Researcher profile

Avishai Wool

Avishai Wool contributes to research discovery and scholarly infrastructure.

Researcher · Affiliation not imported · Open to collaborate

Trust snapshot

Quick read

Trust 19 (Baseline)
5 works
0 followers
1 topic
4 close collaborators

Published work

5 published item(s)

Preprint, 2020, arXiv

Hardware Fingerprinting for the ARINC 429 Avionic Bus

ARINC 429 is the most common data bus in use today in civil avionics. However, the protocol lacks any form of source authentication. A technician with physical access to the bus is able to replace a transmitter with a rogue device, and the receivers will accept its malicious data as they have no method of verifying the authenticity of messages. Updating the protocol would close off security loopholes in new aircraft but would require thousands of airplanes to be modified. For the interim, until the protocol is replaced, we propose the first intrusion detection system that utilizes a hardware fingerprinting approach for sender identification for the ARINC 429 data bus. Our approach relies on the observation that changes in hardware, such as replacing a transmitter or a receiver with a rogue one, modify the electric signal of the transmission. Because we rely on the analog properties, and not on the digital content of the transmissions, we are able to detect a hardware switch as soon as it occurs, even if the data that is being transmitted is completely normal. Thus, we are able to preempt the attack before any damage is caused. In this paper we describe the design of our intrusion detection system and evaluate its performance against different adversary models. Our analysis includes both a theoretical Markov-chain model and an extensive empirical evaluation. For this purpose, we collected a data corpus of ARINC 429 data traces, which may be of independent interest since, to the best of our knowledge, no public corpus is available. We find that our intrusion detection system is quite realistic: e.g., it achieves near-zero false alarms per second, while detecting a rogue transmitter in under 50 ms, and detecting a rogue receiver in under 3 seconds. In other words, technician attacks can be reliably detected during the pre-flight checks, well before the aircraft takes off.
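The abstract above describes the idea (fingerprint the analog waveform, ignore the bits) but not the features or the classifier. The following is an added illustration written for this page, not the paper's code or data: it synthesizes bipolar return-to-zero words at the nominal ±10 V ARINC 429 levels, extracts two content-independent analog features (plateau amplitude and initial slew), learns a per-feature mean and deviation from a genuine transmitter, and raises an alarm when consecutive words fall outside that envelope. Sample rate, transmitter parameters, noise level, thresholds and the rogue device's characteristics are all constructed assumptions.

```python
import random
import statistics

# Constructed bus model (assumption): nominal +/-10 V bipolar return-to-zero
# levels as in ARINC 429, oversampled at 20 samples per bit. Transmitter
# parameters and noise below are invented for illustration.
SAMPLES_PER_BIT = 20
HALF = SAMPLES_PER_BIT // 2


def synth_word(bits, high_v, rise_samples, noise_v, rng=None):
    """Waveform of one word: each bit ramps to +/-high_v over rise_samples,
    holds for the first half-bit, ramps back and sits at null (0 V)."""
    rng = rng or random.Random(0)
    samples = []
    for b in bits:
        level = high_v if b else -high_v
        for i in range(SAMPLES_PER_BIT):
            if i < rise_samples:
                v = level * (i + 1) / rise_samples          # rising edge
            elif i < HALF:
                v = level                                   # plateau
            elif i < HALF + rise_samples:
                v = level * (1 - (i - HALF + 1) / rise_samples)  # falling edge
            else:
                v = 0.0                                     # return-to-zero half
            samples.append(v + rng.gauss(0.0, noise_v))
    return samples


def features(samples):
    """Content-independent analog features of a word: mean plateau amplitude
    and mean initial slew (volts per sample). The digital bit values never
    enter, so a rogue sending perfectly normal data is still visible."""
    plateaus, slews = [], []
    for k in range(0, len(samples), SAMPLES_PER_BIT):
        bit = samples[k:k + SAMPLES_PER_BIT]
        plateaus.append(abs(statistics.fmean(bit[HALF - 4:HALF])))
        slews.append(abs(bit[1] - bit[0]))
    return (statistics.fmean(plateaus), statistics.fmean(slews))


def train_fingerprint(words):
    """Per-feature mean and standard deviation of the legitimate transmitter."""
    cols = list(zip(*(features(w) for w in words)))
    return [(statistics.fmean(c), max(statistics.stdev(c), 1e-6)) for c in cols]


def detect(fingerprint, words, threshold=6.0, consecutive=2):
    """Index of the first word at which `consecutive` words in a row deviate
    by more than `threshold` standard deviations on any feature, else None.
    Requiring a run of deviating words keeps the false-alarm rate near zero."""
    run = 0
    for idx, w in enumerate(words):
        z = max(abs(f - m) / s for f, (m, s) in zip(features(w), fingerprint))
        run = run + 1 if z > threshold else 0
        if run >= consecutive:
            return idx
    return None


def random_word(rng):
    """32 random bits; the detector does not care about label, SDI or parity."""
    return [rng.random() < 0.5 for _ in range(32)]


def scenario(seed=1, rogue_from=20):
    """Train on the genuine transmitter, then watch one clean stream and one
    where a rogue transmitter (slightly lower drive level, slower edges)
    takes over at word `rogue_from`. Returns (clean alarm, rogue alarm)."""
    rng = random.Random(seed)
    genuine = dict(high_v=10.0, rise_samples=2, noise_v=0.05)
    rogue = dict(high_v=9.6, rise_samples=4, noise_v=0.05)
    train = [synth_word(random_word(rng), rng=rng, **genuine) for _ in range(40)]
    fp = train_fingerprint(train)
    clean = [synth_word(random_word(rng), rng=rng, **genuine) for _ in range(60)]
    swapped = [synth_word(random_word(rng), rng=rng,
                          **(genuine if i < rogue_from else rogue))
               for i in range(60)]
    return detect(fp, clean), detect(fp, swapped)
```

With these assumptions the rogue is flagged on the second word after the swap (index 21) while the clean stream raises nothing; at 100 kbps a 32-bit word lasts well under a millisecond, which is why detection latency is bounded by the number of words the detector waits for, not by what those words contain.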

Preprint, 2020, arXiv

Online Password Guessability via Multi-Dimensional Rank Estimation

Human-chosen passwords are a dominant form of authentication. Password strength estimators are used to help users avoid picking weak passwords by predicting how many attempts a password cracker would need until it finds a given password. In this paper we propose a novel password strength estimator, called PESrank, which accurately models the behavior of a powerful password cracker. PESrank calculates the rank of a given password in an optimal descending order of likelihood. PESrank estimates a given password's rank in fractions of a second---without actually enumerating the passwords---so it is practical for online use. It also has a training time that is drastically shorter than previous methods. Moreover, PESrank is efficiently tweakable to allow model personalization in fractions of a second, without the need to retrain the model; and it is explainable: it is able to provide information on why the password has its calculated rank, and gives the user insight on how to pick a better password. Our idea is to cast the question of password rank estimation in a probabilistic framework used in side-channel cryptanalysis. We view each password as a point in a $d$-dimensional search space, and learn the probability distribution of each dimension separately. The dimensions represent the base word, plus a dimension for each possible transformation such as adding a suffix or using a capitalization pattern. Using this model, password strength estimation is analogous to side-channel rank estimation. We implemented PESrank in Python and conducted an extensive evaluation study of it. We also integrated it into the registration page of a course at our university. Even with a model based on 905 million passwords, the response time was well under 1 second, with up to a 1-bit accuracy margin between the upper bound and the lower bound on the rank.
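To make the side-channel analogy concrete, here is an added toy implementation written for this page (not PESrank itself, whose trained model and code are not on the page). It uses three dimensions (base word, capitalization pattern, suffix) with constructed per-dimension probabilities, decomposes a password into its most probable point, and estimates the rank with the histogram-convolution technique from side-channel rank estimation: every value's cost in bits is binned, the per-dimension histograms are convolved, and the bins give a lower and an upper bound on how many points are more probable than the target. The brute-force rank is included only so the bounds can be checked on this 48-point space; the bin width and all probabilities are assumptions.

```python
import math
from itertools import product

# Constructed toy model (assumption, not PESrank's learned distributions):
# one probability distribution per dimension, learned independently.
DIMS = {
    "base":   {"password": 0.40, "letmein": 0.30, "dragon": 0.20, "qwerty": 0.10},
    "caps":   {"lower": 0.70, "first": 0.25, "upper": 0.05},
    "suffix": {"": 0.50, "1": 0.30, "123": 0.15, "!": 0.05},
}
ORDER = ["base", "caps", "suffix"]
BIN_BITS = 0.5          # histogram bin width, in bits of -log2(probability)


def render(base, caps, suffix):
    """Apply the capitalization pattern to the base word and append the suffix."""
    word = {"lower": base.lower, "first": base.capitalize, "upper": base.upper}[caps]()
    return word + suffix


def prob(point):
    """Probability of a point of the d-dimensional space: product over dimensions."""
    return math.prod(DIMS[d][v] for d, v in zip(ORDER, point))


def decompose(password):
    """Most probable (base, caps, suffix) explanation of a password, or None
    if the model cannot produce it. This is also the 'explainable' part."""
    best = None
    for point in product(*(DIMS[d] for d in ORDER)):
        if render(*point) == password and (best is None or prob(point) > prob(best)):
            best = point
    return best


def exact_rank(password):
    """Brute-force rank: 1 + number of strictly more probable points.
    Feasible only for toy spaces; a real model has billions of points."""
    p_t = prob(decompose(password))
    return 1 + sum(1 for point in product(*(DIMS[d] for d in ORDER)) if prob(point) > p_t)


def dim_histogram(dim):
    """Bin every value of one dimension by its cost -log2(p); count per bin."""
    hist = {}
    for p in DIMS[dim].values():
        b = int(-math.log2(p) // BIN_BITS)
        hist[b] = hist.get(b, 0) + 1
    return hist


def convolve(h1, h2):
    """Convolution of two bin-count histograms: bin indices add, counts multiply."""
    out = {}
    for i, a in h1.items():
        for j, b in h2.items():
            out[i + j] = out.get(i + j, 0) + a * b
    return out


def estimate_rank(password):
    """Rank bounds without enumerating the space. A point whose bins sum to k
    has cost in [k*w, (k+d)*w): bins that end below the target cost hold
    points that are certainly more probable (lower bound), bins that start
    below it hold points that are possibly more probable (upper bound)."""
    point = decompose(password)
    cost_t = -math.log2(prob(point))
    d = len(ORDER)
    hist = {0: 1}
    for dim in ORDER:
        hist = convolve(hist, dim_histogram(dim))
    lower = 1 + sum(n for k, n in hist.items() if (k + d) * BIN_BITS <= cost_t)
    upper = 1 + sum(n for k, n in hist.items() if k * BIN_BITS < cost_t)
    return lower, upper, dict(zip(ORDER, point))
```

The gap between the two bounds is controlled by the bin width: with d dimensions the target's own cost is known to within d bins, so narrower bins tighten the bracket at the price of longer histograms. The convolution cost is independent of the number of passwords, which is what makes an online estimate over a large model feasible.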

Preprint, 2016, arXiv

A Security Analysis and Revised Security Extension for the Precision Time Protocol

The Precision Time Protocol (PTP) aims to provide highly accurate and synchronised clocks. Its defining standard, IEEE 1588, has a security section ("Annex K") which relies on symmetric-key secrecy. In this paper we present a detailed threat analysis of the PTP standard, in which we highlight the security properties that should be addressed by any security extension. During this analysis we identify a sequence of new attacks and non-cryptographic network-based defenses that mitigate them. We then suggest replacing Annex K's symmetric cryptography with efficient elliptic-curve public-key signatures. We implemented all our attacks to demonstrate their effectiveness, and also implemented and evaluated both the network and cryptographic defenses. Our results show that the proposed schemes are extremely practical, and much more secure than previous suggestions.

Preprint, 2016, arXiv

Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems

Industrial Control System (ICS) traffic between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed ICS streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA, and a high false-alarm rate. We introduce a new modeling approach that addresses this gap. Our Statechart DFA modeling includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs. We demonstrate how to automatically construct the Statechart from a captured traffic stream. Our unsupervised learning algorithm builds a Discrete-Time Markov Chain (DTMC) from the stream. Next it splits the symbols into sets, one per multiplexed cycle, based on symbol frequencies and node degrees in the DTMC graph. Then it creates a sub-graph for each cycle, and extracts Euler cycles for each sub-graph. The final Statechart is comprised of one DFA per Euler cycle. The algorithms allow for non-unique symbols, that appear in more than one cycle, and also for symbols that appear more than once in a cycle. We evaluated our solution on traces from a production ICS using the Siemens S7-0x72 protocol. We also stress-tested our algorithms on a collection of synthetically-generated traces that simulated multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The algorithms were able to split the symbols into sets with 99.6% accuracy. The resulting Statechart modeled the traces with a low median false-alarm rate of 0.483%. In all but the most extreme scenarios the Statechart model drastically reduced both the false-alarm rate and the learned model size compared to a naive single-DFA model.
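The following added example, written for this page rather than taken from the paper, shows why a single DFA grows with multiplexing and how a Statechart avoids it. Two constructed polling cycles with different periods (7 and 5 ticks) are interleaved by emission time; the learner groups symbols by occurrence count, de-multiplexes the stream into one sub-channel per group and reads off each cycle; a DFA-selector then routes every incoming symbol to the DFA whose cycle contains it. Two simplifications are assumptions of this illustration: grouping uses symbol frequency alone (the paper also uses DTMC node degrees), and each cycle is read off the de-multiplexed sub-stream as its minimal period instead of being extracted as an Euler cycle from a per-group sub-graph. Symbol names are illustrative, not S7-0x72 protocol fields.

```python
from collections import Counter, defaultdict

# Constructed sample: two periodic HMI->PLC polling cycles, scheduled
# asynchronously, so their requests interleave on the wire.
CYCLE_A = ["read_DB1", "read_DB2", "write_Q0"]   # one request per tick, every 7 ticks
CYCLE_B = ["read_status", "read_alarms"]         # one request per tick, every 5 ticks


def make_trace(rounds=2, period_a=7, period_b=5):
    """Multiplex the two cycles by emission time over `rounds` hyper-periods.
    Ties at the same tick are ordered by source, so the trace is deterministic."""
    hyper = period_a * period_b
    events = []
    for k in range(rounds * hyper // period_a):
        events += [(k * period_a + i, 0, s) for i, s in enumerate(CYCLE_A)]
    for k in range(rounds * hyper // period_b):
        events += [(k * period_b + i, 1, s) for i, s in enumerate(CYCLE_B)]
    return [s for _, _, s in sorted(events)]


def minimal_period(seq):
    """Smallest p with seq[i] == seq[i+p] for all i: the number of states a
    single cyclic DFA needs to model seq exactly."""
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return len(seq)


def learn_statechart(stream):
    """Split symbols into per-cycle sets, de-multiplex, read off each cycle.
    Assumption: grouping by occurrence count alone, which is exact when the
    capture spans whole hyper-periods (the paper also uses DTMC node degrees)."""
    by_freq = defaultdict(set)
    for sym, n in Counter(stream).items():
        by_freq[n].add(sym)
    patterns = []
    for group in by_freq.values():
        sub = [s for s in stream if s in group]          # one sub-channel
        patterns.append(sub[:minimal_period(sub)])       # its cyclic pattern
    return patterns


class Statechart:
    """One cyclic DFA per pattern plus a selector that routes each symbol to
    the DFAs whose cycle contains it (non-unique symbols may belong to several)."""

    def __init__(self, patterns):
        self.patterns = patterns
        self.pos = [0] * len(patterns)
        self.owners = defaultdict(list)
        for i, pat in enumerate(patterns):
            for sym in set(pat):
                self.owners[sym].append(i)

    def feed(self, symbol):
        """Return None if the symbol is in sequence, otherwise an alarm string.
        On a mismatch the offending DFA resynchronises on the symbol it saw."""
        cands = self.owners.get(symbol)
        if not cands:
            return f"unknown symbol {symbol!r}"
        for i in cands:
            if self.patterns[i][self.pos[i]] == symbol:
                self.pos[i] = (self.pos[i] + 1) % len(self.patterns[i])
                return None
        i = cands[0]
        expected = self.patterns[i][self.pos[i]]
        self.pos[i] = (self.patterns[i].index(symbol) + 1) % len(self.patterns[i])
        return f"DFA {i}: got {symbol!r}, expected {expected!r}"


def count_alarms(patterns, stream):
    """Run a fresh Statechart over a stream and count alarms."""
    sc = Statechart(patterns)
    return sum(1 for s in stream if sc.feed(s) is not None)
```

On the constructed trace the naive single DFA needs 29 states (the hyper-period of 35 ticks carries 15 requests from one cycle and 14 from the other), while the Statechart needs 3 + 2 = 5 and still raises no alarm on the clean stream; an out-of-order write or an unknown request each produce exactly one alarm. With real captures that do not span whole hyper-periods, counts within a cycle can differ by one, which is where the paper's degree-based splitting matters.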

Preprint, 2016, arXiv

Secure Containers in Android: the Samsung KNOX Case Study

Bring Your Own Device (BYOD) is a growing trend among enterprises, aiming to improve workers' mobility and productivity via their smartphones. The threats and dangers posed by smartphones to the enterprise are also ever-growing. Such dangers can be mitigated by running the enterprise software inside a "secure container" on the smartphone. In our work we present a systematic assessment of security-critical areas in the design and implementation of a secure container for Android using reverse engineering and attacker-inspired methods. We do this through a case study of Samsung KNOX, a real-world product deployed on millions of devices. Our research shows how KNOX security features work behind the scenes and lets us compare the vendor's public security claims against reality. Along the way we identified several design weaknesses and a few vulnerabilities that were disclosed to Samsung.