Highly Configurable Systems
Lead PI:
Juergen Pfeffer
Co-Pi:
Abstract

In highly configurable software systems, the configuration space is too big for (re-)certifying every configuration in isolation. In this project, we combine software analysis with network analysis to detect which configuration options interact and which have local effects. Instead of analyzing a system such as Linux and SELinux for every combination of configuration settings one by one (>10^2000 even considering compile-time configurations only), we analyze the effect of each configuration option once for the entire configuration space.

Juergen Pfeffer
Resilient Monitoring and Control
Lead PI:
Xenofon Koutsoukos
Abstract

CPS employ Networked Control Systems (NCS) to facilitate real-time monitoring and control. Security of the NCS infrastructure is a large problem due to (1) the wide deployment of commercial-off-the-shelf (COTS) computing devices, (2) the connectivity of NCS with the Internet, and (3) the existence of organized, motivated attackers. Although traditional IT security solutions are used in NCS, they cannot prevent all cyber attacks. Our goal is to complement IT security with resilient algorithms for monitoring and control in order to reduce NCS security risks. Our framework aims at developing algorithms that ensure that the system will be able to continue operation, possibly with degraded performance, even in the presence of successful attacks.

Xenofon Koutsoukos

Xenofon Koutsoukos is a Professor of Computer Science, Computer Engineering, and Electrical Engineering in the Department of Electrical Engineering and Computer Science at Vanderbilt University. He is also a Senior Research Scientist in the Institute for Software Integrated Systems (ISIS).

Before joining Vanderbilt, Dr. Koutsoukos was a Member of Research Staff in the Xerox Palo Alto Research Center (PARC) (2000-2002), working in the Embedded Collaborative Computing Area.
He received his Diploma in Electrical and Computer Engineering from the National Technical University of Athens (NTUA), Greece in 1993. Between 1993 and 1995, he joined the National Center for Space Applications, Hellenic Ministry of National Defense, Athens, Greece as a computer engineer in the areas of image processing and remote sensing. He received the Master of Science in Electrical Engineering in January 1998 and the Master of Science in Applied Mathematics in May 1998 both from the University of Notre Dame. He received his PhD in Electrical Engineering working under Professor Panos J. Antsaklis with the group for Interdisciplinary Studies of Intelligent Systems.

His research work is in the area of cyber-physical systems with emphasis on formal methods, distributed algorithms, diagnosis and fault tolerance, and adaptive resource management. He has published numerous journal and conference papers and he is co-inventor of four US patents. He is the recipient of the NSF Career Award in 2004, the Excellence in Teaching Award in 2009 from the Vanderbilt University School of Engineering, and the 2011 Aeronautics Research Mission Directorate (ARMD) Associate Administrator (AA) Award in Technology and Innovation from NASA.

Threat Modeling/Risk Analysis
Lead PI:
Xenofon Koutsoukos
Abstract

With the increased use of cyber-physical systems in current defense, medical, and energy applications, it is critical for the infrastructure to remain secure. As such, it is important to identify potential security flaws early in the design process in order to produce a consistent, secure and reliable system with minimal fabrication costs. This task can be accomplished using threat modeling. Threat modeling can be separated into two distinct approaches: asset-centric and attack-centric threat modeling. Asset-centric threat modeling takes the point of view of the defender in order to focus on all of the ways that a system can be protected from an attack. Attack-centric threat modeling, on the other hand, takes the point of view of the attacker, coming up with all of the possible combinations of actions that can result in the compromise of the system. With the interaction of these two perspectives of threat modeling, the system can be tested against possible attack sequences before fabrication, ensuring a high expectation of system security and reliability after development.

This project focuses on developing an attack-centric threat modeling tool using the Generic Modeling Environment (GME). The modeling environment is first developed to be consistent with a STRIPS planning problem, and then transformed into a single state machine model using the GReAT tool, allowing the user modeling interface to be integrated with an external planning library. After integrating the model with the Fast Downward Planning library using the GME DSML C# interpreter API, an action plan can be returned, allowing the modeler to identify the possible methods of compromising the system. Furthermore, this attack-centric threat modeling tool will be integrated with an asset-centric threat modeling tool currently under development, allowing for a full-scale threat modeling testbed.
 

Xenofon Koutsoukos

Attack Surface and Defense-in-Depth Metrics
Co-Pi:
Systematization of Knowledge from Intrusion Detection Models
Lead PI:
Huaiyu Dai
Co-Pi:
Huaiyu Dai
Vulnerability and Resilience Prediction Models
Lead PI:
Mladen Vouk
Co-Pi:
Mladen Vouk
Warning of Phishing Attacks: Supporting Human Information Processing, Identifying Phishing Deception Indicators, and Reducing Vulnerability
Lead PI:
Christopher Mayhorn
Co-Pi:
Christopher Mayhorn
A Human Information-Processing Analysis of Online Deception Detection
Lead PI:
Robert Proctor
Co-Pi:
Abstract

Human interaction is an integral part of any system. Users have daily interactions with a system and make many decisions that affect the overall state of security. The fallibility of users has been shown but there is little research focused on the fundamental principles to optimize the usability of security mechanisms. We plan to develop a framework to design, develop and evaluate user interaction in a security context. We will (a) examine current security mechanisms and develop basic principles which can influence security interface design; (b) introduce new paradigms for security interfaces that utilize those principles; (c) design new human-centric security mechanisms for several problem areas to illustrate the paradigms; and (d) conduct repeatable human subject experiments to evaluate and refine the principles and paradigms developed in this research.

Robert Proctor
Leveraging the Effects of Cognitive Function on Input Device Analytics to Improve Security
Lead PI:
David L. Roberts
Co-Pi:
Abstract

A key concern in security is identifying differences between human users and “bot” programs that emulate humans. Users with malicious intent will often utilize widespread computational attacks in order to exploit systems and gain control. Conventional detection techniques can be grouped into two broad categories: human observational proofs (HOPs) and human interactive proofs (HIPs). The key distinguishing feature of these techniques is the degree to which human participants are actively engaged with the “proof.” HIPs require explicit action on the part of users to establish their identity (or at least distinguish them from bots). On the other hand, HOPs are passive. They examine the ways in which users complete the tasks they would normally be completing and look for patterns that are indicative of humans vs. bots. HIPs and HOPs have significant limitations. HOPs are susceptible to imitation attacks, in which bots carry out scripted actions designed to look like human behavior. HIPs, on the other hand, tend to be more secure because they require explicit action from a user to complete a dynamically generated test. Because humans have to expend cognitive effort in order to pass HIPs, they can be disruptive or reduce productivity. We are developing the knowledge and techniques to enable “Human Subtlety Proofs” (HSPs) that blend the stronger security characteristics of HIPs with the unobtrusiveness of HOPs. HSPs will improve security by providing a new avenue for actively securing systems from non-human users.

David L. Roberts
Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems
Lead PI:
Emily Berglund
Co-Pi:
Emily Berglund