Research

Anyone is welcome to get involved in research projects with NebraskaCYBER by contacting our faculty or staff members heading any of our projects. Any level of experience is welcome and some projects may pay as well.

Within the NSA designation as a Center of Academic Excellence, we currently target three specific focus areas:

1. Secure Networking and Distributed Computing (mobile, cloud, encryption)
2. Secure Software Development
3. Secure Embedded and Industrial Control Systems

Based upon the above focus areas, we present these research projects currently ongoing within the IA faculty at UNO:

Secure Networking and Distributed Computing (mobile, cloud, encryption)

This focus area is concerned with methods for transporting the data back and forth from the cloud, how the data might be housed securely while there, and how to retrieve it using encryption. Under this focus area also falls our efforts on quantum cryptography and hacking. An interesting side area receiving focus within our group is the security of wearable mobile platforms and how these interact with data storage requirements and external web applications.

• Secure Cloud Storage: One of the aims of this project is to leverage a distributed cloud infrastructure to securely store customer data. The idea is that the compromise or unavailability of a cloud service provider should not compromise the data. At the same time the distribution of data over multiple providers should not cause significant overhead in terms of processing and storage. Our research targets developing new algorithms that are efficient and support verifiability as well as homomorphism.
• Wearable Security and Privacy: The objectives of this research are to a) understand human behaviors towards commercial, medical, and programmable wearables and b) develop, evaluate, and open-source a test-bed and research framework that can be used to explore, analyze, and mitigate cyber-physical security and privacy problems in wearable devices and applications (apps). Wearables are small, cyber-physical systems that can be used for a variety of purposes including collecting biometrics, monitoring the environment around, and/or movement of, a user, and providing additional user interfaces (UIs) for mobile applications.
  Wearable apps are a target rich landscape for attackers because they span multiple cyber-physical domains that encompass many possible points where security and privacy can violated. These domains include the physical wearable device, the air waves between the device and the smartphone, the logical ecosystem on the mobile device (including memory, data, and other apps on the phone), the 3G/4G network the mobile device operates in, and any web resources the app is connected to. Despite copious amounts of research in each individual domain, holistic inter-domain investigations of security and privacy issues and human behaviors across wearable domains are not well understood. Tool support for investigating inter-domain wearable issues is also lacking, limiting researcher and developer efforts towards vulnerability discovery and penetration testing.
  Our research targets these gaps and creates a data collection and test-bed platform for capturing user behaviors and exploring and mitigating security and privacy problems in wearables.
• Quantum Cryptography and Hacking: Quantum cryptography promises to provide perfect secrecy for communication. Such technology will undoubtedly be invaluable for the military operations, financial institutions and data centers, eventually perhaps for the average consumers as well. Our research focuses on developing secure key exchange technologies given practical limitations of hardware technology and finding vulnerabilities in existing protocols in order to secure them against hacking attempts.

Secure Software Development

A current problem with software security is that the “security” part is frequently added on after the software is complete, as opposed to being a part of the software design life cycle. This focus area deals with constructing software that is secure from the initial development efforts through the deployment. Secure software is obviously important in all systems, but of particular importance in areas such as aviation or mission critical infrastructure.

• Study of Software Vulnerabilities: A lot can be learned from a vulnerability. The Common Weakness Enumeration (CWE) is a community-developed dictionary of software weakness types. However, given the large size of the CWE, understanding a weakness, its preceding software faults, resources/locations that it occurs in, and following consequences presents a huge cognitive overload. This work looks at the process of building a semantic template for each weakness type in the CWE and later using the template to study artifacts related to confirmed vulnerabilities in large open source code repositories.
• Tracing Software Weaknesses to Regulatory Controls: Most information systems are highly software intensive and so are vulnerable to attacks that exploit software weaknesses—a significant source of risk for any mission or business process. This risk can be managed by assuring that software will operate as expected in different threat environments: that it will resist most attacks and tolerate those attacks it can’t resist, containing the damage and recovering as soon as possible to normal operational levels. However, when they’re incorporating new systems, stakeholders generally tailor security controls based on system needs, and software security receives much less attention than it deserves. This means that systems are allowed to mature with unmitigated software deficiencies and flaws. On top of this, new software features and capabilities evolve much more rapidly than systems do—during security testing and evaluation, software components are often many development versions ahead of system maturity, so software assurance is, almost by necessity, incomplete. To address these issues we are researching the following topics:
  1. A systematic method to map common software weakness to security controls. In particular, generate a comprehensive mapping of software weaknesses to the NIST 800-53 control baselines.
  2. Identify a mechanism to produce baseline scores for software weaknesses for use in prioritization and selection based on federal security control baselines (Low, Moderate, High). As a pilot, SCADA systems will be used to provide the business value and technical context for such scoring for a subset of common weaknesses.
  We have chosen NIST 800-53 controls for this project, but, we expect our methodology to be applicable to other control extracted from DISA Application Security STIGs, HIPAA, PCI or ISO/IEC 27034. Working with NIST 800-53 controls will immediately benefit the federal community.
• Developing and Validating a Software Assurance Maturity Workforce Assessment Instrument: The primary research goal of this project is to develop a methodology for performance-based assessment instrument for software assurance tasks such as code review. A secondary research goal of this project is to explore fundamental research questions regarding the adequacy of concept inventories to probe misconceptions in cybersecurity knowledge. This proposed project will fulfill the following objectives: First, develop a reliable and valid concept inventory for buffer overflows. Second, create, prototype, and document a method for accelerating the development of concept inventories that can be applied to assess workforce maturity for software assurance tasks.

