f Chunyi Peng's Research

Chunyi Peng's Research

  • MobileInsight: In-device mobile network monitor and analyzer: Tool (source code), Dataset (>240GB)
  • Mobility Management in Cellular Networks
       Misconfigurations (MMDiAG) : SIGMETRICS'16, HotMobile'16
       Multi-Carrier Roaming : iCellular (NSDI'16)
  • Security issues in Control-plane and Data-Plane in 4G LTE Cellular Networks: Voice Security (CCS'15, CNS'15)
       Voice solutions for Next-Generation Mobile Networks: HotMobile'16 Mobicom'13
  • Security Loopholes and Defense in Mobile Data Charging in 3G/4G Cellular Networks: SecMDC (CCS'14, Mobisys'13, CCS'12, MobiCom'12)
  • Control-plane Protocol Verification in 4G/3G Cellular Networks: CNetVerifier (SIGCOMM'14,TON'15)
  • All Things Light
       Unobtrusive Screen-to-Camera communication: InFrame (MobiSys'15 HotNets-XIII), ARTCode(Ubicomp'16)
       Other Visible Light Communication and Localization: MobiCom'14 NSDI'14, HotNets-XII

    Ongoing Projects


    Configuration Management for Mobility Support in Cellular Networks [Expand]

    This project investigate security implications of mobile data charging, one essential operation to mobile network carriers and users. We aim to expose vulnerability and loopholes, deduce root causes and propose remedies.
    Full project page: Click here
    This project seeks to study the configuration issues on mobility management of 2G/3G/4G networks, in order to ensure desirable mobility support. The research focuses on assessing two structural properties: stability and reachability .
    The proposed research has three key areas of technical contributions. First, it takes a novel approach to configuration study. It models and analyzes problematic cases and comes up with a taxonomy of instability and unreachability for the mobility configuration problems, and derives triggering conditions for each problematic instance. The fundamental problem lies in its distributed, yet not well-coordinated configuration decision-making. Second, the project covers activities from theory to practice. Given the misconfiguration instances discovered in theory, it further empirically assesses them in operational mobile networks. It seeks to measure their likelihood in reality and quantify their negative impacts on both the user device and the network infrastructure. The diversified root causes are to be analyzed, spanning policy conflicts within a single parameter, inconsistency between different types of parameters, and uncoordinated decisions between the device and the network. Last, the research proposes new solutions to configuration management in mobile networks. This research simplifies the current approach, while retaining its full configurability for parameters. To this end, two design guidelines of minimal replication of decision rules and no multi-hop mobility decision are explored in order to ensure both stability and reachability of mobility support.

    Publications:   SIGMETRICS'16, INFOCOM'16,, HotMobile'16

    iCellular: Device-Customized Cellular Network Access on Commodity Smartphones [Expand]

    Exploiting multi-carrier access offers a promising direction to boost access quality in mobile networks. This project aims to achieve the full potential of this approach through leveraging fine-grained, cellular-specific domain knowledge on commodity phones.
    Full project page: Click here
    In this project, we propose iCellular, which exploits low-level cellular information at the device to improve multi-carrier access. Specifically, iCellular is proactive and adaptive in its multi-carrier selection by leveraging existing end-device mechanisms and standards-complaint procedures. It performs adaptive monitoring to ensure responsive selection and minimal service disruption, and enhances carrier selection with online learning and runtime decision fault prevention. It is readily deployable on smartphones without infrastructure/ hardware modifications. We implement iCellular on commodity phones and harness the efforts of Project Fi to assess multi-carrier access over two US carriers: T-Mobile and Sprint. Our evaluation shows that, iCellular boosts the devices with up to 3.74x throughput improvement, 6.9x suspension reduction, and 1.9x latency decrement over the state-of-the-art selection scheme, with moderate CPU, memory and energy overheads.

    Publications:   NSDI'16

    SecMDC: Secure Mobile Data Charging in 3G/4G Cellular Networks [Expand]

    This project investigate security implications of mobile data charging, one essential operation to mobile network carriers and users. We aim to expose vulnerability and loopholes, deduce root causes and propose remedies.
    Full project page: Click here
    In this project, we propose research study on 3G/4G mobile data charging (MDC) systems from the security perspective. The ultimate goal to secure MDC is to ensure that the right user is charged to the right data volume that (s)he has agreed to consume. This not only safeguards the security of the cellular infrastructure, as well as projects the monetary rights of mobile users. Technically, it is expected to meet the three requirements on Authentication, Authorization and Accounting (AAA). Unfortunately, we find the all three can be breached in practice.
    The overall research covers two parts. The first is to identify security loopholes in the MDC system. We further devise novel attacks that exploit such loopholes and validate them via experiments in operational cellular carriers. The second is to devise defenses that protect from such attacks. These solutions call for concerted effort between the network infrastructure and the mobile device.

