Another project I worked on soon after arriving at Duo, this one involved learning about the new WebAuthn standard and figuring out a path forward for Duo in a passwordless (and 2FA-less) world. In particular, Nick Mooney and I built the first WebAuthn client library for Android and used it to build, along with Nick Steele, a prototype passwordless auth mechanism for the Duo Mobile app. Hopefully, as WebAuthn and passwordless authentication gains more traction, we will eventually see the feature show up in the product for everyone to use.
This was one of the two first projects I worked on as a new Duonaut. Mikhail Davidov was already investigating the T2's secure boot process, and asked me to investigate the ccommunication channel between the T2 and the macOS host. After reversing Apple's proprietary XPC protocol, we built tooling that would enable any unprivileged process running on the mac to communicate with services running on the T2 chip. Apple closed this attack vector within weeks of our initial disclosure to them, but researchers willing to disable SIP on a test machine can still leverage our tooling to continue to probe the T2 chip.
This work culminated in presentations both at Black Hat USA and Cisco's Offensive Summit.
This was my first foray into autonomous vehicle security. Building on some prior work with SGX enclaves, I had a neat idea. What if, in autonomous vehicle platooning, we could get each vehicle to agree not to crash into the other vehicles in the platoon, and actually enforce that agreement. This turned into the idea of autonomous vehicle contracts. We explored the necessary consequences of forming these contracts in practice, which led to building a contract chain protocol to negotiate these contracts safely and ensure that, even under attack, these autonomous vehicles would remain safe for their passengers.
This was a simple little side project I performed to evaluate the feasibility of reactive approaches to attacks on autonomous vehicle platoons. Essentially, reactive approaches, such as intrusion detection, can only react as soon as they discover a rogue vehicle has behaved anomalously. This will incur at least some short delay. When combined with differences in vehicle braking deceleration rates, it becomes clear that purely-reactive approaches to platooning safety are insufficient. This motivates our later work on CommPact.
I built a fairly simple graph utility to display how adjusting different initial parameters, such as vehicle speed, deceleration rate, and reaction delay, impact the final theoretical safe following distance. All parameters can be adjusted via slider, and the graph shows how each parameter will affect the necessary following distance, given the currently-selected initial values.
This project started as a way to enhance a home router to provide:
Course project with Tim Trippel. After our previous work attacking Virtual Machine RNG from the hypervisor, we came up with a solution using trusted hardware (Intel SGX) to enable applications to securely perform their needed crypto operations. We built a shared library that instantiates an SGX enclave, provisions keys for use by a TLS library such as OpenSSL, and provides protected crypto operations within the trusted enclave. This approach prevents a malicious OS or hypervisor from subverting the RNG.
Course project with Tim Trippel and Andrew Quinn. Built attacks to programmatically control the output of /dev/random and /dev/urandom, as well as the generation of private keys for Diffie-Hellman key exchanges in Apache2/OpenSSL from the hypervisor, without modification to the Virtual Machine. Explored artifacts of these attacks and proposed detection methods to combat use in the wild.
Worked with Aravind Vadrevu and advised by Alex Halderman and Matthew Hicks. Designed a modified ZMap scanner to send signals to large IP spaces concurrently. Signals detected via smartphone app with image-recognition detecting LED blinks on home routers. Allows determination of IP address using physical side-channel.
EECS 388 (the undergraduate security class) has traditionally had a networking project that includes a component in which the students must crack WEP encryption on a wireless network. I rebuilt the scenario into a PenTest in which the students are responsible for the first three phases of the PenTest lifecycle as they break into a WPA-encrypted wireless network and steal "sensitive company information." The assignment now comes complete with authorization agreement (loosely based on the SANS Pentesting Report ) and a report due to the customer at the conclusion.
Worked with Evan Chavis and advised by Kevin Fu and Peter Honeyman to build a replica hospital network environment, building on minimega and with help and advice from our friends at the UM hospital. Evan has been doing most of the heavy lifting on this one.
Course project with Akshitha Sriraman and Sai Gouravajhala. We designed a system, building on Protean Code and my earlier work replicating FLUSH+RELOAD, that dynamically mitigates cache side channel attacks in real time while under attack, but allows critical cryptographic subroutines to execute in a faster, insecure mode when no attack is present.
Course project with Ofir Weisse and Tim Trippel. We designed an alternative to Split TLS that uses the mechanism of leaking the session key in real-time to the network gateway to allow network traffic introspection while maintaining end-to-end encryption between the client and server.
Kevin Fu had a great idea for a new PhD student. Spend 4 weeks reimplementing a recent conference paper to