SoS Lablet Annual Report - UMD
A). Lablet Introduction
The UMD lablet, led by co-PIs Jonathan Katz and Michel Cukier, involves 10 projects looking at different aspects of the five hard problems, with specific focus on the areas of metrics, policy-governed secure collaboration, and human behavior.
The UMD lablet consists of 20 faculty from both UMD and partner institutions. The 15 UMD faculty are drawn from five different departments across campus, including computer science, electrical and computer engineering, information studies, criminology, and reliability engineering. The collaborators hail from USNA, VA Tech, UT Austin, Indiana University, and The George Washington University.
B). Fundamental Research
The project "Understanding Developers' Reasoning about Privacy and Security" is addressing the hard problem of human behavior by developing an information flow control (IFC) platform called Blox which is intended to make it easier and more intuitive for users to control how their personal information is used, shared, and disseminated. The major highlights of the past year are completing a functional prototype of Blox, and conducting a user study on access control in practice. The prototype includes a user interface, similar to Dropbox, for managing data as well as a backend that implements IFC on model-view-controller web applications. Additionally, the team has written a secure templating language that enables the viewing of cross-folder information on the platform without compromising security. This allows developers to retain all their application's functionality when porting an application to Blox, something that other IFC platforms for web applications are unable to do. The team analyzed the porting effort required to add both new and existing applications to the Blox platform. A team of undergraduate students has written an in-browser integrated development environment and calendar application on Blox, illustrating previously missing functionality in the templating language. This work is complemented by a user study analyzing how compatible the Blox platform is with a typical user's workflow. This study pulls information from Mechanical Turk participants' Google Drive, Gmail, and Google Calendar accounts, and uses machine learning to create logical groupings of access-control decisions of data. The accuracy of these groupings is then tested by asking participants to answer a series of questions. The team plans to submit two papers this coming year based on these results.
The project "Measuring and Improving the Management of Today's PKI" focuses on metrics by means of large-scale measurements of the existing public-key infrastructure (PKI) used in today's web. Over the past year, the team has investigated the roles that administrators, content distribution networks (CDNs), and browsers play in the PKI through these measurement studies. One such study focused primarily on certificate revocation, and found that a surprisingly large fraction (8%) of served certificates have been revoked, yet no browsers fully check for revocations, and mobile browsers perform no revocation checks whatsoever. Another study investigated invalid certificates in the Web's PKI, and found that they constitute a shocking 88% of all certificates in a four-year-long dataset; further investigation found that these arise mostly from end-user devices such as home routers, IPTVs, and printers, and the team developed techniques that allow them to track devices by their certificates to observe user mobility and IP address reassignment policies. Finally, the team has been investigating the role that content distribution networks (CDNs) and web-hosting services play in the Web's PKI, having observed that they have access to their customers' private keys (in contrast to what is typically assumed). As part of this work, the team has developed techniques that allow them to "anti-alias" domain names by determining, through machine learning over network data and "whois" data, whether two domain names correspond to the same administrative entity. This study is still in progress, but initial results indicate extensive key sharing in the Web's PKI, which has serious implications for the security of popular Web services.
Work done as part of the "Trust, Recommendation Systems, and Collaboration" project is primarily directed toward the hard problem of policy-governed secure collaboration. The overarching goal of the project is to develop a transformational framework for a science of trust, and its impact on local policies for collaboration, in networked multi-agent systems, which takes human behavior into account from the start and is validated experimentally. Among other things, work so far has developed novel results regarding the evolution of opinions (or beliefs) over a social network modeled as a signed graph; new models and analytical methods for the investigation of consensus dynamics with both collaborative and non-collaborative node interactions; and new probabilistic models of multi-domain crowdsourcing tasks. The team has also formalized the problem of trust-aware task allocation in crowdsourcing and developed a principled way to solve it; the formulation models the workers' trustworthiness and the costs based on both the question and the worker group. In other work, the team performed an experimental study of the concerns, knowledge, and perceptions about privacy among users of the Internet. The primary focus of this work was to understand whether users are continuing to share once they are aware of the privacy risks and have made an informed choice about what they are comfortable sharing, or whether they are operating under false assumptions or without the knowledge they need to make an informed choice.