    Publications:   CCS'14, MobiSys'13,CCS'12, MobiCom'12

    LTE Voice in Peril: A Security Perspective on VoLTE and CSFB [Expand]

    This project investigate security implications of 4G LTE voice solutions: VoLTE (voice-over-LTE) and CSFB (circuit-switched Fallback). In this project, we seek to disclose whether both schemes might be harmful to mobile users and/or operators from a security perspective. If so, we aim to pinpoint their root causes, uncover the insights of insecurity and devise defenses that protect from such attacks..
    Full project page: Click here
    In this project, we look into voice, a simple utility service, yet vital to both mobile operators and phone users. It has been a killer carrier application decades since its origin. Its legacy design is CS-based. However, as the cellular infrastructure upgrades to LTE, an PS-only, all-IP network, voice service has to go through its fast evolution (completely abandoning the circuit-switched (CS) design to 2G/3G networks. Such major changes exposes new and unexpected threats. Our study stems from a simple rule of thumb in that any major change is probably a source for insecurity. With the nontrivial changes from CS to PS in its core technology, VoLTE may interfere with other system components, thereby inducing new loopholes. For CSFB, it has to trigger 3G-4G handoff, which is originally designed to support mobility and universal coverage, but now is open to any caller, even without permission from the callee.

    Publications:   CCS'15, CNS'15

    CNetVerifer: Control-plane Protocol Verification in 4G/3G Cellular Networks [Expand]

    This project conducts a rigorous study on verifying the correctness of control-plane protocols in 3G/4G networks. We aim to verify the control-plane protocol interactions in multi-dimensions in operational cellular networks: cross-layer (eg, RRC and MM, AS and NAS), cross-domain (CS and PS) and cross-system (4G and 3G). We identify design and operational defects and propose solutions.
    Full project page: Click here
    Control-plane protocols are salient features in cellular networks. Compared with the Internet counterparts, they are much more complex with much richer interactions in all three dimensions: cross-layer, cross-domain and cross-system. In this project, we propose to conduct rigorous study on verifying their correctness in real 3G/4G cellular networks. Our research has two main thrusts. One is to identify design loopholes in the protocols designed by the 3GPP standards. We analyze their misbehaviors, root causes, and performance penalties. We further empirically validate them in operational networks. The second thrust is to devise techniques to alleviate such design problems.

    The core in the project is to combine a formal method (model-checking) and empirical validation. In screening-phase, potential design flaws are disclosed by a cellular-specific model checking in the form of counterexamples. In the validation phase, phone-based experiments are conducted under the hints of counterexamples to validate design flaws and discover operational slips as well.

    Publications:   TON'15 , SIGCOMM'14MobiCom'13



    Past Projects


    InFrame: Hide Data Bits Within Video Frames [Expand]

    This project aims to explore a novel screen-camera communication, along with screen-to-eye video viewing, both over visible light channels. This seeks to empower concurrent delivery of primary video content to users and additional information to devices over screen-to-camera visual links without impairing user-viewing experience.
    Full project page: Click here
    We explore a novel dual-mode visible light communication. Screen not only serves as the primary source of human-friendly information (e.g., video, image, text or any pleasant view), but also as an carrier of machine-friendly data content. The figure illustrates the concept of InFrame. Composite contents are produced (in frames) for the display by multiplexing the video content frames (intended for human viewers) and the data (intended for devices, also in frames). These composite frames can be rendered to human eyes without affecting the viewing experience. The user thus watches the video as usual without sensing the embedded data frames. In the meantime, the data carried by the composite frames can be captured and decoded by the camera to retrieve the embedded side information.

    The key enables for InFrame include: (1) deceive human eyes to hide physically-existing patterns through leveraging perception gap between human vision and camera systems and high-display-rate; (2) combat primary video interference to retrieve patterns with high-throughput and moderate reliability through a novel CDMA interference mitigation mechanism. We also propose concrete techniques to fulfill these ideas.

    Publications:   MobiSys'15, HotNets'14



    Research Support


    I gratefully acknowledge ongoing and past research support from NSF (CNS-1421440, CNS-1421933,CNS-1527613,CNS-1526456), Gifts from Adobe, and the departmental support from OSU.