address-Space'' Operating Systems}}, booktitle = {{Proceedings of the ACM SIGMETRICS Conference on Measurement and Modeling of Computer Systems}}, year = 1994, month = {May}, pages = {161--170}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/183019.183036}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-addrtrace/index.html}, abstract = {Trends toward shared-memory programming paradigms, large (64-bit) address spaces, and memory-mapped files have led some to propose the use of a single virtual-address space, shared by all processes and processors. Typical proposals require the single address space to contain all process-private data, shared data, and stored files. To simplify management of an address space where stale pointers make it difficult to re-use addresses, some have claimed that a 64-bit address space is sufficiently large that there is no need to ever re-use addresses. Unfortunately, there has been no data to either support or refute these claims, or to aid in the design of appropriate address-space management policies. In this paper, we present the results of extensive kernel-level tracing of the workstations in our department, and discuss the implications for single-address-space operating systems. 
We found that single-address-space systems will not outgrow the available address space, but only if reasonable space-allocation policies are used, and only if the system can adapt as larger address spaces become available.}, } @TechReport{kotz:addrtrace-tr, author = {David Kotz and Preston Crow}, title = {{The Expected Lifetime of ``Single-Address-Space'' Operating Systems}}, institution = {Dept. of Math and Computer Science, Dartmouth College}, year = 1993, month = {October}, number = {PCS-TR93-198}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-addrtrace-tr/index.html}, note = {Revised version appeared in SIGMETRICS '94, and revised again on March 15, 1996}, abstract = {Trends toward shared-memory programming paradigms, large (64-bit) address spaces, and memory-mapped files have led some to propose the use of a single virtual-address space, shared by all processes and processors. To simplify address-space management, some have claimed that a 64-bit address space is sufficiently large that there is no need to ever re-use addresses. Unfortunately, there has been no data to either support or refute these claims, or to aid in the design of appropriate address-space management policies. In this paper, we present the results of extensive kernel-level tracing of the workstations on our campus, and discuss the implications for single-address-space operating systems. We found that single-address-space systems will probably not outgrow the available address space, but only if reasonable space-allocation policies are used, and only if the system can adapt as larger address spaces become available.}, }