Publications

BaseComp: A Comparative Analysis for Integrity Protection in Cellular BaseBand Software. Eunsoo Kim*, Min Woo Baek*, CheolJun Park, Dongkwan Kim, Yongdae Kim, Insu Yun. USENIX Conference on Security Symposium (USENIX Security '23)
LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper. Tuan Dinh Hoang, CheolJun Park, Mincheol Son, Teakkyung Oh, Sangwook Bae, Junho Ahn, BeomSeok Oh, and Yongdae Kim. 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '23)
Un-Rocking Drones: Foundations of Acoustic Injection Attacks and Recovery Thereof. Jinseob Jeong, Dongkwan Kim, Joonha Jang, Juhwan Noh, Changhun Song, and Yongdae Kim. Network and Distributed Systems Security Symposium (NDSS '23)
Preventing SIM Box Fraud Using Device Fingerprinting. BeomSeok Oh*, Junho Ahn*, Sangwook Bae, Mincheol Son, Yonghwa Lee, Min Suk Kang, and Yongdae Kim (*: co-first author). Network and Distributed Systems Security Symposium (NDSS '23)
Research Implications: In 2022, we received USD 5 million in funding from the Korean police to develop a network-based solution to combat voice phishing crime. (Voice phishing resulted in financial losses of over USD 0.5 billion in Korea in 2021.) As part of this project, we are developing multiple solutions. The first solution we have published is to develop methodologies to distinguish a SIM Box (a VoIP gateway that converts VoIP calls to and from cellular calls) from other smartphones. The key idea is that fingerprints, which were constructed from network-layer auxiliary information with more than 31K features, are mostly distinct among 85 smartphones as well as SIM boxes. We are currently under discussion with a major operator to test our solution inside their network.
Paralyzing Drones via EMI Signal Injection on Sensory Communication Channels (Website). Joonha Jang*, ManGi Cho*, Jaehoon Kim, Dongkwan Kim, and Yongdae Kim. Network and Distributed Systems Security Symposium (NDSS '23) (*: co-first author)
HearMeOut: detecting voice phishing activities in Android. Joongyum Kim, Jihwan Kim, Seongil Wi, Yongdae Kim, and Sooel Son. Annual International Conference on Mobile Systems, Applications and Services (MobiSys '22)
Are There Wireless Hidden Cameras Spying on Me? Jeongyoon Heo, Sangwon Gil, Youngman Jung, Jinmok Kim, Donguk Kim, Woojin Park, Yongdae Kim, Kang G. Shin, and Choong-Hoon Lee. Annual Computer Security Applications Conference (ACSAC '22)
Revisiting binary code similarity analysis using interpretable feature engineering and lessons learned. Dongkwan Kim, Eunsoo Kim, Sang Kil Cha, Sooel Son, and Yongdae Kim. IEEE Transactions on Software Engineering (IEEE TSE '22)
Watching the Watchers: Practical Video Identification Attack in LTE Networks. Sangwook Bae, Mincheol Son, Dongkwan Kim, CheolJun Park, Jiho Lee, Sooel Son, and Yongdae Kim. USENIX Conference on Security Symposium (USENIX Security '22)
Research Implications: DCI (Downlink Control Indicator) refers to the control signaling that is transmitted from the BS to the UE. DCI carries information that is used by the UE to decode the downlink data, such as the resource allocation, the modulation and coding scheme used for the data as well as uplink channel assignment. When the UE receives a DCI, it uses the RNTI to determine if the DCI is intended for it. As none of the information in DCI is encrypted, if an attacker can identify a victim’s RNTI, the attacker can obtain the victim’s resource usage or uplink scheduling. Using the victim’s resource usage, an unprivileged adversary equipped with a software-defined radio can 1) identify mobile users who are watching target videos of the adversary’s interest and then 2) infer the video title that each of these users is watching.
DoLTEst: In-depth Downlink Negative Testing Framework for LTE Devices. CheolJun Park*, Sangwook Bae*, BeomSeok Oh, Jiho Lee, Eunkyu Lee, Insu Yun, and Yongdae Kim. USENIX Conference on Security Symposium (USENIX Security '22) (*: co-first author)
CVEs: CVE-2019-2289, CVE-2021-25516, CVE-2021-30826
Research Implications: DoLTEst is a negative testing framework for finding non-standard-compliant bugs in LTE protocol implementations of UEs. DoLTEst is stateful and covers all optional cases. It generates about 1,800 test cases to check vulnerabilities of UEs. This paper was discussed in a 3GPP SA3 meeting. It is currently open-sourced at https://github.com/SysSec-KAIST/DoLTEst. We uncovered 26 implementation flaws from 43 devices from 5 different baseband manufacturers by using DoLTEst. We have received 3 CVEs (CVE-2019-2289 from Qualcomm, CVE-2021-25516 from Samsung, and CVE-2021-30826 from Apple). The Qualcomm bug allows an authentication bypass in all baseband processors manufactured by Qualcomm, requiring almost one year to finish the patch process.
The Trilemma of Stablecoin. Yujin Kwon, Jihee Kim, Yongdae Kim, and Dawn Song. Social Science Research Network (SSRN) 2021
Enabling the Large-Scale Emulation of Internet of Things Firmware With Heuristic Workarounds. Dongkwan Kim*, Eunsoo Kim*, Mingeun Kim, Yeongjin Jang, and Yongdae Kim (*: co-first author). IEEE Security & Privacy (IEEE S&P '21)
BaseSpec: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols. Eunsoo Kim*, Dongkwan Kim*, CheolJun Park, Insu Yun, and Yongdae Kim (*: co-first author). Network and Distributed Systems Security Symposium (NDSS '21)
Research Implications: This work checks if we can run comparative static analysis of baseband binaries and cellular specifications. The key intuition is that a message decoder in baseband software embeds the protocol specification in a machine-friendly structure to parse incoming messages. With BaseSpec, we analyzed the implementation of cellular standard L3 messages in 18 baseband firmware images of 9 device models from one of the top three vendors. It is currently open-sourced at https://github.com/SysSec-KAIST/BaseSpec. BaseSpec identified hundreds of functional or potentially vulnerable mismatches. Investigation of these bugs led to 5 functional errors and 4 memory-related vulnerabilities. These bugs are patched by the vendors.
FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis. Mingeun Kim, Dongkwan Kim, Eunsoo Kim, Suryeon Kim, Yeongjin Jang, and Yongdae Kim. Annual Computer Security Applications Conference (ACSAC '20)
CVEs: CVE-2018-19986, CVE-2018-19987, CVE-2018-19988, CVE-2018-19989, CVE-2018-19990, CVE-2018-20114, CVE-2019-11399, CVE-2019-11400, CVE-2019-20082, CVE-2019-20084, CVE-2019-6258
The System That Cried Wolf: Sensor Security Analysis of Wide-area Smoke Detectors for Critical Infrastructure. Hocheol Shin, Juhwan Noh, Dohyun Kim, and Yongdae Kim. ACM Transactions on Privacy and Security (ACM TOPS), Vol. 23 No. 3, Article 15, 2020
Amnesiac DRAM: A Proactive Defense Mechanism Against Cold Boot Attacks. Hoseok Seol, Min-Hye Kim, Yongdae Kim, Taesoo Kim, and Lee-Sup Kim. IEEE Transactions on Computers (To appear)
SoK: A Minimalist Approach to Formalizing Analog Sensor Security. Chen Yan, Hocheol Shin, Connor Bolton, Wenyuan Xu, Yongdae Kim, and Kevin Fu. IEEE Symposium on Security and Privacy (IEEE S&P '20)
The Present and Future of Mobile Communication Security (in Korean). Yongdae Kim. Review of KIISC (정보보호학회지), Vol 29, No. 5, 2019
An Eye for an Eye: Economics of Retaliation in Mining Pools. Yujin Kwon, Hyoungshick Kim, Yung Yi, Yongdae Kim. ACM Advances in Financial Technology (ACM AFT '19)
Impossibility of Full Decentralization in Permissionless Blockchains. Yujin Kwon, Jian Liu, Minjeong Kim, Dawn Song, Yongdae Kim. ACM Advances in Financial Technology (ACM AFT '19)
Who Spent My EOS? On the (In)Security of Resource Management of EOS.IO. Sangsup Lee, Daejun Kim, Dongkwan Kim, Sooel Son, Yongdae Kim. USENIX Workshop on Offensive Technologies (USENIX WOOT '19)
Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE. Hojoon Yang, Sangwook Bae, Mincheol Son, Hongil Kim, Songmin Kim, and Yongdae Kim. USENIX Conference on Security Symposium (USENIX Security '19)
Research Implications: 4G and 5G cellular networks do not provide protection for the integrity of broadcasting, paging, or some unicasting messages, making them vulnerable to Man-in-the-Middle (MitM) attacks. An MitM attacker can hijack and modify these unauthenticated messages by implementing a fake base station (FBS) and a fake user equipment (UE). To the victim UE and the victim BS, the FBS and the fake UE should look like a legitimate BS and UE, respectively. Implementing a fully functional cellular MitM attacker is a complex task, as none of the academic papers have successfully done so. Therefore, instead of implementing this type of attacker, we implemented signal overshadowing, where the attacker overwrites the broadcast message from the base station to UEs (i.e. downlink). It took a total of two years to implement this attack, as the overshadowing signal had to be sent with precise timing and frequency. Our intention was to spark renewed discussions on how to protect these unauthenticated cellular messages within standard bodies. The initial response from GSMA was disappointing as they viewed this work as only academically interesting. However, it turned out to be important for both academia and standard bodies. After it was initially discussed in the 2019 Reno 97th 3GPP meeting (S3-194063), a lot of documents (and probably discussions) tried to address this attack across multiple 3GPP meetings: TSGS3_100Bis-e (S3-202556, S3-202738, S3-202740), TSGS3_100e (S3-202026, S3-202109, S3-202150), TSGS3_101e (S3-202983, S3-202984, S3-203158, S3-203160, S3-203364, S3-203447), TSGS3_102Bis-e (S3-211345), TSGS3_102e (S3-210131, S3-210778, S3-210783), TSGS3_103e (S3-212351), TSGS3_104e (S3-212748, S3-213244), TSGS3_105e (S3-214408), and TSGS3_107e (S3-221266).
In addition, the attack has been extended to a sigover attack over the unicast channel by us, to layer 2 messages by Tan et al., and to the uplink channel by Erni et al.
Doppelgängers on the Dark Web: A Large-scale Assessment on Phishing Hidden Web Services. Changhoon Yoon, Kwanwoo Kim, Yongdae Kim, Seungwon Shin, and Sooel Son. The World Wide Web Conference (WWW ’19)
Is Stellar As Secure As You Think? Minjeong Kim, Yujin Kwon, Yongdae Kim. IEEE Security and Privacy on the Blockchain (IEEE S&B '19)
Webpage: https://sites.google.com/view/stellar-analysis
Media: CoinTelegraph: Stellar’s Blockchain Briefly Goes Offline, Confirming the Project Lacks Decentralization; Safety vs. Liveness in the Stellar Network, David Mazières
Research Implications: We show that all of the nodes in Stellar cannot run the Stellar consensus protocol if only two nodes fail. On May 15, 2019, 5:00 AM (UTC/GMT), Stellar actually stopped as we forecasted, as reported by CoinTelegraph.
