skip to main content


The NSF Public Access Repository (NSF-PAR) system and access will be unavailable from 11:00 PM ET on Thursday, June 13 until 2:00 AM ET on Friday, June 14 due to maintenance. We apologize for the inconvenience.

Search for: All records

Creators/Authors contains: "Xiao, Yang"

Note: When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval).
What is a DOI Number?

Some links on this page may take you to non-federal websites. Their policies may differ from this site.

  1. Free, publicly-accessible full text available April 1, 2025
  2. Mobile tracking has long been a privacy problem, where the geographic data and timestamps gathered by mobile network operators (MNOs) are used to track the locations and movements of mobile subscribers. Additionally, selling the geolocation information of subscribers has become a lucrative business. Many mobile carriers have violated user privacy agreements by selling users’ location history to third parties without user consent, exacerbating privacy issues related to mobile tracking and profiling. This paper presents AAKA, an anonymous authentication and key agreement scheme designed to protect against mobile tracking by honest-but-curious MNOs. AAKA leverages anonymous credentials and introduces a novel mobile authentication protocol that allows legitimate subscribers to access the network anonymously, without revealing their unique (real) IDs. It ensures the integrity of user credentials, preventing forgery, and ensures that connections made by the same user at different times cannot be linked. While the MNO alone cannot identify or profile a user, AAKA enables identification of a user under legal intervention, such as when the MNOs collaborate with an authorized law enforcement agency. Our design is compatible with the latest cellular architecture and SIM standardized by 3GPP, meeting 3GPP’s fundamental security requirements for User Equipment (UE) authentication and key agreement processes. A comprehensive security analysis demonstrates the scheme’s effectiveness. The evaluation shows that the scheme is practical, with a credential presentation generation taking∼ 52 ms on a constrained host device equipped with a standard cellular SIM. 
    more » « less
    Free, publicly-accessible full text available February 26, 2025
  3. Recent studies have shown that compromising Bitcoin’s peer-to-peer network is an effective way to disrupt the Bitcoin service. While many attack vectors have been uncovered such as BGP hijacking in the network layer and eclipse attack in the application layer, one significant attack vector that resides in the transport layer is largely overlooked. In this paper, we investigate the TCP vulnerabilities of the Bitcoin system and their consequences. We present Bijack, an off-path TCP hijacking attack on the Bitcoin network that is able to terminate Bitcoin connections or inject malicious data into the connections with only a few prior requirements and a limited amount of knowledge. This results in the Bitcoin network topology leakage, and the Bitcoin nodes isolation. 
    more » « less
    Free, publicly-accessible full text available January 12, 2025
  4. Abstract

    Skin‐interfaced high‐sensitive biosensing systems to detect electrophysiological and biochemical signals have shown great potential in personal health monitoring and disease management. However, the integration of 3D porous nanostructures for improved sensitivity and various functional composites for signal transduction/processing/transmission often relies on different materials and complex fabrication processes, leading to weak interfaces prone to failure upon fatigue or mechanical deformations. The integrated system also needs additional adhesive to strongly conform to the human skin, which can also cause irritation, alignment issues, and motion artifacts. This work introduces a skin‐attachable, reprogrammable, multifunctional, adhesive device patch fabricated by simple and low‐cost laser scribing of an adhesive composite with polyimide powders and amine‐based ethoxylated polyethylenimine dispersed in the silicone elastomer. The obtained laser‐induced graphene in the adhesive composite can be further selectively functionalized with conductive nanomaterials or enzymes for enhanced electrical conductivity or selective sensing of various sweat biomarkers. The possible combination of the sensors for real‐time biofluid analysis and electrophysiological signal monitoring with RF energy harvesting and communication promises a standalone stretchable adhesive device platform based on the same material system and fabrication process.

