SoS Quarterly Summary Report - UMD - October 2015

Lablet Summary Report

A). Fundamental Research
The UMD lablet involves several projects looking at different aspects of the five hard problems.

Two new projects kicked off this year, one titled "Measuring and Improving Management of Today's PKI," led by Dave Levin, and the other titled "Understanding How Users Process Security Advice," led by Michelle Mazurek.

Levin is conducting Internet-wide measurements of how online certificates are being managed, including such factors as how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play. In recent work he and others find that a surprisingly large fraction (8%) of certificates are revoked, and that obtaining certificate revocation information can often be expensive in terms of latency and bandwidth for clients. They also found that browsers often do not bother to check whether certificates are revoked, especially mobile browsers, which uniformly never check. Finally, they examined the CRLSet infrastructure built into Google Chrome for disseminating revocations, and found that CRLSet only covers 0.35% of all revocations. This work is described in a paper submitted to IMC 2015. He and co-workers have also developed a protocol for more transparent delegation of rights from a website to a CDN, with the property that CDNs are effectively used as a "proxy" and remain unable to alter data between a content provider and a user, or to view confidential data between the two.

Mazurek is exploring how users process security advice. Her preliminary work has found that cybersecurity advice comes from a wider variety of sources than does physcial-security advice and, perhaps as a consequence, users are generally less confident about whether cybersecurity advice is trustworthy. The study also found that while women and older people report more physical-security behaviors than others, they do not report more digital-security behaviors. These results were presented as a poster at SOUPS 2015.

Van Horn et al. are investigating compositional-verification techniques using language-based mechanisms for specifying and enforcing program properties called contracts. Initial results confirm that behavioral properties of programs can be verified using this approach and they are now trying to scale the approach to cover multi-language programs and security properties. This team recently made a theoretical breakthrough by showing how to efficiently generate counterexamples witnessing contract violations. This is important for testing and debugging software that uses contracts. They have been able to prove that their method is both sound and relatively complete. A paper describing these results was presented at PLDI 2015 and prior work, published at ICFP 2014, was submitted to a special issue of the Journal of Functional Programming.

Dumitras et al. are working to design more-informative metrics to quantify security of deployed systems. This work addresses the hard problem of developing quantifiable metrics for assessing the security of systems, and understanding how those metrics evolve in the real world. The research team has formalized several security metrics derived from field data, including the count of vulnerabilities exploited and the size of the attack surface actually exercised in real-world attacks, and evaluated these metrics on nearly 300 million reports of intrusion-protection telemetry, collected on more than six million hosts. In recent work, that appeared at USENIX Security 2015, Dumitras and co-authors conducted a quantitative and qualitative exploration of vulnerability-related information disseminated on Twitter, and showed that such information could be used as a predictor of active exploits up to 2 days ahead of existing data sets. In other work, he and his students applied analytical techniques to characterize download graphs of executable software, and used those characteristics to develop predictors that examine download graphs and of a program and lable the program as either benign or malicious (i.e., malware). Their system for classifying software achieves a 96% true-positive rate, with a 1.0% false-positive rate, and detects malware an average of 9.24 days earlier than existing antivirus
products.

Subrahmanian et al. explored geographical aspects of malware infection. They looked at predicting the number of malware infections in a country given a prior history of attacks. This is an important question which has numerous implications for cyber security, from designing better anti-virus software, to designing and implementing targeted patches, to more accurately measuring the economic impact of breaches. This quarter, they finished work begun in the previous quarter and wrote a paper that addresses this problem using data from Symantec covering more than 1.4 million hosts and 50 malware samples spread across 2 years and multiple countries. They first carefully designed domain-based features from both malware and host perspectives. Next, they improved the DIPS model developed in the previous quarter via a novel set of temporal non-linear features. Finally, they developed ESM, an ensemble-based approach which combines both these methods, as well as a set of other models, to construct a more accurate algorithm. Using extensive experiments spanning multiple malware samples and countries, they show that ESM can effectively predict malware infection ratios over time up to 4 times better than several baselines on various metrics. Furthermore, ESM's performance is stable and robust even when the number of detected infections is low. A paper based on this research was accepted for publication at WSDM 2016.

Cukier and Maimon are applying a criminological viewpoint to develop a better understand attackers' behavior. Using honeypots deployed at the University of Maryland, they are studying how different system-level aspects affect intruders' behavior. This quarter, they applied the idea of deterrence in cyberspace to examine the effect of a last login banner (displaying various times of the last logon to the system) on the progression of an attack of system trespassers. This analysis tested the hypothesis that a last login banner provides a deterrent effect and slows down a system trespassing event, thus decreasing the severity of the event. Initial results indicate all time-related variables were not significantly related to the displayed banner. However, the probability of beginning the first system trespassing event was significantly related to the presence of the login banner. Specifically, trespassers who view login banners with times closer to the time they enter the system are significantly more likely to begin the first trespassing session (i.e., begin typing commands). Interestingly, this indicates that the login banner showing last logon to the system does not provide a deterrent effect, but may in fact be a catalyst for system trespassing. Such findings will be further evaluated in order to provide policy recommendations for the use of last login type banners.

Aviv and Golbeck are focusing on using empirical studies (surveys) to understand users' perceptions of security and usability. The overarching goal is to apply what they learn to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. This would enable the design of systems in which users' perceptions of security match some known metric of security, thus inducing security by design. In one recent work, they have studied perceptions of security and usability for Android's graphical password mechanism. They found that users' perceptions of security are unaffected by spatial shifting, but greatly affected by "complexity." Most surprisingly, they were able to predict perceptions and found that none of the tested features alone impacted perceptions, but rather the total length of the password was the most predictive of security perceptions. Followup work has looked at the effect of grid sizes on perceptions of security. Results of this work were reported in a paper accepted to ACSAC 2015, as well as a poster presented at SOUPS 2015.