The project "User-Centered Design for Security" has made significant progress in measuring and applying metrics of security to mobile authentication, particularly graphical password systems on Android, and in using those metrics to design systems to improve the human factor in password selection, such as password meters. The team has also completed a paper on user perception and understanding of privacy issues related to personal information sharing in apps. This work focused on Facebook apps and set out to understand how concerned users are about privacy and how well-informed they are about what personal data apps can access. We found that initially, subjects were generally under-informed about what data apps could access from their profiles. After viewing additional information about these permissions, subjects' concern about privacy on Facebook increased. Subjects' understanding of what data apps were able to access increased, although even after receiving explicit information on the topic many subjects still did not fully understand the extent to which apps could access their data.
The goal of the project "Reasoning about Protocols with Human Participants" is to study protocols -- in particular, electronic-voting protocols -- in which humans are explicitly modeled as participants. As such, this task relates to the hard problem of human behavior. In the last year, we have been working on two major goals: finalizing the Remotegrity voting protocol and developing proofs of its security properties, and using aspects of Remotegrity to develop a new protocol which improves the dispute-resolution properties of Helios, assuming an honest registrar (credential provider). In Helios currently, the voting terminal can change a vote after it obtains the voter's credential, and although the voter will be aware that her vote was changed, she will be unable to prove it to a third party. In addition to other changes, the new protocol uses Remotegrity's lock-in code to prevent the vote from being changed.
The project "Empirical Models for Vulnerability Exploits" is exploring more-informative metrics to quantify security of deployed systems. This year, the team explored machine-learning techniques for preventing global malware dissemination. Today, few malware families have the ability to propagate autonomously. Instead, they rely on malware-delivery networks, which specialize in helping malware infect millions of hosts worldwide. These malware-delivery techniques largely rely on two key components: (1) drive-by download exploits, which enable the initial malware insertion and (2) downloader trojans, which retrieve additional malware from the Internet. Two main results were obtained. First, the team designed and implemented a system for forecasting which vulnerabilities will be exploited in the wild, using information mined from Twitter. This system can be used to prioritize responses to vulnerability disclosures, or to model risk for cyber-insurance applications. Second, the project introduced a downloader-graph abstraction, which captures the client-side activity of malware delivery networks. Properties of downloader graphs were in turn used to train a classifier that has the potential to expose large parts of the malware-download activity which may otherwise remain undetected.
The project "Human Behavior and Cyber Vulnerabilities" uses an empirical approach to study factors that affect the rate at which security patches are deployed. When a vulnerability is exploited, software vendors often release patches fixing the vulnerability. However, prior research has shown that some vulnerabilities continue to be exploited more than four years after their disclosure. Why? There are both technical and sociological reasons for this. On the technical side, it is unclear how quickly security patches are disseminated, and how long it takes to patch all the vulnerable hosts on the Internet. On the sociological side, users/administrators may decide to delay the deployment of security patches. The goal of this task is to validate and quantify these explanations. Specifically, it seeks to characterize the rate of vulnerability patching, and to determine the factors, both technical and sociological, that influence the rate of applying patches.
As part of the project "Does the Presence of Honest Users Affect Intruders' Behavior?," Michel Cukier and David Maimon are applying criminological techniques to develop a better understanding of attacker behavior. One particular highlight of the past year is the examination of previously uninvestigated experimental data -- an experiment that randomly assigned infiltrated target computers to have a certain type (administrative or non-administrative) and number (1 or 10) of users to appear on the system at the same time as the system trespasser. Using this data, the team examined whether the number and type of users present on a system reduced the seriousness and frequency of trespassing. Results indicated that the presence of an administrative user (regardless of the number of users) significantly reduced the number of system trespassing events. Additionally, with 10 users present, the presence of an administrative user significantly reduced the total amount of time attackers spent on the compromised system. Interestingly, comparing between conditions with different numbers of users, it was found that the number of users present on the system has no effect on the number of trespassing events or total time spent on the system. These findings together indicate that the presence of an administrative user can produce a deterrent effect on system trespassers, while the number of users present on the system has no effect on system trespasser actions.
