SoS Quarterly Summary Report - UMD - April 2016

Lablet Summary Report

A). Fundamental Research
The UMD lablet involves several projects looking at different aspects of the five hard problems.

Levin is conducting Internet-wide measurements of how online certificates are being managed, including such factors as how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play. In particular, he found that CDNs (content distribution networks)--which serve content for many of the most popular websites--appear to have access to content providers' private keys, violating the fundamental assumption of PKIs (i.e., that no one shares their private keys). They are performing the first widespread analyses of the extent to which websites are sharing their private keys, and exploring what impact this has on the management of the PKI and on users' privacy and security in general. In recent work, they have found that up to 90% of certificates on the publicly reachable web are invalid, and are currently exploring reasons why.

Mazurek is exploring how users process security advice. Her preliminary work has found that cybersecurity advice comes from a wider variety of sources than does physcial-security advice and, perhaps as a consequence, users are generally less confident about whether cybersecurity advice is trustworthy. The study also found that while women and older people report more physical-security behaviors than others, they do not report more digital-security behaviors. These results were presented as a poster at SOUPS 2015. In this quarter, she completed analysis of a qualitative study, and the results indicate that people are generally less confident in assessing the credibility of cybersecurity vs. physical security advice. Particpants elect not to follow advice they know about for a variety of reasons, ranging from inconvenience to not understanding why the advice is useful to concerns that the advice will threaten their privacy or is offered as marketing rather than sincerely. These results were accepted for publication at the IEEE Symposium on Security & Privacy 2016.

Van Horn et al. are investigating compositional-verification techniques using language-based mechanisms for specifying and enforcing program properties called contracts. Initial results confirm that behavioral properties of programs can be verified using this approach and they are now trying to scale the approach to cover multi-language programs and security properties. This team recently made a theoretical breakthrough by showing how to efficiently generate counterexamples witnessing contract violations. This is important for testing and debugging software that uses contracts. They have been able to prove that their method is both sound and relatively complete. A paper describing these results was presented at PLDI 2015 and prior work, published at ICFP 2014, was submitted to a special issue of the Journal of Functional Programming. In January 2016, Van Horn presented a tutorial on this material at the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL).

Dumitras et al. are working to design more-informative metrics to quantify security of deployed systems. This work addresses the hard problem of developing quantifiable metrics for assessing the security of systems, and understanding how those metrics evolve in the real world. In this quarter, they submitted a paper on preventing common misuses of cryptographic primitives with design patterns and semantic APIs. While several mature cryptographic frameworks exist, and have been utilized for building complex applications, empirical studies suggest that developers often use these frameworks incorrectly and introduce security vulnerabilities. The key challenge for developers is the fact that current cryptographic frameworks erode abstraction boundaries, as they do not encapsulate all the framework-specific knowledge and expect developers to understand security attacks and defenses. Starting from the documented misuse cases of cryptographic APIs, they infered five developer needs and showed that a good API design would address these needs only partially. Building on this observation, they proposed APIs that are semantically meaningful for developers, showed how these interfaces can be implemented consistently on top of existing frameworks using novel and known design patterns, and proposed build-management hooks for isolating security workarounds needed during the development and test phases. Through two case studies, they showed that those APIs can be utilized to implement non-trivial client-server protocols and that they provide a better separation of concerns than existing frameworks.

Subrahmanian et al. are exploring dynamics of malware infection and software patching. During this quarter, they submitted papers to SOUPS 2016 and USENIX Security 2016. In the latter paper, they looked at creating analytical models for the vulnerability patching process. To do this, they utilized the corpus of daily measurements of patching for 1.6K vulnerabilities, which they previously collected within this project, and separated the impact of user and vendor behavior on patching delays. They also evaluated the resulting vulnerability states of hosts. Their modeling of users and the empirical evaluation of this model over vulnerability states of hosts revealed a peculiar relationship between vendors and end-users: the users' promptness in applying software patches, and vendors' policies in facilitating the installation of updates, while both contributing to the hosts' security posture, are over-shadowed by other characteristics such as the frequency of vulnerability disclosures and the vendors' swiftness in deploying patches to their consumers.

Cukier and Maimon are applying a criminological viewpoint to develop a better understand attackers' behavior. Using honeypots deployed at the University of Maryland, they are studying how different system-level aspects affect intruders' behavior. This quarter, they explored the effect of a last-login banner (displaying various times of the last logon to the system) with regards to the commands typed onto the system by an intruder. Initial investigation indicated that the most common commands typed were CD (to change the directory), LS (to list the contents of the directory), and W (to show who is logged onto the system). Investigating whether the login banner affected trespasser actions showed that the CD and LS commands had significant differences for login banner versus no login banner. Specifically, system trespassers who viewed login banners with times closer to the time they entered the system were significantly less likely to type the CD command; while system trespassers who viewed login banners with times closer to the time they entered the system were significantly more likely to type the LS command. There were no significant effects for the W command. These results indicate there may be some deterrent effect of the presence of the last login banner (system trespassers were less likely to use a changing command and more likely to use a passive viewing command, thereby limiting the amount of damage to the system). Overall, the findings show support for the idea that a last login banner may affect system trespasser behavior when on a system. Such findings should be further evaluated in order to determine the extent of this relationship and the appropriate policy recommendations for the use of last login type banners in cybersecurity.

