Trusted hardware components are essential when protecting the security of our devices and privacy of our online activities. Several kinds of trusted hardware components are widely available, most notably Trusted Execution Environments (TEEs) and Secure Hardware Tokens. Increasing availability of such hardware prompts a natural question: How can systems benefit from these trusted hardware components? In this dissertation, we design four systems (COMIT, PDoT, CACTI, and VICEROY) that have enhanced security and privacy properties due to the integration of trusted hardware components. We identify and address the key challenges and issues that arise during the integration process. By evaluating proof-of-concept implementations of the four systems, we show that they meet necessary security, privacy, latency, throughput, and deployment requirements.

Content-Centric Networking (CCN) is a networking paradigm alternative to today’s IP-based Internet Architecture. One fundamental goal of CCN is to include security and privacy as part of its design. CCN adheres to a simple request and response protocol. Consumers issue interests for named content objects. Routers forward these interests toward content producers. Once the desired content is located, it is returned to the consumer along the same path, in reverse, of corresponding interests. CCN routers can unilaterally cache content to reduce end-to-end latency and bandwidth consumption for future duplicate interests. In this dissertation, we study several security and privacy issues introduced by opportunistic caching in CCN. Specifically, we investigate the influence of caching on consumer and producer privacy, content poisoning attacks, and accounting. For each issue, we describe its root causes, discuss potential countermeasures, and present some experimental results. We conclude that, despite its networking benefits, router caching triggers some important security and privacy problems.

Several prominent privacy laws require service providers to let consumers request access, correction, or deletion of their personal data. Compliance with such laws necessitates the verification of consumers' identities. This is not a problem for consumers who already have an account with a service provider since they can authenticate themselves via a successful account log-in, e.g., using username/password, or two-factor authentication. However, there are no such methods for accountless consumers, even though service providers (e.g., data aggregators) routinely accumulate data on consumers without accounts. Currently, accountless consumers are asked to share Personally Identifiable Information (PII) with service providers, which is privacy-invasive.

This paper proposes \textit{\piva: a \pivatextunderline} using \textit{Private List Intersection (PLI)} and its variants. First, we introduce PLI, a close relative of \textit{private set intersection (PSI)}, a well-known cryptographic primitive that allows two or more mutually distrusting parties to compute the intersection of their private input sets. PLI takes advantage of the (ordered and fixed) list structure of the parties' private sets. As a result, PLI can be made more efficient than PSI. We also explore PLI variants: PLI-cardinality (PLI-CA), threshold-PLI (t-PLI), and threshold-PLI-cardinality (t-PLI-CA), all of which yield less information than PLI. These variants are progressively better suited for addressing the accountless consumer authentication problem. We prototype \piva and evaluate its performance, using regular PSI and garbled circuits as the basis for comparison. Results show that our PLI and PLI-CA constructions are more efficient than a garbled circuit approach, in both computation and communication overheads. While the garbled circuit-based implementations of t-PLI and t-PLI-CA have a faster execution time, our constructions greatly outperform garbled circuits in terms of bandwidth, with the garbled circuit-based implementation of t-PLI requiring $16\times$ the bandwidth of our construction. Additionally, the constructed t-PLI protocol is faster than existing threshold PSI protocols, taking advantage of the ordered property of lists. All implementation and evaluation are available in \cite{anon_piva}.

This dissertation addresses "distributed cryptography" in the presence of "almost" asynchrony. Many machines collaborate to accomplish some goal -- whether agreeing on a bit, secure group messaging, or computing a function of their inputs -- over a network that is not guaranteed to deliver messages within a known time constraint. The applications in this dissertation explore new tradeoffs on the spectrum of synchronous to asynchronous executions, adversarial advantages, and efficiency.

First, we explore consensus protocols in both a poorly-studied permissioned model and a novel permissionless model. Consensus protocols require that all parties agree on the same output bit, and that the output is constrained by their inputs. In the permissioned model, we study optimal constraints on highly efficient, sublinear-round protocols, where somewhat faulty but otherwise correct parties must produce outputs consistent with fully functional, honest parties. In the permissionless model we ask under what synchronization conditions consensus is possible at all, and illustrate the power of a technique common to most Proof-of-X primitives to achieve consensus in a very weakly synchronized model.

