CMU SoS Lablet Quarterly Executive Summary - October 2022

A. Fundamental Research
High-level report of a result or partial result that helped move security science forward. In most cases it should point to a "hard problem". These are the most important research accomplishments of the Lablet in the previous quarter.

Jonathan Aldrich

PUBLIC ACCOMPLISHMENT HIGHLIGHTS

Blockchains have been proposed to support transactions on distributed, shared state, but hackers have exploited security vulnerabilities in existing programs. We applied user-centered design in the creation of Obsidian, a new language that uses typestate and linearity to support stronger safety guarantees than current approaches for programming blockchain systems.
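As an added illustration of the typestate-and-linearity idea described above (this is not Obsidian code and is not part of the report; it is written in Rust because Rust's ownership rules give an affine type discipline that approximates linearity, and the escrow contract, party names and token amounts are constructed for the example):

```rust
// Added example, not Obsidian code: typestate + linearity for a contract.
// Rust ownership gives affine types (a value is used at most once);
// #[must_use] approximates the "must be consumed" half of linearity by
// warning when a Token is silently dropped.
use std::marker::PhantomData;

/// A token balance. Deliberately NOT Clone or Copy: it can only be moved,
/// so one Token value can never be spent twice.
#[must_use = "a Token must be deposited, transferred or merged, not dropped"]
#[derive(Debug, PartialEq)]
pub struct Token {
    amount: u64,
}

impl Token {
    pub fn mint(amount: u64) -> Token {
        Token { amount }
    }
    pub fn amount(&self) -> u64 {
        self.amount
    }
    /// Merge consumes both operands; neither is usable afterwards.
    pub fn merge(self, other: Token) -> Token {
        Token { amount: self.amount + other.amount }
    }
}

// Typestate markers: each contract state is a distinct type, so the
// compiler, not a runtime check, decides which operations are allowed.
pub struct Unfunded;
pub struct Funded;
pub struct Completed;

/// Escrow contract parameterised by its current state.
pub struct Escrow<S> {
    seller: String,
    buyer: String,
    held: Option<Token>, // Some(..) only while Funded
    _state: PhantomData<S>,
}

impl Escrow<Unfunded> {
    pub fn open(buyer: &str, seller: &str) -> Escrow<Unfunded> {
        Escrow { seller: seller.to_string(), buyer: buyer.to_string(), held: None, _state: PhantomData }
    }
    /// Funding consumes the buyer's token and moves the contract to Funded.
    pub fn fund(self, payment: Token) -> Escrow<Funded> {
        Escrow { seller: self.seller, buyer: self.buyer, held: Some(payment), _state: PhantomData }
    }
}

impl Escrow<Funded> {
    pub fn held_amount(&self) -> u64 {
        self.held.as_ref().map(Token::amount).unwrap_or(0)
    }
    /// Release pays the seller. `self` is consumed, so a second release
    /// (a double payout) is a compile error, not a bug found in production.
    pub fn release(self) -> (Escrow<Completed>, String, Token) {
        let Escrow { seller, buyer, held, .. } = self;
        let token = held.expect("a Funded escrow always holds a token");
        let done = Escrow { seller: seller.clone(), buyer, held: None, _state: PhantomData };
        (done, seller, token)
    }
    /// Refund returns the held token to the buyer.
    pub fn refund(self) -> (Escrow<Completed>, String, Token) {
        let Escrow { seller, buyer, held, .. } = self;
        let token = held.expect("a Funded escrow always holds a token");
        let done = Escrow { seller, buyer: buyer.clone(), held: None, _state: PhantomData };
        (done, buyer, token)
    }
}

/// Constructed scenario: buyer "alice" funds 100 and the seller "bob" is paid.
pub fn happy_path() -> (String, u64) {
    let wallet = Token::mint(60).merge(Token::mint(40)); // both inputs consumed
    let escrow = Escrow::open("alice", "bob").fund(wallet);
    let (_done, payee, paid) = escrow.release();
    // The following are rejected by the compiler, which is the point:
    // escrow.release();                 // error[E0382]: use of moved value `escrow`
    // Escrow::open("a", "b").release(); // error: no method `release` on Escrow<Unfunded>
    // wallet.amount();                  // error[E0382]: `wallet` was moved into `fund`
    (payee, paid.amount())
}

fn main() {
    let (payee, amount) = happy_path();
    println!("{} received {}", payee, amount);
}
```

The caveat worth keeping in mind: Rust's discipline is affine rather than linear, so a token that is simply dropped is a warning (via `#[must_use]`), not an error; a language built around linearity, as the report describes for Obsidian, can reject that case outright.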


COMMUNITY ENGAGEMENTS

The Obsidian project has secured support from the Ethereum Foundation. Obsidian currently supports the Hyperledger Fabric blockchain platform. We will build a proof-of-concept version of Obsidian for Ethereum. The ultimate goal is to make Obsidian a viable alternative to Solidity for Ethereum developers, so that Ethereum users can obtain the usability and security benefits of using Obsidian.


Lujo Bauer

Securing Safety-Critical Machine Learning Algorithms

We developed a new loss function and a new attack method for creating adversarial examples, described in a paper published at ICML 2022. Both the new loss function and the new attack method attempt to better reflect the attacker's goals in finding adversarial examples: in particular, while current attacks typically clip intermediate perturbations to force attacks to stay within some Lp-norm distance of the original input, our attack method allows the search for adversarial examples to temporarily explore regions beyond the eventual epsilon boundary. We demonstrate experimentally that our new attack method, as well as our new loss function when used within previous-best attacks, finds more adversarial examples than previous-best attacks.


Lorrie Cranor

Characterizing user behavior and anticipating its effects on computer security with a Security Behavior Observatory

The purpose is to give our immediate sponsors a body of evidence that the funding they are providing is delivering results that "more than justify" the investment they are making.


PUBLIC ACCOMPLISHMENT HIGHLIGHTS

The SBO addresses the hard problem of “Understanding and Accounting for Human Behavior” by collecting data directly from people’s own home computers, thereby capturing people’s computing behavior “in the wild.”


Paper Published: On recruiting and retaining users for security-sensitive longitudinal measurement panels. Akira Yamada, Kyle Crichton, Yukiko Sawaya, Jin-Dong Dong, Sarah Pearman, Ayumu Kubota, and Nicolas Christin. Appeared at SOUPS 2022.

  • Long-term measurement studies like the SBO, which collect highly detailed information about user behavior, can be quite intrusive for the participant, making recruitment and retention difficult for researchers.
  • Comparing three different longitudinal studies (the SBO, data collected through a browser security toolbar, and a mobile application similar to the SBO), we assess (1) how the incentives offered to participants affect the sample recruited and (2) what factors influence user retention.
  • We find that minimizing interference with the user's device, finding the right balance of communication with participants, following up with inactive users, and providing tangible benefits for participation help retain participants.


David Garlan

Model-Based Explanation For Human-in-the-Loop Security

PUBLIC ACCOMPLISHMENT HIGHLIGHTS

We have developed a framework that uses statistical approaches commonly used in machine learning to simplify explanations of plans made in large trade-off spaces. The approach combines principal component analysis (PCA), decision trees, and classification to understand the key factors in deciding which plans to choose. It allows explanations to focus on the factors that actually drove the choice of plan, reducing the amount of information and context a human would need to comprehend an explanation. We have several publications about this currently under review.


COMMUNITY ENGAGEMENTS (If applicable)

"Humanizing Software Architecture", keynote by David Garlan at the 16th European Conference on Software Architecture, September 19-23, 2022, Prague.


Joshua Sunshine

Security Science Research Experience for Undergraduates


ACCOMPLISHMENTS

The Security Science Research Experience for Undergraduates is funding four students to work with Carnegie Mellon researchers in Summer 2022:

  1. Emily Chang, University of Virginia, "picoCTF Cybersecurity & Education Research through Online Gaming." Advisors: Hanan Hibshi and Maverick Woo.
  2. Patrick May, College of Wooster, "Developer Awareness of Secure Programming Practices." Advisor: Hanan Hibshi.
  3. Lyric Sampson, Alabama A&M University, "AI Ethics in Open Source." Advisors: James Herbsleb and Laura Dabbish.
  4. Daniel Verdi do Amarante, University of Richmond, "Natural Test Case Generation Using Deep Learning." Advisors: Rohan Padhye and Vincent Hellendoorn.

We are currently planning two events about research at the NSA for the entire cohort of 49 students: (1) a talk by NSA researchers about research at the NSA, and (2) talks by the REUSE students to NSA researchers about their summer projects.