Carnegie Mellon University

Blue IEEE logo on white background

May 20, 2024

Researchers to Present at the IEEE Symposium on Security and Privacy

By Michael Cunningham

A few electrical and computer engineering faculty affiliated with CyLab will present their research on topics ranging from mobile money practices in Africa to uncovering and identifying side-channel and evasion attacks at the 45th Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy. Held in San Francisco on May 20-22, the event is the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field.

Here, we’ve compiled a list of the papers co-authored by ECE and CyLab Security and Privacy Institute members that are being presented at the event.

The Role of User-Agent Interactions on Mobile Money Practices in Kenya and Tanzania
Karen Sowon, Carnegie Mellon University; Edith Luhanga, Carnegie Mellon University - Africa; Lorrie Cranor, Carnegie Mellon University; Giulia Fanti, Carnegie Mellon University; Conrad Tucker, Carnegie Mellon University; Assane Gueye, Carnegie Mellon University - Africa

Abstract: Digital financial services have catalyzed financial inclusion in Africa. Commonly implemented as a mobile wallet service referred to as mobile money (MoMo), the technology provides enormous benefits to its users, some of whom have long been unbanked. While the benefits of mobile money services have largely been documented, the challenges that arise—especially in the interactions between human stakeholders—remain relatively unexplored. In this study, we investigate the practices of mobile money users in their interactions with mobile money agents. We conduct 72 structured interviews in Kenya and Tanzania (n=36 per country). The results show that users and agents design workarounds in response to limitations and challenges that users face within the ecosystem. These include advances or loans from agents, relying on the useragent relationships in place of legal identification requirements, and altering the intended transaction execution to improve convenience. Overall, the workarounds modify one or more of what we see as the core components of mobile money: the user, the agent, and the transaction itself. The workarounds pose new risks and challenges for users and the overall ecosystem. The results suggest a need for rethinking privacy and security of various components of the ecosystem, as well as policy and regulatory controls to safeguard interactions while ensuring the usability of mobile money.

PIANO: Extremely Simple, Single-Server PIR with Sublinear Server Computation
Mingxun Zhou, Andrew Park, Elaine Shi, Wenting Zheng; Carnegie Mellon University

Abstract: We construct a sublinear-time single-server preprocessing Private Information Retrieval (PIR) scheme with an optimal tradeoff between client storage and server computation (up to poly-logarithmic factors). Our scheme achieves amortized O˜(√n) server and client computation and O(√n) online communication per query, and requires Oeλ(√n) client storage. Unlike prior single-server PIR schemes that rely on heavy cryptographic machinery such as Homomorphic Encryption, our scheme relies only on Pseudo-Random Functions (PRF). To the best of our knowledge, PIANO is the first practical single-server sublinear-time PIR scheme, and we outperform the state of-the-art single-server PIR by 10×−300×. In comparison with the best known two-server PIR scheme, PIANO enjoys comparable performance but our construction is considerably simpler. Experimental results show that for a 100GB database and with 60ms round-trip latency, PIANO achieves 93ms response time, while the best known prior scheme requires 11s or more.

Pryde: A Modular Generalizable Workflow for Uncovering Evasion Attacks Against Stateful Firewall Deployments
Authors: Soo-jin Moon, Carnegie Mellon University; Milind Srivastava, Carnegie Mellon University; Yves Bieri, Compass Security; Ruben Martins, Carnegie Mellon University; Vyas Sekar, Carnegie Mellon University

Abstract: Stateful firewalls (SFW) play a critical role in securing our network infrastructure. Incorrect implementation of the intended stateful semantics can lead to evasion opportunities, even if firewall rules are configured correctly. Uncovering these opportunities is challenging due to the (1) black-box and proprietary nature of firewalls; (2) diversity of deployments; and (3) complex stateful semantics. To tackle these challenges, we present Pryde. Pryde uses a modular model-guided workflow that generalizes across black-box firewall implementations and deployment-specific settings to generate evasion attacks. Pryde infers a behavioral model of the stateful firewall in the presence of potentially non-TCP-compliant packet sequences. It uses this model in conjunction with attacker capabilities and victim behavior to synthesize custom evasion attacks. Using Pryde, we identify more than 6,000 unique attacks against 4 popular firewalls and 4 host networking stacks, many of which cannot be uncovered by prior work on censorship circumvention and black-box fuzzing.