Tractor Beam: Safe-hijacking of Consumer Drones with Adaptive GPS Spoofing. Juhwan Noh, Yujin Kwon, Yunmok Son, Hocheol Shin, Dohyun Kim, Jaeyeong Choi, Yongdae Kim. ACM Transactions on Privacy and Security (ACM TOPS), Vol. 22, No. 2, Article 12, 2019
Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon, Hyoungshick Kim, Jinwoo Shin, Yongdae Kim. IEEE Symposium on Security and Privacy (IEEE S&P '19)
Cybercriminal Minds: An investigative study of cryptocurrency abuses in the Dark Web. Seunghyeon Lee, Changhoon Yoon, Heedo Kang, Yeonkeun Kim, Yongdae Kim, Dongsu Han, Sooel Son, and Seungwon Shin. Network and Distributed Systems Security Symposium (NDSS '19)
Hidden Figures: Comparative Latency Analysis of Cellular Networks with Fine-grained State Machine Models Sangwook Bae, Mincheol Son, Sooel Son, and Yongdae Kim ACM International Workshop on Mobile Computing Systems and Applications (ACM HotMobile '19)
Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane. Hongil Kim, Jiho Lee, Eunkyu Lee, and Yongdae Kim. IEEE Symposium on Security and Privacy (IEEE S&P '19)
CVEs: CVE-2019-5307, CVE-2019-20783
Research Implications: For the first time, we tested a carrier network as academics. We sent negative test cases (i.e. test cases that are prohibited by the standard, e.g. messages with wrong message authentication code) to the operator network or smartphones, in order to see if they are dropped by the receiving parties. As a result, we uncovered 51 vulnerabilities (36 new and 15 previously known). Check LTEFuzz site for details. Immediately after the paper was published online, we received inquiries from many operators asking if we could visit their sites to test their networks. Unfortunately, we could not provide service to commercial operators, as students did not want to provide commercial services. We’ve also communicated with device vendors such as Apple, Samsung, Qualcomm, LG, Huawei, and Ericsson, helping with their patching process. Cellular security companies such as P1Security and Positive Technologies now provide protocol security testing. We have received two CVEs (CVE-2019-20783 from LG and CVE-2019-5307 from Huawei). This was also featured in multiple media outlets, such as ZDNet, SecurityWeek, Huawei, Engadget, Tech Xplore, Security Affairs, E-Crypto, Cybersecurity Insiders, Israel Defense, ITPro, UK, TGDaily, Gizmodo, and DailyMail, UK. The LTEFuzz paper was discussed in three SA3 meetings: TSGS3_95_Reno (S3-191230), TSGS3_97_Reno (S3-194063), and TSGS3_101e (S3-202878).
Peeking over the Cellular Walled Gardens - A Method for Closed Network Diagnosis. Byeongdo Hong, Shinjo Park, Hongil Kim, Dongkwan Kim, Hyunwook Hong, Hyunwoo Choi, Jean-Pierre Seifert, Sung-Ju Lee and Yongdae Kim. IEEE Transactions on Mobile Computing (IEEE TMC), Vol. 17, No. 10, 2018
Research Implications: We collected 6.4M control plane messages from 28 operators in 11 countries using 95 USIMs by generating 52K voice call events. Through this extensive dataset, we aimed to understand and confirm Pr2. We examined each control plane message to identify operators with abnormal processing times, sequence of events, or signaling failures. This study revealed a total of 7 bugs that occurred in only a few operators. For instance, a UE in a US operator experienced out-of-service for 11 seconds due to location update collisions. We confirmed that comparative analysis between operators is an effective way to detect performance bugs and their root causes. Unfortunately, we are unable to release this dataset as it contains personal information.
GyrosFinger: Fingerprinting Drones for Location Tracking based on the Outputs of MEMS Gyroscopes Yunmok Son, Juhwan Noh, Jaeyeong Choi and Yongdae Kim ACM Transactions on Privacy and Security (ACM TOPS), Vol. 21, No. 2, Article 10, 2018
GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier. Byeongdo Hong, Sangwook Bae, and Yongdae Kim. Network and Distributed Systems Security Symposium (NDSS '18)
Research Implications: In LTE, a mechanism called GUTI_Reallocation is employed, which forcibly changes the GUTI after each instance of its exposure in a message. This requirement, though, does not enforce either the linkability or unpredictability of the changing IDs. We verified if this is the case with a large dataset we built (a dataset containing 6.4M control plane messages from 28 operators in 11 countries). Out of 28 carriers, 20 carriers have at least one byte fixed (GUTI is 4 bytes long), allowing the attacker to fingerprint a particular user. More detailed analysis on 4 carriers showing seemingly random assignment reveals that the attacker can make the GUTI unchanged after invoking GUTI_reallocation multiple times within a short time period. This paper played an important role in adding unpredictability of GUTI in LTE, discussed in S3-220075. Now in 5G, unpredictability in GUTI after every exposure is mandatory. Unfortunately, a recent report about China and our measurement in Korea show that this is not the case.
Be Selfish and Avoid Dilemmas: Fork After Withholding (FAW) Attacks on Bitcoin Yujin Kwon, Dohyun Kim, Yunmok Son, Eugene Vasserman, and Yongdae Kim ACM Conference on Computer and Communications Security (ACM CCS '17) 
Illusion and Dazzle: Adversarial Optical Channel Exploits against Lidars for Automotive Applications. Hocheol Shin, Dohyun Kim, Yujin Kwon, and Yongdae Kim. Conference on Cryptographic Hardware and Embedded Systems (CHES '17)
Research Implications: This analyzes the security of Velodyne VLP-16, which can be used for self-driving cars. We showed that one can either blind it or generate fake dots (even closer than the attackers). AFAWK, none of the LIDARs still protect against our attacks. (Please let us know if you find one.)
