Information Security Workshop – May 5, 2015

Information Security for the Connected World logo banner.

As connected devices permeate our lives, it is crucial that the computer infrastructure we rely on so heavily be secure and reliable. Two trends promise to make information security even more important in the future. First, computers are finding their way into new and exciting applications: from smart building controls, to autonomous robots, to medical devices, computing imparts both agility and unpredictability. Second, nearly every computer is connected in some way to another: from short-range wireless protocols, to increasingly ubiquitous cellular data and high-speed broadband, it is faster than ever to share data or compromise personal privacy. At the heart of whether the benefits that drive these trends will outweigh their inherent risks is whether we can engineer these systems to be secure and reliable. This workshop will explore the security benefits and risks of these trends, how they can be addressed, and how multidisciplinary problems can bring together researchers from disparate fields to meet the challenges of achieving security in a connected world.

Information Security in a Connected World: Agenda

TimeSessionTitle - Click for abstract and bio
10:00-10:15Welcome address - Farid Najm
10:15-11:15
  • Deepa Kundur - ECE
  • Dimitrios Hatzinakos - ECE
  • Cyber-Physical System Security of Energy Infrastructure
    Medical Biometrics Enabling Security Solutions
    11:15-11:45Coffee break - posters & demos
    11:45-12:45
  • Tim Barfoot - UTIAS
  • Plinio Morita - UHN
  • Long-Term Visual Route Following for Mobile Robots
    Cyber Security and Connected Healthcare
    12:45-1:45Lunch
    1:45-2:45
  • Avi Goldfarb - Rotman
  • Eyal de Lara - Computer Science
  • Privacy and Innovation
    Protecting Mobile Devices from Memory Attacks
    2:45-3:15Coffee break - posters & demos
    3:15-4:00
  • David Lie
  • Closing remarks & discussion
  • Smartphone Security: Challenges and Opportunities
    Deepa Kundur
    Cyber-Physical System Security of Energy Infrastructure

    Abstract: The scale and complexity of the smart grid, along with its increased connectivity and automation, make the task of its cyber protection challenging. Recently, smart grid researchers and standards bodies have begun to develop technological requirements and potential solutions for protecting cyber infrastructure. However, grid protection remains daunting to asset owners because of resources limitations. Important questions arise when identifying priorities for design and protection: Which cyber components, if compromised, can lead to significant power delivery disruption? What grid topologies are inherently robust to classes of cyber attack? Is the additional information available through advanced information technology worth the increased security risk? We assert that a key research challenge in addressing these fundamental questions lies in the effective understanding of the cyber-physical synergy of the smart grid. This gives rise to the problem of cyber-physical system security. In this talk, we introduce this emerging problem in the context of the smart grid and present dynamical systems-based frameworks for modeling cyber-physical interactions. We demonstrate how our approaches enable the identification of emergent vulnerabilities and the evaluation of the relative impacts of communication failure on the flow of electricity. The overall framework facilitates more comprehensive risk analysis and guidelines for resilient smart grid development.

    Bio: Deepa Kundur is a Professor at The Edward S. Rogers Sr. Department of Electrical & Computer Engineering at the University of Toronto. A native of Toronto, Canada, she received the B.A.Sc., M.A.Sc., and Ph.D. degrees all in Electrical and Computer Engineering in 1993, 1995, and 1999, respectively, from the University of Toronto. From September 1999 to December 2002 she was an Assistant Professor in The Edward S. Rogers Sr. Department of Electrical & Computer Engineering at the University of Toronto and returned in September 2012 to hold the title of Professor. She currently serves as Associate Chair in the Division of Engineering Science. From January 2003 to December 2012 she was a faculty member in Electrical & Computer Engineering at Texas A&M University. Dr. Kundur’s research interests include cyber-physical security of the electric smart grid, cyber-physical system theory, security and privacy of social and sensor networks, multimedia security, and computer forensics.

    Dimitrios Hatzinakos
    Medical Biometrics Enabling Security Solutions

    Abstract: A growing number of security solutions is based on biometric recognition technologies for identity authentication, secure monitoring systems, data communication and access control. However, the commonly used biometric modalities such as the fingerprint, iris and face, are venerable to circumvention, replay and obfuscation attacks. On the other hand, medical biometrics which include a novel set of modalities such as the electrocardiogram (ECG), the electroencephalogram (EEG), Oto-acoustic emissions (OAE), the Phonocardiogram (PCG), among others, are robust to these attacks because they are internal to the body and therefore difficult to steal or forge. Furthermore, they offer inherent liveness detection and possibility of continuous authentication since they can provide a fresh biometric reading every couple of seconds. This presentation describes research work with medical biometrics at the Biometrics Security Laboratory, University of Toronto. It includes the acquisition, pre-processing, enrollment, template generation, matching and classification of various medical biometric modalities. Important challenges such as template variability and stabilization arising from the time dependent nature of the underlying signals will be addressed. The long term objective is to establish medical biometrics, either as a stand alone or a multi-biometrics component, as viable solution to real time security applications in health care, field monitoring and access control applications.

