CMU SoS Lablet Quarterly Executive Summary - July 2019
A. Fundamental Research
High-level report of a result or partial result that helped move security science forward. In most cases it should point to a "hard problem". These are the most important research accomplishments of the Lablet in the previous quarter.
Obsidian Project (Aldrich)
Highlights. Blockchains have been proposed to support transactions on distributed, shared state, but hackers have exploited security vulnerabilities in existing programs. We applied user-centered design in the creation of Obsidian, a new language that uses typestate and linearity to support stronger safety guarantees than current approaches for programming blockchain systems.
Adversarial AI (Lujo Bauer)
Highlights. Bauer presented work supported by this award at the Summer school on real-world crypto and privacy in Sibenik, Croatia, attended by over 100 PhD students.
Security Behavior Observatory (Lorrie Cranor)
Background. The Security Behavior Observatory (SBO) addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild." This data is the closest to the ground truth of the users' everyday security and privacy challenges that the research community has ever collected. We expect the insights discovered by analyzing this data will profoundly impact multiple research domains, including but not limited to behavioral sciences, computer security & privacy, economics, and human-computer interaction.
Highlights.
Why people (don't) use password managers effectively. Sarah Pearman, Shikun Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Cranor. To be published in Proceedings of the Symposium on Usable Privacy and Security (SOUPS 2019). Will be presented in Santa Clara, CA in August 2019.
This paper is a follow-up to a paper that we published at CCS 2017. We conducted interviews with a separate sample of 30 participants to follow up on previous findings suggesting that people using password managers did not necessarily have stronger passwords or reduced password reuse. Our results suggest that users of built-in password managers may have different underlying motivations for using password tools (i.e., mostly convenience) and may thus use those tools to support their insecure password habits, whereas people using separately installed password managers seem to be more motivated to prioritize security.
Password authentication systems are especially affected by the hard problem of understanding and accounting for human behavior, since human behavior and capabilities tend to be directly at odds with what are considered the most secure password practices. This line of research, which seeks to understand why users choose particular existing password tools and why those tools do or do not lead to more secure password practices, is crucial for finding usable solutions for managing authentication.
Model-Based Project (David Garlan)
Highlights. As self-security becomes more automated, it becomes harder for the humans who interact with an autonomous system to understand its behavior. In particular, when the system optimizes for multiple quality objectives and acts under uncertainty, it can be difficult for humans to understand the behavior generated by an automated planner. We developed an approach, with tool support, that clarifies system behavior through interactive explanation: end-users can ask Why and Why-Not questions about specific behaviors of the system and receive answers in the form of contrastive explanations. In this quarter we designed and piloted a human study to assess the effectiveness of these explanations for human operators.