BZPEERReading, trust and collaboration for research
Menu

Discover

GraphFollow connections around a paper, topic or saved view.

Workspaces

HomePick up where your research flow left off.InboxHandle requests, replies and notifications from one place.CollectionsCurate reading lists, evidence sets and shareable dossiers.ResearchSee your private provenance graph, trail and imports.CollaborationMove from discovery into focused discussion rooms.PublishDraft, preview and publish full-text research articles.

Network

ExpertsFind specialists worth following or asking for help.CommunitiesJoin research circles organized around shared work.PartnersSee external organizations active around the same topics.

Opportunities

ListingsBrowse roles, calls and collaborations with clearer fit signals.

Account

Log inReturn to your reading and collaboration workspace.Create accountStart saving work, following people and joining teams.
Log inCreate account

Researcher profile

Christof Paar

Christof Paar contributes to research discovery and scholarly infrastructure.

ResearcherAffiliation not importedOpen to collaborate
Cryptography and Securityeess.SPInformation Theorymath.IT

Trust snapshot

Quick read

Trust 19 - UnverifiedVerification L1Unclaimed author
5works
0followers
4topics
4close collaborators

Actions

Decide how to stay connected

Follow researcher0

Identity and collaboration

How to connect with this researcher

Claiming links this public author record to a researcher profile and unlocks direct collaboration workflows.

Log in to claim

Direct collaboration

Open a focused conversation when the fit is right

Claim this author entity first to unlock direct invitations.

Research graph

See the researcher in context

Open full explorer

Inspect adjacent work, topics, institutions and collaborators without jumping out to a separate graph page.

Building this graph slice

BZPEER is loading the nearby papers, people, topics and institutions for this page.

Published work

5 published item(s)

preprint2022arXiv

Analog Physical-Layer Relay Attacks with Application to Bluetooth and Phase-Based Ranging

Today, we use smartphones as multi-purpose devices that communicate with their environment to implement context-aware services, including asset tracking, indoor localization, contact tracing, or access control. As a de-facto standard, Bluetooth is available in virtually every smartphone to provide short-range wireless communication. Importantly, many Bluetooth-driven applications such as Phone as a Key (PaaK) for vehicles and buildings require proximity of legitimate devices, which must be protected against unauthorized access. In earlier access control systems, attackers were able to violate proximity-verification through relay station attacks. However, the vulnerability of Bluetooth against such attacks was yet unclear as existing relay attack strategies are not applicable or can be defeated through wireless distance measurement. In this paper, we design and implement an analog physical-layer relay attack based on low-cost off-the-shelf radio hardware to simultaneously increase the wireless communication range and manipulate distance measurements. Using our setup, we successfully demonstrate relay attacks against Bluetooth-based access control of a car and a smart lock. Further, we show that our attack can arbitrarily manipulate Multi-Carrier Phase-based Ranging (MCPR) while relaying signals over 90 m.

0 citations0 reviewsNo code linkedOpen access
preprint2022arXiv

IRShield: A Countermeasure Against Adversarial Physical-Layer Wireless Sensing

Wireless radio channels are known to contain information about the surrounding propagation environment, which can be extracted using established wireless sensing methods. Thus, today's ubiquitous wireless devices are attractive targets for passive eavesdroppers to launch reconnaissance attacks. In particular, by overhearing standard communication signals, eavesdroppers obtain estimations of wireless channels which can give away sensitive information about indoor environments. For instance, by applying simple statistical methods, adversaries can infer human motion from wireless channel observations, allowing to remotely monitor premises of victims. In this work, building on the advent of intelligent reflecting surfaces (IRSs), we propose IRShield as a novel countermeasure against adversarial wireless sensing. IRShield is designed as a plug-and-play privacy-preserving extension to existing wireless networks. At the core of IRShield, we design an IRS configuration algorithm to obfuscate wireless channels. We validate the effectiveness with extensive experimental evaluations. In a state-of-the-art human motion detection attack using off-the-shelf Wi-Fi devices, IRShield lowered detection rates to 5% or less.