"Understanding how Users Process Security Advice" addresses the hard problem of human behavior from the perspective of educational efforts. People encounter a tremendous amount of cybersecurity advice. It would be impossible to follow all the available advice, so people pick and choose which advice to follow and which to ignore in different circumstances. But the advice they pick is not always the most correct or useful. This project examines where people encounter security advice, how they evaluate its trustworthiness, and how they decide which advice to follow or reject. This year, the team first completed a qualitative study on this topic. Key findings include that participants evaluate digital-security advice based on the trustworthiness of the advice sources, as compared to evaluating physical-security advice based on their intuitive assessment of the advice content, and that participants reject advice for a variety of reasons including that it contains marketing material or threatens their privacy. More recently, the team also completed data collection and began data analysis for a large-scale quantitative survey designed to validate the findings from the qualitative study, and began development and testing of security behavior interventions based on the findings.
As part of the project "Trustworthy and Composable Software Systems with Contracts," researchers are investigating compositional-verification techniques using language-based mechanisms called contracts for specifying and enforcing program properties. Results confirm that behavioral properties of programs can be verified using this approach, and the team members are now trying to scale the approach to cover multi-language programs and more-complex security properties.
C). Publications
- Yabing Liu, Will Tome, Liang Zhang, David Choffnes, Dave Levin, Bruce Maggs, Alan Mislove, Aaron Schulman, and Christo Wilson, "An End-to-End Measurement of Certificate Revocation in the Web's PKI," ACM IMC (Internet Measurement Conference) 2015.
- Frank Cangialosi, Dave Levin, and Neil Spring, "Ting: Measuring and Exploiting Latencies Between All Tor Nodes," ACM IMC (Internet Measurement Conference) 2015.
- X. Liu, H. He and J. S. Baras, "Trust-Aware Optimal Crowdsourcing With Budget Constraint," Proceedings 2015 IEEE ICC, June 8-12, 2015, London, UK.
- G. Shi, A. Proutiere, M. Johansson, J. S. Baras, and K. H. Johansson, "Emergent Behaviors Over Signed Random Dynamical Networks: State-Flipping Model," IEEE Transactions on Control of Network Systems (IEEE TCNS), pp. 142-153, Vol. 2, No. 2, June 2015.
- X. Liu, H. He and J. S. Baras, "Crowdsourcing With Multi-Dimensional Trust," Proc. 18th IEEE Intl. Conference on Information Fusion (FUSION 2015), pp. 574-881, Washington DC, July 6-9, 2015.
- P. Gao, J. S. Baras, and J. Golbeck, "Semiring-Based Trust Evaluation for Information Fusion in Social Network Services," Proceedings 18th IEEE International Conference on Information Fusion (FUSION 2015), pp. 590-596, Washington DC, July 6-9, 2015.
- H. Miao, P. Gao, M. T. Hadjiaghayi and J. S. Baras, "HyperCubeMap: Optimal Social Network Ad Allocation Using Hyperbolic Embedding," Proceedings 2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2015), August 25-28, 2015, Paris, France.
- X. Liu, and J. S. Baras, "Trust-Aware Crowdsourcing With Domain Knowledge," Proceedings 54th IEEE Conference on Decision and Control (IEEE CDC 2015), Osaka, Japan, December 15-18, 2015.
- P. Gao, J. S. Baras and Z. Liu, "Bipartite Consensus for Global Trust in Social Network Services," Proceedings 2015 IEEE Global Communications Conference (GLOBECOM 2015), December 6-10, 2015, San Diego, CA.
- C. Buntain and J. Golbeck, "Trust Transfer Between Contexts," Journal of Trust Management, Vol. 2.1, pp. 1-16, December 2015.
- G. Shi, A. Proutiere, M. Johansson, J. S. Baras, and K. H. Johansson, "The Evolution of Beliefs over Signed Social Networks," accepted for publication in Operations Research.