When Cellular Networks Met IPv6: Security Problems of Middleboxes in IPv6 Cellular Networks. Hyunwook Hong, Hyunwoo Choi, Dongkwan Kim, Hongil Kim, Byeongdo Hong, Jiseong Noh, and Yongdae Kim. IEEE European Symposium on Security and Privacy (IEEE EuroS&P '17)
Research Implications: This is the first study analyzing security of middleboxes within cellular networks.
Enabling Automatic Protocol Behavior Analysis for Android Applications Jeongmin Kim, Hyunwoo Choi, Hun Namkung, Woohyun Choi, Byungkwon Choi, Hyunwook Hong, Yongdae Kim, Jonghyup Lee, Dongsu Han International Conference on emerging Networking EXperiments and Technologies (ACM CoNEXT '16) 
PIkit: A New Kernel-Independent Processor-Interconnect Rootkit Wonjun Song, Hyunwoo Choi, Junhong Kim, Eunsoo Kim, Yongdae Kim, and John Kim USENIX Conference on Security Symposium (USENIX Security '16) 
Sampling Race: Bypassing Timing-based Analog Active Sensor Spoofing Detection on Analog-digital Systems Hocheol Shin, Yunmok Son, Youngseok Park, Yujin Kwon, and Yongdae Kim USENIX Workshop on Offensive Technologies (USENIX WOOT '16) 
This ain't your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park, Yunmok Son, Hocheol Shin, Dohyun Kim, and Yongdae Kim USENIX Workshop on Offensive Technologies (USENIX WOOT '16) 
Doppelganger in Bitcoin Mining Pools: An Analysis of the Duplication Share Attack Yujin Kwon, Dohyun Kim, Yunmok Son, Jaeyeong Choi, Yongdae Kim World Conference on Information Security Applications (WISA '16) 
Pay As You Want: Bypassing Charging System in Operational Cellular Networks Hyunwook Hong, Hongil Kim, Byeongdo Hong, Dongkwan Kim, Hyunwoo Choi, Eunkyu Lee and Yongdae Kim World Conference on Information Security Applications (WISA '16) 
Dissecting Customized Protocols: Automatic Analysis for Customized Protocols based on IEEE 802.15.4 Kibum Choi, Yunmok Son, Juhwan Noh, Hocheol Shin, Jaeyeong Choi and Yongdae Kim ACM Conference on Security and Privacy in Wireless and Mobile Networks (ACM WiSec '16) Best Paper Award
Timing Attacks on Access Privacy in Information Centric Networks and Countermeasures Aziz Mohaisen, Hesham Mekky, Xinwen Zhang, Haiyong Xie and Yongdae Kim IEEE Transactions on Dependable and Secure Computing (IEEE TDSC), vol.12 no.6, 2015 
Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations. Hongil Kim*, Dongkwan Kim*, Minhee Kwon, Hyungseok Han, Yeongjin Jang, Dongsu Han, Taesoo Kim, and Yongdae Kim. ACM Conference on Computer and Communications Security (ACM CCS '15) (*: co-first author)
CVEs: CVE-2015-6614, VU#943167
Research Implications: This is our first security testing paper. Using 60 security test cases in 5 operators (3 in Korea, 2 in the US), we found 10 new vulnerabilities (4 accounting bypasses, 2 caller spoofing attacks, 2 DoS attacks, and so on). The vulnerabilities were jointly disclosed with the US Cyber Emergency Response Team (US Cert) as VU#943167. At the time, none of the US operators acknowledged the vulnerabilities, but they later patched them silently. After this investigation, we received funding from SK Telecom to start investigating security of LTE networks. We were invited to make a presentation at GSMA, the organization of the operators. The findings were covered by multiple media outlets, such as IT World, Nexus Security Bulletin, DSLReports, Softpedia, tom’s guide, Pocketnow, FierceMobileIT, Techworm, Neowin, and Network World.
Frying PAN: Dissecting Customized Protocol for Personal Area Network Kibum Choi, Yunmok Son, Jangjun Lee, Suryeon Kim, and Yongdae Kim International Workshop on Information Security Applications (WISA '15) 
Security Analysis of FHSS-type Drone Controller. Hocheol Shin, Kibum Choi, Youngseok Park, Jaeyeong Choi, and Yongdae Kim. International Workshop on Information Security Applications (WISA '15)
Research Implications: We found that FHSS implemented by FrSky has a weakness. In particular, we found that it repeats the hopping sequence after 141 random hops. This means that after observing the RF channel over 1.5 seconds, one can exactly predict the future hopping sequence.
BurnFit: Analyzing and Exploiting Wearable Devices Dongkwan Kim, Suwan Park, Kibum Choi, and Yongdae Kim International Workshop on Information Security Applications (WISA '15) Best Paper Award
Extractocol: Automatic Extraction of Application-level Protocol Behaviors for Android Applications Hyunwoo Choi, Jeongmin Kim, Hyunwook Hong, Yongdae Kim, Jonghyup Lee, and Dongsu Han ACM Conference on Special Interest Group on Data Communication. (ACM SIGCOMM '15, poster) 
Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors. Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, Yongdae Kim. USENIX Conference on Security Symposium (USENIX Security '15)
Research Implications: This paper shows that sound can knock a drone down. Playing sound at the resonance frequency of the gyroscope sensor in the IMU of a drone causes significant fluctuation of rotor speeds due to the popular control algorithm called PID. This was the first time we realized that an "anti-drone" solution is important. In 2020, Sandia National Lab published a report "Assessing the Vulnerability of Unmanned Aircraft Systems to Directed Acoustic Energy" to see if "sound" can be an effective anti-drone solution.


Hijacking the Vuze BitTorrent network: all your hop are belong to us Eric Chan-Tin, Victor Heorhiadi, Nicholas Hopper, Yongdae Kim IET Information Security, vol.9, no.4, 2015 
Bittersweet ADB: Attacks and Defenses Sungjae Hwang, Sungho Lee, Yongdae Kim, Sukyoung Ryu ACM Symposium on Information, Computer and Communications Security (ACM AsiaCCS '15) 
Revisiting Security of Proportional Fair Scheduler in Wireless Cellular Networks Hanjin Park, Yung Yi, Yongdae Kim Elsevier Computer Networks, vol. 75, Part A, pp. 55-74, 2014 
Run Away If You Can: Persistent Jamming Attacks against Channel Hopping Wi-Fi Devices in Dense Networks Il-Gu Lee, Hyunwoo Choi, Yongdae Kim, Seungwon Shin, Myungchul Kim International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2014) 
Trustworthy Distributed Computing on Social Networks Abedelaziz Mohaisen, Huy Tran, Abhishek Chandra, and Yongdae Kim IEEE Transactions on Services Computing, vol.7, no.3, 2014 
Analyzing Security of Korean USIM-based PKI Certificate Service Shinjo Park, Suwan Park, Insu Yun, Dongkwan Kim, Yongdae Kim International Workshop on Information Security Applications (WISA 2014) 
Gaining Control of Cellular Traffic Accounting by Spurious TCP Retransmission. Younghwan Go, Jongil Won, Denis Foo Kune, Eunyoung Jeong, Yongdae Kim, and Kyoungsoo Park. Network and Distributed System Security Symposium (NDSS '14)
Research Implications: Cellular networks have different accounting mechanisms for data and voice. Data usage is typically tracked and billed based on bandwidth usage, while voice usage is tracked and billed based on the duration of the call. Different countries have different accounting policies. For example, the Korean government prohibits operators from charging for TCP-retransmitted packets [5], and as per our measurements from different countries, we discovered that Korea is the only country with this policy. We show that an attacker may exploit such a policy to bypass data charging, by implementing a proxy server that manipulates TCP sequence numbers. To mitigate this issue, we also implement a practical DPI (Deep Packet Inspection) system, which can detect such attacks. We discovered that Korean operators are more concerned with over-charging than charging bypass. This is because over-charging can result in penalties from the government. The bug has not been patched so far AFAWK.
Impact of Malicious TCP Retransmission on Cellular Traffic Accounting Younghwan Go, Denis Foo Kune, Shinae Woo, Kyoungsoo Park, and Yongdae Kim Annual Wireless of the Students, by the Students, for the Students Workshop (ACM S3 '13) 
Peer Pressure: Exerting Malicious Influence on Routers at a Distance Max Schuchard, Christopher Thompson, Nicholas Hopper, and Yongdae Kim IEEE International Conference on Distributed Computing Systems (IEEE ICDCS '13) 
Ghost Talk: Mitigating EMI Signal Injection Attacks against Analog Sensors. Denis Foo Kune, John Backes, Shane Clark, Wenyuan Xu, Dan Kramer, Matthew Reynolds, Kevin Fu, and Yongdae Kim. IEEE Symposium on Security and Privacy (IEEE S&P '13)
Research Implications: This is the first (EE + Security paper) and (Sensing-and-actuation security paper) from SysSec. EMI injection of a healthy person's heart waveform into the wire stops a pacemaker. This is the first paper to show that sensing values could be manipulated over wire.
Trustworthy Distributed Computing on Social Networks Abedelaziz Mohaisen, Huy Tran, Abhishek Chandra, and Yongdae Kim ACM Symposium on Information, Computer and Communications Security (ACM AsiaCCS '13) 
Dynamix: Anonymity on Dynamic Social Structures Abedelaziz Mohaisen, Huy Tran, Ting Zhu, and Yongdae Kim ACM Symposium on Information, Computer and Communications Security (ACM AsiaCCS '13) 
Protecting Access Privacy of Cached Contents in Information Centric Networks Abedelaziz Mohaisen, Xinwen Zhang, Max Schuchard, Haiyong Xie, Yongdae Kim ACM Symposium on Information, Computer and Communications Security (ACM AsiaCCS '13) 
SocialCloud: Using Social Networks for Building Distributed Computing Services. A. Mohaisen, H. Tran, A. Chandra, and Y. Kim. ACM Symposium on Information, Computer and Communications Security (ACM AsiaCCS '13). Also available as Technical Report, CS Department, University of Minnesota, 2011
Media: MIT Technical Review, The Verge, MSN.COM, Data News
Towards Accurate Accounting of Cellular Data for TCP Retransmission Younghwan Go, Denis Foo Kune, Shinae Woo, KyoungSoo Park, and Yongdae Kim ACM International Workshop on Mobile Computing Systems and Applications (ACM HotMobile '13) 
Private over-threshold aggregation protocols Myungsun Kim, Abedelaziz Mohaisen, Jung Hee Cheon, and Yongdae Kim International Conference on Information Security and Cryptology (ICISC '12) 
Towards a safe Integrated Clinical Environment: A communication security perspective Denis Foo Kune, Eugene Vasserman, Krishna Venkatasubramanian, Yongdae Kim, Insup Lee ACM Workshop on Medical Communication Systems (ACM MedCOMM '12) 
Measuring Bias in the Mixing Time of Social Graphs due to Graph Sampling Abedelaziz Mohaisen, Pengkui Luo, Yanhua Li, Yongdae Kim, Zhi-Li Zhang Military Communications Conference (MILCOM '12). 
