SoS Quarterly Summary Report - UMD - July 2014

Lablet Summary Report
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

A). Fundamental Research
High-level report of a result or partial result that helped move security science forward. In most cases it should point to a "hard problem".

Katz and Vora have adapted a protocol for remote electronic voting based on physical objects like scratch-off cards. What is particularly novel here is that the human voter is explicitly modeled as a participant in the protocol, taking into account limitations on the kinds of computations humans can be expected to perform. In this sense, this work relates to the general problem of modeling human behavior and appropriately taking human behavior into account when designing security protocols.
Baras and Golbeck are studying the fundamental notion of trust, and seeking to develop appropriate models that can be applied to study the dynamics of small groups of parties exploring mechanisms for collaboration based on their local policies. They have used game theory to characterize the costs and benefits of collaboration as a function of the level of trust, and have proved formally the conjecture that "trust is a lubricant for cooperation." This work directly addresses the hard problem of policy-governed secure collaboration.
Shilton et al. have begun undertaking qualitative studies of developers in an effort to discover cultural and workplace dynamics that encourage or discourage privacy and security by design. This work is directed at the broader goal of understanding human behavior and its impact on security.
Golbeck and Aviv are carrying out empirical studies aimed at understanding user perceptions of security in visual systems, with current research focusing on graphical passwords. The overarching research goal is to understand human perceptions of security, which will lead to the design of systems in which perceptions of security match some known metric of security, thus improving security by design. This relates to the hard problem of understanding human behavior and its effects on security.
Cukier and Maimon are applying a criminological viewpoint to develop a better understanding of attackers' behavior. Using honeypots deployed at the University of Maryland, they are studying how different system-level aspects affect intruders' behavior. The hard problem being addressed here is understanding human behavior, though from the attackers' points of view.
Subrahmanian et al. are using an empirical approach to study factors that affect the rate at which security patches are deployed. Using 5-year data collected on 8.4 million hosts, available through Symantec's WINE platform, they measured the patch-deployment process of 1,593 vulnerabilities from 10 popular applications. Selected findings include: (1) Patching starts within 7 days of disclosure for 77% of the vulnerabilities, and the median time to patch half of the vulnerable hosts is 45 days. (2) The rate of patching seems to decrease over time, and the median time to reach 95% patch deployment is 429 days, observed for only 28% of vulnerabilities. A longer-term goal is to correlate this data with sociological studies of network administrators, to determine why patches are not deployed more quickly. This work addresses, in part, the hard problem of developing quantifiable metrics for assessing the security of systems, and understanding how those metrics evolve in the real world.
Dumitras et al. are working to design more-informative metrics to quantify security of deployed systems. They have formalized several security metrics derived from field data, including the count of vulnerabilities exploited and the size of the attack surface actually exercised in real-world attacks, and evaluated these metrics on nearly 300 million reports of intrusion-protection telemetry, collected on more than six million hosts. They have found several interesting results so far, including: (1) The exploitation ratio and the exercised attack surface tend to decrease with newer product releases and with the introduction of security technologies such as sandboxing. (2) Hosts that quickly upgrade to newer product versions tend to have reduced exercised attack surfaces. This work addresses, in part, the hard problem of developing quantifiable metrics for assessing the security of systems, and understanding how those metrics evolve in the real world.
Van Horn et al. are investigating compositional verification techniques using language-based mechanisms for specifying and enforcing program properties called contracts. Initial results confirm that behavioral properties of programs can be verified using this approach and they are now trying to scale the approach to cover multi-language programs and security properties. If successful, this work would impact the hard problem of scalability and composability.
Clarkson and Hicks are attacking the problem of compositional security by trying to develop a verification methodology based on hyperproperties, a generalization of the classical notion of properties. This would enable verification that software systems satisfy security policies, thus providing predictable security and increasing the trustworthiness of software. Security science is also concerned with the establishment of laws that relate policies, attacks, and defenses. The proposed work will establish a relationship between policies (hyperproperties) and defense (verification of software), and thus relates to the hard problem of scalability and composability.

B). Community Interaction

UMD held a "kick-off" with members from each of the tasks in the UMD lablet, both from within and outside UMD, gathering to present their planned research and solicit feedback from other members of the lablet.
Katz has been interacting with the other lablets to further characterize and explain the five hard problems currently being studied by the lablets. Several members of the UMD team participated in the Hot-SoS workshop as well as the last quarterly meeting at CMU.
Van Horn has proposed a tutorial on software contracts to be presented at the ACM SIGPLAN-SIGACT Symposium on the Principles of Programming Languages in January 2015 in Mumbai, India. The tutorial, if accepted, would reach a large number of the world's best researchers in language-based security.


C). Educational
Several members of the lablet will be teaching courses in computer security during the Fall semester. Dumitras will be teaching a course on distributed-systems security which will incorporate a discussion of security metrics and empirical studies of security properties.
Cukier leads the ACES undergraduate honors program in cybersecurity, which incorporates a holistic approach to cybersecurity covering technical, policy, and behavioral aspects of the problem.