- G. Shi, A. Proutiere, M. Johansson, J. S. Baras, and K. H. Johansson, "Emergent Behaviors over Signed Random Dynamical Networks: Relative State-Flipping Model," accepted for publication in IEEE Transactions on Control of Network Systems (IEEE TCNS), Vol. 3, February 2016.
- P. Gao, H. Miao, J. S. Baras, and J. Golbeck, "Semiring-Based Trust Metric for Social Recommender Systems," submitted to the 10th ACM Conference on Recommender Systems (RecSys 2016), September 15-19, 2016.
- Adam J. Aviv, Devon Budzitowski, and Ravi Kuber, "Is Bigger Better? Comparing User-Generated Passwords on 3x3 vs. 4x4 Grid Sizes for Android's Pattern Unlock," Proceedings of the Annual Computer Security Conference (ACSAC'15). January 2015.
- Abdullah Ali, Ravi Kuber, and Adam J. Aviv, "Developing and Evaluating a Gestural and Tactile Mobile Interface to Support User Authentication," iConference '16, March 2016.
- Adam J. Aviv, Justin Maguire, and Jeanne Luning Prak, "Analyzing the Impact of Collection Methods and Demographics for Android's Pattern Unlock," Proceedings of the Usable Security Workshop (USEC'16). February 2016.
- Jennifer Golbeck and Matthew Louis Mauriello, "User Perception of Facebook App Data Access: A Comparison of Methods and Privacy Concerns," Future Internet, 8(2), 9. 2016.
- Richard T. Carback, David Chaum, Jeremy Clark, Aleksander Essex, Travis Mayberry, Stefan Popoveniuc, Ronald L. Rivest, Emily Shen, Alan T. Sherman, Poorvi L. Vora, John Wittrock, and Filip Zagorski. "The Scantegrity Voting System and its Use in the Takoma Park Elections" in Real-world Electronic Voting: Design, Analysis and Deployment, edited by Feng Hao and Peter Y. A. Ryan. Taylor and Francis, in press.
- C. Sabottke, O. Suciu, and T. Dumitras, "Vulnerability disclosure in the age of social media: Exploiting Twitter for predicting real-world exploits," USENIX Security Symposium (USENIX Security'15), Washington, DC, Aug 2015.
- B. Kwon, J. Mondal, L. Bilge, J. Jang, and T. Dumitras, "The Dropper Effect: Insights into Malware Distribution with Downloader Graph Analytics," ACM Conference on Computer and Communications Security (CCS'15), Denver, CO, Oct 2015.
- Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek, "I Think They're Trying to Tell Me Something: Advice Sources and Selection for Digital Security," Proc. IEEE Security & Privacy, May 2016.
- Elissa M. Redmiles, Amelia Malone, and Michelle L. Mazurek, "How I Learned To Be Secure: Advice Sources and Personality Factors in Cybersecurity" (poster), Symposium on Usable Privacy and Security (SOUPS), July 2015.
- Phuc C. Nguyen and David Van Horn, "Relatively Complete Counterexamples for Higher-Order Programs," ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI) 2015.
- Thomas Gilray, Steven Lyde, Michael D. Adams, Matthew Might, and David Van Horn, "Pushdown Control-Flow Analysis for Free," 43rd ACM Symposium on Principles in Programming Languages (POPL'16), St. Petersburg, Florida, January 2016.
- Phuc C. Nguyen, Sam Tobin-Hochstadt, and David Van Horn, "Higher-Order Symbolic Execution for Contract Verification and Refutation," Journal of Functional Programming, to appear, 2016.
- Antonio Nappa, Richard Johnson, Leyla Bilge, Juan Caballero, and Tudor Dumitras, "The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching," IEEE Symposium on Security and Privacy, 2015.
- C. Kang, N. Park, B.A. Prakash, E. Serra, and V.S. Subrahmanian, "Ensemble Models for Data-Driven Prediction of Malware Infections," Proc. 9th ACM International Conf. on Web Science and Data Mining (WSDM) 2016.
