CS 691i

This is a systems security paper whose main objective is to present a framework for the evaluation of the security and privacy of wireless IMD’s (Implantable medical devices).  An outline of the security and privacy design goals for IMDs is presented.  Conflicts between security/privacy goals and safety/utility goals of IMD designs are discussed and future research directions are proposed.

This paper has a bit of a different flavor from the other papers we have discussed in this seminar.  It is informal, and its main objective is to bring to attention of various research communities, such as computer science, electrical and computer engineering, and medicine, the issues involved in the design of IMDs.  The authors of this paper do a good job of describing major safety and utility goals followed by major privacy and security goals.  Then, the authors discuss the inherent tensions between the goals of privacy and security and those of safety and utility w. r. t. IMD design.  Currently, this is a very important topic as, while the use of IMDs becomes more ubiquitous in US, very little research has been done as far as protection of privacy of users of IMDs goes.  It is a very challenging field of study since some problems do not seem to have any feasible solutions.  For instance, how does one carry out software updates securely without disrupting the state of an IMD which may be a function of the history of the patient carrying that IMD?  Another example, how does one protect patient personal data stored on an IMD and communication of an IMD with IMD monitoring devices while not incurring significant computational penalties?  Good cryptography can be computationally costly.  As an example, authentication of access to IMDs can be done with identity-based encryption, but the latter can be quite expensive.  The authors finish the paper by presenting a long list of possible future work.  This is very exciting point of the paper as it defines new directions which global research communities could follow in an attempt to resolve the issues mentioned above (and perhaps pose new questions).  However, there are a few things that were not clear.  How popular is the use of IMDs in other parts of the world?  The authors mostly used permanent Pacemakers and ICDs as motivating examples throughout the paper, but why are they good examples?  Is it true that the list of issues that come up when designing these devices encompasses all the IMD-design issues that could ever come up?

This is an engineering paper that presents a simple design for an integrated circuit, based on an open-loop structure without any specific components, that allows for true random number generation at higher bit rates compared to what was achieved with classical TRNG in FPGA’s.  Two implementations of this design are discussed, and it is stated that the proposed design passes the NIST test for randomness.

The main idea of the design proposed in this paper is to use an open-loop design.  Currently widely used architectures consist of either a closed-loop to address metastability or two oscillators which complicate the overall design.  Although these designs pass the NIST tests, they are not very efficient and allow, in principle, for learning of the sequence thereby making prediction feasible.  The open-loop architecture that is proposed in this paper, however, provides for more efficient random generation of bits and uses simpler structure.  The authors discuss two implementations where the first one is based on a basic delay chain where every delay element output is sampled by its own D Flip-Flop and the second one is based on an improved version of the basic delay chain with a latch from a looped FPGA Look Up Table instead of D Flip-Flop.  In general, it seems like the topic discussed in this paper is very much relevant to security and privacy and is very applicable to the real world applications.  There is a definite need for dedicated circuitry which makes this method more cost effective than the method described in Dan Holcomb’s paper that we discussed earlier in the season.  There does not seem to be a thorough discussion of the applications in this paper.  Is it feasible to implement such a device on such devices as RFID tags, smartcards, smartphones, PDA, etc.?  Also, this paper does not address any possible hardware attacks, such as inserting a glitch for instance.  What kind of standard hardware attacks are possible on this device, and how would one counter them?  Have any security weaknesses that could be exploited by an adversary been introduced with the new design?

This is an engineering paper that presents a design for an integrated circuit whose switching behavior is independent of data or sequence of data being processed.  This design was implemented and shown via experimental analysis to be resistant to side-channel attacks. 

The main idea of the design proposed in the paper is to not produce any side-channel information that could be used by malicious parties.  This is different from a previously-popular approach of hiding side-channel information by de-correlating power consumption.  With a rapid growth in non-trivial diverse cryptographic protocols this research is very applicable in the real world as the security of circuits that adhere to such designs is independent of the underlying cryptographic algorithm.  The authors describe how a regular CMOS standard cell design flow was transformed into ‘secure’ circuit that they tested against known power-analysis attack.  AES was implemented on regular and ‘secure’ circuits.  Experimental results show that the ’secure’ circuit is much harder, albeit not impossible, to compromise than the regular result.  However, the proposed design requires quite bit more resources such as power, area, etc., than the regular design which makes it an unlikely candidate for wide deployment.  There does not seem to be a discussion of future work and applications to current-day devices such RFID tags, smartcards, smartphones, PDA, etc.  How would one go about making such designs more power efficient, less bulky?

