Analysis of Russian Apps for TSPU-Related Risks

Description
The landscape of internet freedom and surveillance is constantly evolving, with various countries employing technical measures to control online information and monitor citizens. Russia's internet ecosystem presents a unique case study, with the recent establishment of a domestic Trusted Root Certificate Authority (CA) and the ongoing utilization of the "Technical Measures to Combat Threats" (TSPU) devices with government-mandated deployment by internet service providers. This thesis investigates the potential risks associated with these developments, focusing on the vulnerability of Russian Android applications to targeted JavaScript attacks compromising the privacy and security of their users. This analysis of Russian Android applications reveals the existence of the Russian CA certificate embedded into the application packages, enabling the Russian government to intercept and manipulate encrypted TLS traffic. Simulating TSPU behavior with mitmproxy demonstrates the susceptibility of all tested applications to JavaScript injection attacks, allowing targeted government surveillance. This thesis proposes several mitigation strategies and highlights the need for a systemic solution to address the security risks associated with government-controlled CAs in applications, considering Google Play Market restrictions on such certificate inclusion. This thesis contributes to the evolving discussion on internet freedom and cybersecurity in Russia by exposing the unique vulnerabilities faced by users within the Russian digital ecosystem.
Date Created
2024

WFNAS: Weight-Agnostic Federated Neural Architecture Search

Description
Federated Learning (FL) is envisaged to be a promising solution for collaboratively training a machine learning model while keeping the training data decentralized and private. Instead of sharing raw data to the central entity, the participating client devices share focused updates for aggregation to ensure global convergence of the model. Owing to the shortcomings of manually handcrafted neural network architectures, the research community is striving to develop Neural Architecture Search (NAS) approaches to automatically search for optimal networks that fit the clients’ data. Despite the inaccessibility of clients’ data in an FL setting, the federated NAS literature has recently witnessed great progress to apply these NAS techniques to an FL setting. However, one of the key bottlenecks of Federated Learning is the cost of communication between clients and the server, and the state-of-the-art federated NAS techniques search for networks with millions of parameters that require several rounds of communication to find the optimal weight parameters. Also, deploying a network having millions of parameters on edge devices (which are the typical participants in an FL process) is infeasible due to its computational limitations and increased latency. Thus, this work proposes Weight-Agnostic Federated Neural Architecture Search (WFNAS), a novel evolutionary framework to search for well-performing and minimally connected weight-agnostic network architectures in an FL setting. As the connectivity of the networks themselves is the solution, there is no need for weight training and hyperparameter tuning, reducing the communication overhead significantly. The experiments indicate a gain of nearly 40% for orthogonal (vertical FL) data distributions compared to local training. This work is the first federated NAS technique in the literature for vertical FL. 
Although the experiments are performed in a resource-constrained environment, the aim of this thesis is to show a new direction of research to the FL community.
Date Created
2021

A Computational Model of Adaptive Capacity to Climate Change

Description
Adaptive capacity to climate change is the ability of a system to mitigate or take advantage of climate change effects. Research on adaptive capacity to climate change suffers fragmentation. This is partly because there is no clear consensus around precise definitions of adaptive capacity. The aim of this thesis is to place definitions of adaptive capacity into a formal framework. I formalize adaptive capacity as a computational model written in the Idris 2 programming language. The model uses types to constrain how the elements of the model fit together. To achieve this, I analyze nine existing definitions of adaptive capacity. The focus of the analysis was on important factors that affect definitions and shared elements of the definitions. The model is able to describe an adaptive capacity study and guide a user toward concepts lacking clarity in the study. This shows that the model is useful as a tool to think about adaptive capacity. In the future, one could refine the model by forming an ontology for adaptive capacity. One could also review the literature more systematically. Finally, one might consider turning to qualitative research methods for reviewing the literature.
Date Created
2022-05

An Exploratory Literature Review of Efforts Towards Improving Cybersecurity

Description
Data breaches and software vulnerabilities are increasingly severe problems that incur both monetary and reputational costs for companies as well as societal impacts. While companies have clear monetary and legal incentives to mitigate risk of data breaches, companies have significantly less incentive to mitigate software product vulnerabilities, and their existing incentive is widely considered insufficient. In this thesis, I initially set out to perform a statistical analysis correlating company characteristics and behavior with the characteristics of the data breaches they suffer, as well as performing a meta-analysis of existing literature. While the attempted statistical analysis was hindered by lack of sufficiently comprehensive free company datasets, I have recorded my efforts in finding suitable databases. I have also performed an exploratory literature review of 15 papers in the field of improving cybersecurity, and identified four blockers to security addressed and three elements of solutions proposed by the papers, as well as derived insights from the distribution of these blockers and elements of solutions in the papers reviewed.
Date Created
2022-05

A Verifiable Distributed Voting System Without a Trusted Party

Description
Cryptographic voting systems such as Helios rely heavily on a trusted party to maintain privacy or verifiability. This tradeoff can be done away with by using distributed substitutes for the components that need a trusted party. By replacing the encryption, shuffle, and decryption steps described by Helios with the Pedersen threshold encryption and Neff shuffle, it is possible to obtain a distributed voting system which achieves both privacy and verifiability without trusting any of the contributors. This thesis seeks to examine existing approaches to this problem, and their shortcomings. It provides empirical metrics for comparing different working solutions in detail.
Date Created
2021