    Bio: Dimitrios Hatzinakos received the Diploma degree from the University of Thessaloniki, Greece, in 1983, the MASc degree from the University of Ottawa, Canada, in 1986 and the PhD degree from Northeastern University, Boston, MA, in 1990, all in Electrical Engineering. In September 1990 he joined the Department of Electrical and Computer Engineering, University of Toronto, where now he holds the rank of Professor with tenure. He has served as Chair of the Communications Group of the Department during the period July 1999 to June 2004. From 2004-2014, he held the Bell Canada Chair in Multimedia, at the University of Toronto. Also, he is the co-founder and since 2009 the Director of the Identity, Privacy and Security Institute (IPSI) at the University of Toronto. His research interests and expertise are in the areas of Multimedia Signal Processing, Multimedia Security, Multimedia Communications and Biometric Systems. He is author/co-author of more than 250 papers in technical journals and conference proceedings, he has contributed to 17 books and he has 7 patents in his areas of interest. He is a Fellow of the Engineering Institute of Canada (EIC). From 2008 till 2013, he served as an Associate Editor for the IEEE Transactions on Mobile Computing. Also, he has served as an Associate Editor for the IEEE Transactions on Signal Processing from 1998 till 2002 and Guest Editor for the special issue of Signal Processing, Elsevier, on Signal Processing Technologies for Short Burst Wireless Communications which appeared in October 2000. He was a member of the IEEE Statistical Signal and Array Processing Technical Committee (SSAP) from 1992 till 1995 and Technical Program co-Chair of the 5th Workshop on Higher-Order Statistics in July 1997. He is a senior member of the IEEE, the Professional Engineers of Ontario (PEO), and the Technical Chamber of Greece.

    Tim Barfoot
    Long-Term Visual Route Following for Mobile Robots

    Abstract: In this talk I will describe a particular approach to visual route following for mobile robots that we have developed, called Visual Teach & Repeat (VT&R), and what I think the next steps are to make this system usable in real-world applications. We can think of VT&R as a simple form of simultaneous localization and mapping (without the loop closures) along with a path-tracking controller; the idea is to pilot a robot manually along a route once and then be able to repeat the route (in its own tracks) autonomously many, many times using only visual feedback. VT&R is useful for such applications as load delivery (mining), sample return (space exploration), and perimeter patrol (security). Despite having demonstrated this technique for over 500 km of driving on several different robots, there are still many challenges we must meet before we can say this technique is ready for real-world applications. These include (i) visual scene changes such as lighting, (ii) physical scene changes such as path obstructions, and (iii) vehicle changes such as tire wear. I’ll discuss our progress to date in addressing these issues and the next steps moving forward. There will be lots of videos.

    Bio: Dr. Timothy Barfoot (Associate Professor, University of Toronto Institute for Aerospace Studies—UTIAS) holds the Canada Research Chair (Tier II) in Autonomous Space Robotics and works in the area of guidance, navigation, and control of mobile robots for space and terrestrial applications. He is interested in developing methods to allow mobile robots to operate over long periods of time in large-scale, unstructured, three-dimensional environments, using rich onboard sensing (e.g., cameras and laser rangefinders) and computation. Dr. Barfoot took up his position at UTIAS in May 2007, after spending four years at MDA Space Missions, where he developed autonomous vehicle navigation technologies for both planetary rovers and terrestrial applications such as underground mining. He is an Ontario Early Researcher Awardholder and a licensed Professional Engineer in the Province of Ontario. He sits on the editorial boards of the International Journal of Robotics Research and the Journal of Field Robotics. He is currently serving as the General Chair of Field and Service Robotics (FSR) 2015, which will be held in Toronto.

    Plinio Morita
    Cyber Security and Connected Healthcare

    Abstract: On a note distributed to several hospitals in 2014, the FBI cautioned that “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.” Yet, networked systems in healthcare are responsible for controlling medical devices at home, transmitting critical patient and prescribed drug data, as well as creating an integrated hospital. Not a decade ago, medical devices were self-contained platforms limited to suffering from external EM interference. Today, modern medical devices like home hemodialysis machines or implantable insulin pumps now allow remote connections for dose adjustments, library updates, or remote monitoring. On a grander scale, large hospital networks, or sometimes even EMR systems that connect an entire country, relay large amounts of patient data through the web, rendering these systems highly vulnerable to cyber attacks. In this presentation, we will discuss the current healthcare scenario and the existing security flaws that will need to be addressed in the upcoming years. As our healthcare model evolves towards distributed healthcare and homecare, medical technology will become more reliant on remote access and larger amounts of patient data will be transmitted through open networks. Hence the need for a careful and thorough plan to address cyber security issues in healthcare and to create resilient systems.