    more » « less
    Free, publicly-accessible full text available April 18, 2025
  5. Single sign-on (SSO) has provided convenience to users in the web domain as it can authorize a user to access various resource providers (RPs) using the identity provider (IdP)'s unified authentication portal. However, SSO also faces security problems including IdP single-point failure and the privacy associated with identity linkage. In this paper, we present the initial design of an alternative SSO solution called VC-SSO to address the security and privacy problems while preserving SSO's usability. VC-SSO leverages the recently emerged decentralized identifier (DID) and verifiable credential (VC) framework in that a user only needs to authenticate with the IdP once to obtain a VC and then may generate multiple verifiable presentations (VPs) from the VC to access different RPs. This is based on the design that each RP has established a smart contract with the IdP specifying the service agreement and the VP schema for user authorization. We hope the proposed VC-SSO design marks the first step toward a future SSO system that provides strong reliability and privacy to users under adversarial conditions. 
    more » « less
    Free, publicly-accessible full text available November 26, 2024
  6. Abstract Developing an eco-friendly, efficient, and highly selective gold-recovery technology is urgently needed in order to maintain sustainable environments and improve the utilization of resources. Here we report an additive-induced gold recovery paradigm based on precisely controlling the reciprocal transformation and instantaneous assembly of the second-sphere coordinated adducts formed between β-cyclodextrin and tetrabromoaurate anions. The additives initiate a rapid assembly process by co-occupying the binding cavity of β-cyclodextrin along with the tetrabromoaurate anions, leading to the formation of supramolecular polymers that precipitate from aqueous solutions as cocrystals. The efficiency of gold recovery reaches 99.8% when dibutyl carbitol is deployed as the additive. This cocrystallization is highly selective for square-planar tetrabromoaurate anions. In a laboratory-scale gold-recovery protocol, over 94% of gold in electronic waste was recovered at gold concentrations as low as 9.3 ppm. This simple protocol constitutes a promising paradigm for the sustainable recovery of gold, featuring reduced energy consumption, low cost inputs, and the avoidance of environmental pollution. 
    more » « less
    Free, publicly-accessible full text available December 1, 2024
  7. Free, publicly-accessible full text available August 1, 2024
  8. Telephone users are receiving more and more unwanted calls including spam and scam calls because of the transfer-without-verification nature of global telephone networks, which allows anyone to call any other numbers. To avoid unwanted calls, telephone users often ignore or block all incoming calls from unknown numbers, resulting in the missing of legitimate calls from new callers. This paper takes an end-to-end perspective to present a solution to block unwanted calls while allowing users to define the policies of acceptable calls. The proposed solution involves a new infrastructure based on anonymous credentials, which enables anonymous caller authentication and policy definition. Our design decouples caller authentication and call session initiation and introduces a verification code to interface and bind the two processes. This design minimizes changes to telephone networks, reduces latency to call initiation, and eliminates the need for a call-time data channel. A prototype of the system is implemented to evaluate its feasibility. 
    more » « less
    Free, publicly-accessible full text available August 9, 2024
  9. With the proliferation of autonomous safety-critical cyber-physical systems (CPS) in our daily life, their security is becoming ever more important. Remote attestation is a powerful mechanism to enable remote verification of system integrity. While recent developments have made it possible to efficiently attest IoT operations, autonomous systems that are built on top of real-time cyber-physical control loops and execute missions independently present new unique challenges. In this paper, we formulate a new security property, Realtime Mission Execution Integrity (RMEI) to provide proof of correct and timely execution of the missions. While it is an attractive property, measuring it can incur prohibitive overhead for the real-time autonomous system. To tackle this challenge, we propose policy-based attestation of compartments to enable a trade-off between the level of details in measurement and runtime overhead. To further minimize the impact on real-time responsiveness, multiple techniques were developed to improve the performance, including customized software instrumentation and timing recovery through re-execution. We implemented a prototype of ARI and evaluated its performance on five CPS platforms. A user study involving 21 developers with different skill sets was conducted to understand the usability of our solution. 
    more » « less
    Free, publicly-accessible full text available August 9, 2024