Technical Papers at CMU Quarterly Meeting 2017

Science of Security Lablet Quarterly Meeting

Pittsburgh, PA

July 11, 2017

Research Presentations at Lablet Quarterly Meeting 

The summer 2017 quarterly Science of Security (SoS) Lablet meeting was held at Carnegie Mellon University on July 10 and 11. Each Lablet presented an update on the results of research they have performed and five technical papers were presented. A synopsis of each presentation is offered here. 

These presentations are available for viewing on the Science of Security Virtual Organization website at: https://cps-vo.org/SoSLmtg/CMU/2017   

Click on the title of the talk to recover the slide presentation.

Technical Papers

Sayan Mitra(UIUC), presenter, with Geir Dullerud (UIUC) and Swarat Chaudhuri (Rice) (UIUC) “Optimal State Estimation and Model Detection and Applications to Security and Privacy”  This project‘s objectives are to develop rigorous, model-based approaches for analyzing security metrics of large cyber-physical systems such as power systems, traffic control systems, and autonomous vehicles.  In order to make the approaches scale to large models, the researchers are developing foundational results on compositional analysis.  They also seek to formalize and characterize trade-offs between security/privacy on the one hand and performance and accuracy on the other.  They investigated the this problem from a perspective of topological entropy, introduced the notion of estimation entropy ℎRS,; showed it is impossible to monitor at bitrates below ℎRS.  The upper bound on estimation entropy is ℎRS, ≤ L + a n.  Detection algorithms with optimal bit-rate operate up to the entropy upper bound.

Chris Theisen  (NC State). “Prioritizing Security Efforts with a Risk-Based Attack Surface Approximation(RASA)”   One prioritization technique is to identify the attack surface.  Crashes are empirical evidence of data paths through software with flaws.  Code that is covered by RASA are therefore more likely to have vulnerabilities, as there is evidence of flaws on RASA, and are more likely to be exploited, as they’re on known traversable paths. Vulnerabilities are five times as likely to be in code that crashes than not. We are recovering the majority of vulnerabilities—94%.  Future work will include comparing four vulnerability prediction models with RASA.

Jonathan Aldrich (CMU), presenter, with Michael Coblenz, Whitney Nelson, Brad Myers and Joshua Sunshine. “Immutability for Integrity: Combining Language Theory and the Science of Usability in Glacier” Assessment of research systems, particularly Java, showed root problems: “we tend to build things that are too complex”   The team built GLACIER: “Great Languages Allow Class Immutability Enforced Readily” to create simple, strong transitive immutability as an annotation system and checker for Java.  They concluded, after testing, that GLACIER illustrates an effective approach to improving guidelines by using mathematical models to ensure correctness and power of tools and leveraging usability science to ensure benefit from that power in practice.

Lorrie Cranor (CMU), presenter and Sarah Pearman, Jeremy Thomas, Pardis Emami Naeini, Hana Habib, Lujo Bauer, Nicolas Christin, Serge Egelman, and Alain Forget.  “Observing Passwords in Their Natural Habitat” focuses on the problems of password reuse.  The researchers ask how people manage all their passwords and collect empirical data to scientifically examine this problem. By using the Security Behavior Observatory to collect password data from home computer users, they were able to scientifically characterize user password behavior, moving beyond previous analyses that have been mostly anecdotal and based on speculation.  After collecting data, they concluded that reuse is rampant, that users seem to cope with password demands through reuse strategies, use a mixture of reuse strategies, and password managers may not be helping very much.  Most of the issues are behavioral.

Octavian Suciu (UMD), presenter, with Carl Sabottke and Tudor Dumitraș. “Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-world Exploits” seeks to predict exploits active in the wild.   The growing number of vulnerabilities reported each year prompted the researchers to address whether Twitter analytics can be used for early detection.  Conclusions and results included the design of a Twitter-based exploit detector that can be used for patching prioritization and risk assessment.  Early detection of exploits active in the wild is possible, but performance depends on the quality of ground truth.   Exploit detection under adversarial interference yields a security system without secrets.

Lablet Research Summaries

Michel Cukier (UMD) displayed a matrix of research by hard problem and gave specific examples from  learning secure behavior; fiction as a learning experience; user centric designs for security; application of criminal justice theory to cybersecurity; measuring vulnerability patching; trustworthy and composable software; and trust. 

Bill Sanders and Sayan Mitra (UIUC) described research into a hypothesis testing framework for network security; anonymous messaging; data driven model-based decision making; static-dynamic analysis of security metrics for CPS; data driven security models and analysis including preventive detection of attacks using probabilistic graphical models; science of human circumvention of security, monitoring, and a fusion and response framework to provide cyber resiliency. 

Laurie Williams (NCSU) outlined projects directly related to the five hard problems.  These included research into automated synthesis of resilient architectures; redundancy for network intrusion prevention systems; smart isolation in large-scale computing infrastructures; formal specifications and analysis of security-critical norms and policies; runtime reasoning about norm conflicts; scientific understanding of policy complexity; human information processing analysis of online deception detection; embedding anti-phishing training within cybersecurity warnings; leveraging the effects of cognitive function on input device analysis to distinguish human users from bots; systemization of knowledge in intrusion detection systems; and attack surface and defense in depth metrics. She also spoke about efforts in community building, co-authorship, and the development and use of rigorous scientific methodologies. 

Bill Scherlis (CMU) described his Lablet’s goal as to advance scientific coherence through methods, validation, and productivity and to broaden the cybersecurity technical community via educational engagement and conferences such as HotSoS. Specific research projects focus on advancing the process and methods by which science is done-systematization of processes and include security for highly configurable systems; multi-model run time analysis—focused on resiliency and related to anomaly detection, architectures and information flows; science of secure frameworks—software in a framework-based ecosystem; secure composition of systems and policies in low-level systems software; formal methods for composing policies; modules for resource control; and the Security Behavior Observatory.