Amanuensis: provenance, privacy, and permission in TEE-enabled blockchain data systems

Amanuensis, a TEE-enabled blockchain data-sharing system, allows data providers to set access-control lists for all data and ensures that data remains confidential in an ecosystem comprised of organizations that do not necessarily trust one another. Along with data confidentiality, Amanuensis provides information provenance – the ability to trace the origin of information that may have been derived from a series of aggregations and transformations on many input and intermediary data sets – for data created as the result of a computation. In this paper, we build on Amanuensis to ensure the freshness of access-control lists shared between the blockchain and the trusted execution environment (TEE), and to improve the privacy of users interacting within the system. We also detail how TEE-based remote attestation helps us to achieve information provenance – specifically, how to achieve information provenance in the context of the Intel SGX trusted execution environment. The paper makes three major contributions:

  • assured freshness of access-control lists stored on the blockchain,
  • expanded privacy for users interacting on blockchain, and
  • secured protocol for verifying the provenance of data produced by confidential TEE programs.

Taylor Hardin and David Kotz. Amanuensis: provenance, privacy, and permission in TEE-enabled blockchain data systems. Proceedings of the IEEE International Conference on Distributed Computing Systems, pages 144–156. IEEE, July 2022. doi:10.1109/ICDCS54860.2022.00023. ©Copyright IEEE.

New THaW Dissertation: ‘Information Provenance for Mobile Health Data’

We are proud to announce a THaW team members’ successful dissertation. Dr. Taylor Hardin’s dissertation focuses on an end-to-end solution for providing information provenance for mHealth data, which begins by securing mHealth data at its source: the mHealth device. 

The dissertation describes a memory-isolation method that combines compiler-inserted code and Memory Protection Unit (MPU) hardware to protect application code and data on ultra-low-power micro-controllers. The security of mHealth data outside of the source (e.g., data that has been uploaded to smartphone or remote-server) is then addressed with Amanuensis, a health-data system, which uses Blockchain and Trusted Execution Environment (TEE) technologies to provide confidential, yet verifiable, data storage and computation for mHealth data. The use of blockchain and TEEs introduce identity privacy and data freshness issues, which are explored. A privacy-preserving solution for blockchain transactions, and a freshness solution for data access-control lists retrieved from the blockchain are presented.

To learn more, check out Dr. Taylor Hardin’s dissertation below. 

Hardin, Taylor A., “Information Provenance for Mobile Health Data” (2022). Dartmouth College Ph.D Dissertations. 79.

VibeRing: An out-of-band channel for sharing secret keys

Health-oriented smart devices, such as a blood-glucose monitor, collect meaningful data when they are in use and in physical contact with their user. The smart device’s (“smartThing’s”) wireless connectivity allows it to transfer that data to its user’s trusted device, for example a smartphone. However, an adversary could impersonate the user and bootstrap a communication channel with the smartThing while the smartThing is being used by an oblivious legitimate user. 

To address this problem, in this paper, we investigate the use of vibration, generated by a smartRing, as an out-of-band communication channel to unobtrusively share a secret with a smartThing. This exchanged secret can be used to bootstrap a secure wireless channel over which the smartphone (or another trusted device) and the smartThing can communicate. We present the design, implementation, and evaluation of this system, which we call VibeRing. We describe the hardware and software details of the smartThing and smartRing. Through a user study we demonstrate that it is possible to share a secret with various objects quickly, accurately and securely as compared to several existing techniques.

Sougata Sen and David Kotz. VibeRing: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys. Journal of Pervasive and Mobile Computing, volume 78, article 101505, 16 pages. Elsevier, December 2021. doi:10.1016/j.pmcj.2021.101505. ©Copyright Elsevier. Revision of sen:vibering.

New THaW Patent

The THaW team is pleased to announce one new patent derived from THaW research. For the complete list of patents, visit our Tech Transfer page.

Abstract: Apparatuses that provide for secure wireless communications between wireless devices under cover of one or more jamming signals. Each such apparatus includes at least one data antenna and at least one jamming antenna. During secure-communications operations, the apparatus transmits a data signal containing desired data via the at least one data antenna while also at least partially simultaneously transmitting a jamming signal via the at least one jamming antenna. When a target antenna of a target device is in close proximity to the data antenna and is closer to the data antenna than to the jamming antenna, the target device can successfully receive the desired data contained in the data signal because the data signal is sufficiently stronger than the jamming signal within a finite secure-communications envelope due to the Inverse Square Law of signal propagation. Various related methods and machine-executable instructions are also disclosed.

Image describes the steps to ensure secure wireless data transfer between devices.

Timothy J. Pierson, Ronald Peterson, and David Kotz. Apparatuses, Methods, and Software For Secure Short-Range Wireless Communication. U.S. Patent 11,153,026, October 19, 2021. Download from

See also: Timothy J. Pierson, Travis Peters, Ronald Peterson, and David Kotz. CloseTalker: secure, short-range ad hoc wireless communication. Proceedings of the ACM International Conference on Mobile Systems, Applications, and Services (MobiSys), pages 340–352. ACM, June 2019. doi:10.1145/3307334.3326100. [Details]

THaW’s Eric Johnson on recent health system cyberattacks

Eric Johnson
Eric Johnson, PhD and dean of Vanderbilt University’s Owen Graduate School of Management

Cyberattacks targeting healthcare systems have been growing in prevalence and are wreaking more havoc with the healthcare industry’s increased dependence on electronic systems. Cyberattacks such as denial-of-service attacks, can have immediate impact on patient care by leaving medical staff without important patient records. The impacts don’t end there. With healthcare systems increasing their cybersecurity protocols in the aftermath of a cyberattack, patient information can be harder to access for those who should be accessing that information. Johnson’s research with co-author S.J. Choi, PhD, shows that at hospitals where security protocols slowed computer access by just a minute or so, people who came in with a heart attack were more likely to die. “When I talk to doctors about security, a lot of times they’re very negative,” Johnson said. “So they’re pretty far behind, and at this point, incredibly vulnerable.” It’s certainly not a stretch, Johnson says, to say that delays from a ransomware attack are likely to have more serious effects.

