The phenomenal growth of the Internet of Things (IoT) has highlighted the security and privacy concerns associated with these devices. The research literature on the security architectures of IoT makes evident that we need to define and formalize a framework to secure the communications among these devices. To do so, it is important to focus on a zero-trust framework that will work on the principle premise of "trust no one, verify everyone" for every request and response.

In this thesis, we emphasize the immediate need for such a framework and propose a zero-trust communication model for IoT that addresses security and privacy concerns. We employ the existing cryptographic techniques to implement the framework so that it can be easily integrated into the current network infrastructures. The framework provides an end-to-end security framework for users and devices to communicate with each other privately. It is often stated that it is difficult to implement high-end encryption algorithm within the limited resource of an IoT device. For our work, we built a temperature and humidity sensor using NodeMCU V3 and were able to implement the framework and successfully evaluate and document its efficient operation. We defined four areas for evaluation and validation, namely, security of communications, memory utilization of the device, response time of operations, and cost of its implementation. For every aspect we defined a threshold to evaluate and validate our findings. The results are satisfactory and are documented. Our framework provides an easy-to-use solution where the security infrastructure acts as a backbone for every communication to and from the IoT devices.

Program size and complexity have dramatically increased over time.  To reduce their work-load, developers began to utilize package managers.  These packages managers allow third-party functionality, contained in units called packages, to be quickly imported into a project.  Due to their utility, packages have become remarkably popular. The largest package repository, npm, has more than 1.2 million publicly available packages and serves more than 80 billion package downloads per month.  In recent years,  this popularity has attracted the attention of malicious users. Attackers have the ability to upload packages which contain malware. To increase the number of victims, attackers regularly leverage a tactic called typosquatting, which involves giving the malicious package a name that is very similar to the name of a popular package.  Users who make a typo when trying to install the popular package fall victim to the attack and are instead served the malicious payload. The consequences of typosquatting attacks can be catastrophic. Historical typosquatting attacks have exported passwords, stolen cryptocurrency, and opened reverse shells.This thesis focuses on typosquatting attacks in package repositories.  It explores the extent to which typosquatting exists in npm and PyPI (the de facto standard package repositories for Node.js and Python, respectively), proposes a practical defense against typosquatting attacks, and quantifies the efficacy of the proposed defense.  The presented solution incurs an acceptable temporal overhead of 2.5% on the standard package installation process and is expected to affect approximately 0.5% of all weekly package downloads. Furthermore, it has been used to discover a particularly high-profile typosquatting perpetrator, which was then reported and has since been deprecated by npm.  Typosquatting is an important yet preventable problem.  This thesis recommends pack-ages creators to protect their own packages with a technique called defensive typosquatting and repository maintainers to protect all users through augmentations to their package managers or automated monitoring of the package namespace.

High-order numerical methods for solving PDEs have the potential to deliver higher solution accuracy at a lower cost than their low-order counterparts.  To fully leverage these high-order computational methods, they must be paired with a discretization of the domain that accurately captures key geometric features.  In the presence of curved boundaries, this requires a high-order curvilinear mesh.  Consequently, there is a lot of interest in high-order mesh generation methods.  The majority of such methods warp a high-order straight-sided mesh through the following three step process.  First, they add additional nodes to a low-order mesh to create a high-order straight-sided mesh.  Second, they move the newly added boundary nodes onto the curved domain (i.e., apply a boundary deformation).  Finally, they compute the new locations of the interior nodes based on the boundary deformation.  We have developed a mesh warping framework based on optimal weighted combinations of nodal positions.  Within our framework, we develop methods for optimal affine and convex combinations of nodal positions, respectively.  We demonstrate the effectiveness of the methods within our framework on a variety of high-order mesh generation examples in two and three dimensions.  As with many other methods in this area, the methods within our framework do not guarantee the generation of a valid mesh.  To address this issue, we have also developed two high-order mesh untangling methods.  These optimization-based untangling methods formulate unconstrained optimization problems for which the objective functions are based on the unsigned and signed angles of the curvilinear elements.  We demonstrate the results of our untangling methods on a variety of two-dimensional triangular meshes.

Scheduling of real-time tasks involves analytically determining whether each task in a group of periodic tasks can finish before its deadline. This problem is well understood for unicore platforms and there are exact schedulability tests which can be used for this purpose. However, in multicore platforms, sharing of hardware resources between simultaneously executing real-time tasks creates non-deterministic coupling between them based on their requirement of the shared hardware resource(s) which significantly complicates the schedulability analysis. The standard practice is to over-estimate the worst-case execution time (WCET) of the real-time tasks, by a constant factor (e.g, 2x), when determining schedulability on these platforms. Although widely used, this practice has two serious flaws. Firstly, it can make the schedulability analysis overly pessimistic because all tasks do not interfere with each other equally. Secondly, recent findings have shown that for tasks that do get affected by shared resource interference, they can experience extreme (e.g., >300X) WCET increases on commercial-of-the-shelf (COTS) multicore platforms, in which case, a schedulability analysis incorporating a blanket interference factor of 2x for every task cannot give accurate results. Apart from the problem of WCET estimation, the established schedulability analyses for multicore platforms are inherently pessimistic due to the effect of carry-in jobs from high priority tasks. Finally, the increasing integration of hardware accelerators (e.g., GPU) on SoCs complicates the problem further because of the nuances of scheduling on these devices which is different from traditional CPU scheduling.

