SoS Quarterly Summary Report - UMD - October 2016

Lablet Summary Report

A). Fundamental Research
The UMD lablet involves several projects looking at different aspects of the five hard problems.

Levin is conducting Internet-wide measurements of how online certificates are being managed, including such factors as how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play. In particular, he found that CDNs (content distribution networks), which serve content for many of the most popular websites, appear to have access to content providers' private keys, violating the fundamental assumption of PKIs (i.e., that no one shares their private keys). His team is performing the first widespread analyses of the extent to which websites are sharing their private keys, and exploring what impact this has on the management of the PKI and on users' privacy and security in general. They have found that half of all organizations share at least one private key with a third-party provider; that a small handful of providers have aggregated a huge fraction of private keys; and that third-party providers tend to be more thorough (but less quick) at reacting to key compromise. These findings have profound impact on the understanding of the trust relationships in the web's PKI. The results of this work were accepted to the ACM Conference on Computer and Communications Security 2016. In other work, they found that almost 88% of SSL/TLS certificates advertised over the past three years are invalid. Because measurement studies generally focus only on valid certificates, this means that the vast majority of certificates had not been studied. Through their analysis, they demonstrated that invalid SSL certificates can be used to uniquely track over 6.7M devices. This work was accepted to the ACM Internet Measurement Conference (ACM IMC 2016).

Mazurek is exploring how users process security advice. In a previously completed analysis of a qualitative study, she and her collaborators found that people are generally less confident in assessing the credibility of cybersecurity vs. physical-security advice. Participants elect not to follow advice they know about for a variety of reasons, ranging from inconvenience to not understanding why the advice is useful to concerns that the advice will threaten their privacy or is being offered as marketing rather than as technically sound advice. These results were presented at the IEEE Symposium on Security & Privacy 2016. The presentation received a good response, including interesting questions during the presentation and many follow-up inquiries. In other work, she had a poster at SOUPS 2016 showcasing her findings that users with stronger web skills behave more securely than users with weaker web skills, measured via previously validated tools. Since that work was initiated, she and collaborators have conducted a large-scale quantitative study to expand and confirm those results. The paper describing these results was accepted to the ACM Conference on Computer and Communications Security 2016.

Van Horn et al. are investigating compositional-verification techniques using language-based mechanisms for specifying and enforcing program properties called contracts. Initial results confirm that behavioral properties of programs can be verified using this approach and they are now trying to scale the approach to cover multi-language programs and security properties. This team recently made a theoretical breakthrough by showing how to efficiently generate counterexamples witnessing contract violations. This is important for testing and debugging software that uses contracts. They have been able to prove that their method is both sound and relatively complete.

Dumitras et al. are working to design more-informative metrics to quantify security of deployed systems. This work addresses the hard problem of developing quantifiable metrics for assessing the security of systems, and understanding how those metrics evolve in the real world. His paper on preventing common misuses of cryptographic primitives was accepted at Onward! 2016. Starting from the documented misuse cases of cryptographic APIs, he and his colleagues inferred five developer needs and showed that a good API design would only address these needs partially. Building on this observation, they proposed APIs that are semantically meaningful for developers, showed how these interfaces can be implemented consistently on top of existing frameworks using novel and known design patterns, and proposed build-management hooks for isolating security workarounds needed during the development and test phases. Through two case studies, they showed that their APIs could be utilized to implement non-trivial client-server protocols, and that they provide a better separation of concerns than existing frameworks. A position paper on this topic was accepted to SecDev'16.

Subrahmanian et al. are exploring dynamics of malware infection and software patching. The effectiveness of machine learning techniques, used for security tasks such as malware detection, primarily depends on the manual feature engineering process. They developed methods to engineer such features automatically, by mining natural-language documents such as research papers, industry reports and hacker forums. As a proof of concept, they trained a classifier with automatically engineered features for detecting Android malware, and achieved a performance comparable to that of a state-of-the-art malware detector, which uses manually engineered features. Their paper describing these results was accepted at CCS'16.

Cukier and Maimon are applying a criminological viewpoint to develop a better understanding of attackers' behavior. Using honeypots deployed at the University of Maryland, they are studying how different system-level aspects affect intruders' behavior. This quarter, they explored hypotheses regarding the presence of surveillance and the amount of time a trespasser spent on the system. Specifically, it was hypothesized that the presence of an administrative user (compared to a non-administrative user) would reduce the number of times a trespasser returns to the system and the amount of time spent on the system. It was also hypothesized that the presence of one user (compared to multiple) would reduce the number of times a trespasser returns to the system and the amount of time spent on the system. These hypotheses were tested, and results indicate that system trespassers whose target computers had administrative users present returned to the system 20-22 fewer times than those with non-administrative users present and 14 fewer times than those with no users present. Additionally, system trespassers whose target computers had an administrative user present spent on average 3.5 times fewer hours on the system than trespassers whose target computers did not have an administrative user present. Unlike the type of user, the number of users present on the system had no effect on the system trespassing events. These findings indicate that the presence of an administrative user (even if it is a fake user) reduces the frequency and seriousness of system trespassing events. Policy recommendations from this could include suggestions to include a fake administrative user on systems at all times in order to deter system trespassers and reduce the consequences of system trespassing.

Aviv and Golbeck are focusing on using empirical studies (including surveys) to understand users' perceptions of security and usability. The overarching goal is to apply what they learn to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. This would enable the design of systems in which users' perceptions of security match some known metric of security, thus inducing security by design. In recent work, presented as a poster at SOUPS 2016, they measured the effect of cueing language on user graphical password selection. In particular, they studied the effects of asking users to select a "strong," "secure," or "unique" password, in terms of both strength of the resulting password chosen as well as memorizability of that password. They have submitted two papers to CHI 2016 about recent work on these projects.

