Imperial College London

Dr Soteris Demetriou

Faculty of Engineering, Department of Computing

Lecturer

Contact

 

+44 (0)20 7594 8237, s.demetriou

Assistant

 

Ms Lucy Atthis, +44 (0)20 7594 8259

Location

 

353, ACE Extension, South Kensington Campus

Publications


32 results found

Sahraei A, Demetriou S, Sobhgol A, Zhang H, Nagaraja A, Pathak N, Joshi G, Souza C, Huang B, Cook W, Golovei A, Venkat P, McFague A, Skarlatos D, Patel V, Thind R, Gonzalez E, Jin Y, Tang C et al., 2023, XFaaS: Hyperscale and Low Cost Serverless Functions at Meta, Pages: 231-246

Function-as-a-Service (FaaS) has become a popular programming paradigm in Serverless Computing. As the responsibility of resource provisioning shifts from users to cloud providers, the ease of use of FaaS for users may come at the expense of extra hardware costs for cloud providers. Currently, there is no report on how FaaS platforms address this challenge and the level of hardware utilization they achieve. This paper presents the FaaS platform called XFaaS in Meta's hyperscale private cloud. XFaaS currently processes trillions of function calls per day on more than 100,000 servers. We describe a set of optimizations that help XFaaS achieve a daily average CPU utilization of 66%. Based on our anecdotal knowledge, this level of utilization might be several times higher than that of typical FaaS platforms. Specifically, to eliminate the cold start time of functions, XFaaS strives to approximate the effect that every worker can execute every function immediately. To handle load spikes without over-provisioning resources, XFaaS defers the execution of delay-tolerant functions to off-peak hours and globally dispatches function calls across datacenter regions. To prevent functions from overloading downstream services, XFaaS uses a TCP-like congestion-control mechanism to pace the execution of functions.

Conference paper

Huang H-Y, Demetriou S, Hassan M, Tuncay GS, Gunter CA, Bashir M et al., 2023, Evaluating User Behavior in Smartphone Security: A Psychometric Perspective, 19th Symposium on Usable Privacy and Security (SOUPS), Publisher: USENIX ASSOC, Pages: 509-524

Conference paper

Saokar H, Demetriou S, Magerko N, Kontorovich M, Kirstein J, Leibold M, Skarlatos D, Khandelwal H, Tang C et al., 2023, ServiceRouter: Hyperscale and Minimal Cost Service Mesh at Meta, 17th USENIX Symposium on Operating Systems Design and Implementation (OSDI), Publisher: USENIX ASSOC, Pages: 969-985

Conference paper

Grubic B, Wang Y, Petrochko T, Yaniv R, Jones B, Callies D, Clarke-Lauer M, Kelley D, Demetriou S, Yu K, Tang C et al., 2023, Conveyor: One-Tool-Fits-All Continuous Software Deployment at Meta, 17th USENIX Symposium on Operating Systems Design and Implementation (OSDI), Publisher: USENIX ASSOC, Pages: 325-342

Conference paper

Loureiro-Koechlin C, Cordoba-Pachon JR, Coventry L, Demetriou S, Weir C et al., 2022, Vision: Design Fiction for Cybersecurity Using Science Fiction to Help Software Developers Anticipate Problems, Pages: 79-84

Security and privacy issues are an ever-increasing problem for software systems. To address them, software developers must anticipate the problems that their developed systems may face, using a process we call 'threat assessment'. Unfortunately, given the shortage of security experts, and the need to 'think laterally', threat assessment is very difficult for many development teams. One possibility is to use stories, known as 'Design Fiction,' to help developers visualize different contexts and future use for their software. But such stories are themselves difficult to write. A recent pilot project investigated using a broad-brush threat model and fiction samples derived from existing science fiction literature to help developers create threat assessments for Health Internet-of-Things devices. The preliminary results are encouraging, and open the possibility of developing a method to support developers in threat assessment in any domain.

