PhD position in the analysis of IoT Firmware and its supply chain

Cybersecurity Group

Deadline for receipt of applications: April 14, 2024 23:59 AoE (15 April 2024, 13:59h Europe/Madrid Time)

The Cybersecurity and Internet Analytics Groups  at IMDEA Networks Institute has a joint opening for one PhD student in the area of IoT Cybersecurity. The successful candidate will analyse large-scale firmware images to detect vulnerabilities and harmful behaviours in IoT products and their software supply chain in the context of the PARASITE project.

The candidate will develop and apply scalable and efficient static and dynamic software analysis pipelines enhanced with Machine Learning techniques to 1) identify supply chain elements and dependencies in IoT firmware (Software Bill of Materials, SBOMs), 2) detect and analyze vulnerabilities and weak/malicious actors in the supply chain, 3) assess products compliance with the requirements of the new EU Cyber Resilience Act, or 4) produce empirical models to inform potential mitigations and certification and risk management methods.

The candidate will make fundamental contributions to unsolved technical and enforcement challenges that the new EU Cyber Resilience Act will bring and to the long and impactful track records of the IAG and Cybersecurity groups in the field of software analysis, cybersecurity, and privacy [See bibliographic references 1-10 below]. The PhD student will have privileged access to various cutting-edge software analysis tools, and to a big data analysis platform with substantial computing resources for their processing.

 The position offers:

• hands-on training in software analysis and reversing
• a unique opportunity to work with large-scale IoT firmware and vulnerability databases
• a vibrant, collaborative, multi-cultural and English-speaking research environment
• the prospect to publish applied research at top-tier venues in cybersecurity and networking
• an advantageous path to a successful career in industry or academia [11].
• the high quality of life of the region of Madrid, Spain.

The position requires:

• a B.Sc. in Computer Science, Telecommunications or related field, with a solid cademic record. Postgraduate studies (holding a M.Sc. or being currently enrolled in one) will be a plus.
• Good programming skills (e.g., C/C++, Java, and Python) and experience in (or an interest for working in) the area of cybersecurity while conducting practical research.
• Software and data analysis skills are recommended, especially in the area of static and dynamic analysis of software, binary analysis and reverse engineering.
• fluency in written and spoken English,
• enthusiasm for interdisciplinary research with real-world impact.

Inquiries on the position can be directed to the thesis supervisors via email, Dr. Guillermo Suarez-Tangil (guillermo.suarez-tangil “at” imdea.org) or Dr. Narseo Vallina-Rodriguez (narseo.vallina “at” imdea.org)

Candidates shall submit by the call deadline a CV, a motivation letter, and the contact details of two references through the IMDEA Networks Institute hiring portal, at https://careers.networks.imdea.org/.

Bibliographic References of Relevant Group Research Outputs:

[1.] “In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes.” A. Girish, T. Hu, V. Prakash, D. J. Dubois, S. Matic, D. Huang, S. Egelman, J. Reardon, J. Tapiador, D. Choffnes, N. Vallina-Rodriguez  In Proc. of the 2023 ACM on Internet Measurement Conference, 2023.

[2.] SkillVet: Automated Traceability Analysis of Amazon Alexa Skills. J. Edu, X. Ferrer-Aran, J. Such, G. Suarez-Tangil. IEEE Trans. on Dependable and Secure Computing. 2022.

[3.]  IoTLS: Understanding TLS Usage in Consumer IoT Devices. M. Paracha, D. Dubois, N. Vallina-Rodriguez, D. Choffnes. Proc. of the ACM IMC, 2021

[4.]  Trouble over-the-air: An analysis of fota apps in the android ecosystem. Blázquez, E., Pastrana, S., Feal, Á., Gamba, J., Kotzias, P., Vallina-Rodriguez, N., & Tapiador, J.  IEEE Symposium on Security and Privacy (SP) 2021

[5.] An Analysis of Pre-installed Android Software. J. Gamba, M. Rashed, A. Razaghpanah, J. Tapiador, N. Vallina-Rodriguez IEEE Symposium on S&P’20 (BEST PRACTICAL PAPER AWARD, AEPD EMILIO ACED AWARD, CNIL-INRIA PRIVACY RESEARCH AWARD)

[6.] Measuring Alexa Skill Privacy Practices Across Three Years. J. Edu, X. Ferrer-Aran, J. Such, G. Suarez-Tangil. ACM Web Conference, 2022

[7.] Exploring the security and privacy risks of chatbots in messaging services J Edu, C Mulligan, F Pierazzi, J Polakis, G Suarez-Tangil, J Such. Proc. ACM IMC 2022

[8.] 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions Systems. J. Reardon, A. Feal, P. Wijesekera, A. Elazari Bar On, N. Vallina-Rodriguez, S. Egelman. USENIX Security, 2019 (USENIX’19 DISTINGUISHED PAPER AWARD, CNIL-INRIA PRIVACY RESEARCH AWARD, AEPD EMILIO ACED)

[9.] Characterizing Linux-based malware: Findings and recent trends. Carrillo-Mondéjar, J.,, Martínez, J.L., Suarez-Tangil, G.. Future Generation Computer Systems, 2020.

[10.] Androdialysis: Analysis of android intent effectiveness in malware detection. Feizollah, A., Anuar, N. B., Salleh, R., Suarez-Tangil, G., & Furnell, S. (2017).  Computers & security, 65, 121-134

[11] https://networks.imdea.org/team/imdea-networks-team/alumni-network

  This contract is part of the project PID2022-143304OB-I00 (PARASITE) funded by MCIN/AEI /10.13039/501100011033/ and by the ERDF, A way of making Europe.

Equal Employment Opportunity

IMDEA Networks Institute aims to increase the proportion of women and therefore qualified female applicants are explicitly encouraged to apply. Until a balanced ratio of men and women has been achieved at the institute, preference will be given to women if applicants have similar qualifications. IMDEA Networks Institute actively promotes diversity and equal opportunities. Applicants are not to be discriminated against in personnel selection procedures on the grounds of gender, ethnicity, religion or ideology, age, sexual orientation (anti-discrimination). People with disabilities who have the relevant qualifications are expressly invited to apply.