SoS Quarterly Summary Report - CMU - October 2015
Lablet Summary Report
A). Fundamental Research
Theoretical Foundations - these highlights extend existing methods for modeling that could not previously address the hard security problems.
- Hierarchical feature modeling for interaction discovery. Complex combinations of configurations and intra-feature dependencies can lead to design flaws and errors that can be exploited by attackers. This work aims to model feature complexity and link these models to mean comparisons of vulnerable source files for discovering new vulnerability metrics.
- Effects of composable security on risk perception. Information assurance is routinely based on checklists, which assume a single threat context (often the union of all possible threats and mitigations). This work developed a technique to measure the impact of composing security requirements on perceived security risk in the presence of changing threats.
Adaptations to Security Problems - these highlights apply existing methods to security problems in new ways that have not been done before
- Safely-composable domain specific languages. Prepared SQL statements are a promising technique to avoid or reduce SQL-injection attacks. This work aims to use embedded domain specific languages (DSL) to make it easier for programmers to construct expressions in a DSL dynamically without introducing such vulnerabilities.
Scientific Instrumentation - these highlights demonstrate new research to build the tools needed to conduct security experiments that could not previously have been performed.
- Path-sensitive exploit generation for mobile apps. Inter-component communications are an emerging source of vulnerability in mobile apps. This work resulted in a pluggable framework for automatically generating exploits to test apps, including benchmark apps that can be used to evaluate real-world apps.
- Tools to study long-term, security-related user behavior. The Security Behavior Observatory is now in version 2.0 with new data collection sensors that enable the observation of a large pool of home computer security settings and software "in the wild" to understand how users make security related decisions. This platform is one of the first of its kind and can be used to run controlled experiments, e.g., by testing different experimental interventions aimed at changing long-term user behavior.
B). Community Interaction
Nothing to Report this quarter. See January 2016 quartely summary.
C. Educational
Nothing to Report this quarter. See January 2016 quartely summary.
Groups:
- Approved by NSA
- Scalability and Composability
- Policy-Governed Secure Collaboration
- Metrics
- Resilient Architectures
- Human Behavior
- CMU
- A Language and Framework for Development of Secure Mobile Applications
- Epistemic Models for Security
- Geo-Temporal Characterization of Security Threats
- Highly Configurable Systems
- Multi-Model Run-Time Security Analysis
- Race Vulnerability Study and Hybrid Race Detection
- Science of Secure Frameworks
- Secure Composition of Systems and Policies
- Security Reasoning for Distributed Systems with Uncertainty
- Usable Formal Methods for the Design and Composition of Security and Privacy Policies
- USE: User Security Behavior
- FY14-18
- Oct'15