Conference paper

Hau Z, Demetriou S, Lupu EC, 2022, Using 3D shadows to detect object hiding attacks on autonomous vehicle perception, 43rd IEEE Symposium on Security and Privacy (SP), Publisher: IEEE, Pages: 229-235, ISSN: 2639-7862

Autonomous Vehicles (AVs) are mostly reliant on LiDAR sensors which enable spatial perception of their surroundings and help make driving decisions. Recent works demonstrated attacks that aim to hide objects from AV perception, which can result in severe consequences. 3D shadows are regions void of measurements in 3D point clouds which arise from occlusions of objects in a scene. 3D shadows were proposed as a physical invariant valuable for detecting spoofed or fake objects. In this work, we leverage 3D shadows to locate obstacles that are hidden from object detectors. We achieve this by searching for void regions and locating the obstacles that cause these shadows. Our proposed methodology can be used to detect an object that has been hidden by an adversary as these objects, while hidden from 3D object detectors, still induce shadow artifacts in 3D point clouds, which we use for obstacle detection. We show that using 3D shadows for obstacle detection can achieve high accuracy in matching shadows to their object and provide precise prediction of an obstacle’s distance from the ego-vehicle.

Conference paper

Hledikova A, Woszczyk D, Acman A, Demetriou S, Schuller B et al., 2022, Data Augmentation for Dementia Detection in Spoken Language, Interspeech Conference, Publisher: ISCA-INT SPEECH COMMUNICATION ASSOC, Pages: 2858-2862, ISSN: 2308-457X

Conference paper

Ismail Khan S, Woszczyk D, You C, Demetriou S, Naveed M et al., 2021, Characterizing Improper Input Validation Vulnerabilities of Mobile Crowdsourcing Services, Annual Computer Security Applications Conference

Conference paper

Woszczyk D, Lee A, Demetriou S, 2021, Open, sesame! Introducing access control to voice services, 1st Workshop on Security and Privacy for Mobile AI (MAISP), Publisher: ACM, Pages: 7-12

Personal voice assistants (VAs) are shown to be vulnerable against record–and–replay, and other acoustic attacks which allow an adversary to gain unauthorized control of connected devices within a smart home. Existing defenses either lack detection and management capabilities or are too coarse-grained to enable flexible policies on par with other computing interfaces. In this work, we present Sesame, a lightweight framework for edge devices which is the first to enable fine-grained access control of smart-home voice commands. Sesame combines three components: Automatic Speech Recognition, Natural Language Understanding (NLU) and a Policy module. We implemented Sesame on Android devices and demonstrate that our system can enforce security policies for both Alexa and Google Home in real-time (362ms end-to-end inference time), with a lightweight (<25MB) NLU model which exhibits minimal accuracy loss compared to its non-compact equivalent.

Conference paper

You C, Hau Z, Demetriou S, 2021, Temporal Consistency Checks to Detect LiDAR Spoofing Attacks on Autonomous Vehicle Perception, Pages: 13-18

LiDAR sensors are used widely in Autonomous Vehicles for better perceiving the environment which enables safer driving decisions. Recent work has demonstrated serious LiDAR spoofing attacks with alarming consequences. In particular, model-level LiDAR spoofing attacks aim to inject fake depth measurements to elicit ghost objects that are erroneously detected by 3D Object Detectors, resulting in hazardous driving decisions. In this work, we explore the use of motion as a physical invariant of genuine objects for detecting such attacks. Based on this, we propose a general methodology, 3D Temporal Consistency Check (3D-TC2), which leverages spatiotemporal information from motion prediction to verify objects detected by 3D Object Detectors. Our preliminary design and implementation of a 3D-TC2 prototype demonstrates very promising performance, providing more than 98% attack detection rate with a recall of 91% for detecting spoofed Vehicle (Car) objects, and is able to achieve real-time detection at 41Hz.

Conference paper

Hau Z, Co KT, Demetriou S, Lupu E et al., 2021, Object removal attacks on LiDAR-based 3D object detectors, NDSS 2021 Workshop, Publisher: Internet Society

LiDARs play a critical role in Autonomous Vehicles' (AVs) perception and their safe operations. Recent works have demonstrated that it is possible to spoof LiDAR return signals to elicit fake objects. In this work we demonstrate how the same physical capabilities can be used to mount a new, even more dangerous class of attacks, namely Object Removal Attacks (ORAs). ORAs aim to force 3D object detectors to fail. We leverage the default setting of LiDARs that record a single return signal per direction to perturb point clouds in the region of interest (RoI) of 3D objects. By injecting illegitimate points behind the target object, we effectively shift points away from the target objects' RoIs. Our initial results using a simple random point selection strategy show that the attack is effective in degrading the performance of commonly used 3D object detection models.

