Award-Winning Papers Provide New Insights Into Data Security

April 23, 2014

College of Computer and Information Science (CCIS) student and faculty authors were recently recognized among the best at two leading information security conferences.

“Efficient Private File Retrieval by Combining ORAM and PIR,” a joint effort by third-year PhD student Travis Mayberry, Research Assistant Professor Erik-Oliver Blass, and Professor, Associate Dean, and Director of Graduate Programs Agnes Chan, earned the Distinguished Paper Award at the 20th annual Network & Distributed System Security Symposium, an event focused on groundbreaking research related to the latest security topics.

“This is one of the top security conferences internationally, so the award is a great honor,” says Chan. “What distinguishes this research is the combination of two very well-known techniques. Travis has done a great job and should be given a lot of the credit, as should Erik. For Travis, it is an honor because he was competing not just with students, but also with professionals.”

In their paper, the CCIS researchers described how efficiency and performance are improved significantly by combining Private Information Oblivious RAM and Private Information Retrieval (PIR)—two traditional cryptographic techniques—to protect data on the Cloud from being accessed by an untrusted storage provider.

“Each technique has been around for a long time, but they weren’t practical to use because of their communication cost and computation time. In combination, the two can overcome their individual weaknesses,” Blass says. “This is a big step toward making them practical to use.”

The work that led to the paper was also notable for bridging theory and practice. Blass explains, “It has a solid conceptual and mathematical framework, but it’s also practical, and we evaluated the use of the technique in Amazon’s Cloud.”

For Mayberry, the research will form a centerpiece of his doctoral dissertation, and his continuing work will build on their findings so far. He says, “We’re exploring several different avenues to improve the technique and see how it fits into the landscape of research.”

Blass was recognized with a second “best paper” award at the Annual Computer Security Applications Conference for his contributions to “Implementation and Implications of a Stealth Hard-Drive Backdoor.” Blass coauthored the paper with several other researchers in the United States and Europe, including his former colleagues at EURECOM in France, where he held a senior researcher position before joining Northeastern University in 2012.

Their paper demonstrated the existence of a “back door” that makes it possible for a computer’s hard drive—essentially a storage device—to be maliciously compromised. Blass says, “People assume the hardware components of a computer are trustworthy or, if they’re compromised by an adversary, that the impact will be confined. We found that this assumption is wrong.”

To test this thinking, Blass and his fellow researchers purchased an off-the-shelf hard drive and compromised it by designing and installing a new malicious firmware. Surprisingly, they determined that a remote attacker could establish communication with the compromised disk and extract data.

“This communication channel is quite robust and practical. It’s a usable back door that a remote adversary can exploit,” Blass says.

Worse yet, standard antivirus and malware detection techniques cannot detect the malicious firmware. That leads Blass to offer advice to any company concerned about data security or dealing with highly sensitive information. He says, “Supply chains of manufacturers are not 100 percent secure. In a security-critical environment, you want to validate that the firmware is truly benign.”