Tavish Vaidya


Email (GPG/PGP key): firstname@cs.georgetown.edu
LinkedIn: https://www.linkedin.com/in/tavishvaidya
I'm a Ph.D. student at Georgetown University, advised by Prof. Micah Sherr. My primary research area is computer and network security. I am also interested in digital privacy.

Publications


Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), August 2017. (To Appear)
Henri Maxime Demoulin**, Tavish Vaidya**, Isaac Pedisich, Nik Sultana, Yuankai Zhang, Ang Chen, Andreas Haeberlen, Boon Thau Loo, Linh Thi Xuan Phan, Micah Sherr, Clay Shields, and Wenchao Zhou.
**First co-authors
USENIX Workshop on Cyber Security Experimentation and Test (CSET), August 2017. (To appear)
Tavish Vaidya, Eric Burger, Micah Sherr and Clay Shields.
This paper describes a set of experiments we conducted to answer the question: just how prevalent is Internet interception? That is, if we sent our most sensitive information (bank information, passwords, etc.) in the clear, should we expect to regret it? For a little over a year, we sent different types of Internet traffic over unencrypted channels between multiple clients and servers located at geographically diverse locations around the globe. Our messages contained seemingly sensitive and valuable information, including login credentials for banking sites, one-time password reset links, etc. In total, we found no instances in which our information was acted upon by an eavesdropper. This paper details the numerous challenges—technical, legal, and ethical—of setting up and maintaining a year-long, large-scale honeytrap. We discuss some fundamental limitations of such an experiment, and argue why our results should not be misinterpreted to suggest that message encryption is gratuitous.
ACM Workshop on Hot Topics in Networks (HotNets), November 2016.
Ang Chen*, Akshay Sriraman, Tavish Vaidya, Yuankai Zhang, Andreas Haeberlen, Boon Thau Loo, Linh Thi Xuan Phan, Micah Sherr, Clay Shields, and Wenchao Zhou.
*Authors listed alphabetically, student authors first
This paper presents SplitStack, an architecture targeted at mitigating asymmetric DDoS attacks. These attacks are particularly challenging, since attackers can use a limited amount of resources to trigger exhaustion of a particular type of system resource on the server side. SplitStack resolves this by splitting the monolithic stack into many separable components called minimum splittable units (MSUs). If part of the application stack is experiencing a DDoS attack, SplitStack massively replicates just the affected MSUs, potentially across many machines. This allows scaling of the impacted resource separately from the rest of the application stack, so that resources can be precisely added where needed to combat the attack. We validate SplitStack via a preliminary case study, and show that it outperforms naïve replication in defending against asymmetric attacks.
USENIX Security Symposium, August 2016.
Nicholas Carlini*, Pratyush Mishra, Tavish Vaidya, Yuankai Zhang, Micah Sherr, Clay Shields, David Wagner, and Wenchao Zhou.
*Authors listed alphabetically, student authors first
Project Webpage: HiddenVoiceCommands.com
Best Paper Award, NYU CSAW'16 Applied Research Competition
Voice interfaces are becoming more ubiquitous and are now the primary input method for many devices. We explore in this paper how they can be attacked with hidden voice commands that are unintelligible to human listeners but which are interpreted as commands by devices. We evaluate these attacks under two different threat models. In the black-box model, an attacker uses the speech recognition system as an opaque oracle. We show that the adversary can produce difficult to understand commands that are effective against existing systems in the black-box model. Under the white-box model, the attacker has full knowledge of the internals of the speech recognition system and uses it to create attack commands that we demonstrate through user testing are not understandable by humans. We then evaluate several defenses, including notifying the user when a voice command is accepted; a verbal challenge-response protocol; and a machine learning approach that can detect our attacks with 99.8% accuracy.
USENIX Workshop on Offensive Technologies (WOOT), August 2015.
Tavish Vaidya, Yuankai Zhang, Micah Sherr and Clay Shields.
Hands-free, voice-driven user input is gaining popularity, in part due to the increasing functionalities provided by intelligent digital assistants such as Siri, Cortana, and Google Now, and in part due to the proliferation of small devices that do not support more traditional, keyboard-based input. In this paper, we examine the gap in the mechanisms of speech recognition between human and machine. In particular, we ask the question, do the differences in how humans and machines understand spoken speech lead to exploitable vulnerabilities? We find, perhaps surprisingly, that these differences can be easily exploited by an adversary to produce sound which is intelligible as a command to a computer speech recognition system but is not easily understandable by humans. We discuss how a wide range of devices are vulnerable to such manipulation and describe how an attacker might use them to defraud victims or install malware, among other attacks.
Security Protocols Workshop (SPW), March 2015.
Tavish Vaidya and Micah Sherr.
This position paper explores the threat to individual privacy due to the widespread use of consumer drones. Present day consumer drones are equipped with sensors such as cameras and microphones, and their types and numbers can be well expected to increase in future. Drone operators have absolute control on where the drones fly and what the on-board sensors record with no options for bystanders to protect their privacy. This position paper proposes a policy language that allows homeowners, businesses, governments, and privacy-conscious individuals to specify location access-control for drones, and discusses how these policy-based controls might be realized in practice. This position paper also explores the potential future problem of managing consumer drone traffic that is likely to emerge with increasing use of consumer drones for various tasks. It proposes a privacy preserving traffic management protocol for directing drones towards their respective destinations without requiring drones to reveal their destinations.

Posters

Studying the Pervasiveness of Internet Interception with Honey{POP,SMTP,Telnet}
In USENIX Security Symposium, August 2015.
Tavish Vaidya, Eric Burger, Micah Sherr and Clay Shields.
Helping Users Understand Their Webfootprints
International World Wide Web Conference (WWW), May 2015.
Lisa Singh, Grace Hui Yang, Micah Sherr, Yifang Wei, Andrew Hian-Cheon, Kevin Tian, Janet Zhu, Sicong Zhang, Tavish Vaidya and Elchin Asgarli.

Technical Reports


Tavish Vaidya, November 2014.
Selected Press: MIT Technology Review
How Private is your Privacy? Threats and Countermeasures for Protecting Digital Privacy
Tavish Vaidya, May 2014.

I stand at the sea, Wonders at wondering: I a universe of atoms; an atom in the universe!
-Richard P. Feynman
Last updated: June 25, 2017.