Conference paper

Hau Z, Co KT, Demetriou S, Lupu EC et al., 2021, Object Removal Attacks on LiDAR-based 3D Object Detectors

LiDARs play a critical role in Autonomous Vehicles' (AVs) perception and their safe operations. Recent works have demonstrated that it is possible to spoof LiDAR return signals to elicit fake objects. In this work we demonstrate how the same physical capabilities can be used to mount a new, even more dangerous class of attacks, namely Object Removal Attacks (ORAs). ORAs aim to force 3D object detectors to fail. We leverage the default setting of LiDARs that record a single return signal per direction to perturb point clouds in the region of interest (RoI) of 3D objects. By injecting illegitimate points behind the target object, we effectively shift points away from the target objects' RoIs. Our initial results using a simple random point selection strategy show that the attack is effective in degrading the performance of commonly used 3D object detection models.

Conference paper

Hau Z, Demetriou S, Muñoz-González L, Lupu EC et al., 2021, Shadow-Catcher: Looking into Shadows to Detect Ghost Objects in Autonomous Vehicle 3D Sensing, Publisher: Springer, Pages: 691-711

Conference paper

Demetriou S, Jain P, 2020, Determination of a next state of multiple IoT devices within an environment, US 10778516 B2

Examples herein relate to determining a next state in which to transition multiple IoT devices within an environment. Examples disclose determining, via operation of a state machine, a current state of the multiple IoT devices within the environment. The state machine receives contextual information. Based on the current state and the contextual information, the state machine determines a next state of the multiple IoT devices in which to transition of the multiple IoT devices within the environment.

Patent

Huang H-Y, Demetriou S, Banerjee R, Tuncay GS, Gunter CA, Bashir M et al., 2020, Smartphone security behavioral scale: a new psychometric measurement for smartphone security, Publisher: arXiv

Despite widespread use of smartphones, there is no measurement standard targeted at smartphone security behaviors. In this paper we translate a well-known cybersecurity behavioral scale into the smartphone domain and show that we can improve on this translation by following an established psychometrics approach surveying 1011 participants. We design a new 14-item Smartphone Security Behavioral Scale (SSBS) exhibiting high reliability and good fit to a two-component behavioural model based on technical versus social protection strategies. We then demonstrate how SSBS can be applied to measure the influence of mental health issues on smartphone security behavior intentions. We found significant correlations that predict SSBS profiles from three types of MHIs. Conversely, we are able to predict presence of MHIs using SSBS profiles. We obtain prediction AUCs of 72.1% for Internet addiction, 75.8% for depression and 66.2% for insomnia.

Working paper

Wang X, Yuan K, Zhou X, Naveed M, Demetriou S, Gunter C et al., 2020, External resource control of mobile devices, US 10685142 B2

The present disclosure provides a security enhanced channel control system useable on a wireless device comprising a policy module including at least one processor and memory, the policy module configured to store, in the memory, one or more security policies and apply a compliance check to a first system layer and a second system layer; and a first policy base stored in the memory of the policy module, the first policy base being associated with a mandatory access control (“MAC”) base and defining one more security policies for access to a plurality of channels associated with the first and second system layers. The policy module cooperates with the first policy base to establish one or more access control rules that are applied to at least one of the plurality of channels to preclude an unauthorized application from accessing at least one of the channels.