In the wake of the Facebook data breach scandal, users begin to realize how vulnerable their per-sonal data is and how blindly they trust the online social networks (OSNs) by giving them an inordinate amount of private data that touch on unlimited areas of their lives. In particular, stud-ies show that users sometimes reveal too much information or unintentionally release regretful messages, especially when they are careless, emotional, or unaware of privacy risks. Additionally, friends on social media platforms are also found to be adversarial and may leak one’s private in-formation. Threats from within users’ friend networks – insider threats by human or bots – may be more concerning because they are much less likely to be mitigated through existing solutions, e.g., the use of privacy settings. Therefore, we argue that the key component of privacy protection in social networks is protecting sensitive/private content, i.e. privacy as having the ability to control dissemination of information. A mechanism to automatically identify potentially sensitive/private posts and alert users before they are posted is urgently needed.

In this dissertation, we propose a context-aware, text-based quantitative model for private information assessment, namely PrivScore, which is expected to serve as the foundation of a privacy leakage alerting mechanism. We first solicit diverse opinions on the sensitiveness of private information from crowdsourcing workers, and examine the responses to discover a perceptual model behind the consensuses and disagreements. We then develop a computational scheme using deep neural networks to compute a context-free PrivScore (i.e., the “consensus” privacy score among average users). Finally, we integrate tweet histories, topic preferences and social contexts to generate a per-sonalized context-aware PrivScore. This privacy scoring mechanism could be employed to identify potentially-private messages and alert users to think again before posting them to OSNs. Such a mechanism could also benefit non-human users such as social media chatbots.​

Dynamic binary translation is the process of translating instruction code from one architecture to another while it executes, i.e., dynamically. As modern applications are becoming larger, more complex and more dynamic, the tools to manipulate these programs are also becoming increasingly complex. DynamoRIO is one such dynamic binary translation tool that targets the most common IA-32 (a.k.a. x86) architecture on the most popular operating systems - Windows and Linux. DynamoRIO includes applications ranging from program analysis and understanding to profiling, instrumentation, optimization, improving software security, and more. However, even considering all of these optimization techniques, DynamoRIO still has the limitations of performance and memory usage, which restrict deployment scalability. The goal of my thesis is to break down the various aspects which contribute to the overhead burden and evaluate which factors directly contribute to this overhead. This thesis will discuss all of these factors in further detail. If the process can be streamlined, this application will become more viable for widespread adoption in a variety of areas. We have used industry standard Mi benchmarks in order to evaluate in detail the amount and distribution of the overhead in DynamoRIO. Our statistics from the experiments show that DynamoRIO executes a large number of additional instructions when compared to the native execution of the application. Furthermore, these additional instructions are involved in building the basic blocks, linking, trace creation, and resolution of indirect branches, all of which in return contribute to the frequent exiting of the code cache. We will discuss in detail all of these overheads, show statistics of instructions for each overhead, and finally show the observations and analysis in this defense.

The Internet of Things is been a rapidly growing field that offers improved data collection, analysis and automation as solutions for everyday problems. A smart-city is one major example where these solutions can be applied to issues with urbanization. And while these solutions can help improve the quality of live of the citizens, there are always security & privacy risks. Data collected in a smart-city can infringe upon the privacy of users and reveal potentially harmful information. One example is a surveillance system in a smart city. Research shows that people are less likely to commit crimes if they are being watched. Video footage can also be used by law enforcement to track and stop criminals. But it can also be harmful if accessible to untrusted users. A malicious user who can gain access to a surveillance system can potentially use that information to harm others. There are researched methods that can be used to encrypt the video feed, but then it is only accessible to the system owner. Polls show that public opinion of surveillance systems is declining even if they provide increased security because of the lack of transparency in the system. Therefore, it is vital for the system to be able to do its intended purpose while also preserving privacy and holding malicious users accountable. 

To help resolve these issues with privacy & accountability and to allow for collaboration, we propose Corvus, an IoT surveillance system that targets smart communities. Corvus is a collaborative blockchain based surveillance system that uses context-based image captioning to anonymously describe events & people detected. These anonymous captions are stored on the immutable blockchain and are accessible by other users. If they find the description from another camera relevant to their own, they can request the raw video footage if necessary. This system supports collaboration between cameras from different networks, such as between two neighbors with their own private camera networks. This paper will explore the design of this system and how it can be used as a privacy-preserving, but translucent & accountable approach to smart-city surveillance. Our contributions include exploring a novel approach to anonymizing detected events and designing the surveillance system to be privacy-preserving and collaborative.