This is an engineering paper that describes an experiment of harnessing energy for an ALB-2484 battery-assisted RFID tag from vibrations mimicking a wooden staircase with resonant frequency of 52Hz. Analysis shows that, in comparison to Crossbow MPR500CA Mica2Dot Mote, ALB-2484 requires 88% less power and 90% less time to charge.

This paper addresses a fascinating field of power harvesting that, as authors explain, has many real-world applications such as real-time inventory management, environmental monitoring, etc. The idea is that a battery-assisted passive RFID tag, while being assisted by a battery, can harness energy from ambient fluctuations. However, it seems as though this report documents a relatively limited amount of experimentation. Only a single battery-assisted passive tag was experimented with, and it was compared only to a single experiment performed (at the same resonant frequency by the same people) on a particular mote sensor. What about experimenting with different frequencies for different motes and tags? Piezoelectric power generator was used for converting mechanical vibrations into electrical potential that could be used to charge a power conditioning circuit. However, there are other power-harvesting techniques, such as harvesting from electromagnetic waves, but there was no mention of them in this paper. Only small discussion of related work is presented. Also, discussion of future work and new questions that this research may pose is missing. Can energy harnessed from ambient vibration be used to recharge batteries? Can a single tag be designed to be able to harness energy from multiple different vibration sources with different frequencies?

General Questions:

1. In case of a two-user barter, is there a way one user could provide false claims as to the quality of the other user’s data?

2. How effective is the banishing of the user account as a punishment for double-spending?

Text-Specific Questions:

Section 1: How ‘unlikely’ is the repeat of BitTorrent’s success in applications such as onion routing, distributed backup, lookup, and computation? What does ‘significantly more’ mean in the phrase ‘equitable exchange would make the system significantly more robust…’?

Section 2: How long exactly ‘may’ it take to converge on a set of similar-bandwidth peers in a large, high-churn torrent? When can this take forever? By exactly how much ‘may’ a currency-based approach limit the amount of altruism available for slow nodes? How much exactly ‘may’ this impact the performance?

Section 3: The authors state that as long as sellers receive frequent updates to the list of users who are allowed to spend money off-line, a user would not be able to double-spend many times. How frequent to the updates have to be? How many times can a user double-spend in the worst case?

This is a systems paper in which authors propose and analyze an extension to the BitTorrent protocol which requires users to buy and/or barter shared pieces of data. It is shown how endorsed e-cash can be an efficient solution to accountability in P2P networks without compromising the privacy of the peers while allowing for scalability. The authors analyze the efficiency and economical issues of their extension and discuss other possible applications such as onion routing, distributed lookup, storage and computation.

The first two parts of this paper give a good motivation and explain in relatively good detail how BitTorrent protocol works. However, many statements are made without thorough explanation. Please refer to the question section of my BLOG for the list of questions. The authors explain well the goals of the currency such as fungibility, fair exchange, anonymity, but they do not elaborate on their efficiency goal. They discuss research that has been done on e-cash and conclude that endorsed e-cash suits their goals the best. Sections 4 and 5 are dedicated to describing the details of the currency-based design of buying and bartering. The biggest unanswered question here is: how scalable is a P2P network of it heavily relies on centralized entities such as the bank and the arbiter? In the analysis section the authors show that utilizing endorsed e-cash may be impractical as opposed to file bartering. Also, as discussed in Sect. 7, money introduction may cause inflation leading to a monetary crash. The biggest unanswered questions w. r. t. utilizing money in P2P systems are: How does one control money circulation and how complex does the client behavior become with variable pricing? The paper is well structured, but there is no specific section on future work. Given that this is a workshop paper, and the fact that there are still many unanswered questions it would make sense to clearly list future work goals together with contributions in the conclusions section. Generally, this is an interesting paper, and the idea of using money in P2P networks for accountability is very exciting as it has many applications. However, it is not at all clear if this could ever work in real life. Also, it would strengthen the paper if the authors addressed their protocols w. r. t. P2P file-sharing networks other than BitTorrent.