The Voices Behind Robocalls in the Telephone Spam Ecosystem

Description

The rampant occurrence of spam telephone calls shows a clear weakness of authentication and security in our telephone systems. The onset of cheap and effective voice over Internet Protocol (VoIP) technology is a major factor in this as our existing telephone ecosystem is virtually defenseless by many features of this technology. Our telephone systems have also suffered tremendously from a lack of a proper Caller ID verification system. Phone call spammers are able to mask their identities with relative ease by quickly editing their Caller ID. It will take a combination of unique innovations in implementing new authentication mechanisms in the telephone ecosystem, novel government regulation, and understanding how the people behind the spam phone calls themselves operate.
This study dives into the robocall ecosystem to find more about the humans behind spam telephone calls and the economic models they use. Understanding how the people behind robocalls work within their environments will allow for more insight into how the ecosystem works. The study looks at the human component of robocalls: what ways they benefit from conducting spam phone calls, patterns in how they identify which phone number to call, and how these people interact with each other within the telephone spam ecosystem. This information will be pivotal to educate consumers on how they should mitigate spam as well as for creating defensive systems. In this qualitative study, we have conducted numerous interviews with call center employees, have had participants fill out surveys, and garnered data through our CallFire integrated voice broadcast system. While the research is still ongoing, initial conclusions in my pilot study interview data point to promising transparency in how the voices behind these calls operate on both a small and large scale.

Date Created
2021-05

Scuttlebutt and Whuffie: Reputation in Distributed Networks

Description

Secure Scuttlebutt is a digital social network in which the network data is distributed among the users. This is done to secure several benefits, like offline browsing, censorship resistance, and to imitate natural social networks, but it comes with downsides, like the lack of an obvious implementation of a recommendation algorithm. This paper proposes Whuffie, an algorithm that tracks each user's reputation for having information that is interesting to a user using conditional probabilities. Some errors in the main Secure Scuttlebutt network prevent current large-scale testing of the usefulness of the algorithm, but testing on my own personal account led me to believe it a success.

Date Created
2021-05

Cryptojacking Detection: A Classification and Comparison of Malicious Cryptocurrency Mining Detection Systems

Description

Cryptojacking is a process in which a program utilizes a user’s CPU to mine cryptocurrencies unknown to the user. Since cryptojacking is a relatively new problem and its impact is still limited, very little has been done to combat it. Multiple studies have been conducted where a cryptojacking detection system is implemented, but none of these systems have truly solved the problem. This thesis surveys existing studies and provides a classification and evaluation of each detection system with the aim of determining their pros and cons. The result of the evaluation indicates that it might be possible to bypass detection of existing systems by modifying the cryptojacking code. In addition to this classification, I developed an automatic code instrumentation program that replaces specific instructions with functionally similar sequences as a way to show how easy it is to implement simple obfuscation to bypass detection by existing systems.

Date Created
2021-05

Keep It In Your Scope: My First Independent Video Game

Description
Gamification is used to provide an entertaining alternative to educate an individual on a topic that has proven to be difficult, confusing, or undesirable. This thesis describes the design of a video game whose goal was to provide a way for coders and non-coders to educate themselves on programming scopes while also being entertained in the process. Reaching the goal required using the puzzle genre to create a concept where programming scopes would serve as the primary mechanic while also using various other programming concepts to complement it. These concepts include variables, values, functions, programming statements, and conditions.
In order to ensure that the game worked both as an educational tool as well as an entertaining one, informal testers were used with various degrees of experience in both coding and video games. After reaching the end of the game, each of the testers demonstrated that they understood the programming concepts in their video game form. However, this understanding came after additional verbal help was supplied and illustrated that the tutorial section of the game would need to be re-worked in order to efficiently demonstrate each concept.
Date Created
2020-05

Rule-Based Home Automation

Description
Apple’s HomeKit framework centralizes control of smart home devices and allows users to create home automations based on predefined rules. For example, a user can add a rule to turn off all the lights in their house whenever they leave. Currently, these rules must be added through a graphical user interface provided by Apple or a third-party app on iOS. This thesis describes how a text-based language provides users with a more expressive means of creating complex home automations and successfully implements such a language. Rules created using this text-based format are parsed and interpreted into rules that can be added directly into HomeKit. This thesis also explores how security features should be implemented with this text-based approach. Since automations are run by the system without user interaction, it is important to consider how the system itself can provide functionality to address the unintended consequences that may result from running an automation. This is especially important for the text-based approach since its increase in expressiveness makes it easier for a user to make a mistake in programming that leads to a security concern. The proposed method for preventing unintended side effects is using a simulation to run every automation prior to actually running the automation on real-world devices. This approach allows users to code some conditions that must be satisfied in order for the automation to run on devices in the home. This thesis describes the creation of such a program that successfully simulates every device in the home. There were limitations, however, with Apple's HomeKit framework, which made it impractical to match the state of simulated devices to real devices in the home. Without being able to match the current state of the home to the current state of the simulation, this method cannot satisfy the goal of ensuring that certain adverse effects will not occur as a result of automations. 
Other smart home control platforms that provide more extensibility could be used to create this simulation-based security approach. Perhaps as Apple continues to open up their HomeKit platform to developers, this approach may be feasible within Apple's ecosystem at some point in the future.
Date Created
2020-05