Scientific Foundations

group_project

Visible to the public TWC: Small: Towards Stealth Networks: Fundamental Limits and Algorithms for Stealth Communications

Submitted by Matthieu Bloch on Wed, 01/03/2018 - 1:31pm

The widespread development of communication networks has profoundly transformed our society, resulting in a significant increase in productivity and efficiency. However, the benefits of this increased connectivity are today also counterbalanced by the ease with which malicious individuals can interfere or tamper with sensitive data and information. The past decade has thus witnessed a growing concern for the issues of privacy, confidentiality, and integrity of communications.

group_project

Visible to the public TWC: Small: Deker: Decomposing Commodity Kernels for Verification

Submitted by Zvonimir Rakamaric on Wed, 01/03/2018 - 1:29pm

The problem of insecure computing environments has large impacts on society: security breaches lead to violations of privacy, financial frauds, espionage, sabotage, lost productivity, and more. These, in turn, result in vast economic damage. A major reason for the severity of these consequences is that many systems run on top of an insecure operating system kernel. The Linux kernel, a de facto industry standard for embedded, mobile, cloud, and supercomputing environments, is often a target for security attacks.

group_project

Visible to the public EAGER: Economic Incentives for Correct Outsourced Computation via Rational Proofs

Submitted by Rosario Gennaro on Wed, 01/03/2018 - 1:12pm

The problem of securely outsourcing data and computation has received widespread attention due to the rise of cloud computing: a paradigm where businesses lease computing resources from a service rather than maintain their own computing infrastructure. These scenarios introduce new security problems: in particular how do we trust the integrity of data and computation that are not under our own control. This project deals with these problems by considering methods, adapted from the world of economics, to incentivize parties to behave correctly during the execution of a computation.

Outcomes Report URL: 
https://www.research.gov/research-portal/appmanager/base/desktop?_nfpb=true&_win...
group_project

Visible to the public TWC: Medium: Collaborative: Developer Crowdsourcing: Capturing, Understanding, and Addressing Security-related Blind Spots in APIs

Submitted by Yuriy Brun on Wed, 01/03/2018 - 10:56am

Despite an emphasis the security community places on the importance of producing secure software, the number of new security vulnerabilities in software increases every year. This research is based on the assumption that software vulnerabilities are caused by misunderstandings, or lack of knowledge, called blind spots, which the developers experience while they are building systems. When building systems, developers often focus more on functional requirements than on non-functional ones, such as security.

group_project

Visible to the public CAREER: Untrusted Computing Base: Detecting and Removing Malicious Hardware

Submitted by Samuel King on Wed, 01/03/2018 - 10:56am

Computer systems security is an arms race between defenders and attackers that has mainly been confined to software technologies. Increases in the complexity of hardware and the rising number of transistors per chip have created opportunities for hardware-based security threats. Among the most pernicious are malicious hardware footholds inserted at design time, which an attacker can use as the basis of a computer system attack. This project explores of the feasibility of foothold attacks and a fundamental design-time methodology for defending against them.

Outcomes Report URL: 
https://www.research.gov/research-portal/appmanager/base/desktop?_nfpb=true&_win...
group_project

Visible to the public TWC: Medium: Collaborative: Data is Social: Exploiting Data Relationships to Detect Insider Attacks

Submitted by Hung Ngo on Wed, 01/03/2018 - 10:49am

Insider attacks present an extremely serious, pervasive and costly security problem under critical domains such as national defense and financial and banking sector. Accurate insider threat detection has proved to be a very challenging problem. This project explores detecting insider threats in a banking environment by analyzing database searches.

group_project

Visible to the public TWC: Medium: Collaborative: Black-Box Evaluation of Cryptographic Entropy at Scale

Submitted by Alex Halderman on Tue, 01/02/2018 - 10:13pm

The ability to generate random numbers -- to flip coins -- is crucial for many computing tasks, from Monte Carlo simulation to secure communications. The theory of building such subsystems to generate random numbers is well understood, but the gap between theory and practice is surprisingly wide. As built today, these subsystems are opaque and fragile. Flaws in these subsystems can compromise the security of millions of Internet hosts.

group_project

Visible to the public CAREER: Separations in Cryptography

Submitted by Mohammad Mahmoody on Tue, 01/02/2018 - 9:48pm

Since the seminal work of Shannon in 1949 cryptography has been founded on unproven computational complexity. The security of cryptographic systems could fall apart if the assumptions behind their design turn out to be false. Thus, it is crucial to base the security of crypto-systems on weakest possible assumptions. A main component of finding minimal assumptions is to ``separate'' cryptographic tasks from assumptions that are weaker than those used in constructions. In light of recent developments in cryptography, the following two directions will be pursued:

group_project

Visible to the public TWC SBE: Option: Frontier: Collaborative: Towards Effective Web Privacy Notice and Choice: A Multi-Disciplinary Prospective

Submitted by Norman Sadeh on Tue, 01/02/2018 - 9:44pm

Natural language privacy policies have become a de facto standard to address expectations of notice and choice on the Web. Yet, there is ample evidence that users generally do not read these policies and that those who occasionally do struggle to understand what they read. Initiatives aimed at addressing this problem through the development of machine implementable standards or other solutions that require website operators to adhere to more stringent requirements have run into obstacles, with many website operators showing reluctance to commit to anything more than what they currently do.