1. Could such methods for harvesting randomness from manufacture variation be ever used for one-time-pad type of cryptography or is this only good for setting up keys, randomizing encrypted data, etc?

2. Was there ever a thought of using these fingerprints for identity-based encryption, or is this too expensive?

3. Are there any other ways of measuring how close binary strings are together besides the Hamming Distance?

4. What is the meaning of the distribution of HD for matching and non-matching fingerprints in Figures 5-6?

5. What is the meaning of the distribution of pair-wise HD between 256-byte fingerprints Fig 7?

6. How feasible would it be to use this method in IC’s used in stationary and portable devices?

7. Would using a TRNG be cheaper than using a PRNG on a resource-constrained device? Is there a security vs efficiency trade off?

8. Given that by measuring latent prints one could obtain a known print, is it possible for anyone with proper apparatus to obtain a device’s id? If yes, would it not be then straight forward to compromise that device’s privacy?

This is a systems/engineering paper that proposes a procedure for using SRAM state of volatile CMOS storage at initial power-up to produce physical fingerprints as well as generate true random numbers. True randomness is captured without the use of any dedicated circuitry. The proposed procedure is tested on 512-kbyte SRAM chips and Intel’s WISP’s; statistical analysis is used to show reliability.

The motivation part of the introduction needs to be strengthened by examples and references. Why should one believe that NEARLY ALL IC applications require and/or could benefit from a static identifier? Generally, this paper is well-structured, but it would make more sense to have a separate section that describes experimental details step-by-step, rather than having the latter scattered over the introduction and other sections. The related-work section is quite good. Advantages and disadvantage of fingerprinting are well-discussed w. r. t. identification techniques that use non-volatile memory. The author cares to explain various methods for harvesting thermal and shot noise as a source of randomness [Kinnimet '02, Sunar '07, Tokunaga '07]. The concept behind using SRAM initial states is relatively well explained. Method of using Hamming-Distance for fingerprint matching results is verified with experiments which show 100% accuracy for both experiments. Nice result. However, some aspects of analysis are missing. For obtaining a known fingerprint, when the initial state of SRAM is much affected by noise, more trials are used. What does ‘more’ mean here (Sect. 3B)? Same question goes for when the procedure is verified on WISPS for fingerprint quality (Sect. 4B-2). The authors show that their fingerprinting method is not as precise but less costly than the fingerprinting method discussed in recent literature [Su et all]. Equations 5-6 are not clearly explained. Estimates for how many bytes would be sufficient to uniquely identify 26 million SRAM chips and 11 million WISP circuits (Sect. 4B) need to be justified more rigorously. Same comment goes for the period estimation of the TRNG, Section 5. TRNG method is verified experimentally w. r. t. a model and compared to a method discussed by Tokunaga et al. The model for process variation that causes thermal noise voltage on a single-capacitor circuit node is verified experimentally (Fig. 8). It is shown that the captured randomness is due to physically random noise by showing the dependency of min-entropy of the SRAM state of experiments and theoretical model (Fig. 9) on temperature. This is good, but assumptions and logic used to simplify and derive the model for process variation causing the thermal noise voltage on a single-capacitor circuit node need to be justified (Sect. 5A-2). The discrepancies between model and experiment are not rigorously supported. Measurements mentioned in Fig. 10 caption are not explained in the paper. Overall, it seems like the topic discussed in this paper is relevant to security and privacy of IC’s of today. No need for dedicated circuitry makes the method described in this paper less cost effective than other methods discussed in recent literature. However, applications and future work are not very well-discussed. What would be the next step? How feasible would it be to use this method in IC’s used in stationary and portable devices? Unfortunately, there are quite a few grammatical and spelling errors throughout the paper. Some sentences are awkward or simply unnecessary.