Human Behavior and Cyber Vulnerabilities - UMD - January 2015
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): VS Subrahmanian
Researchers: Sonam Sobti, Tudor Dumitras, Marshini Chetty, Aditya Prakash
HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.
Understanding and Accounting for Human Behavior
Security-Metrics-Driven Evaluation, Design, Development, and Deployment
PROJECT SYNOPSIS
When a vulnerability is exploited, software vendors often release patches fixing the vulnerability. However, our prior research has shown that some vulnerabilities continue to be exploited more than four years after their disclosure. Why? We posit that there are both technical and sociological reasons for this. On the technical side, it is unclear how quickly security patches are disseminated, and how long it takes to patch all the vulnerable hosts on the Internet. On the sociological side, users and administrators may decide to delay the deployment of security patches. Our goal in this task is to validate and quantify these explanations. Specifically, we seek to characterize the rate of vulnerability patching, and to determine the factors, both technical and sociological, that influence the rate of applying patches.
PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.
- Liang Zhang, David Choffnes, Tudor Dumitras, Dave Levin, Alan Mislove, Aaron Schulman, and Christo Wilson. Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed. In Proceedings of the ACM Internet Measurement Conference (IMC'14), Vancouver, Canada, Nov 2014. http://cps-vo.org/node/17111
ACCOMPLISHMENT HIGHLIGHTS
This quarter we published one paper and we gave one presentation:
- Our paper on the SSL certificate reissues and revocations was published at IMC'14. In this paper we showed that, even though the software vulnerable to Heartbleed was patched relatively quickly, the certificates were not reissued, or were reissued but not revoked, leaving systems vulnerable to man-in-the-middle attacks. This study highlighted that our current PKI is ill-prepared for handling mass revocations resulting from widespread vulnerabilities like Heartbleed. More information is available at http://www.umiacs.umd.edu/~tdumitra/blog/2014/11/05/certificate-reissues-and-revocations-in-the-wake-of-heartbleed/
- We presented our ongoing work at the SoS lablet meeting at UMD in October.
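The remediation states the Heartbleed study distinguishes (patched, certificate reissued, key actually rotated, old certificate revoked) can be checked mechanically against a certificate inventory. The following is an added Python example, not code from the paper or the project; the host names, serials, key fingerprints and the inventory record format are constructed assumptions, and only the disclosure date is a fact.

```python
from dataclasses import dataclass
from datetime import date

# Heartbleed was publicly disclosed on 7 April 2014; a key that was in service
# on a vulnerable server before that date must be assumed exposed.
DISCLOSURE = date(2014, 4, 7)

@dataclass(frozen=True)
class Cert:
    serial: str       # certificate serial (constructed values below)
    key_fpr: str      # fingerprint of the public key (constructed values below)
    not_before: date  # start of validity

def classify(old: Cert, current: Cert, revoked: set, patched: bool) -> str:
    """Return the remediation state of one host, ordered from worst to best."""
    if not patched:
        return "unpatched"
    if current.serial == old.serial:
        return "not reissued"                 # same certificate as before disclosure
    if current.key_fpr == old.key_fpr:
        return "reissued, same key"           # new certificate, but the exposed key was kept
    if current.not_before < DISCLOSURE:
        return "reissued before disclosure"   # new key, but it too served on a vulnerable host
    if old.serial not in revoked:
        return "reissued, not revoked"        # old certificate still validates for an attacker
    return "remediated"

def audit(inventory: dict, revoked: set) -> dict:
    """Count hosts per state; inventory maps host -> (old cert, current cert, patched)."""
    counts = {}
    for old, cur, patched in inventory.values():
        state = classify(old, cur, revoked, patched)
        counts[state] = counts.get(state, 0) + 1
    return counts

# Constructed sample inventory: five hosts observed before and after disclosure.
PRE = Cert("01", "key-A", date(2013, 6, 1))
INVENTORY = {
    "a.example": (PRE, PRE, True),                                      # not reissued
    "b.example": (PRE, Cert("02", "key-A", date(2014, 4, 9)), True),    # same key
    "c.example": (PRE, Cert("03", "key-B", date(2014, 4, 10)), True),   # not revoked
    "d.example": (Cert("04", "key-C", date(2013, 7, 1)),
                  Cert("05", "key-D", date(2014, 4, 12)), True),        # remediated
    "e.example": (PRE, PRE, False),                                     # unpatched
}
REVOKED = {"04"}  # constructed revocation list: only d.example's old serial

if __name__ == "__main__":
    for state, n in sorted(audit(INVENTORY, REVOKED).items()):
        print(f"{n} host(s): {state}")
```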