Papamanthou, Mazurek, and Tiwari are undertaking qualitative studies of users and developers in an effort to discover factors that encourage or discourage privacy and security by design. This work is directed at the broader goal of understanding human behavior and its impact on security. Most recently, the team has continued developing a survey to evaluate the usability of the Bubbles platform they have designed. The survey examines a participant's Google Drive, Gmail, and Google Calendar data, and then infers logical groupings of data across all applications that are shared to the same set of users. They then asked participants to evaluate the accuracy of the proposed groupings. They have created a first draft of a paper "FlowTAS: Making Data-centric Mandatory Access Control Practical" and submitted it to ASPLOS 2017. They also plan to submit a user study to SOUPS 2017.

Baras and Golbeck are studying the fundamental notion of trust, and seeking to develop appropriate models that can be applied to study the dynamics of small groups of parties exploring mechanisms for collaboration based on their local policies. They have used game theory to characterize the costs and benefits of collaboration as a function of the level of trust, and have proved formally the conjecture that "trust is a lubricant for cooperation." This work directly addresses the hard problem of policy-governed secure collaboration, among others. In one recent work, they explored the problem of making decisions based on recommender systems. Due to the popularity of online social networks and the influence of social relationships in decision making, the idea of social recommendation has been introduced and has attracted increasing attention. Trust relationships are exploited in such systems for rating prediction and recommendation, which has been shown to have the potential for improving the quality of the recommender and alleviating the issues of data sparsity, cold start, and adversarial attacks. Their work aimed to give a formal basis for trust evaluation in social networks in order to provide a better knowledge base for trust-aware recommender systems. They modeled the trust relationship as a 2-dimensional vector, and applied a semiring framework to combine trust evidence for predicting indirect trust. Both trust and distrust are considered, and conflict resolution is supported. By analyzing Epinions datasets, they verified experimentally the existence of transitivity in trust relationships, which is one of the basic properties on which the semiring framework is founded. Additionally, from the dataset they also discovered empirically that sign reciprocity exists for positive trust relationships. Their paper on this work and results was accepted for publication in the Proceedings of RecSys 2016.

Katz and Vora have adapted a protocol for remote electronic voting based on physical objects like scratch-off cards. What is particularly novel here is that the human voter is explicitly modeled as a participant in the protocol, taking into account limitations on the kinds of computations humans can be expected to perform. In this sense, this work relates to the general problem of modeling human behavior and appropriately taking human behavior into account when designing security protocols. This past quarter Vora had a paper accepted at E-Vote-ID, perhaps the premier conference focusing on electronic voting. Katz and Vora are continuing work on a journal paper for formal specification and proof of security for Remotegrity.

B). Community Interaction

David Levin presented results about PKI administration to international collaborators at the University of Jordan in Amman, Jordan, and also to CloudFlare, one of the largest CDNs to host HTTPS content.

Adam Aviv served on the program committees of the Privacy Enhancing Technologies Symposium (PETS'17) and the Annual Computer Security Applications Conference (ACSAC'16). He is a steering committee member of the Advances in Computer Security Education (ASE) Workshop.

David Van Horn has been invited to present a tutorial at the 2016 ACM SIGPLAN International Conference on Functional Programming about his work.

Jonathan Katz is serving as program chair for Crypto 2016-2017 as well as program co-chair for HoTSoS 2017. He is a member of the steering committee for the IEEE Cybersecurity Initiative as well as the Maryland Cybersecurity Council.

Michael Hicks is serving as program chair for the 2016 SecDev conference, whose goal is to encourage and disseminate ideas for secure system development among both academia and industry. He also serves on the IDA/CCS program review committee. He has been blogging about programming-language security at pl-enthusiast.net.

Poorvi Vora is part of the technical team for the end-to-end verifiable internet voting (E2E VIV) project (examining the feasibility of secure internet voting) of the Overseas Vote Foundation (OVF). She has been contributing to a description of end-to-end independently-verifiable voting systems meant for non-technical readers, including election officials. She gave an invited talk, and participated in a panel, at the Remote Voting Conference 2016, which was organized to explore the possibility of internet voting for Indian elections. She also testified to the MD State Board of Elections in September 2016 regarding its online ballot-delivery system, and participated in a panel about voting irregularities for the monthly seminar of the Washington Statistical Society on October 4, 2016.

John Baras participated heavily in the NIST-organized public working group on Cyber-Physical Systems (CPS), and in particular with the subgroup working on security problems and formulations for CPS. He also delivered an invited plenary address at the 35th Chinese Control Conference (CCC2016), July 27, 2016, in Chengdu, China, entitled "Networked Cyber-Physical Systems (Net-CPS)," in which he included his work on trust supported by the NSA SoS Lablet grant.

C). Educational

Michael Hicks, Jen Golbeck, and Jonathan Katz are offering computer-security MOOCs on Coursera. These courses cover programming-language security, cryptography, and usable security.

Adam Aviv is developing a senior-level elective on cybersecurity, as well as one focusing on usable security.

David Van Horn has incorporated his lablet research into his graduate class on "Program Analysis and Understanding." He is also working to incorporate this into the pedagogically oriented programming environment accompanying his textbook "How to Design Programs."

Michel Cukier leads the ACES undergraduate honors program in cybersecurity, which incorporates a holistic approach to cybersecurity covering technical, policy, and behavioral aspects of the problem.

John Baras has been teaching since 2010 a capstone course entitled "ENES 489P, Hands-on Projects in Systems Engineering". In this project-oriented course, groups of undergraduates (3-4 students) work on projects inspired by important practical challenges. Several of these projects in the last two years addressed security-related questions and challenges.