Visible to the public CMU SoS Lablet Quarterly Executive Summary - July 2022Conflict Detection Enabled

Submitted by Jamie Presken on Thu, 07/07/2022 - 8:59am

A. Fundamental Research
High level report of result or partial result that helped move security science forward-- In most cases it should point to a "hard problem". These are the most important research accomplishments of the Lablet in the previous quarter.

Jonathan Aldrich

PUBLIC ACCOMPLISHMENT HIGHLIGHTS

Blockchains have been proposed to support transactions on distributed, shared state, but hackers have exploited security vulnerabilities in existing programs. We applied user-centered design in the creation of Obsidian, a new language that uses typestate and linearity to support stronger safety guarantees than current approaches for programming blockchain systems.

 

COMMUNITY ENGAGEMENTS

The Obsidian project has partnered support from the Ethereum Foundation. Obsidian currently supports the Hyperledger Fabric blockchain platform. We will build a proof-of-concept version of Obsidian for Ethereum. The ultimate goal is to make Obsidian a viable alternative to Solidity for Ethereum developers so that Ethereum users can obtain the usability and security benefits of using Obsidian.

 

Lujo Bauer

Securing Safety-Critical Machine Learning Algorithms

Adversarial training for malware classifiers: We continued previous work on training more robust malware classifiers using adversarial training and submitted a paper describing our findings to USENIX Security. We're continuing to study what is the most effective way to train such classifiers. Although we previously substantially sped up the construction of adversarial examples for the training process, this remains a bottleneck, and we're investigating what is the best tradeoff among how much time to spend in constructing each adversarial example (which can vary in several dimensions) vs the number of examples with which to train the classifier.

More effective, more principled attacks on ML classifiers: We conducted additional experiments to demonstrate the utility of our attack in additional settings and resubmitted a paper describing this work to ICML. We continue refining the attack, including in response to initial reviews from ICML.

 

 

Lorrie Cranor

Characterizing user behavior and anticipating its effects on computer security with a Security Behavior Observatory

The purpose is to give our immediate sponsors a body of evidence that the funding they are providing is delivering results that "more than justify" the investment they are making.

 

PUBLICATIONS

N/A this quarter

 

PUBLIC ACCOMPLISHMENT HIGHLIGHTS

The SBO addresses the hard problem of “Understanding and Accounting for Human Behavior” by collecting data directly from people’s own home computers, thereby capturing people’s computing behavior “in the wild.”

 

Paper Accepted: On recruiting and retaining users for security-sensitive longitudinal measurement panels. Akira Yamada, Kyle Crichton, Yukiko Sawaya, Jin-Dong Dong, Sarah Pearman, Ayumu Kubota, and Nicolas Christin. To appear at SOUPS 2022 (August 2022).

  • Long-term measurement studies, like the SBO, which collect highly-detailed information about user behavior can be quite intrusive to the participant, making recruitment and retention difficult for researchers.
  • Comparing three different longitudinal studies; the SBO, data collected through a browser security toolbar, and a mobile application similar to the SBO; we assess (1) how the incentives offered to participants affects the sample recruited and (2) what factors influence user retention.
  • We find that minimizing interference with the user’s device, finding the right balance of communication with participants, following up with inactive users, and providing tangible benefits for participation help retain participants.

Paper Published: Adulthood is trying each of the same six passwords that you use for everything: The scarcity and ambiguity of security advice on social media. Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia. Appeared in CSCW 2022 (April 2022).

  • In this project, we study the extent to which security- and privacy-related information is presented to users through their social media or "friends".
  • This relates to the hard problem of understanding and accounting for real human behavior. By analyzing the actual social media logs of participants, we study the extent to which this information is exposed to users and how different aspects of this information impacts people's security behaviors measured across the type of browsing they do, password use habits, and other system-related behaviors.

 

 

David Garlan

Model-Based Explanation For Human-in-the-Loop Security

PUBLICATIONS

"Modeling and Analysis of Explanation for Secure Industrial Control Systems," Sridhar Adepu, Nianyu Li, Eunsuk Kang and David Garlan. Accepted for Publication to the ACM Transacations of Autonomous and Adaptive Systems, July 2022.

 

PUBLIC ACCOMPLISHMENT HIGHLIGHTS

Many self-adaptive systems benefit from human involvement and oversight, where a human operator can provide expertise not available to the system and detect problems that the system is unaware of. One way of achieving this synergy is by placing the human operator on the loop - i.e., providing supervisory oversight and intervening in the case of questionable adaptation decisions. To make such interaction effective, an explanation can play an important role in allowing the human operator to understand why the system is making certain decisions and improve the level of knowledge that the operator has about the system. This, in turn, may improve the operator's capability to intervene and if necessarily, override the decisions being made by the system. However, explanations may incur costs, in terms of delay in actions and the possibility that a human may make a bad judgement. Hence, it is not always obvious whether an explanation will improve overall utility and, if so, what kind of explanation should be provided to the operator.We define a formal framework for reasoning about explanations of adaptive system behaviors and the conditions under which they are warranted. Specifically, we characterize explanations in terms of explanation content, effect, and cost. We use a dynamic system adaptation approach that leverages a probabilistic reasoning technique to determine when an explanation should be used in order to improve overall system utility. We evaluated our explanation framework in the context of a realistic industrial control system with adaptive behaviors.

 

 

Joshua Sunshine

Security Science Research Experience for Undergraduates

 

ACCOMPLISHMENTS

The Security Science Research Experience for Undergraduates is funding four students to work with Carnegie Mellon Researchers in Summer 2022:

  1. Emily Chang, University of Virginia, "picoCTF Cybersecurity & Education Research through Online Gaming," Advisors: Hanan Hibshi and Maverick Woo.
  2. Patrick May, College of Wooster, "Developer Awareness of Secure Programming Practices." Advisor: Hanan Hibshi.
  3. Lyric Sampson, Alabama A&M University, "AI Ethics in Open Source," Advisors: James Herbsleb and Laura Dabbish
  4. Daniel Verdi do Amarante, University of Richmond, "Natural Test Case Generation Using Deep Learning," Advisors: Rohan Padhye and Vincent Hellendoorn

We are currently in the process of planning two events for the entire cohort of 49 students about research at the NSA: 1) A talk by NSA researchers about research at the NSA. 2) Talks by the REUSE students to NSA researchers about their summer projects.

 

Groups: