msc brainstorm: node hijacking protection for embedded devices using TinyML #8157
Proposal: A Privacy-Preserving Digital Identity System Using DNA Passports and Physical Unclonable Functions (PUFs)
Objectives
Possible Methodology
Expected Outcomes ???
Secure, Decentralized Identity System: A privacy-centric identity model that binds user DNA with device-specific PUF authentication, creating a robust, decentralized system for IoT security.
To explore: Multi-layered/fine-grain hierarchies may be a nice addition as many authentication systems work more like "I am this device" instead of "I own this device".
Potential Impact
|
Very scary 😨 😮 😨 Solid science for "identity of the future" in a world that is slowly collapsing into chaos.
Passport 2050
Advice: re-write. Example:
|
13/11/2024: A bit of literature review
Lots of DNA is non-coding DNA (does not encode protein sequences), however the 1% that does is interesting.
Concept: Protein-Based DNA Signature Generator
Problems:
DNA encoding schemes herald a new age in cybersecurity for safeguarding digital assets
Cyber Attacks on Power System Automation and Protection and Impact Analysis
A novel DNA-based key scrambling technique for image encryption |
Thesis Brainstorm III
"Purple teaming of the upcoming EU EBSI passport-grade digital identity"
SIEM tools provide forensics, not just an intrusion detection system. This project uses a "capture the flag" experience. This angle uses the hard work of building tooling, new defences, reference architecture, security audit, and possibly new attacks. Security audit should not be in the old format of this vulnerability, this config detail. This project will provide a state-of-the-art security audit with risk assessment. For instance, in the scenario that EBSI provides foundation for the digital Euro it impacts risk tolerance. Each deployment level will be analysed, including facilitating tokenization. (blue teaming stuff). Your thesis does not critically depend on successfully breaking EBSI security, but you meticulously create the ecosystem for breaking it. Then you can also propose a security fix.
Little investigation shows three unresolved active vulnerabilities to Hyperledger Besu ecosystem 😱 Client has incorrect conversion. Server side has critical error in 32 bit signed and unsigned types in the calculation of available gas.
ToDo:
|
https://www.geeksforgeeks.org/hyperledger-besu-in-blockchain/#limitations-of-hyperledger-besu Brainstorm:
Quantum Threats: Many blockchain systems (Besu too) use cryptographic algorithms/signatures that will eventually become obsolete in a post-quantum world.
Post-Quantum Cryptographic Algorithms: Lattice-Based Cryptography
Besu platform's (base platform for EBSI, "The first public sector blockchain infrastructure in Europe") number 1 contributor works at Consensys (company which also owns MetaMask and an asteroid mining company?)
Resolution: too speculative and the threat model a little questionable as current crypto is STILL STRONG and there is a high chance it will work in the future as public/private key is tested for 50+ years AND... we still have today's problems that need to be taken care of (identity issues, threat actors tracking, etc.)
2. Interoperability and Cross-System Security
How to make Besu Hyperledger be interoperable with other blockchains?
Traditional SIEMs: Tools like Splunk, Elastic Stack (ELK), and Graylog are adapted for blockchain monitoring by applying custom rules. Let's try to make something for blockchain specific such as logs, event correlation, not AI preferably. Try to protect the root of trust of Europe from vulnerable base platform (Besu). Detach from the untrustworthy platform and create a layer of security.
Sprint focus:
URGENCY MODE ON: Time to focus as the graduation deadline is around July 2025! |
Quite a discovery, Hyperledger Besu is captured by Consensys, all top-4 devs. This is an aggressive company, loaded with cash and history of various borderline illegal behaviours. Solid thesis material, turning the Besu untrustworthy platform into the EU EBSI root-of-trust for passport-grade identities. 😨 |
Sprint update:
Lab setup - (I hope soon to be) similar to EBSI
Besu Hyperledger versions in use:
Ongoing: replicate attacks (including CVE-2022-36025, resource exhaustion, etc.)
Some ideas from this sprint:
"Dynamic runtime complexity throttling in a permissioned Besu-based network"
Related tools and papers: Slither - Solidity contract static analyzer (loops, re-entrancy patterns, etc.)
Random ideas:
General opinion after 1-2 weeks of working with it: Not too bad, even decent tool, backed up by lots of money. Complicated to set up and a little too "large" in features but overall a decent, enterprise level tool. I do not think there is enough evidence to focus on Besu's infrastructure/vulnerability finding in a master's thesis as it is enterprise level. Doing SIEM Tooling seems the best way for "hardening the root of trust".
Next sprint: SimTools for blockchain on the setup
|
For next sprint. Get Top-3 SIEM tools running. ELK stack, Prometheus, Graylog, Splunk, etc.? |
Brainstorm: Not afraid of assembly! Defend: July 2025. PhD ambition?!
First, describe the scope and past occurrences of node hijacks.
From SolarWinds to the recent 1.3 million Android TVs in a botnet. Do you aim to protect from unzip fail of firmware update?
Security frameworks. Sandbox where you can run anything. IoT device, build Raspberry Pi with TinyML as exemplary use-case?
ToDo
Other ideas:
https://www.enisa.europa.eu/publications/eidas-compliant-eid-solutions/@@download/fullReport
Zero-Trust Architecture for Legal Entities
update: Cars now have firmware and secure boot. In line with your 'hacking' passion. Toyota cars get stolen using CANbus attack. There is a Tesla bug hunting bounty. Smartphone app opens your car, passport-grade authentication. Link to insurance and question who was driving the car when damage occurred?? 🤔 (more US thing versus EU where things are decently organised). The science: protecting high-value 'portable' computers and firmware {zero-trust}.
update2: V2X tech for "car wifi" in 5.9 GHz band. Police remotely stopping a car is no longer the realm of Sci-Fi movies. See the trail of a "remote car stopping" from the Czech Technical University in Prague and the BUT in Brno and PR stuff from the USA.
ToDo: a draft 1-page research proposal (e.g. the science focus side)