0 citations0 reviewsNo code linkedOpen access
preprint2022arXiv

Reconfigurable Intelligent Surface for Physical Layer Key Generation: Constructive or Destructive?

Physical layer key generation (PKG) is a promising means to provide on-the-fly shared secret keys by exploiting the intrinsic randomness of the radio channel. However, the performance of PKG is highly dependent on the propagation environments. Due to its feature of controlling the wireless environment, reconfigurable intelligent surface~(RIS) is appealing to be applied in PKG. In this paper, in contrast to the existing literature, we investigate both the constructive and destructive effects of RIS on the PKG scheme. For the constructive aspect, we have identified static and wave-blockage environments as two RIS-empowered-PKG applications in future wireless systems. In particular, our experimental results in a static environment showed that RIS can enhance the entropy of the secret key, achieving a key generation rate (KGR) of 97.39 bit/s with a bit disagreement rate (BDR) of 0.083. In multi-user systems where some remote users are in worse channel conditions, the proposed RIS-assisted PKG algorithm improves the sum secret key rate by more than 2 dB, compared to the literature. Furthermore, we point out that RIS could be utilized by an attacker to perform new jamming and leakage attacks and give countermeasures, respectively. Finally, we outline future research directions for PKG systems in light of the RIS.

0 citations0 reviewsNo code linkedOpen access
preprint2021arXiv

Intelligent Reflecting Surface-Assisted Wireless Key Generation for Low-Entropy Environments

Physical layer key generation is a promising candidate for cryptographic key establishment between two wireless communication parties. It offers information-theoretic security and is an attractive alternative to public-key techniques. Here, the inherent randomness of wireless radio channels is used as a shared entropy source to generate cryptographic key material. However, practical implementations often suffer from static channel conditions which exhibit a limited amount of randomness. In the past, considerable research efforts have been made to address this fundamental limitation. However, current solutions are not generic or require dedicated hardware extensions such as reconfigurable antennas. In this paper, we propose a novel wireless key generation architecture based on randomized channel responses from an intelligent reflecting surface (IRS). Due to its passive nature, a cooperative IRS is well-suited to provide randomness for conventional resource-constrained radios. We conduct the first practical studies to successfully demonstrate IRS-based physical-layer key generation with an OFDM system. In a static environment, using a single subcarrier only, our IRS-assisted prototype system achieves a key generation rate (KGR) of 97.39 bps with 6.5% key disagreement rate (KDR) after quantization, while passing standard randomness tests.

0 citations0 reviewsNo code linkedOpen access
preprint2020arXiv

An Exploratory Analysis of Microcode as a Building Block for System Defenses

Microcode is an abstraction layer used by modern x86 processors that interprets user-visible CISC instructions to hardware-internal RISC instructions. The capability to update x86 microcode enables a vendor to modify CPU behavior in-field, and thus patch erroneous microarchitectural processes or even implement new features. Most prominently, the recent Spectre and Meltdown vulnerabilities were mitigated by Intel via microcode updates. Unfortunately, microcode is proprietary and closed source, and there is little publicly available information on its inner workings. In this paper, we present new reverse engineering results that extend and complement the public knowledge of proprietary microcode. Based on these novel insights, we show how modern system defenses and tools can be realized in microcode on a commercial, off-the-shelf AMD x86 CPU. We demonstrate how well-established system security defenses such as timing attack mitigations, hardware-assisted address sanitization, and instruction set randomization can be realized in microcode. We also present a proof-of-concept implementation of a microcode-assisted instrumentation framework. Finally, we show how a secure microcode update mechanism and enclave functionality can be implemented in microcode to realize a small trusted execution environment. All microcode programs and the whole infrastructure needed to reproduce and extend our results are publicly available.

0 citations0 reviewsNo code linkedOpen access