Patent

Mo F, Shamsabadi AS, Katevas K, Demetriou S, Leontiadis I, Cavallaro A, Haddadi H et al., 2020, DarkneTZ: towards model privacy at the edge using trusted execution environments, Publisher: arXiv

We present DarkneTZ, a framework that uses an edge device's Trusted Execution Environment (TEE) in conjunction with model partitioning to limit the attack surface against Deep Neural Networks (DNNs). Increasingly, edge devices (smartphones and consumer IoT devices) are equipped with pre-trained DNNs for a variety of applications. This trend comes with privacy risks as models can leak information about their training data through effective membership inference attacks (MIAs). We evaluate the performance of DarkneTZ, including CPU execution time, memory usage, and accurate power consumption, using two small and six large image classification models. Due to the limited memory of the edge device's TEE, we partition model layers into more sensitive layers (to be executed inside the device TEE), and a set of layers to be executed in the untrusted part of the operating system. Our results show that even if a single layer is hidden, we can provide reliable model privacy and defend against state of the art MIAs, with only 3% performance overhead. When fully utilizing the TEE, DarkneTZ provides model protections with up to 10% overhead.

Working paper

Jain P, Demetriou S, Kyu-Han K, 2019, Determining car positions, US 10380889 B2

Examples provided herein describe a method for determining car positions. For example, a physical processor of an edge computing device may receive position data for a legacy car and information about a make and model of the legacy car. The first edge device may also receive, from a sensor-rich car, a set of sensor data about a set of observed cars in the vicinity of the sensor-rich car, a set of position data for the set of observed cars, and a set of visual data of the set of observed cars, wherein the set of observed cars includes the legacy car and the sensor-rich car. The edge device may then determine an updated position for the legacy car based on the set of position data for the set of observed cars, the set of visual data, and the set of sensor data and provide the updated position of the legacy car.

Patent

Hojjati A, Long Y, Demetriou S, Gunter CA et al., 2019, BEEER: Distributed Record and Replay for Medical Devices in Hospital Operating Rooms, Publisher: ACM, Pages: 1:1-1:10

Conference paper

Demetriou S, Jain P, Han K-H, 2018, CoDrive: improving automobile positioning via collaborative driving, IEEE Conference on Computer Communications (INFOCOM), Publisher: IEEE, Pages: 72-80

An increasing number of depth sensors and surrounding-aware cameras are being installed in the new generation of cars. For example, Tesla Motors uses a forward radar, a front-facing camera, and multiple ultrasonic sensors to enable its Autopilot feature. Meanwhile, older or legacy cars are expected to be around in volumes, for at least the next 10 to 15 years. Legacy car drivers rely on traditional GPS for navigation services, whose accuracy varies 5 to 10 meters in a clear line-of-sight and degrades up to 30 meters in a downtown environment. At the same time, a sensor-rich car achieves better accuracy due to high-end sensing capabilities. To bridge this gap, we propose CoDrive, a system to provide a sensor-rich car's accuracy to a legacy car. We achieve this by correcting GPS errors of a legacy car on an opportunistic encounter with a sensor-rich car. CoDrive uses smartphone GPS of all participating cars, RGB-D sensors of sensor-rich cars, and road boundaries of a traffic scene to generate optimization constraints. Our algorithm collectively reduces GPS errors, resulting in accurate reconstruction of a traffic scene's aerial view. CoDrive does not require stationary landmarks or 3D maps. We empirically evaluate CoDrive which is shown to achieve a 90% and a 30% reduction in cumulative GPS error for legacy and sensor-rich cars respectively, while preserving the shape of the traffic.

Conference paper

Tuncay GS, Demetriou S, Ganju K, Gunter C et al., 2018, Resolving the predicament of android custom permissions, Network and Distributed System Security Symposium, Publisher: Internet Society, Pages: 1-15

Android leverages a set of system permissions to protect platform resources. At the same time, it allows untrusted third-party applications to declare their own custom permissions to regulate access to app components. However, Android treats custom permissions the same way as system permissions even though they are declared by entities of different trust levels. In this work, we describe two new classes of vulnerabilities that arise from the ‘predicament’ created by mixing system and custom permissions in Android. These have been acknowledged as serious security flaws by Google and we demonstrate how they can be exploited in practice to gain unauthorized access to platform resources and to compromise popular Android apps. To address the shortcomings of the system, we propose a new modular design called Cusper for the Android permission model. Cusper separates the management of system and custom permissions and introduces a backward-compatible naming convention for custom permissions to prevent custom permission spoofing. We validate the correctness of Cusper by 1) introducing the first formal model of Android runtime permissions, 2) extending it to describe Cusper, and 3) formally showing that key security properties that can be violated in the current permission model are always satisfied in Cusper. To demonstrate Cusper’s practicality, we implemented it in the Android platform and showed that it is both effective and efficient.