One-way indexing for plausible deniability in censorship resistant storage Eugene Y. Vasserman, Victor Heorhiadi, Nicholas Hopper, Yongdae Kim USENIX Workshop on Free and Open Communications on the Internet (USENIX FOCI '12) 
On the Mixing Time of Directed Social Graphs and Security Implications Abedalaziz Mohaisen, Huy Tran, Nicholas Hopper, and Yongdae Kim ACM Symposium on Information, Computer and Communications Security (AsiaCCS '12) 
Private Top-k Aggregation Protocols. Myungsun Kim, Abedelaziz Mohaisen, Jung Hee Cheon, and Yongdae Kim. IACR Cryptology ePrint Archive, 2012
Location leaks on the GSM air interface. D. F. Kune, J. Koelndorfer, N. Hopper, and Y. Kim. Network and Distributed Systems Security Symposium (NDSS '12). Nominated for the best paper award
Media: Ars Technica, Slashdot, MPR, Fox Twin Cities, Physorg, TG Daily, Network World, e! Science News, Scientific Computing, gizmag, Crazy Engineers, PC Advisor, Mobile Magazine, The CyberJungle, Inquisitr
Research Implications: This was our first cellular security paper. We demonstrated that the TMSI remains unchanged in 2G and 3G. By repeatedly calling a victim, an attacker can determine if the victim is in the same cell by intersecting TMSIs contained in unencrypted paging messages, breaking subscriber location privacy. Wireless and unencrypted paging messages allow this binding between phone number and the temporary ID. This paper was discussed in three 3GPP SA3 meetings held in 2017 across multiple documents: TSG3_086_Sophia 1 (S3-170205, S3-170333, S3-170458), TSGS3_86b_Busan (S3-170758), and TSGS3_87_Ljubljana (S3-171294).
Taking Routers Off Their Meds: Unstable Routers and the Buggy BGP Implementations That Cause Them M. Schuchard, C. Thompson, N. Hopper, Y. Kim Technical Report, CS Department, University of Minnesota, 2011 
Censorship resistant overlay publishing E. Y. Vasserman, V. Heorhiadi, Y. Kim, N. Hopper Technical Report, CS Department, University of Minnesota, 2011 
i-Code: A New Approach to Practical Network Coding for Content Distribution H. J. Kang, A. Yun, E. Y. Vasserman, Y. Kim Technical Report, CS Department, University of Minnesota 2011 
The Frog-Boiling Attack: Limitations of Secure Network Coordinate Systems E. Chan-Tin, V. Heorhiadi, Y. Kim, and N. Hopper ACM Transactions on Information and System Security (ACM TISSEC), Vol. 14, No. 3, Article 27, 2011
Mistaking friends for foes: An analysis of a social network-based Sybil defense in mobile networks A. Mohaisen, T. AbuHmed, H. J. Kang, D. Nyang, Y. Kim ACM International Conference on Ubiquitous Information Management and Communication (ACM ICUIMC '11) 
Understanding social networks properties for trustworthy computing A. Mohaisen, H. Tran, N. Hopper, and Y. Kim Workshop on Simplifying Complex Networks for Practitioners (SIMPLEX '11) (Invited Paper) 
Keep your friends close: Incorporating trust into social network-based Sybil defenses A. Mohaisen, N. Hopper, Y. Kim IEEE Conference on Computer Communications (IEEE INFOCOM'11) 
Losing Control of the Internet: Using the data plane to attack the control plane. M. Schuchard, E. Vasserman, A. Mohaisen, D. F. Kune, N. Hopper, and Y. Kim. Network and Distributed Systems Security Symposium (NDSS '11)
Media: New Scientist, Slashdot, ZDNet, CBS News, Minnesota Daily, Metro, Gizmodo, The Register
Exploring In-Situ Sensing Irregularity in Wireless Sensor Networks J. Hwang, T. He, and Y. Kim. IEEE Transactions on Parallel and Distributed Systems (IEEE TPDS), vol. 21, issue 4, pp. 547-561, 2010
On Homomorphic Signatures for Network Coding A. Yun, J. Cheon, Y. Kim IEEE Transactions on Computers (IEEE TC) (brief contribution), vol. 59, issue 9, 2010
Recruiting New Tor Relays with BRAIDS R. Jansen, N. Hopper, and Y. Kim ACM Conference on Computer and Communications Security (ACM CCS '10)
Measuring the mixing time of social graphs A. Mohaisen, A. Yun, and Y. Kim ACM Internet Measurement Conference (ACM IMC '10)
Balancing the Shadows M. Schuchard, A. Dean, V. Heorhiadi, Y. Kim, and N. Hopper Workshop on Privacy in the Electronic Society (WPES '10)
Efficient Cryptographic Primitives for Private Data Mining M. Shaneck, and Y. Kim IEEE Hawaii International Conference on System Sciences (IEEE HICSS '10)
Timing attacks on PIN Input Devices D. Foo Kune, and Y. Kim ACM Conference on Computer and Communications Security (ACM CCS '10) (Posters)
Losing Control of the Internet: Using the Data Plane to Attack the Control Plane M. Schuchard, A. Mohaisen, E. Vasserman, D. F. Kune, Y. Kim, and N. Hopper ACM Conference on Computer and Communications Security (ACM CCS '10) (Posters)
Secure Encounter-based Social Networks: Requirements, Challenges, and Designs A. Mohaisen, E. Vasserman, M. Schuchard, D. F. Kune, and Y. Kim ACM Conference on Computer and Communications Security (ACM CCS '10) (Posters)
The Distributed Virtual Network for High Fidelity, Large Scale Peer to Peer Network Simulation Denis Foo Kune, Tyson Malchow, James Tyra, Nicholas J. Hopper, Yongdae Kim University of Minnesota, Technical report, 2010. 
