SoS Quarterly Summary Report - UMD - January 2016
Lablet Summary Report
A). Fundamental Research
The UMD lablet involves several projects looking at different aspects of the five hard problems.
Levin is conducting Internet-wide measurements of how online certificates are being managed, including such factors as how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play. In particular, he found that CDNs (content distribution networks)--which serve content for many of the most popular websites--appear to have access to content providers' private keys, violating the fundamental assumption of PKIs (i.e., that no one shares their private keys). Levin's group is performing the first widespread analyses of the extent to which websites are sharing their private keys, and exploring what impact this has on the management of the PKI and on users' privacy and security in general.
Mazurek is exploring how users process security advice. Her preliminary work has found that cybersecurity advice comes from a wider variety of sources than does physical-security advice and, perhaps as a consequence, users are generally less confident about whether cybersecurity advice is trustworthy. The study also found that while women and older people report more physical-security behaviors than others, they do not report more digital-security behaviors. These results were presented as a poster at SOUPS 2015. In this quarter, she completed analysis of a qualitative study, and the results indicate that people are generally less confident in assessing the credibility of cybersecurity vs. physical-security advice. Participants elected not to follow advice for a variety of reasons, ranging from inconvenience, to not understanding why the advice is useful, to concerns that the advice will threaten their privacy or is offered as marketing rather than sincerely. The results were summarized in a paper currently in submission.
Van Horn et al. are investigating compositional-verification techniques using language-based mechanisms for specifying and enforcing program properties called contracts. Initial results confirm that behavioral properties of programs can be verified using this approach and they are now trying to scale the approach to cover multi-language programs and security properties. This team recently made a theoretical breakthrough by showing how to efficiently generate counterexamples witnessing contract violations. This is important for testing and debugging software that uses contracts. They have been able to prove that their method is both sound and relatively complete. A paper describing these results was presented at PLDI 2015 and prior work, published at ICFP 2014, was submitted to a special issue of the Journal of Functional Programming. In January 2016, Van Horn presented a tutorial on this material at the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL).
Dumitras et al. are working to design more-informative metrics to quantify the security of deployed systems. This work addresses the hard problem of developing quantifiable metrics for assessing the security of systems, and understanding how those metrics evolve in the real world. The research team has formalized several security metrics derived from field data, including the count of vulnerabilities exploited and the size of the attack surface actually exercised in real-world attacks, and evaluated these metrics on nearly 300 million reports of intrusion-protection telemetry, collected on more than six million hosts. In this quarter, they submitted a paper on estimating and predicting the reliability of complex software in the field. Because they function within a complex and evolving software ecosystem, user-mode applications may crash for multiple reasons, such as resource corruption by other programs (e.g., drivers, plugins), broken dependencies, or hardware and general configuration problems. They developed a statistical method for separating the effects of different factors and for identifying crash predictors for Windows applications. They then applied this method to data collected from a sample of 150,000 real hosts to measure crash rates in the field and to assess the relative influence of different factors. Building on their empirical observations, they identified several challenges in identifying the most important factors through in-house testing and outlined several directions for improving software reliability.
Subrahmanian et al. are exploring the dynamics of malware infection. During this quarter, they completed work on predicting the number of hosts infected by a piece of malware. In particular, they developed a prototype system called CCAFE (Country Cyber Attack Forecast Engine) which allows an analyst to examine a country's detection and patching abilities, as well as to see predictions of the number of hosts that might be infected in that country by over 50 different types of malware. A paper on this was accepted at WSDM'16. In other work, they explored the relationship between the behavior of humans authorized to use a host and the number of cyber-attacks on that host. A paper on this topic was accepted to ACM TIST'16.
Cukier and Maimon are applying a criminological viewpoint to develop a better understanding of attackers' behavior. Using honeypots deployed at the University of Maryland, they are studying how different system-level aspects affect intruders' behavior. This quarter, they explored the effect of a last-login banner (displaying various times of the last logon to the system) with regard to the commands typed on the system by an intruder. Initial investigation indicated that the most common commands typed were CD (to change the directory), LS (to list the contents of the directory), and W (to show who is logged onto the system). Investigating whether the login banner affected trespasser actions showed that the CD and LS commands had significant differences for login banner versus no login banner. Specifically, system trespassers who viewed login banners with times closer to the time they entered the system were significantly less likely to type the CD command, while system trespassers who viewed login banners with times closer to the time they entered the system were significantly more likely to type the LS command. There were no significant effects for the W command. These results indicate there may be some deterrent effect from the presence of the last-login banner (system trespassers were less likely to use a changing command and more likely to use a passive viewing command, thereby limiting the amount of damage to the system). Overall, the findings support the idea that a last-login banner may affect system trespasser behavior while on a system. Such findings should be further evaluated in order to determine the extent of this relationship and the appropriate policy recommendations for the use of last-login-type banners in cybersecurity.
Aviv and Golbeck are focusing on using empirical studies (surveys) to understand users' perceptions of security and usability. The overarching goal is to apply what they learn to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. This would enable the design of systems in which users' perceptions of security match some known metric of security, thus inducing security by design. In one recent work, they studied perceptions of security and usability for Android's graphical password mechanism. They found that users' perceptions of security are unaffected by spatial shifting, but greatly affected by "complexity." Most surprisingly, they were able to predict perceptions and found that none of the tested features alone impacted perceptions; rather, the total length of the password was the most predictive of security perceptions. Follow-up work has looked at the effect of grid sizes on perceptions of security. Results of this work were reported in a paper accepted to ACSAC 2015, a poster presented at SOUPS 2015, and, most recently, a paper accepted to the Usable Security Workshop (USEC).
