SoS Musings #7 - Building Blocks for Security Science

SoS Musings #7

Building Blocks for Security Science

Recently NSA announced its winner of the 5th Annual Best Scientific Cybersecurity Paper Competition: “You Get Where You're Looking for: The Impact of Information Sources on Code Security”. The paper seeks to systematically analyze how the use of information resources impacts code security in apps for mobile Android devices. What is uncovered is analyzed against prevailing anecdotal causes.

The contest was created to stimulate security research that would contribute to the building of a Science of Security. The award recognizes papers that display the attributes of scholarly scientific work in the past year and commends the author(s).  

This being the paper competition’s fifth year it raises the question as to its effect. This is a difficult question to answer. One insight may be given by the number of papers whose authors have cited this work in their research. There is much debate as to what number would indicate influence. You can judge for yourselves. The number of citations is as given by Google Scholar.

The initial winner “The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords” was awarded in 2013 and has 396 citations. The paper offered careful and rigorous measurements of password use in practice and theoretical contributions to how to measure and model password strength.

The 2013 winning paper "Memory Trace Oblivious Program Execution”, awarded in 2014 has 28 citations. This work leverages programming language techniques to offer efficient memory-trace oblivious program execution, while providing formal security guarantees.

The 2014 winner "Additive and Multiplicative Notions of Leakage and Their Capacities”, awarded in 2015 has 32 citations. It proposes a theory of channel capacity, generalizing the Shannon capacity of information theory, that can apply both to additive and to multiplicative forms of a recently proposed measure known as g-leakage.

Last year’s winner “Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration”, awarded in 2016 has 24 citations. It shows that Nomad, a system that offers vector agnostic defense against known and future side channels, is scalable to large cloud deployments, achieves near-optimal information leakage subject to constraints on migration overhead, and imposes minimal performance degradation for typical cloud applications such as web services and Hadoop MapReduce.

It appears that researchers are using these papers to influence their work! Hopefully they also follow suit and continue to display the attributes of scholarly scientific research.