To read more about the recent cyberattacks on healthcare systems and coverage of THaW research on those topics, check out the THaW press page.

New THaW Paper on Recurring Device Verification

An IoT device user with a blood-pressure monitoring device should have the assurance that the device operates how a blood-pressure monitor should operate. If the monitor is connected to a measurement app that collects, stores, and reports data, but interacts in a way that is inconsistent with typical interactions for this type of device, there may be cause for concern. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.

In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. 

To read more, check out the paper here.

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021), pages 192–203. ACM, June 2021. doi:10.1145/3448300.3468287. ©

Professor Kevin Fu appointed Acting Director of Medical Device Cybersecurity at the U.S. FDA Center for Devices and Radiological Health (CDRH)

Kevin Fu, THaW PI from the University of Michigan, is heading to Washington D.C. for a one-year term as Acting Director of Medical Device Cybersecurity at the U.S. FDA Center for Devices and Radiological Health (CDRH). This role includes an appointment with the Digital Health Center of Excellence (DHCoE).The DHCoE fosters responsible and high-quality digital health innovation.

To learn more about the role, Professor Fu’s numerous achievements in the cross-section of health technologies and cybersecurity, as well as his other notable contributions, check out the University of Michigan’s official press release here.

Congratulations, Professor Fu!

THaW publications

cover sheet of the report

Seven years ago, the National Science Foundation’s Secure and Trustworthy Cyberspace program awarded a grant creating the Trustworthy Health and Wellness (THaW) project. Most project activities have now wound down, after publishing more than a hundred journal papers, conference papers, workshop contributions, dissertations, theses, patents, and more. We just released an annotated bibliography, with all the references organized in a Zotero library that provides ready access to citation materials and abstracts. In the annotated bibliography we organize papers by cluster (category), identify content tags, and give a brief annotation summarizing the work’s contribution. Thanks to Carl Landwehr for leading this important summary of THaW work!

LightTouch – Connecting Wearables to Ambient Displays

Connectivity reached new extremes, when wearable technologies enabled smart device communications to appear where analogue watches, rings, and vision-enhancing glasses used to sit. Risks of sensitive data being wrongly transmitted, as a result of malicious or non-malicious intent, grow alongside these new technologies. To ensure that this continued interconnectivity of smart devices and wearables is safe and secure, the THaW team devised, published, and patented LightTouch. This technology, conceptually compatible with existing smart bracelet and display designs, uses optical sensors on the smart device and digital radio links to create a shared secret key that enables the secure and private connection between devices.

LightTouch makes it easy for a person to securely connect their wearable device to a computerized device they encounter, for the purpose of viewing information from their device and possibly sharing that information with nearby acquaintances. To learn more, check out this recent Spotlight in IEEE Computer, or click the links below to read the journal article, the patent specifics, or the conference presentation.

Xiaohui Liang, Ronald Peterson, and David Kotz. Securely Connecting Wearables to Ambient Displays with User IntentIEEE Transactions on Dependable and Secure Computing 17(4), pages 676–690, July 2020. IEEE. DOI: 10.1109/TDSC.2018.2840979

Xiaohui Liang, Tianlong Yun, Ron Peterson, and David Kotz. Secure System For Coupling Wearable Devices To Computerized Devices with Displays, March 2020. USPTO; U.S. Patent 10,581,606; USPTO. Download from — Priority date 2014-08-18, Grant date 2020-03-03.

Xiaohui Liang, Tianlong Yun, Ronald Peterson, and David Kotz. LightTouch: Securely Connecting Wearables to Ambient Displays with User Intent. In IEEE International Conference on Computer Communications (INFOCOM), May 2017. IEEE. DOI: 10.1109/INFOCOM.2017.8057210


How to curtail oversensing in the home

Recent THaW paper:

Future homes are an IoT hotspot that will be particularly at risk. Sensitive information such as passwords, identification, and financial transactions are abundant in the home—as are sensor systems such as digital assistants, smartphones, and interactive home appliances that may unintentionally capture this sensitive information. For example, how motion sensors can capture nearby sounds, including words and keystrokes. We call this oversensing: where authorized access to sensor data provides an application with superfluous and potentially sensitive information. Manufacturers and system designers must employ the principle of least privilege at a more fine-grained level and with awareness of how often different sensors overlap in the sensitive information they leak. We project that directing technical efforts toward a more holistic conception of sensor data in system design and permissioning will reduce risks of oversensing.

Connor Bolton, Kevin Fu, Josiah Hester, and Jun Han. How to curtail oversensing in the homeCommunications of the ACM 63(6), pages 20–24, June 2020. ACM. DOI: 10.1145/3396261