Deadline for receipt of applications: October 30, 2024 23:59 AoE (31 October 2024, 13:59h Europe/Madrid Time)
The Cybersecurity (https://networks.imdea.org/es/equipo/grupos-de-investigacion/cybersecurity-group/) and Internet Analytics Groups (https://networks.imdea.org/es/equipo/grupos-de-investigacion/internet-analytics-group/) at IMDEA Networks Institute have a joint opening for one PhD student in the area of IoT Cybersecurity. The successful candidate will design novel methods for the analysis of vulnerabilities and harmful behaviours in IoT products and their software supply chain in the context of the PARASITE project.
A software bill of materials (SBOM) is a list of the software components in a given project and their corresponding version numbers and other metadata. The SBOM can be used to track updates and known security vulnerabilities for each component in the software project’s dependencies. It is also helpful for auditing purposes as it ensures that only authorized dependencies are included in a software project. However, there is a lack of methods and tools to effectively and accurately detect vulnerable dependencies in IoT products and software.
The candidate will develop and apply scalable and efficient software analysis pipelines enhanced with Machine Learning techniques to 1) identify supply chain elements and dependencies in IoT firmware (e.g., extract Software Bills of Materials, SBOMs), 2) detect and analyze vulnerabilities and weak/malicious actors in the supply chain, and 3) assess product compliance with the requirements of the new EU Cyber Resilience Act.
The candidate will make fundamental contributions to unsolved technical and enforcement challenges that the new EU Cyber Resilience Act will bring and to the long and impactful track records of the IAG and Cybersecurity groups in the field of software analysis, cybersecurity, and privacy [See bibliographic references 1-10 below]. The PhD student will have privileged access to various cutting-edge software analysis tools, and to a big data analysis platform with substantial computing resources for their processing.
Inquiries about the position can be directed by email to the thesis supervisors, Dr. Guillermo Suarez-Tangil (guillermo.suarez-tangil “at” imdea.org) or Dr. Narseo Vallina-Rodriguez (narseo.vallina “at” imdea.org).
Candidates shall submit by the call deadline a CV, a motivation letter, and the contact details of two references through the IMDEA Networks Institute hiring portal, at https://careers.networks.imdea.org/.
Bibliographic References of Relevant Group Research Outputs:
[1.] In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes. A. Girish, T. Hu, V. Prakash, D. J. Dubois, S. Matic, D. Huang, S. Egelman, J. Reardon, J. Tapiador, D. Choffnes, N. Vallina-Rodriguez. In Proc. of the 2023 ACM on Internet Measurement Conference, 2023.
[2.] SkillVet: Automated Traceability Analysis of Amazon Alexa Skills. J. Edu, X. Ferrer-Aran, J. Such, G. Suarez-Tangil. IEEE Trans. on Dependable and Secure Computing, 2022.
[3.] IoTLS: Understanding TLS Usage in Consumer IoT Devices. M. Paracha, D. Dubois, N. Vallina-Rodriguez, D. Choffnes. Proc. of the ACM IMC, 2021.
[4.] Trouble Over-the-Air: An Analysis of FOTA Apps in the Android Ecosystem. E. Blázquez, S. Pastrana, Á. Feal, J. Gamba, P. Kotzias, N. Vallina-Rodriguez, J. Tapiador. IEEE Symposium on Security and Privacy (SP), 2021.
[5.] An Analysis of Pre-installed Android Software. J. Gamba, M. Rashed, A. Razaghpanah, J. Tapiador, N. Vallina-Rodriguez. IEEE Symposium on S&P’20 (BEST PRACTICAL PAPER AWARD, AEPD EMILIO ACED AWARD, CNIL-INRIA PRIVACY RESEARCH AWARD).
[6.] Measuring Alexa Skill Privacy Practices Across Three Years. J. Edu, X. Ferrer-Aran, J. Such, G. Suarez-Tangil. ACM Web Conference, 2022.
[7.] Exploring the Security and Privacy Risks of Chatbots in Messaging Services. J. Edu, C. Mulligan, F. Pierazzi, J. Polakis, G. Suarez-Tangil, J. Such. Proc. ACM IMC, 2022.
[8.] 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions Systems. J. Reardon, A. Feal, P. Wijesekera, A. Elazari Bar On, N. Vallina-Rodriguez, S. Egelman. USENIX Security, 2019 (USENIX’19 DISTINGUISHED PAPER AWARD, CNIL-INRIA PRIVACY RESEARCH AWARD, AEPD EMILIO ACED).
[9.] Characterizing Linux-based Malware: Findings and Recent Trends. J. Carrillo-Mondéjar, J.L. Martínez, G. Suarez-Tangil. Future Generation Computer Systems, 2020.
[10.] AndroDialysis: Analysis of Android Intent Effectiveness in Malware Detection. A. Feizollah, N. B. Anuar, R. Salleh, G. Suarez-Tangil, S. Furnell. Computers & Security, 65, 121-134, 2017.
[11] https://networks.imdea.org/team/imdea-networks-team/alumni-network
This contract is part of the project PID2022-143304OB-I00 (PARASITE) funded by MCIN/AEI/10.13039/501100011033/ and by the ERDF, A way of making Europe.
IMDEA Networks Institute aims to increase the proportion of women and therefore qualified female applicants are explicitly encouraged to apply. Until a balanced ratio of men and women has been achieved at the institute, preference will be given to women if applicants have similar qualifications. IMDEA Networks Institute actively promotes diversity and equal opportunities. Applicants are not to be discriminated against in personnel selection procedures on the grounds of gender, ethnicity, religion or ideology, age, sexual orientation (anti-discrimination). People with disabilities who have the relevant qualifications are expressly invited to apply.