Projects
The current research focus of the Security and Privacy (SnP) Lab is applied cryptography and data security. We have been leveraging various novel techniques (e.g., cryptography, hardware features of flash storage) to protect the confidentiality and integrity of mission-critical data stored in mobile devices, flash memory, cloud data centers, etc. A few ongoing projects:
Secure Deletion on Sensitive Data (SecDel)
Plausibly Deniable Encryption Storage on Mobile Devices (PDE)
Data Recovery from Malicious Attacks (DRM)
SecDel
Secure Deletion on Sensitive Data
Descriptions:
Securely deleting obsolete data is of paramount importance, as retaining such data may not only endanger data owners’ privacy, but also violate retention regulations like HIPAA, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, and GDPR. The goal of this project is to design novel techniques to completely eliminate data from various storage media, including hard disk drives (HDD) and flash memory.
Unlike prior work in the secure deletion literature, our research is based on two key observations. First, a modern storage system usually consists of multiple layers (e.g., the application layer, the file system layer, and the storage medium layer), and performing secure deletion at an upper layer is usually not able to eliminate the data, since data leakage may be observed at the lower layers. Second, the past existence of the data may leave various “traces” in the storage medium at all layers, which may be utilized by the adversary to derive sensitive information about the data being deleted.
Following these observations, we initiate the investigation of a secure deletion framework which, for the first time, can achieve the secure deletion guarantee that 1) the deleted data cannot be completely or partially recovered, and 2) the adversary cannot learn anything about the deleted data. Such a guarantee cannot be achieved by existing overwriting-based or encryption-based secure deletion approaches.
Publications:
[ASIACCS ’19] Biao Gao, Bo Chen, Shijie Jia, and Luning Xia. eHIFS: An Efficient History Independent File System. The 14th ACM ASIA Conference on Computer and Communications Security (ASIACCS ’19), Auckland, New Zealand, July 2019 (Acceptance rate: 17%).
[Cybersecurity ’18] Qionglu Zhang, Shijie Jia, Bing Chang, Bo Chen. Ensuring Data Confidentiality via Plausibly Deniable Encryption and Secure Deletion - A Survey. Cybersecurity (2018) 1: 1
[ACSAC ’16] Bo Chen, Shijie Jia, Luning Xia, and Peng Liu. Sanitizing Data is Not Enough! Towards Sanitizing Structural Artifacts in Flash Media. 2016 Annual Computer Security Applications Conference (ACSAC ’16), Los Angeles, California, USA, December 2016 (Acceptance rate: 22.8%)
[ASIACCS ’16] Shijie Jia, Luning Xia, Bo Chen, and Peng Liu. NFPS: Adding Undetectable Secure Deletion to Flash Translation Layer. The 11th ACM Asia Conference on Computer and Communications Security (ASIACCS ’16), Xi'an, China, May 30 - June 3, 2016 (Acceptance rate: 20.9%)
[arXiv ’15] Bo Chen, and Radu Sion. "HiFlash: A history independent flash device." arXiv preprint arXiv:1511.05180 (2015)
Posters:
Niusen Chen and Bo Chen. Secure Deletion in Flash Storage Media. 2019 Flash Memory Summit. Santa Clara, California, August 2019.
Niusen Chen and Bo Chen. Towards Secure Deletion in Flash Storage Media. 2019 MTU Workshop to Expose Undergraduate Women to Computer Science Research. Houghton, MI, April 2019.
PDE
Plausibly Deniable Encryption Storage on Mobile Devices
Descriptions:
Mobile computing devices (e.g., smart phones, tablets) are increasingly ubiquitous nowadays. Due to their portability and mobility, more and more people today turn to such devices for daily communications, web browsing, online shopping, electronic banking, etc. This, however, leaves large amounts of sensitive personal/corporate data in these devices. To protect sensitive information, all the major mobile operating systems have incorporated a certain level of encryption. A broadly used encryption technique is full disk encryption (FDE), which has been available on Android phones since version 3.0. FDE can defend against a passive attacker who tries to retrieve sensitive information from the data storage. However, it cannot defend against an active attacker, who can capture the device owner and force the owner to disclose the key used for decrypting the sensitive information. We need a technique which can protect the sensitive data even when the data owner faces such a coercive attack. This is a necessary technique for protecting sensitive data as well as the people who possess them.
Plausibly Deniable Encryption (PDE) has been proposed to defend against adversaries who can coerce users into revealing the encrypted sensitive content. The high-level idea of PDE is: the original sensitive data are encrypted into a cipher-text in such a way that, when a decoy key is used, a different, reasonable and innocuous plain-text is generated; only when the true key is used are the original sensitive data disclosed. Upon being coerced, the victim can simply disclose the decoy key to avoid being tortured. Our goal in this project is to leverage the concept of PDE and build deniable storage systems specifically for mobile devices, which is challenging compared to PDE systems for PC platforms because: First, compared to a PC platform, a mobile platform is usually equipped with limited computational resources and is sensitive to energy consumption. In other words, PDE designs for mobile platforms have much higher requirements in efficiency and energy effectiveness. Therefore, the existing PDE systems built for PC platforms are not immediately applicable to mobile platforms due to their large overhead. Second, modern mobile devices usually use NAND flash as storage media, and deniability compromise is possible due to flash storage's internal design for handling the special nature of flash memory. Compared to mechanical drives, flash memory has a few completely different characteristics, including: 1) Flash memory is update unfriendly. A flash cell cannot be over-written before it has been erased. However, the erase can only be performed on the basis of a large region (i.e., a 128-KB block); 2) Flash memory is vulnerable to wear. A flash cell can only be programmed/erased a limited number of times before the wear begins to deteriorate its integrity.
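The flash characteristics listed above (no in-place overwrite, erase only per block, wear), together with the SecDel observation that deletion at an upper layer can leave the data at a lower layer, can be seen in a toy flash translation layer. This is an added example, not code from the lab's systems; the ToyFTL class, its methods, the 4-page block size and the sample data are constructed for illustration.

```python
PAGES_PER_BLOCK = 4  # toy geometry (assumption); real blocks are far larger

class ToyFTL:
    """Hypothetical, minimal flash translation layer; None marks an erased page."""

    def __init__(self, num_blocks=2):
        self.pages = [None] * (num_blocks * PAGES_PER_BLOCK)  # physical pages
        self.l2p = {}  # logical page number -> physical page number
        self.erase_counts = [0] * num_blocks  # wear per block

    def write(self, lpn, data, avoid_block=None):
        # A programmed page cannot be overwritten, so every write goes to an
        # erased page; the old physical page turns stale but keeps its content.
        for ppn, content in enumerate(self.pages):
            if content is None and ppn // PAGES_PER_BLOCK != avoid_block:
                self.pages[ppn] = data
                self.l2p[lpn] = ppn
                return ppn
        raise RuntimeError("no erased page left; garbage collection needed")

    def read(self, lpn):
        return self.pages[self.l2p[lpn]]

    def raw_dump(self):
        # View of someone reading the flash chip directly, below the file system.
        return [p for p in self.pages if p is not None]

    def erase_block(self, block):
        # Erase works only on a whole block: move live pages out first.
        for lpn, ppn in list(self.l2p.items()):
            if ppn // PAGES_PER_BLOCK == block:
                self.write(lpn, self.pages[ppn], avoid_block=block)
        start = block * PAGES_PER_BLOCK
        self.pages[start:start + PAGES_PER_BLOCK] = [None] * PAGES_PER_BLOCK
        self.erase_counts[block] += 1  # each erase consumes block lifetime

def demo():
    ftl = ToyFTL()
    ftl.write(0, b"SECRET")        # constructed sample data
    ftl.write(1, b"other")
    ftl.write(0, b"\x00" * 6)      # upper-layer "secure delete" by overwriting
    logical_view = ftl.read(0)     # the file system now sees only zeros
    stale_before = b"SECRET" in ftl.raw_dump()
    ftl.erase_block(0)             # only a block erase removes the stale page
    stale_after = b"SECRET" in ftl.raw_dump()
    return logical_view, stale_before, stale_after, ftl.erase_counts, ftl.read(1)

if __name__ == "__main__":
    print(demo())
```

The model covers only the stale-data effect; the "traces" left by the past existence of data, which the SecDel description names as a second concern, are not modelled.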
Projects:
Hardware-assisted Plausibly Deniable System for Mobile Devices (Supported by US National Science Foundation under Grant No. 1928349)
Publications:
[DSN ’18] Bing Chang, Fengwei Zhang, Bo Chen, Yingjiu Li, Wen Tao Zhu, Yangguang Tian, Zhan Wang, and Albert Ching. MobiCeal: Towards Secure and Practical Plausibly Deniable Encryption on Mobile Devices. The 48th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN ’18), June 2018 (Acceptance rate: 28%)
[Cybersecurity ’18] Qionglu Zhang, Shijie Jia, Bing Chang, Bo Chen. Ensuring Data Confidentiality via Plausibly Deniable Encryption and Secure Deletion - A Survey. Cybersecurity (2018) 1: 1.
[ComSec ’18] Bing Chang, Yao Cheng, Bo Chen, Fengwei Zhang, Wen Tao Zhu, Yingjiu Li, and Zhan Wang. User-Friendly Deniable Storage for Mobile Devices. Elsevier Computers & Security, vol. 72, pp. 163-174, January 2018
[CCS ’17] Shijie Jia, Luning Xia, Bo Chen, and Peng Liu. DEFTL: Implementing Plausibly Deniable Encryption in Flash Translation Layer. 2017 ACM Conference on Computer and Communications Security (CCS ’17), Dallas, Texas, USA, Oct 30 - Nov 3, 2017 (Acceptance rate: 18%)
[ACSAC ’15] Bing Chang, Zhan Wang, Bo Chen, and Fengwei Zhang. MobiPluto: File System Friendly Deniable Storage for Mobile Devices. 2015 Annual Computer Security Applications Conference (ACSAC ’15), Los Angeles, California, USA, December 2015 (Acceptance rate: 24.4%)
[ISC ’14] Xingjie Yu, Bo Chen, Zhan Wang, Bing Chang, Wen Tao Zhu, and Jiwu Jing. MobiHydra: Pragmatic and Multi-Level Plausibly Deniable Encryption Storage for Mobile Devices. The 17th Information Security Conference (ISC ’14), Hong Kong, China, Oct. 2014
DRM
Data Recovery from Malicious Attacks
Descriptions:
Various attacks (e.g., APT attacks, malware, ransomware) may penetrate networks and systems. They may eventually cause damage to mission-critical data, and significantly affect the daily operations of organizations, enterprises, federal agencies as well as military departments. The goal of this project is to design novel techniques to efficiently detect and identify malicious attacks, eliminate them, and restore the compromised system to a previous good state. Our major tasks are:
1) Attacks/malware detection and identification. This task aims to detect malicious attacks in a timely manner. In addition, the nature of the attacks should be identified and reported.
2) Attacks/malware elimination. This task aims to completely eliminate attacks/malware from the affected system.
3) System restoration. This task aims to enable fast restoration of both external storage and memory.
Projects:
Enabling Secure Data Recovery for Mobile Devices against Malicious Attacks (Supported by US National Science Foundation under Grant No. 1938130)
Publications:
[CODASPY '19] Peiying Wang, Shijie Jia, Bo Chen, Luning Xia and Peng Liu. MimosaFTL: Adding Secure and Practical Ransomware Defense Strategy to Flash Translation Layer. The Ninth ACM Conference on Data and Application Security and Privacy (CODASPY '19), Dallas, TX, USA, March 2019 (Acceptance rate: 23.5%).
[ACSAC ’17] Le Guan, Shijie Jia, Bo Chen, Fengwei Zhang, Bo Luo, Jingqiang Lin, Peng Liu, Xinyu Xing, and Luning Xia. Supporting Transparent Snapshot for Bare-metal Malware Analysis on Mobile Devices. 2017 Annual Computer Security Applications Conference (ACSAC ’17), Orlando, Florida, USA, December 2017 (Acceptance rate: 19.7%) (Distinguished Paper Award)
[SSCI ’17] Kul Prasad Subedi, Daya Ram Budhathoki, Bo Chen, and Dipankar Dasgupta. RDS3: Ransomware Defense Strategy by Using Stealthily Spare Space. The 2017 IEEE Symposium Series on Computational Intelligence (SSCI ’17), Hawaii, USA, Nov. 27 - Dec. 1, 2017.
[JoCS ’17] Bo Chen and Reza Curtmola. Remote Data Integrity Checking with Server-Side Repair. Journal of Computer Security, vol. 25, no. 6, pp. 537-584, 2017
[Elsevier Book ’17] Bo Chen, Reza Curtmola, and Jun Dai. Auditable Version Control Systems in Untrusted Public Clouds. Book Chapter, in Software Architectures for Cloud and Big Data, Ivan Mistrik, Rami Bahsoon, Nour Ali, Maritta Heisel, Bruce Maxim (eds.), Elsevier - Morgan Kaufmann, June 2017
[CRC Book ’16] Reza Curtmola and Bo Chen. Availability, Recovery and Auditing Across Data Centers. Book Chapter, in Cloud Computing Security: Foundations and Challenges, John Vacca (editor), CRC Press, August 2016
[CRC Book ’16] Reza Curtmola and Bo Chen. Integrity Assurance for Data Outsourcing. Book Chapter, in Cloud Computing Security: Foundations and Challenges, John Vacca (editor), CRC Press, August 2016
[CODASPY ’15] Bo Chen, Anil Kumar Ammula, and Reza Curtmola. Towards Server-side Repair for Erasure Coding-based Distributed Storage Systems. The Fifth ACM Conference on Data and Application Security and Privacy (CODASPY ’15), San Antonio, TX, USA, March 2015
[NDSS ’14] Bo Chen and Reza Curtmola. Auditable Version Control Systems. The 21st Annual Network and Distributed System Security Symposium (NDSS ’14), San Diego, CA, USA, Feb. 2014 (Acceptance rate: 18.6%)
[CODASPY ’13] Bo Chen and Reza Curtmola. Towards Self-Repairing Replication-Based Storage Systems Using Untrusted Clouds. The Third ACM Conference on Data and Application Security and Privacy (CODASPY ’13), San Antonio, TX, USA, Feb. 2013 (Acceptance rate: 22.4%) (Outstanding Paper Award)
[SPCC ’12] Bo Chen and Reza Curtmola. Robust Dynamic Provable Data Possession. The Third International Workshop on Security and Privacy in Cloud Computing (SPCC ’12, in conjunction with ICDCS ’12), Macau, China, June 2012
[CCSW ’10] Bo Chen, Reza Curtmola, Giuseppe Ateniese, and Randal Burns. Remote Data Checking for Network Coding-based Distributed Storage Systems. The Second ACM Cloud Computing Security Workshop (CCSW ’10, in conjunction with CCS ’10), Chicago, IL, USA, October 2010
© 2019    Security and Privacy (SnP) Lab @ Michigan Technological University