Attacking the Kad Network - Real World Evaluation and High Fidelity Simulation using DVN - E. Chan-Tin, P. Wang, J. Tyra, T. Malchow, D. Foo Kune, N. Hopper, Y. Kim Wiley Security and Communication Networks, 2009. 
Membership-concealing overlay networks E. Vasserman, R. Jansen, J. Tyra, N. Hopper, Y. Kim ACM Conference on Computer and Communications Security (ACM CCS '09) 
Scalable onion routing with Torsk J. McLachlan, A. Tran, N. Hopper, Y. Kim ACM Conference on Computer and Communications Security (ACM CCS '09) 
On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage A. Yun, C. Shi, Y. Kim ACM Cloud Computing Security Workshop (ACM CCSW '09)
Hashing it out in public: Common failure modes of DHT-based anonymity schemes A. Tran, N. Hopper, Y. Kim Workshop on Privacy in the Electronic Society (WPES '09)
The Frogboiling attack: limitations of anomaly detection for secure network coordinates E. Chan-Tin, D. Feldman, N. Hopper, Y. Kim International Conference on Security and Privacy in Communication Networks (SecureComm '09)
Why Kad Lookup Fails H.-J. Kang, E. Chan-Tin, N. Hopper, Y. Kim IEEE International Conference on Peer-to-Peer Computing (P2P), 2009
Research Implications: eMule folks have patched and improved their routing reliability.
------------------------ Dec, 7. 2009 ------------------------
.: Added a quick intermediate fix to make certain Kad lookups more reliable, improving the (search/source-) results in some cases [based on research from http://www-users.cs....hopper/kad.pdf]


Towards Complete Node Enumeration in a Peer-to-Peer Botnet B. Kang, E. Chan-Tin, C. Lee, J. Tyra, H. Kang, C. Nunnery, Z. Wadler, G. Sinclair, N. Hopper, D. Dagon, and Y. Kim ACM Symposium on Information, Computer & Communication Security (ACM AsiaCCS '09) 
Secure Localization with Phantom Node Detection J. Hwang, T. He, Y. Kim Ad Hoc Networks, Volume 6, Issue 7 (September 2008) Elsevier. 
Provably Secure Timed-Release Public Key Encryption. J. Cheon, N. Hopper, Y. Kim, I. Osipkov (alphabetical order. Main author of the paper is I. Osipkov.) ACM Transactions on Information Systems Security (ACM TISSEC), Volume 11, Issue 2 (March 2008).
Attacking the Kad Network P. Wang, J. Tyra, E. Chan-Tin, T. Malchow, D. Foo Kune, N. Hopper, and Y. Kim. International Conference on Security and Privacy in Communication Networks (SecureComm '08)
Research Implications: eMule folks have patched and improved their routing security
------------------------ Jun, 27. 2008 ------------------------
.: Several changes were made to Kad in order to defy routing attacks researched by University of Minnesota guys [Peng Wang, James Tyra, Eric Chan-Tin, Tyson Malchow, Denis Foo Kune, Nicholas Hopper, Yongdae Kim], in particular:
.: Kad contacts will only be able to update themself in others routing tables if they provide the proper key (supported by 0.49a+ nodes) in order to make it impossible to hijack them
.: Kad uses now a three-way-handshake (or for older version a similar check) for new contacts, making sure they do not use a spoofed IP
.: Unverified contacts are not used for routing tasks and a marked with a special icon in the GUI

Building Trust in Storage Outsourcing: Secure Accounting of Utility Storage V. Kher and Y. Kim IEEE International Symposium on Reliable Distributed Systems (IEEE SRDS '07)
Exploring In-Situ Sensing Area Modeling for Wireless Sensor Networks J. Hwang, T. He, Y. Kim. ACM Conference on Embedded Networked Sensor Systems (ACM SenSys '07)
Combating doublespending using cooperative P2P systems I. Osipkov, E. Vasserman, N. Hopper and Y. Kim. IEEE Conference on Distributed Computing Systems (IEEE ICDCS '07)
Realistic Sensing Area Modeling. J. Hwang, Y. Gu, T. He, and Y. Kim. IEEE Conference on Computer Communications (IEEE INFOCOM '07)
Detecting Phantom Nodes in Wireless Sensor Networks. J. Hwang, T. He, and Y. Kim. IEEE Conference on Computer Communications (IEEE INFOCOM '07)
Robust Accounting in Decentralized P2P Storage Systems. I. Osipkov, P. Wang, N. Hopper and Y. Kim. IEEE Conference on Distributed Computing Systems (IEEE ICDCS '06)
Authenticated Key-Insulated Public Key Encryption and Timed-Release Cryptography. J.-H. Cheon, N. Hopper, Y. Kim and I. Osipkov. Financial Cryptography and Data Security (FC '06)
Experiences in Building an Object-Based Storage System based on the OSD T-10 Standard D. Du, D. He, C. Hong, J. Jeong, V. Kher, Y. Kim, Y. Lu, A. Raghuveer, S. Sharafkandi NASA/IEEE Conference on Mass Storage Systems and Technologies (MSST '06)
SGFS: Secure, Efficient and Policy-based Global File Sharing (Short Paper) V. Kher, E. Seppanen, C. Leach, Y. Kim NASA/IEEE Conference on Mass Storage Systems and Technologies (MSST '06)
Privacy Protection in PKIs: A Separation-of-Authority Approach. T. Kwon, J. Cheon, Y. Kim, J. Lee International Workshop on Information Security Applications (WISA '06)
Privacy Preserving Nearest Neighbor Search M. Shaneck, Y. Kim, V. Kumar IEEE International Workshop on Privacy Aspects of Data Mining (IEEE PADM '06)
Myrmic: Secure and Robust DHT Routing P. Wang, N. Hopper, I. Osipkov, and Y. Kim UMN DTC Research Report 2006/20, November 2006. 