We then explore asynchronous, concurrent group messaging and provide a framework for reasoning about group keys that simplifies their security proofs. In concurrent group messaging, parties send application messages while also continuously updating the group key; in an asynchronous network, there may be many simultaneous latest group keys due to concurrent evolutions by different parties. Using our framework, we prove security of a novel protocol that achieves better security properties in asynchronous networks than any previous protocol.

Finally, we analyze timed cryptographic primitives and introduce a novel model for proving security of arbitrarily composed timed primitives. The model permits an adversary to operate an asynchronous network, but the adversary is bounded in depth to model realistic passage of time.

For each application, we discuss or prove how the constraints applied to the asynchronous model make the problem tractable, and explain how the resulting models represent progress towards cryptography that could be deployed.

Internet-of-Things (IoT), “smart”, and Cyber-Physical Systems (CPS) devices have become increasingly popular and commonplace over the past two decades. Some of them perform safety-critical tasks and collect sensitive information, e.g., smoke detectors, temperature sensors, heart rate monitors, and fitness trackers. However, due to their stringent cost, size, and energy constraints, they are equipped with few (or no) security features. This makes them vulnerable to attacks. Some prior work proposed security architectures (such as remote attestation, proof of execution, and secure reset/erasure) to detect and mitigate malware on them. However, these approaches either partially mitigate the problem and/or require new hardware that is unrealistic for low-end devices.

This dissertation presents four hybrid (hardware/software co-design) root-of-trust (RoT) architectures that mitigate various attacks with small hardware modifications: TinyCFA, DIALED, VERSA, and CASU. TinyCFA and DIALED are passive RoTs that detect runtime (control-flow and data-only) attacks by proposing new control-flow and data-flow attestation architectures respectively. Whereas, VERSA and CASU are active RoTs that prevent sensor data privacy leakage and code-injection attacks based on hardware-enforced access control mechanisms. We implement and evaluate these architectures on low-end microcontrollers (e.g., TI MSP430) and show that they are suitable for resource-constrained IoT. We also formally verify the hardware implementation of VERSA and CASU, thus showing that they meet all stated security requirements.

The importance of privacy has been growing steadily for over 25 years. Increasingly popularareas (such as IoT, cryptocurrencies and genomics) have attracted and fueled new types of privacy-focused attacks and exploits. This dissertation focuses on the lifecycle of secrets (or data) -- from initial entry to use, to present attacks and defenses that utilize emerging technologies. We start by presenting a side-channel attack that targets password entry. This attack uses thermal residues (that results from human fingertips touching the keyboard) to recover recently entered passwords on external keyboards. Then, we present a privacy-preserving CAPTCHA alternative that mimics the rate-limiting nature of CAPTCHAs. To skip CAPTCHAs, clients generate rate-proofs when the rate at which they have performed an action (e.g., visit a website, sign up for an email account) is below a server-supplied threshold. Rate-proofs, generated by client-side Trusted Execution Environments (TEEs), assure servers that clients are not acting in an abusive manner. We also propose a scalable data ownership framework in which clients with no accounts on a website can prove ownership of data collected from them. Although data ownership proofs are possible using traditional authentication methods (e.g., passwords), there is no accepted way of achieving this for acountless clients. This framework completes the missing piece of verifiable consumer requests which are used to exercise data rights (access/modify/delete) granted by recent data protection regulations such as GDPR and CCPA. A client-side TEE can be used to store a secret that can initiate these requests. The use of TEEs, as shown in these two work, allows us to secure and privacy-protect secrets/data after entry. Lastly, we present a cryptograpy-based solution for range queries in the genomics domain. This ensures the authenticity and integrity of the genome of the individual while minimizing the exposed data to testers. It uses a variety of techniques ranging from zero-knowledge range proofs and digital signatures to continual linking of elements inspired by literature on range queries on databases. We use the genomics domain to show how privacy can be achieved if there are no TEEs.

