Improving security for Internet of Things with “big-thinking” research

One aspect of the research at KU will investigate solutions to “side-channel attacks,” which include Spectre and Meltdown, vulnerabilities recently revealed to exist in central processor computer chips manufactured in the past two decades.

“A side-channel attack is a way of communicating that’s unintended,” Alexander said. “When you go on your web browser to a website, that path is intended. Unfortunately, in any computer system there are ways to communicate that are unintended. Those are side-channel attacks. A bad guy can use these vulnerabilities in everything from a state-sponsored attack to taking credit card numbers.”

Other efforts will focus on securing information in the cloud, where data is saved on remote servers instead of a personal or local machine.

“Almost all IoT devices share or store their information in the cloud,” said Alexander. “If you have an IoT in your house, you probably have a hub that talks to the cloud. How do you protect the information coming from your house, take it into the cloud and protect it while it’s there?”

The team also plans to find ways to enhance resilience, improving IoT devices’ ability to withstand unforeseen interruptions, or come back online as soon as interruptions are solved.

“If you think about a car hitting a telephone pole or a switch going bad or a lightning strike — this pulls part of your network offline,” Alexander said. “Resilience means understanding what capabilities you still have when part of your system goes down and making sure your network can recover once the problem is fixed. You as a human being are very resilient. When you cut your finger making dinner, you don’t collapse. Your skin grows back — in a week you don’t even know it happened. What properties does your skin exhibit that we could take and put in computer systems that would allow them to behave in a similar way?”

Alexander and his colleagues also hope to improve trust between computers in ways that theoretically could scale upward to encompass all the computers on the internet.

“When my computer accesses another computer, how do I trust that computer to be in a good state?” he asked. “If you and I wanted our computers to talk, and I wanted to trust your computer hadn’t been damaged or compromised in some way, that’s doable. Now, think about all the computers on a college campus — that’s still tiny. Now think about all the computers in the world, that’s different. Originally, you could draw all the nodes for the entire internet on the back of a napkin. Now we don’t even know how big it is, it’s so expansive and pervasive.”

Much of the work under the new contract combines expertise in computing and communications with multidisciplinary expertise in human behavior and thinking.

“A lot of cybersecurity is related to human behavior — things as simple as are you using strong passwords, or how are you using the internet?” said Alexander.

Alexander credits interdisciplinary centers at KU, such as ITTC, with bringing together investigators from a wide spectrum of academic specialties around a common set of problems, such as security of the IoT.

“We have people in research centers who otherwise may not talk to each other,” he said. “But when the NSA call for proposals came out, I had a team from departments across campus in my head in an hour — I knew on a first-name basis the people who could help out. That’s way ahead of most places. KU’s prominence as a liberal arts institution made a huge contribution.”

The work builds on Alexander’s decade-long experience working on projects with the NSA, as well as a Scholarship for Service program with the NSF. Much of the work under the new effort will help train the next generation of cybersecurity experts and extend their knowledge into the private sector in the region and nationally.

“The majority of our funding goes for research assistants,” Alexander said. “That’s typical for all of our awards. One objective for the NSA is building a cybersecurity community. We will hold a workshop once a year on the Edwards Campus that does outreach to companies that have an interest in the cybersecurity area. We want to bring in companies that we feel are underserved. Part of that will include tutorials and student presentations. Training graduate students and getting them out in the community is something the NSA wants us to do.”