Visible to the public CMU SoS Lablet Quarterly Executive Summary - April 2022Conflict Detection Enabled

Submitted by Jamie Presken on Thu, 03/17/2022 - 9:09am

A. Fundamental Research
High level report of result or partial result that helped move security science forward-- In most cases it should point to a "hard problem". These are the most important research accomplishments of the Lablet in the previous quarter.

Jonathan Aldrich

Obsidian: A Language for Secure-by-Construction Blockchain Programs

 

Blockchains have been proposed to support transactions on distributed, shared state, but hackers have exploited security vulnerabilities in existing programs. We applied user-centered design in the creation of Obsidian, a new language that uses typestate and linearity to support stronger safety guarantees than current approaches for programming blockchain systems.

 

COMMUNITY ENGAGEMENTS

The Obsidian project has partnered support from the Ethereum Foundation. Obsidian currently supports the Hyperledger Fabric blockchain platform. We will build a proof-of-concept version of Obsidian for Ethereum. The ultimate goal is to make Obsidian a viable alternative to Solidity for Ethereum developers so that Ethereum users can obtain the usability and security benefits of using Obsidian.

 

Lujo Bauer

Securing Safety-Critical Machine Learning Algorithms

Adversarial training for malware classifiers: We continued previous work on training more robust malware classifiers using adversarial training and submitted a paper describing our findings to USENIX Security. We're continuing to study what is the most effective way to train such classifiers. Although we previously substantially sped up the construction of adversarial examples for the training process, this remains a bottleneck, and we're investigating what is the best tradeoff among how much time to spend in constructing each adversarial example (which can vary in several dimensions) vs the number of examples with which to train the classifier.

More effective, more principled attacks on ML classifiers: We conducted additional experiments to demonstrate the utility of our attack in additional settings and resubmitted a paper describing this work to ICML. We continue refining the attack, including in response to initial reviews from ICML.

 

Lorrie Cranor

Characterizing user behavior and anticipating its effects on computer security with a Security Behavior Observatory

The purpose is to give our immediate sponsors a body of evidence that the funding they are providing is delivering results that "more than justify" the investment they are making.

The SBO addresses the hard problem of "Understanding and Accounting for Human Behavior" by collecting data directly from people's own home computers, thereby capturing people's computing behavior "in the wild."

  1. Paper Accepted: Adulthood is trying each of the same six passwords that you use for everything: The scarcity and ambiguity of security advice on social media. Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia. To appear in CSCW 2022.

•           In this project, we study the extent to which security- and privacy-related information is presented to users through their social media or "friends".

•           This relates to the hard problem of understanding and accounting for real human behavior. By analyzing the actual social media logs of participants, we study the extent to which this information is exposed to users and how different aspects of this information impacts people's security behaviors measured across the type of browsing they do, password use habits, and other system-related behaviors.

 

  1. Paper Published: How Do Home Computer Users Browse the Web? Kyle Crichton, Nicolas Christin, and Lorrie Cranor. Published in the Feb 2022 issue of the ACM Transactions on the Web journal. https://dl.acm.org/doi/10.1145/3473343

•           Using data collected through the SBO, we provide new insights into how users browse the internet

•           First, we compare our data to previous studies conducted over the past two decades and identify changes in user browsing and navigation. Most notably, we observe a substantial increase in the use of multiple browser tabs to switch between pages.

•           Using the more detailed information provided by the SBO, we identify and quantify a critical measurement error inherent in previous server-side measurements that do not capture when users switch between browser tabs. This issue leads to an incomplete picture of user browsing behavior and an inaccurate measurement of user navigation and dwell time.

•           In addition, we observe that users exhibit a wide range of browsing habits that do not easily cluster into different categories, a common assumption made in research study design and software development.

•           We find that browsing the web consumes the majority of users' time spent on their computer eclipsing the use of all other software on their machine.

•           While browsing, we show that users spend the majority of their time browsing a few popular websites, but also spend a disproportionate amount of time on low-visited websites on the edges of the internet.

•           We find that users navigating to these low-visited sites are much more likely to interact with riskier content like adware, alternative health and science information, and potentially illegal streaming and gambling sites.

•           Finally, we identify the primary gateways that are used to navigate to these low-visited sites and discuss the implications for future research.

 

David Garlan

Model-Based Explanation For Human-in-the-Loop Security

As part of our work on applying machine learning techniques to help with explainability described above, we submitted a paper to the Journal of Software and Systems that describes ExTrA, and approach an approach to analyzing architectural design spaces that addresses these limitations and provides a basis for explaining design tradeoffs. The approach employs dimensionality reduction techniques employed in machine learning pipelines like Principal Component Analysis (PCA) and Decision Tree Learning (DTL) to enable architects to understand how design decisions contribute to the satisfaction of extra-functional properties across the design space. Our results show feasibility of the approach in two case studies and evidence that combining complementary techniques like PCA and DTL is a viable approach to facilitate comprehension of tradeoffs in poorly-understood design spaces. This enhances explainability of designs by reducing the number of dimensions that need to be considered in an explanation. The approach currently focuses on software architecture design, but we are working on how to apply this to explaining adaptation plans for self-protecting systems.

 

Joshua Sunshine

Security Science Research Experience for Undergraduates

 

The Security Science Research Experience for Undergraduates funded four students to work with Carnegie Mellon researchers in Summer 2021:

  1. Benito Geordie, Rice University, "Democratizing and Decentralizing Collaborative Web Apps." Advisor: Heather Miller.
  2. Crystal Li, University of Pittsburgh, "User Awareness of Social Media Algorithms." Advisor: Daniel Klug.
  3. Megan Li, Harvey Mudd College, "Usable Consent Interfaces." Advisor: Lorrie Cranor.
  4. Sophia Roshal, Cornell University, "Wyvern: Designing a Next-Generation Programming Language." Advisor: Jonathan Aldrich.

 

Groups: