Strengthening Cybersecurity through Research

Singapore Management University’s Secure Mobile Centre – Tackling cybersecurity risks in mobile computing.

Mobile computing has become a fundamental feature in modern-day life as people develop an unprecedented reliance on smartphones and tablets. However, along with their ubiquity comes a host of risks that can affect personal privacy, sensitive corporate information and even national security.

Professor Robert Deng from the Singapore Management University (SMU) School of Information Systems (SIS) believes that current approaches to mobile computing security have been ineffective because they fail to consider differences between platforms and applications.

“Mobile devices are power- and resource-limited compared to desktop computers due to their smaller sizes. They are open to more channels such as mobile networks, Bluetooth, Wi-Fi and storage cards. They also have increased functionality due to their ability to download applications. The mobility, connectivity and extensibility of mobile devices mean they require targeted and efficient security solutions,” says Professor Deng, who is also the director of SMU’s Secure Mobile Centre (SMC).

This calls for a new approach to security research in mobile computing, one that he and his colleagues at the SMC aim to develop.

Securing platforms and data

Launched in February 2015, the SMC is funded by Singapore’s National Research Foundation under the National Cybersecurity Research and Development Programme. The centre conducts research under three inter-related programmes, each led by professors from SIS.

Helmed by Associate Professor Ding Xuhua, the Mobile Platform Security Programme aims to design a hardware-protected secure environment for mobile devices to safeguard the code, data and execution integrity of critical mobile apps under a compromised operating system.

Associate Professor Gao Debin heads the Mobile Application Security Programme, which studies how mobile malware spreads and how to effectively detect and contain it to minimise damage.

The Mobile Internet Service Security Programme comprises two projects. Led by Professors Robert Deng and Pang Hwee Hwa, the first project focuses on developing practical and secure solutions for sharing encrypted data in the cloud.

“Cloud data storage is becoming increasingly popular. However, since software systems are not guaranteed to be bug-free and hardware platforms are not under the direct control of data owners in the cloud, security risks are abundant. A common solution to mitigate users’ privacy concerns is to encrypt their data before it reaches the cloud. This keeps the data private even if service provider systems are compromised or untrusted,” says Professor Deng.

However, he notes that it is extremely challenging to share large amounts of data that are encrypted using traditional techniques because of the difficulty in distributing decryption keys and managing decryption key revocations. For example, when people leave an organisation, their decryption keys must be revoked so they are no longer able to access the organisation’s data.

The SMC has filed a patent on a new technique that will allow individuals and organisations to share their encrypted data in the cloud in a scalable and efficient manner. This new technique allows efficient decryption on mobile devices and supports user revocation in real-time.

The second project, which is headed by Associate Professor Li Yingjiu, focuses on designing secure and usable authentication systems for mobile users.

Mobile platforms that authenticate the face of a legitimate user are not new. They are an attractive alternative to passwords, which are often difficult to remember. However, most face-authentication systems currently in use are intrinsically vulnerable to forgery by means of photos or videos of the legitimate user.

To overcome this problem, researchers at the SMC have developed FaceLive, a system that can differentiate between a photograph or video of a user and a “live” user. FaceLive corroborates facial video information with live motion data from the mobile device to verify an actual live feed from the user. It uses a front-facing camera, an accelerometer and a gyroscope to detect three-dimensional characteristics of a live user’s face by measuring the consistency between head movements captured in a video and those captured through sensors in the mobile device.

FaceLive simply requires users to hold and move their mobile device in front of their face while the front-facing camera captures a video of their face and the sensors simultaneously record motion data about their device. A live user is authenticated if changes in head movement in the video are consistent with movements captured by the device. According to Professor Deng, FaceLive can operate under complex lighting conditions and compensate for a range of cumulative errors that can happen while detecting head movements during face authentication.

Like most systems, FaceLive could be vulnerable to sophisticated attacks, but the system is an improvement on current face-detection software. “Our technique significantly raises the bar for adversaries to perform attacks,” says Professor Li.

Supporting Singapore’s technology aims

Singapore aims to establish itself as a Smart Nation by tapping into the vast potential of technology. “Mobile computing security is an important aspect, for it is essential to ensuring service continuity, integrity and privacy. The application of SMC’s work will also be relevant for a wide range of services ranging from emergency response to critical infrastructure monitoring, e-commerce to e-government services, and strengthening social networks to care for an ageing population,” notes Professor Deng.

He adds that cybersecurity research is inherently multidisciplinary for it involves cryptography, software, hardware, multimedia processing, human-computer interaction, computational cognitive modelling and security policies.

In view of this, the SMC is working closely with key industry players, including ST Electronics (a subsidiary of ST Engineering); international digital security company Gemalto, which produces SIM cards; telecommunications company StarHub; and computer security firm McAfee Singapore, which is now part of the Intel Security Group.

To bridge research outcomes with practical needs, SMC also collaborates with various government agencies, including the Infocomm Development Authority, the Defence Science and Technology Agency, and the Monetary Authority of Singapore.

SMC’s principal investigators have held in-depth discussions with these government agencies to align their research with Singapore’s technological needs. “The team works very closely with industrial partners and end-user organisations to ensure that the project research and development deliverables not only have excellent academic value but can also be integrated into products and operational systems to create practical value of considerable impact,” says Professor Deng.