    Bio: Plinio Morita is a post-doctoral fellow working at Healthcare Human Factors, University Health Network. He has conducted research programs in Canada, Japan, Spain and Brazil focusing on human factors engineering, trust, interface design, teamwork, human performance, risk management, patient safety, technology assessment, and clinical engineering. Plinio obtained his undergraduate and Masters in Biomedical Engineering from the University of Campinas in Brazil. In 2007, he spent a year in Spain working for the Spanish Ministry of Health evaluating health technologies. In 2013, Plinio spent three months in Japan at Kyoto University conducting cross-cultural research in perception mechanisms of interpersonal trust. In 2014, he obtained his PhD degree in Human Factors Engineering from the University of Waterloo. Plinio’s major research contributions focus on the improvement of social interactions of humans in team environments and human-system interactions, and on fostering positive behavioural changes through mobile health apps. He is also an Adjunct Lecturer at the Institute of Health Policy, Management and Evaluation at the University of Toronto.

    Avi Goldfarb
    Privacy and Innovation

    Abstract: Information and communication technologies now enable firms to collect detailed and potentially intrusive data about their customers both easily and cheaply. This data is useful. Advances in machine learning, statistics, and computer science mean that data is a key input into innovation in a variety of industries. Because companies find data about individuals useful, privacy concerns are no longer limited to government surveillance and public figures’ private lives. Instead, privacy concerns and privacy regulation affect the extent and direction of innovation. This does not mean that regulation is bad. Innovation will not happen if consumers are uncomfortable sharing data with companies. Instead, it means that any regulation, and any use of data by firms, should consider the role privacy plays in innovation. Privacy policy is now a fundamental part of innovation policy, and privacy strategy is now a fundamental part of innovation strategy.

    Bio: Avi Goldfarb is Professor of Marketing at Rotman. Much of his research focuses on understanding the impact of information technology on marketing, on universities, and on the economy. His research has also explored the value of brands and the role of experience in managerial decision-making. Avi has published over 50 articles in a variety of outlets in economics, marketing, statistics, computing, and law.

    Eyal de Lara
    Protecting Mobile Devices from Memory Attacks

    Abstract: Smartphones and tablets are easily lost or stolen making them susceptible to an inexpensive class of memory attacks, such as cold-boot attacks, using a bus monitor to observe the memory bus, and DMA attacks. This talk demonstrates that the ARM System-on-Chip (SoC) architecture used by today’s smartphones and tablets is amenable to a new security approach – storing users’ sensitive data on the SoC itself rather than in DRAM. By storing the secrets on the ARM SoC, we make physical attacks more difficult to mount because they need to target the SoC to retrieve secrets, which is much more expensive.

    Bio: Eyal de Lara is an Associate Professor in the Department of Computer Science at the University of Toronto. Eyal received his Ph.D. and M.Sc. from Rice University in 2002 and 1999, and a B.Sc. from the Instituto Tecnologico de Monterrey in 1995. His research interests include distributed systems and mobile computing. His research has been recognized with an IBM Faculty Award and the Canadian Association of Computer Science Outstanding Young Computer Science Researcher Prize.

    David Lie
    Smartphone Security: Challenges and Opportunities

    Abstract: In this talk I will present some recent work my group has been doing to both make smartphones more secure and to use smartphones to secure other aspects of people’s lives. First, I will talk about PScout, a system we built to better understand Android’s permission system. With PScout, we were able to study properties of the permission system. PScout has also been used by other researchers. Second, I will talk about two systems we have built that demonstrate uses for smartphones to improve authentication over the Internet and protect the security of data stored in the cloud.

    Bio: David Lie received his B.S. from the University of Toronto in 1998, and his M.S. and Ph.D from Stanford University in 2001 and 2004 respectively. He is currently an Associate Professor in the Department of Electrical and Computer Engineering at the University of Toronto and the Canada Research Chair in Secure and Reliable Computer Systems. While at Stanford, David founded and led the XOM (eXecute Only Memory) Processor Project, which supports the execution of tamper and copy-resistant software. He was the recipient of a best paper award at SOSP for this work. David is also a recipient of the MRI Early Researcher Award. More recently, he and his students have developed the PScout Android Permission mapping tool, whose datasets have been downloaded over 10,000 times and used in dozens of subsequent papers. David has served on various program committees including OSDI, ASPLOS, Usenix Security and IEEE Security & Privacy. Currently, his interests are focused on securing mobile platforms, cloud computing security and increasing the reliability of software.