Secure Embedded and Industrial Control Systems

Of particular importance to humans, this area includes control systems for water treatment, transportation, energy, and other sectors. These control systems are distributed and utilize a number of embedded devices in the form of control units. Here our focus is on reverse engineering of the systems to hunt for vulnerabilities which might be exploited by adversaries.

• Reverse engineering of the CIP and EtherNet/IP protocols: Within our lab environment, a great deal of significant research is being done in EtherNet/IP and CIP. CIP is the Common Industrial Protocol, used by several vendors in the industrial control world. CIP is in turn carried by EtherNet/IP, the Industrial Protocol on Ethernet Networking (not the usual IP of the Internet world). By reverse engineering these protocols we have made several findings: SCADA system data is sent in clear text, which means outsiders could become privy, for example, to the normal control of industrial plants. We have developed several attacks against both EtherNet/IP and CIP, including the capability of launching denial-of-service attacks, man-in-the-middle attacks, and the ability to spoof authentication credentials. This means that outsiders with network access can exchange messages with the equipment once an authenticated session is hijacked or initiated. We have reported some of these findings to ICS-CERT, the industrial control system response team.
• Small PLC Reprogramming: Certain industrial control systems contain small operating systems which are sophisticated enough to include web servers, which then can be used for an operator interface. Our reverse engineering research allowed us to replace the files within the device, thus presenting the user with whatever information we wanted the user to see. By reprogramming the interface in this way we can also eliminate the need to authenticate the user, building in a “back door”.
• SCADA Tamper Detection System: SCADAHawk™ is a prototype system developed at UNO using Java language and the NetBeans GUI builder for the user interface. It monitors SCADA events to learn common event sequences and compare them against real-time operations for detecting behavior anomalies. The results of this research demonstrate several novel technologies used for SCADA system tamper detection. Continuous Low Level Event Collection and Tamper-detection during Operational Realization (COLLECTORs) are used for monitoring signals either from the hardware or software; “Snap-Shot” learning algorithms are then used to learn, monitor and detect abnormal behavior.
• SCADA Specific to Transportation: An additional SCADA exploration area was the use of critical infrastructure protection relative to airport security. In conjunction with a European company in the airport security domain, we examined specific equipment in an international airport and interviewed the IT staff. We were surprised to discover that relative to other critical infrastructure domains, the airport domain is relatively secure as far as SCADA is concerned. Interestingly though, this was mainly due to the lack of SCADA equipment in critical areas rather than to any particular vulnerabilities. We continue to work with ServiceTec, an IT security provider for this sector.
• Exploration of Language-Driven Compliance: We created a novel approach to precisely specify constraints mandated by regulatory requirements on a control system, and implemented software to monitor the corresponding compliance status in near-real-time. Our research focused on the design of a language that bridges the gap between abstract regulatory policies and the realities of implementation. Essentially, each regulatory check, a “policy monitor”, is authored in a new language we are developing called ADACS (Autonomous component-based policy Description Language for Anomaly monitoring in Control Systems). The semantics of our language are closer to discrete real-time system interactions expressed as events encoded in XML messages, and the language is compiled into binaries of a general-purpose language that is portable across many hardware and software platforms.
• Improvements in Quasigroup Encryption for SCADA: Protection of critical infrastructure systems needs to be multiple-pronged, and another research area has been on the development of link encryption schemes to provide low-cost and low-overhead link encryption for the SCADA domain. This work uses Quasigroup encryption, a fast table-driven block encryption scheme developed at UNO. We are currently in the process of developing the Intellectual Property for a hardware module, written in a hardware description language, which will implement this secure communications method.
• Creation of a Low-Cost Hardware-in-the-loop Device: Most courses on IT security focus on infrastructure and process, stopping short of fully understanding the security considerations related to the applications that actually control these processes. In order to safely research critical infrastructure systems and the PLCs that control them, the UNO IA research lab needs to be able to switch between different sectors (e.g. water supply, power grid, oil pipelines, traffic control, sewage, etc.) and different control system environments. However, setting up multiple dedicated test environments can be a significant monetary investment. Thus a method was devised for flexibly simulating critical hardware systems, called hardware-in-the-loop (HIL) simulation. HIL simulation is a powerful method for assessing the stability of critical control systems without the risk of testing a fully-live system. We can have a software simulation which drives actual hardware signals into the control equipment. Such devices will rapidly simulate cyber-attack consequences and allow experimentation to minimize impact (defense) or maximize impact (offense).

Other Research Areas

These research aims are not in one of our Center for Academic Excellence Focus Areas, but are also of potential interest.

• CyCast, a cybercrime forecasting system: Many cyberattacks on an asset are related to the Social, Political, Economic, and Cultural (SPEC) turmoil traceable in open intelligence and social media; an increase in the level of comprehension of this knowledge increases the possibility of predicting an impending cyberattack. Large scale and mass cyberattacks often co-exist with SPEC turmoil in the physical world. To better understand the possible interrelationships, we have analyzed a number of cyberattacks and organized them along the SPEC dimensions. We further characterized the attack mechanism, agents, victims, motives and outcomes. Our analysis offers some interesting insights that may lead to new prediction and prevention strategies, and suggest new ways to model and build secure information systems.