Strengthening Password-Based Authentication Protocols Against Online Dictionary Attacks P. Wang, Y. Kim, V. Kher, T. Kwon International Conference on Applied Cryptography and Network Security (ACNS '05)
Securing Distributed Storage: Challenges, Techniques, and Systems V. Kher and Y. Kim ACM Workshop On Storage Security and Survivability (ACM StorageSS '05) (invited paper) 
Remote Software-based Attestation for Wireless Sensors M. Shaneck, K. Mahadevan, V. Kher, and Y. Kim. European Conference on Security and Privacy in Ad-Hoc and Sensor Networks (ESAS '05)
A Machine Learning Framework for Network Anomaly Detection using SVM and GA T. Shon, Y. Kim, C. Lee, J. Moon IEEE Information Assurance Workshop (IEEE IAW '05)
On the Performance of Group Key Agreement Protocols Y. Amir, Y. Kim, C. Nita-Rotaru, G. Tsudik ACM Transactions on Information and System Security (ACM TISSEC), Vol. 7, No. 3, Aug. 2004.
Robust Contributory Key Agreement in Secure Spread Y. Amir, Y. Kim, C. Nita-Rotaru, J. Schultz, J. Stanton, G. Tsudik IEEE Transactions on Parallel and Distributed Systems (IEEE TPDS), Vol. 15, No. 5, May 2004.
Communication-Efficient Group Key Agreement Y. Kim, A. Perrig, G. Tsudik IEEE Transactions on Computers (IEEE TC), Vol. 53, No. 7, Jul. 2004.
Tree-based Group Key Agreement Y. Kim, A. Perrig, G. Tsudik ACM Transactions on Information and System Security (ACM TISSEC), Vol. 7, No. 1, Feb. 2004.
Design and implementation of a secure multi-agent marketplace A. Jaiswal, Y. Kim, M. Gini Electronic Commerce Research and Application (ECRA), Volume 3, Issue 4, Winter, Elsevier Science, 2004 
Batch Verifications with ID-Based Signatures H. Yoon, J. Cheon, Y. Kim International Conference on Information Security and Cryptology (ICISC '04) 
Revisiting Random Key Pre-distribution Schemes for Wireless Sensor Networks J. Hwang, Y. Kim ACM Workshop on Security of Ad Hoc and Sensor Networks (ACM SASN ’04). 
Secure Group Key Management for Storage Area Networks Y. Kim, F. Maino, M. Narasimha, K. Rhee, G. Tsudik IEEE Communications Magazine, Vol. 41, No. 8, Aug. 2003. 
Admission Control in Collaborative Groups Y. Kim, D. Mazzochi, G. Tsudik IEEE International Symposium on Network Computing and Applications (IEEE NCA '03)
An Efficient Tree-Based Group Key Agreement Using Bilinear Map. S. Lee, Y. Kim, K. Kim, D. Ryu International Conference on Applied Cryptography and Network Security (ACNS '03)
Decentralized Authentication Mechanism for Object-based Storage Devices V. Kher, Y. Kim IEEE Security in Storage Workshop (IEEE SISW '03)
Security Model for a Multi-Agent Marketplace A. Jaiswal, Y. Kim, M. Gini International Conference on Electronic Commerce (ICEC '03)
Admission Control in Peer Groups Y. Kim, G. Tsudik Large-Scale Network Security Workshop - New Directions in Scalable Cyber-Security in Large-Scale Networks: Deployment Obstacles, Virginia, Mar. 2003
On the Performance of Group Key Agreement Protocols Y. Amir, Y. Kim, C. Nita-Rotaru, G. Tsudik IEEE International Conference on Distributed Computing Systems (IEEE ICDCS '02) 
Secure Group Services for Storage Area Networks Y. Kim, F. Maino, M. Narasimha, G. Tsudik IEEE Security in Storage Workshop (IEEE SISW '02)
Communication-Efficient Group Key Agreement Y. Kim, A. Perrig, G. Tsudik IFIP TC11 Sixteenth International Conference on Information Security (IFIP/SEC '01)
Exploring Robustness in Group Key Agreement Y. Amir, Y. Kim, C. Nita-Rotaru, J. Schultz, J. Stanton and G. Tsudik International Conference on Distributed Computing Systems (IEEE ICDCS '01) Nominated for the best paper award
Simple and Fault-tolerant Group Key Agreement Scheme Y. Kim, A. Perrig, G. Tsudik ACM Conference on Computer and Communications Security (ACM CCS '00)
Secure Group Communication in Asynchronous Networks with Failures: Integration and Experiments Y. Amir, G. Ateniese, D. Hasse, Y. Kim, C. Nita-Rotaru, T. Schlossnagle, J. Schultz, J. Stanton and G. Tsudik International Conference on Distributed Computing Systems (IEEE ICDCS '00)
The Design of a Group Key Agreement API G. Ateniese, O. Chevassut, D. Hasse, Y. Kim and G. Tsudik DARPA Information Survivability Conference and Exposition (DISCEX '00)
On the Design of Stream Ciphers and a Hash Function Suitable to Smart Card Application Y. Kim, S. Lee, and S. Park Smart Card Research and Advanced Application (CARDIS '96)
How to Use Exponent Permutations in Cryptography: Classifications and Applications S. Park, S. Chee, K. Kim, Y. Kim, and S. Lee International Conference on Cryptology and Information Security (CANS '96)
On the Security of Lin-Chang-Lee Public Key Cryptosystem S. Park, Y. Kim, and K. Kim Journal of the Korean Institute of Information Security and Cryptography (JKIISC), 1996.