Papamanthou, Mazurek, and Tiwari are undertaking qualitative studies of users and developers in an effort to discover factors that encourage or discourage privacy and security by design. This work is directed at the broader goal of understanding human behavior and its impact on security. They have completed interviews with mobile-application developers focused on cultural and workplace dynamics, and are now beginning analysis of the data collected during those interviews. They are also working on contextual privacy software ("Bubbles") whose goal is to make information sharing more transparent and user-friendly. They have implemented a version of the Bubbles contextual privacy software, and have signed up a third-party, commercial application to pilot the evaluation of the Bubbles platform. The third-party application -- Bluehub Health -- enables patients to get copies of their medical records from hospitals and then share it with other doctors on a per-encounter basis. Bluehub Health provides a compelling use case and at the same time, a good test for Bubbles' distributed, mandatory access control . In addition, they have trained another team of third-party developers in using Bubbles' API -- that team is porting Bluehub Health to Bubbles now and can be hired by future third-party app developers in porting their apps to Bubbles quickly.

Baras and Golbeck are studying the fundamental notion of trust, and seeking to develop appropriate models that can be applied to study the dynamics of small groups of parties exploring mechanisms for collaboration based on their local policies. They have used game theory to characterize the costs and benefits of collaboration as a function of the level of trust, and have proved formally the conjecture that "trust is a lubricant for cooperation." This work directly addresses the hard problem of policy-governed secure collaboration, among others. Their work was published or accepted to appear in several venues, including IEEE Transactions on Control of Network Systems and the IEEE Conference on Decision and Control.

Katz and Vora have adapted a protocol for remote electronic voting based on physical objects like scratch-off cards. What is particularly novel here is that the human voter is explicitly modeled as a participant in the protocol, taking into account limitations on the kinds of computations humans can be expected to perform. In this sense, this work related to the general problem of modeling human behavior and appropriately taking human behavior into account when designing security protocols. In accomplishments this quarter we have completed the specification of a new voting protocol and begun to define its security (privacy and election integrity) properties in the presence of human voters, even if multiple terminals and the election server collude to change the election outcome.

B). Community Interaction

Levin presented results about PKI administration at several non-academic venues, including at the RTCM (Radio Technical Commission for Maritime Services) conference, the NMEA (National Maritime Electronics Association) conference, and the CyberSci Summit. The audiences consisted of a wide range of practitioners who are influential in developing communication policies at both institutional and international levels. Additionally, Levin presented his results to groups of graduate and undergraduate students at UMD.

Michelle Mazurek and Tudor Dumitras spoke at HotSEC 2015 on the increasing prevalance of security research based on private or proprietary data sets and how that impacts the science of security.

Aviv served on the program committees of the Usable Security Worksop (USEC '16) and Privacy Enhancing Technology Symposium (PETS '15, PETS '16). He also gave several invited talks about his research.

Van Horn was invited to present a tutorial on his recent work done as part of the lablet at POPL 2016.

Jonathan Katz gave an invited talk on science of security at the Foundations of Cyber Security and Privacy Symposium hosted by the Max Planck Institute in July 2015.

Jonathan Katz will serve as program chair for Crypto 2016, and is also on the program committees for TCC 2016, NDSS 2016, PETS 2016, and EuroS&P 2016.

Michael Hicks is running another iteration of the "Build It, Break It, Fix It" contest. In contrast to security competitions which encourage teams only to attack systems and find vulnerabilities, the goal of this contest is to encourage writing of secure programs in the first place.

Michael Hicks is serving as program chair for the 2016 Computer Security Foundations Workshop. He also serves on the IDA/CCS program review committee. He has been blogging about programming-language security at pl-enthusiast.net

Poorvi Vora is on the technical team for the end-to-end verifiable internet voting project of the Overseas Vote Foundation, the largest organization providing services to overseas US voters. Vora was invited to participate in the plenary panel: "Blue Skies / Blank Check" at the annual conference of the Election Verification Network (EVN), which is a nonpartisan network of professionals committed to election integrity. Its membership includes "voting activists, computer scientists, election law and voting rights attorneys, academic experts, election officials, civil rights advocates and more."

Chetty will giving talks on her research results at the Center for Information and Technology Policy (CITP) at Princeton and to the HCI group at the Jacobs-Institute at CornellTech in November

C). Educational

Michael Hicks, Jen Golbeck, and Jonathan Katz are offering computer-security MOOCs on Coursera. These courses cover programming-langauge security, cryptography, and usable security.

Adam Aviv sponsored a female high-school student for an 8-week internship. He is also developing a senior-level elective on cybersecurity, as well as one focusing on usable security.

David Van Horn has incorporated his lablet research into his graduate class on "Program Analysis and Understanding." He will also work to incorporate this into the pedagogically oriented programming environment accompanying his textbook "How to Design Programs."

Chetty will be developing a usable security class to be taught in Fall 2016.

Tudor Dumitras is offering a course on distributed-systems security that incorporates a discussion of security metrics and empirical studies of security properties.

Michel Cukier leads the ACES undergraduate honors program in cybersecurity, which incorporates a holistic approach to cybersecurity covering technical, policy, and behavioral aspects of the problem.