Conference paper

Srivastava A, Jain P, Demetriou S, Cox L, Kim K-H et al., 2017, CamForensics: understanding visual privacy leaks in the wild, ACM Conference on Embedded Network Sensor Systems, Publisher: ACM

Many mobile apps, including augmented-reality games, bar-code readers, and document scanners, digitize information from the physical world by applying computer-vision algorithms to live camera data. However, because camera permissions for existing mobile operating systems are coarse (i.e., an app may access a camera's entire view or none of it), users are vulnerable to visual privacy leaks. An app violates visual privacy if it extracts information from camera data in unexpected ways. For example, a user might be surprised to find that an augmented-reality makeup app extracts text from the camera's view in addition to detecting faces. This paper presents results from the first large-scale study of visual privacy leaks in the wild. We build CamForensics to identify the kind of information that apps extract from camera data. Our extensive user surveys determine what kind of information users expected an app to extract. Finally, our results show that camera apps frequently defy users' expectations based on their descriptions.

Conference paper

Zhang N, Demetriou S, Mi X, Diao W, Yuan K, Zong P, Qian F, Wang X, Chen K, Tian Y, Gunter C, Zhang K, Tague P, Lin Y-H et al., 2017, Understanding IoT Security Through the Data Crystal Ball: Where We Are Now and Where We Are Going To Be

Inspired by the boom of the consumer IoT market, many device manufacturers, new start-up companies and technology behemoths have jumped into the space. Indeed, in a span of less than 5 years, we have experienced the manifestation of an array of solutions for the smart home, smart cities and even smart cars. Unfortunately, the exciting utility and rapid marketization of IoTs, come at the expense of privacy and security. Online and industry reports, and academic work have revealed a number of attacks on IoT systems, resulting in privacy leakage, property loss and even large-scale availability problems on some of the most influential Internet services (e.g. Netflix, Twitter). To mitigate such threats, a few new solutions have been proposed. However, it is still less clear what are the impacts they can have on the IoT ecosystem. In this work, we aim to perform a comprehensive study on reported attacks and defenses in the realm of IoTs aiming to find out what we know, where the current studies fall short and how to move forward. To this end, we first build a toolkit that searches through massive amount of online data using semantic analysis to identify over 3000 IoT-related articles (papers, reports and news). Further, by clustering such collected data using machine learning technologies, we are able to compare academic views with the findings from industry and other sources, in an attempt to understand the gaps between them, the trend of the IoT security risks and new problems that need further attention. We systemize this process, by proposing a taxonomy for the IoT ecosystem and organizing IoT security into five problem areas. We use this taxonomy as a beacon to assess each IoT work across a number of properties we define. Our assessment reveals that despite the acknowledged and growing concerns on IoT from both industry and academia, relevant security and privacy problems are far from solved. We discuss how each proposed solution can be applied to a problem area and highlight their strengths, assum

Working paper

Lee Y, Li T, Zhang N, Demetriou S, Zha M, Wang X, Chen K, Zhou X, Han X, Grace M et al., 2017, Ghost Installer in the Shadow: Security Analysis of App Installation on Android, 47th IEEE/IFIP Annual International Conference on Dependable Systems and Networks (DSN), Publisher: IEEE, Pages: 403-414, ISSN: 1530-0889

Conference paper

Demetriou S, Zhang N, Lee Y, Wang X, Gunter CA, Zhou X, Grace M et al., 2017, HanGuard: SDN-driven protection of smart home WiFi devices from malicious mobile apps, 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), Publisher: ASSOC COMPUTING MACHINERY, Pages: 122-133

Conference paper

Tuncay GS, Demetriou S, Gunter CA, 2016, Draco: A System for Uniform and Fine-grained Access Control for Web Code on Android, 23rd ACM Conference on Computer and Communications Security (CCS), Publisher: ASSOC COMPUTING MACHINERY, Pages: 104-115

Conference paper

Demetriou S, Merrill W, Yang W, Zhang A, Gunter C et al., 2015, Free for all! Assessing user data exposure to advertising libraries on android, Network and Distributed System Security (NDSS) Symposium

