PhD position in the IoT devices’ supply chain analysis

Cybersecurity Group

Deadline for receipt of applications: October 30, 2024 23:59 AoE (31 October 2024, 13:59h Europe/Madrid Time)

The Cybersecurity (https://networks.imdea.org/es/equipo/grupos-de-investigacion/cybersecurity-group/) and Internet Analytics Groups (https://networks.imdea.org/es/equipo/grupos-de-investigacion/internet-analytics-group/)  at IMDEA Networks Institute have a joint opening for one PhD student in the area of IoT Cybersecurity. The successful candidate will design novel methods for the analysis of vulnerabilities and harmful behaviours in IoT products and their software supply chain in the context of the PARASITE project.

A software bill of materials (SBOM) is a list of the software components in a given project and their corresponding version numbers and other metadata. The SBOM can be used to track updates and known security vulnerabilities for each component in the software project’s dependencies. It is also helpful for auditing purposes as it ensures that only authorized dependencies are included in a software project. However, there is a lack of methods and tools to effectively and accurately detect vulnerable dependencies in IoT products and software.

The candidate will develop and apply scalable and efficient software analysis pipelines enhanced with Machine Learning techniques to 1) identify supply chain elements and dependencies in IoT firmware (e.g., extract Software Bill of Materials, SBOMs), 2) detect and analyze vulnerabilities and weak/malicious actors in the supply chain, and 3) assess products compliance with the requirements of the new EU Cyber Resilience Act.

The candidate will make fundamental contributions to unsolved technical and enforcement challenges that the new EU Cyber Resilience Act will bring and to the long and impactful track records of the IAG and Cybersecurity groups in the field of software analysis, cybersecurity, and privacy [See bibliographic references 1-10 below]. The PhD student will have privileged access to various cutting-edge software analysis tools, and to a big data analysis platform with substantial computing resources for their processing.

The position offers:

  • hands-on training in software analysis and reversing
  • a unique opportunity to work with large-scale IoT firmware and vulnerability databases
  • a vibrant, collaborative, multi-cultural and English-speaking research environment
  • the prospect to publish applied research at top-tier venues in cybersecurity and networking
  • an advantageous path to a successful career in industry or academia [11].
  • the high quality of life of the region of Madrid, Spain.

The position requires:

  • a B.Sc. in Computer Science, Telecommunications or related field, with a solid academic record. Postgraduate studies (holding a M.Sc. or being currently enrolled in one) will be a plus.
  • Good programming skills (e.g., C/C++, Java, and Python) and experience in (or an interest for working in) the area of cybersecurity while conducting practical research.
  • Software and data analysis skills are recommended, especially in the area of static and dynamic analysis of software, binary analysis and reverse engineering.
  • fluency in written and spoken English,
  • enthusiasm for interdisciplinary research with real-world impact.

Inquiries on the position can be directed to the thesis supervisors via email, Dr. Guillermo Suarez-Tangil (guillermo.suarez-tangil “at” imdea.org) or Dr. Narseo Vallina-Rodriguez (narseo.vallina “at” imdea.org)

Candidates shall submit by the call deadline a CV, a motivation letter, and the contact details of two references through the IMDEA Networks Institute hiring portal, at https://careers.networks.imdea.org/.

 

Bibliographic References of Relevant Group Research Outputs:

[1.] “In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes.” A. Girish, T. Hu, V. Prakash, D. J. Dubois, S. Matic, D. Huang, S. Egelman, J. Reardon, J. Tapiador, D. Choffnes, N. Vallina-Rodriguez  In Proc. of the 2023 ACM on Internet Measurement Conference, 2023.

[2.] SkillVet: Automated Traceability Analysis of Amazon Alexa Skills. J. Edu, X. Ferrer-Aran, J. Such, G. Suarez-Tangil. IEEE Trans. on Dependable and Secure Computing. 2022.

[3.]  IoTLS: Understanding TLS Usage in Consumer IoT Devices. M. Paracha, D. Dubois, N. Vallina-Rodriguez, D. Choffnes. Proc. of the ACM IMC, 2021

[4.]  Trouble over-the-air: An analysis of fota apps in the android ecosystem. Blázquez, E., Pastrana, S., Feal, Á., Gamba, J., Kotzias, P., Vallina-Rodriguez, N., & Tapiador, J.  IEEE Symposium on Security and Privacy (SP) 2021

[5.] An Analysis of Pre-installed Android Software. J. Gamba, M. Rashed, A. Razaghpanah, J. Tapiador, N. Vallina-Rodriguez IEEE Symposium on S&P’20 (BEST PRACTICAL PAPER AWARD, AEPD EMILIO ACED AWARD, CNIL-INRIA PRIVACY RESEARCH AWARD)

[6.] Measuring Alexa Skill Privacy Practices Across Three Years. J. Edu, X. Ferrer-Aran, J. Such, G. Suarez-Tangil. ACM Web Conference, 2022

[7.] Exploring the security and privacy risks of chatbots in messaging services J Edu, C Mulligan, F Pierazzi, J Polakis, G Suarez-Tangil, J Such. Proc. ACM IMC 2022

[8.] 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions Systems. J. Reardon, A. Feal, P. Wijesekera, A. Elazari Bar On, N. Vallina-Rodriguez, S. Egelman. USENIX Security, 2019 (USENIX’19 DISTINGUISHED PAPER AWARD, CNIL-INRIA PRIVACY RESEARCH AWARD, AEPD EMILIO ACED)

[9.] Characterizing Linux-based malware: Findings and recent trends. Carrillo-Mondéjar, J.,, Martínez, J.L., Suarez-Tangil, G.. Future Generation Computer Systems, 2020.

[10.] Androdialysis: Analysis of android intent effectiveness in malware detection. Feizollah, A., Anuar, N. B., Salleh, R., Suarez-Tangil, G., & Furnell, S. (2017).  Computers & security, 65, 121-134

[11] https://networks.imdea.org/team/imdea-networks-team/alumni-network

 

This contract is part of the project PID2022-143304OB-I00 (PARASITE) funded by MCIN/AEI /10.13039/501100011033/ and by the ERDF, A way of making Europe

Equal Employment Opportunity:

IMDEA Networks Institute aims to increase the proportion of women and therefore qualified female applicants are explicitly encouraged to apply. Until a balanced ratio of men and women has been achieved at the institute, preference will be given to women if applicants have similar qualifications. IMDEA Networks Institute actively promotes diversity and equal opportunities. Applicants are not to be discriminated against in personnel selection procedures on the grounds of gender, ethnicity, religion or ideology, age, sexual orientation (anti-discrimination). People with disabilities who have the relevant qualifications are expressly invited to apply

Apply Now!
  1. Remember to select the following option: PhD: PhD Student positions [2025]
  2. Deadline for receipt of applications: October 30, 2024 23:59 AoE (31 October 2024, 13:59h Europe/Madrid Time)
  3. If necessary choose as supervisor Guillermo SUAREZ-TANGIL