Aviv and Golbeck are focusing on using empirical studies (surveys) to understand users' perceptions of security and usability. The overarching goal is to apply what they learn to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. This would enable the design of systems in which users' perceptions of security match some known metric of security, thus inducing security by design. In one recent work, they have studied perceptions of security and usability for Android's graphical password mechanism. They found that users' perceptions of security are unaffected by spatial shifting, but greatly affected by "complexity." Most surprisingly, they were able to predict perceptions and found that none of the tested features alone impacted perceptions, but rather the total length of the password was the most predictive of security perceptions. Followup work has looked at the effect of grid sizes on perceptions of security. Results of this work were reported in a paper accepted to ACSAC 2015, a poster presented at SOUPS 2015, and, most recently, a paper accepted to the Usable Security Workshop (USEC).

Papamanthou, Mazurek, and Tiwari are undertaking qualitative studies of users and developers in an effort to discover factors that encourage or discourage privacy and security by design. This work is directed at the broader goal of understanding human behavior and its impact on security. They have completed interviews with mobile-application developers focused on cultural and workplace dynamics, and are now beginning analysis of the data collected during those interviews. They are also working on contextual privacy software ("Bubbles") whose goal is to make information sharing more transparent and user-friendly. They have implemented a version of the Bubbles contextual privacy software, and have signed up a third-party, commercial application to pilot the evaluation of the Bubbles platform. The third-party application -- Bluehub Health -- enables patients to get copies of their medical records from hospitals and then share it with other doctors on a per-encounter basis. Bluehub Health provides a compelling use case and at the same time, a good test for Bubbles' distributed, mandatory access control . In addition, they have trained another team of third-party developers in using Bubbles' API -- that team is porting Bluehub Health to Bubbles now and can be hired by future third-party app developers in porting their apps to Bubbles quickly. The team has recently obtained IRB approval and is ready to start a usability study on Amazon Turk.

Baras and Golbeck are studying the fundamental notion of trust, and seeking to develop appropriate models that can be applied to study the dynamics of small groups of parties exploring mechanisms for collaboration based on their local policies. They have used game theory to characterize the costs and benefits of collaboration as a function of the level of trust, and have proved formally the conjecture that "trust is a lubricant for cooperation." This work directly addresses the hard problem of policy-governed secure collaboration, among others. Their work was published or accepted to appear in several venues, including the Journal of Trust Management.

Katz and Vora have adapted a protocol for remote electronic voting based on physical objects like scratch-off cards. What is particularly novel here is that the human voter is explicitly modeled as a participant in the protocol, taking into account limitations on the kinds of computations humans can be expected to perform. In this sense, this work related to the general problem of modeling human behavior and appropriately taking human behavior into account when designing security protocols. In accomplishments this quarter we have completed the proof of security for a a new voting protocol. Interestingly, a formal analysis showed that a previously published version of the protocol admitted an attack in which a corrupted election authority could prevent a voter from voting. That vulnerability has been fixed by adding specific timing requirements into the protocol. They have also completed a first draft of a manuscript on a systematization of knowledge of properties of verifiabile elections.

B). Community Interaction

David Levin presented results about PKI administration at several non-academic venues, including at the RTCM (Radio Technical Commission for Maritime Services) conference, the NMEA (National Maritime Electronics Association) conference, and the CyberSci Summit. The audiences consisted of a wide range of practitioners who are influential in developing communication policies at both institutional and international levels. He also presented these results to graduate and undergraduate students at UMD, as well as students and faculty at several other universities.

Adam Aviv served on the program committees of the Usable Security Worksop (USEC '16) and the Privacy Enhancing Technology Symposium (PETS '16), and served as Workshop and Tutorrial Chair at the Symposium on Usable Security and Privacy (SOUPS '16). He also gave several invited talks about his research.

David Van Horn was invited to speak at the University of Chile in January 2016 on his recent work done as part of the lablet.

Jonathan Katz is serving as program chair for Crypto 2016. He is also on the program committee of the Privacy Enhancing Technology Symposium (PETS '16).

In March 2016, Jonathan Katz gave an invited lecture on "Taking the Human Into Account in Cryptographic Design" as part of the Workshop on Human Factors in Cybersecurity Design at Hebrew University, Jerusalem, Israel. This lecture covered the NSA lablet program, as well as the work on voting done by Katz and Vora.

Michael Hicks is serving as program chair for the 2016 Computer Security Foundations Workshop. He also serves on the IDA/CCS program review committee. He has been blogging about programming-language security at pl-enthusiast.net

Poovi Vora is part of the technical team for the end-to-end verifiable internet voting (E2E VIV) project (examining the feasibility of secure internet voting) of the overseas vote foundation (OVF). She has been contributing to a description of end-to-end independently-verifiable voting systems meant for non-technical readers including election officials. The project report was released on July 11, 2015: "The Future of Voting: End-to-End Verifiable Internet Voting - Specification and Feasibility Study", see https://www.usvotefoundation.org/E2E-VIV

Marshini Chetty gave talks on her research results at the Center for Information and Technology Policy (CITP) at Princeton and to the HCI group at the Jacobs-Institute at CornellTech in November.

C). Educational

Michael Hicks, Jen Golbeck, and Jonathan Katz are offering computer-security MOOCs on Coursera. These courses cover programming-langauge security, cryptography, and usable security.

Adam Aviv is developing a senior-level elective on cybersecurity, as well as one focusing on usable security.

In January 2016, Van Horn presented a tutorial on formal-method tools and techniques at the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL) in St. Petersburg, Florida.

David Van Horn has incorporated his lablet research into his graduate class on "Program Analysis and Understanding." He is also working to incorporate this into the pedagogically oriented programming environment accompanying his textbook "How to Design Programs."

Michel Cukier leads the ACES undergraduate honors program in cybersecurity, which incorporates a holistic approach to cybersecurity covering technical, policy, and behavioral aspects of the problem.

Five students from the Mazurek's course are developing a participatory design workshop focused on relatable fictional instruction for security behavior. Goals for this design are drawn from results of our qualitative study.