- A. Mathur, S. Sobti, J. Engel, V. Chang, and M. Chetty, "They Keep Coming Back Like Zombies: Improving Software Updating Interfaces," to appear in the Symposium for Usable Privacy and Security (SOUPS) 2016.
D). Community Engagements
Dave Levin presented the results of the study on PKI revocation at several academic institutions, including Georgia Tech, UC Riverside, and the Max Planck Institute for Software Systems, as well as to a wide range of non-academic audiences, including the National Maritime Electronics Association (NMEA) and at the ICF International Conference.
John Baras participated heavily in the work of the Transatlantic Summit Project developing frameworks for collaboration and joint funding in the area of CPS. Security challenges, especially including human and technological networked systems, were part of the work.
John Baras gave several invited talks about his work at venues including the 2015 Cyber-Security and Privacy Winter School (October 21-23, 2015, Stockholm, Sweden), the University of Cambridge, the University of Oxford, and the 2015 Conference on Industrial Control Systems - Cyber Security Research (September 17-18, 2015, Ingolstadt, Germany).
Adam Aviv was workshops/tutorial chair for SOUPS, was on the program committee of PETS, and serves on the steering committee for Advances in Computer Security Education. He gave an invited talk about his work at Berkeley.
Jennifer Golbeck gave several invited talks about her work to audiences in industry as well as to K-12 educators/students.
Poorvi Vora gave an invited talk at The Remote Voting conference in July 2016. The meeting was organized by the Government of India, to discuss the challenges of, and possible solutions for, remote voting by Indian citizens.
Jonathan Katz gave an invited talk on "Usable Cryptography" at the Workshop on Human Factors in Cybersecurity Design (Hebrew University, March 2016), which included a discussion of security proofs for electronic-voting protocols.
Tudor Dumitras gave invited talks about his research at Qualcomm Research, UNC Charlotte, Boston University, Symantec Research Labs, and the AT&T Security Research Center.
Tudor Dumitras and Michelle Mazurek co-led a discussion session at HotSec'15 on security research conducted with non-public data and the impact these research methods have on the science of security.
David Maimon presented a poster at the annual meeting of the American Society of Criminology (ASC).
Michelle Mazurek is co-leading a tutorial at SOUPS 2016 on the science of password research.
David Van Horn gave a tutorial titled "An Introduction to Redex with Abstracting Abstract Machines" at POPL 2016. He also gave an invited talk about his work at the Dagstuhl Seminar on Language Based Verification Tools for Functional Programs in March 2016.
E). Educational
Mohit Tiwari at UT Austin introduced a three-semester sequence in cybersecurity where first- and second-year undergraduates read security papers, write reviews, and work on projects with graduate students (in addition to standard homeworks). The goal is to introduce students to both systems and theory aspects of cybersecurity.
Dave Levin added content on the PKI revocation and CDN studies to his undergraduate course on computer and network security.
John Baras introduced concepts, models, and algorithmic evaluation of trust in graduate courses on multi-agent control.
Adam Aviv has incorporated elements of his research as capstone projects in his courses. He has also involved several undergraduates in his research.
Jennifer Golbeck, Mike Hicks, and Jonathan Katz have developed MOOCs on Coursera focusing on usable security, software security, and cryptography, respectively.
Michelle Mazurek developed a new graduate course on human factors in security and privacy that was taught in Spring 2015 and Spring 2016.
David Van Horn has given tutorials on the formal-method tools and techniques he developed in the hopes of advancing the best practices used to develop high-assurance software. He was invited to lecture on the methods at a graduate summer school hosted by the University of Utah in July, 2015. The content of his research has been incorporated into the UMD graduate class "Program Analysis and Understanding". Van Horn presented a tutorial on this material at the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL) in St. Petersburg, Florida, in January 2016.
We continue to develop our tool in the pedagogically oriented programming environment accompanying the textbook "How to Design Programs". We are investigating a web interface for the system so that users can experiment with the system without needing to install specialized software.