Papamanthou, Mazurek, and Tiwari are undertaking qualitative studies of users and developers in an effort to discover factors that encourage or discourage privacy and security by design. This work is directed at the broader goal of understanding human behavior and its impact on security. They have completed interviews with mobile-application developers focused on cultural and workplace dynamics, and are now beginning analysis of the data collected during those interviews. They are also working on contextual privacy software ("Bubbles") whose goal is to make information sharing more transparent and user-friendly. They have implemented a version of the Bubbles contextual privacy software, and have signed up a third-party, commercial application to pilot the evaluation of the Bubbles platform. The third-party application -- Bluehub Health -- enables patients to get copies of their medical records from hospitals and then share them with other doctors on a per-encounter basis. Bluehub Health provides a compelling use case and, at the same time, a good test of Bubbles' distributed, mandatory access control. In addition, they have trained another team of third-party developers in using Bubbles' API -- that team is porting Bluehub Health to Bubbles now and can be hired by future third-party app developers to port their apps to Bubbles quickly. The team has recently obtained IRB approval and is ready to start a usability study on Amazon Turk.
Baras and Golbeck are studying the fundamental notion of trust, and seeking to develop appropriate models that can be applied to study the dynamics of small groups of parties exploring mechanisms for collaboration based on their local policies. They have used game theory to characterize the costs and benefits of collaboration as a function of the level of trust, and have proved formally the conjecture that "trust is a lubricant for cooperation." This work directly addresses the hard problem of policy-governed secure collaboration, among others. Their work was published or accepted to appear in several venues, including the Journal of Trust Management.
Katz and Vora have adapted a protocol for remote electronic voting based on physical objects like scratch-off cards. What is particularly novel here is that the human voter is explicitly modeled as a participant in the protocol, taking into account limitations on the kinds of computations humans can be expected to perform. In this sense, this work relates to the general problem of modeling human behavior and appropriately taking human behavior into account when designing security protocols. In accomplishments this quarter, they have completed the proof of security for a new voting protocol. Interestingly, a formal analysis showed that a previously published version of the protocol admitted an attack in which a corrupted election authority could prevent a voter from voting. That vulnerability has been fixed by adding specific timing requirements to the protocol.
B). Community Interaction
David Levin presented results about PKI administration at several non-academic venues, including at the RTCM (Radio Technical Commission for Maritime Services) conference, the NMEA (National Maritime Electronics Association) conference, and the CyberSci Summit. The audiences consisted of a wide range of practitioners who are influential in developing communication policies at both institutional and international levels.
Graduate student Elissa Redmiles received a "data grant" from the Data&Society institute in part due to her work on the lablet.
Adam Aviv served on the program committees of the Usable Security Workshop (USEC '16) and the Privacy Enhancing Technologies Symposium (PETS '16), and served as Workshop and Tutorial Chair at the Symposium on Usable Privacy and Security (SOUPS '16). He also gave several invited talks about his research.
David Van Horn was invited to speak at the University of Chile in January 2016 on his recent work done as part of the lablet.
Jonathan Katz is serving as program chair for Crypto 2016.
Michael Hicks is serving as program chair for the 2016 Computer Security Foundations Workshop. He also serves on the IDA/CCS program review committee. He has been blogging about programming-language security at pl-enthusiast.net.
Poorvi Vora is part of the technical team for the end-to-end verifiable internet voting (E2E VIV) project (examining the feasibility of secure internet voting) of the Overseas Vote Foundation (OVF). She has been contributing to a description of end-to-end independently-verifiable voting systems meant for non-technical readers, including election officials. The project report was released on July 11, 2015: "The Future of Voting: End-to-End Verifiable Internet Voting - Specification and Feasibility Study"; see https://www.usvotefoundation.org/E2E-VIV
Marshini Chetty gave talks on her research results at the Center for Information and Technology Policy (CITP) at Princeton and to the HCI group at the Jacobs-Institute at CornellTech in November.
John Baras gave an invited plenary talk titled "Security and Trust for Networked Cyber Physical Systems (Net-CPS)" at the 2015 Cyber-Security and Privacy Winter School (2015 CySeP), October 21-23, 2015, in Stockholm, Sweden.
John Baras participated heavily in the NIST-organized public working group on Cyber-Physical Systems (CPS) and in particular with the subgroup working on security problems and formulations for CPS.
C). Educational
Michael Hicks, Jen Golbeck, and Jonathan Katz are offering computer-security MOOCs on Coursera. These courses cover programming-language security, cryptography, and usable security.
Adam Aviv is developing a senior-level elective on cybersecurity, as well as one focusing on usable security.
In January 2016, Van Horn presented a tutorial on formal-method tools and techniques at the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL) in St. Petersburg, Florida.
David Van Horn has incorporated his lablet research into his graduate class on "Program Analysis and Understanding." He will also work to incorporate this into the pedagogically oriented programming environment accompanying his textbook "How to Design Programs."
Michel Cukier leads the ACES undergraduate honors program in cybersecurity, which incorporates a holistic approach to cybersecurity covering technical, policy, and behavioral aspects of the problem.