In recent years, embedded and cyber-physical systems (CPS), under the guise of Internet-of-

Things (IoT), have entered many aspects of daily life. Despite many benefits, this develop-

ment also greatly expands the so-called attack surface and turns these newly computerized

gadgets into attractive attack targets. One key component in securing IoT devices is malware

detection, which is typically attained with (secure) remote attestation. Remote attestation

is a distinct security service that allows a trusted verifier to verify the internal state of a

remote untrusted device. Remote attestation is especially relevant for low/medium-end em-

bedded devices that are incapable of protecting themselves against malware infection. As

safety-critical IoT devices become commonplace, it is crucial for remote attestation not to

interfere with the device’s normal operations. In this dissertation, we identify major issues in

reconciling remote attestation and safety-critical application needs. We show that existing

attestation techniques require devices to perform uninterruptible (atomic) operations during

attestation. Such operations can be time-consuming and thus may be harmful to the device’s

safety-critical functionality. On the other hand, simply relaxing security requirements of re-

mote attestation can lead to other vulnerabilities. To resolve this conflict, this dissertation

presents the design, implementation, and evaluation of several mitigation techniques. In par-

ticular, we propose two light-weight techniques capable of providing interruptible attestation

modality. In contrast to traditional techniques, our proposed techniques allow interrupts to

occur during attestation while ensuring malware detection via shuffled memory traversals or

memory locking mechanisms. Another type of techniques pursued in this dissertation aims

to minimize the real-time computation overhead during attestation. We propose using peri-

odic self-measurements to measure and record the device’s state, resulting in more flexible

scheduling of the attestation process and also in no real-time burden as part of its interaction

with verifier. This technique is particularly suitable for swarm settings with a potentially

large number of safety-critical devices. Finally, we develop a remote attestation HYDRA

architecture, based on a formally verified component, and use it as a building block in our

proposed mitigation techniques. We believe that this architecture may be of independent

interest.

Preserving data privacy is a formidable challenge in today’s interconnected and data-centric world. Individuals are surrounded by “smart” devices that collect and generate massive amounts of sensitive data. Moreover, organizations collect personalized data, including private information, to provide more functionalities and better quality for their data-driven services. Therefore, ensuring data privacy throughout its lifecycle, i.e., from generation to consumption, is paramount.To this end, this dissertation tackles several challenges to attain such end-to-end data privacy. We first investigate lower-end devices to preserve data privacy from its generation, and propose two secure architectures: one for mid-range devices with memory management unit and the other for low-end devices with no security features. Then, we revisit cryptographic computing, a promising privacy-enhancing technology for data in use, focusing on input correctness, generalized adversary models, and challenges in real-world applications.

Currently, Turing tests (notably in the form of CAPTCHAs) are used as a claimed barrieragainst bots on the Internet. During the last 20+ years, both CAPTCHAs and attacks against them have evolved in sophistication, in the course of a seemingly endless “arms race”. Many problems that were considered as being hard for AI are now trivial to solve automatically, such as OCR and image labeling. Consequently, most types of modern CAPTCHAs have become ineffective. This prompts a natural question: Is it possible to remotely determine whether an interaction is performed by a human or a computer?

In this dissertation, we conduct three large-scale user studies of modern CAPTCHAs. Thefirst investigates comparative performance of ten popular CAPTCHA types with 1,400 MTurk participants. The second study is a long-term (over a year long) experiment with Google’s reCAPTCHAv2 deployed in a real-world scenario with over 3,600 live and unaware participants. Finally, the third study – with over 1,400 participants – focuses on CAPTCHA-induced activity abandonment. Results from the three studies show that CAPTCHAS:

• are solved slower by humans than bots on average.• have consumed billions of hours of human time. • are generally disliked and cause users to quit. • should be deprecated.

An increasing number of security-critical tasks require human involvement. These tasks assume that the human is the weakest point in the security chain, and are explicitly designed to be as robust as possible while remaining human-usable. Failures in performing such tasks are typically blamed on human error. However, the human’s sensory environment is usually not taken into consideration. The Internet of Things’s emergence has created settings where a user’s sensory inputs can be controlled remotely. To the best of our knowledge, there has been no prior work to evaluate the potential impact of malicious sensory input on human performance of security tasks.

In this dissertation, we evaluate usability of several security-critical tasks under differing forms of adversarial noise. Specifically, we conduct a series of unattended experiments to evaluate the impacts on subject failure rate and task completion times when attempting Bluetooth Pairing, CAPTCHA entry, and short-authentication-string entry when exposed to crafted auditory and visual stimuli. We conclude that there is a rich space for both beneficial sensory stimulation, as well as a broad attack surface for adversaries that control a user’s sensory environment. Additionally, we find that the impacts on task performance caused by unexpected sensory stimulation can be generalized according to the Brain Arousal Model.