Conference paper

Demetriou S, Zhou X, Naveed M, Lee Y, Yuan K, Wang X, Gunter C et al., 2015, What’s in your dongle and bank account? Mandatory and discretionary protection of android external resources, Network and Distributed System Security Symposium, Publisher: Internet Society, Pages: 1-15

The pervasiveness of security-critical external resources (e.g. accessories, online services) poses new challenges to Android security. Prior research reveals that given the BLUETOOTH and BLUETOOTH_ADMIN permissions, a malicious app on an authorized phone gains unfettered access to any Bluetooth device (e.g., Blood Glucose meter, etc.). Our study further shows that sensitive text messages from online banking services and social networks (account balance, password reset links, etc.) are completely exposed to any app with either the RECEIVE_SMS or the READ_SMS permission. Similar security risks are present in other channels (Internet, Audio and NFC) extensively used to connect the phone to assorted external devices or services. Fundamentally, the current permission-based Discretionary Access Control (DAC) and SEAndroid-based Mandatory Access Control (MAC) are too coarse-grained to protect those resources: whoever gets the permission to use a channel is automatically allowed to access all resources attached to it. To address this challenge, we present in this paper SEACAT, a new security system for fine-grained, flexible protection on external resources. SEACAT supports both MAC and DAC, and integrates their enforcement mechanisms across the Android middleware and the Linux kernel. It extends SEAndroid for specifying policies on external resources, and also hosts a DAC policy base. Both sets of policies are managed under the same policy engine and Access Vector Cache that support policy checks within the security hooks distributed across the framework and the Linux kernel layers, over different channels. This integrated security model was carefully designed to ensure that misconfigured DAC policies will not affect the enforcement of MAC policies, which manufacturers and system administrators can leverage to define their security rules. In the meantime, a policy management service is offered to the ordinary Android users for setting policies that protect the resour

Conference paper

Naveed M, Zhou X, Demetriou S, Wang X, Gunter C et al., 2014, Inside job: understanding and mitigating the threat of external device mis-bonding on android, Network and Distributed System Security Symposium (NDSS 2014), Publisher: Internet Society

We found that today’s Android design allows an app with a Bluetooth permission to gain unauthorized access to any Bluetooth devices (particularly healthcare devices) and also misbind the phone with an attack device to inject data to the official apps of the original devices. We also developed an OS-level protection to address this new challenge.

Conference paper

Naveed M, Zhou X, Demetriou S, Wang XF, Gunter CA et al., 2014, Inside Job: Understanding and Mitigating the Threat of External Device Mis-Bonding on Android

Today’s smartphones can be armed with many types of external devices, such as medical devices and credit card readers, that enrich their functionality and enable them to be used in application domains such as healthcare and retail. This new development comes with new security and privacy challenges. Existing phone-based operating systems, Android in particular, are not ready for protecting authorized use of these external devices: indeed, any app on an Android phone that acquires permission to utilize communication channels like Bluetooth and Near Field Communications is automatically given the access to devices communicating with the phone on these channels. In this paper, we present the first study on this new security issue, which we call external Device Mis-Bonding or DMB, under the context of Bluetooth-enabled Android devices. Our research shows that this problem is both realistic and serious: oftentimes an unauthorized app can download sensitive user data from an Android device and also help the adversary to deploy a spoofed device that injects fake data into the original device’s official app on the phone. Specifically, we performed an in-depth analysis on four popular health/medical devices that collect sensitive user information and successfully built end-to-end attacks that stealthily gathered sensitive user data and fed arbitrary information into the user’s health/medical account, using nothing but Bluetooth permissions and public information disclosed by the phone. Our further study of 68 relevant device-using apps from Google Play confirms that the vast majority of the devices on the market are vulnerable to this new threat. To defend against it, we developed the first OS-level protection, called Dabinder. Our approach automatically generates secure bonding policies between a device and its official app, and enforces them when an app attempts to establish Bluetooth connections with a device and unpair the phone from the device (for res

Conference paper

This data is extracted from the Web of Science and reproduced under a licence from Thomson Reuters. You may not copy or re-distribute this data in whole or in part without the written consent of the Science business of Thomson Reuters.
