CMU Lablet Homepage


The broad goal of the Science of Security Lablet (SOSL) is to identify scientific principles that can lead to approaches to the development, evaluation, and evolution of secure systems at scale. The focus on scalability derives from a recognition that modern software-intensive systems have more components and a greater diversity of suppliers. The theme of scalability includes two principal areas of focus: composability and usability. Projects within the SOSL may address diverse and possibly conflicting technical approaches in order to most effectively address the overall thematic goals.

Progress in many technical areas can contribute to achieving the overall goals. SOSL projects may draw on multiple technical areas in order to make progress. Examples of contributing technical areas include: safe programming languages, binary and source code analysis, data-intensive systems analysis, self-healing and resilient architecture, assured API and framework compliance, socio-technical ecosystems, development environments, trusted computing, specification and verification, concurrent and distributed systems, requirements and policy, usable security and privacy, intrusion and malware detection, dynamic network analysis, model checking, secure coding practice, secure process separation, verification of cyber-physical systems, and others. Projects within the SOSL will also establish, where possible, collaborations with NSA researchers and others in the community.


William L. Scherlis is a full Professor in the School of Computer Science at Carnegie Mellon. He is the founding director of CMU's PhD Program in Software Engineering and director of CMU's Institute for Software Research (ISR) in the School of Computer Science. His research relates to software assurance, software analysis, and assured safe concurrency ("speed with safety"). Dr. Scherlis joined the CMU faculty after completing a PhD in Computer Science at Stanford University, a year at the University of Edinburgh (Scotland) as a John Knox Fellow, and an A.B. at Harvard University.

Quarterly Report Highlights - July 2014

Fundamental Research

[Carley] On the basis of data from a major AV vendor, we were able to identify characteristics of countries that are common waypoints for attacks.

[Breaux] An analysis technique based on design patterns and requirements models can help analysts discover and address security issues in proposed designs early in an engineering process.

[Platzer] A technique is developed (a stochastic algorithm) that can facilitate reasoning about large planning and learning problems.

[Garlan, Aldrich, Sunshine] Dynamic adaptation requires extensive runtime monitoring of the operating environment of a system. Techniques are developed to determine optimal placement of runtime monitors to enforce security constraints at runtime.

[Datta, Harper, Jia] Developed a program logic that can support reasoning about adversary-supplied code. The goal is to model the ability to sustain service continuity despite attacker actions.

[Acquisti, Cranor, Christin, Telang] Completing development of the sensor platform for the large-scale field study.

[Aldrich, Sunshine, Srisa-an] Developed a technique to support efficient dynamic analysis to detect races at runtime on the basis of up-front static analysis. A catalog of web-related race vulnerabilities, based on multiple sources (National Vulnerability Database, Full Disclosure, etc.), will support an appraisal of comprehensiveness of coverage of static and dynamic techniques.

Community Interaction

CMU hosted the first Quarterly Meeting of the new Lablet Community. Approximately 75 people attended from the four universities, multiple subcontractors, and government organizations. Workshop sessions addressed the planning for updating and disseminating the Hard Problems list, which is intended to provide a key component of the unifying framework for the SoS research undertaken at the Lablets. Discussions were also held regarding other mechanisms through which the SoS Lablet community could advance the effectiveness and explicitness of the scientific process of cybersecurity research.

Just prior to the Quarterly Meeting, CMU also hosted the CASOS Summer Institute, focusing on network analytics, led by Kathleen Carley and including Juergen Pfeffer. This institute is dedicated to advancing the theory and practice of network analytics.

In addition, Lorrie Cranor was the General Chair for the 10th SOUPS conference (Symposium on Usable Privacy and Security). This conference has served as a premier catalyst for the advancement of scientific practice associated with research related to privacy and to human interfaces associated with security.


CMU ISR is offering a new Masters degree program in Privacy Engineering, led by Lorrie Cranor and Norman Sadeh. Courses are taught by several SoS Lablet faculty including Cranor, Sadeh, and Travis Breaux.

CMU is revamping its undergraduate core course sequence on software engineering, and security topics as well as method-related topics (data analysis, developer studies, and the like) are being augmented. SoS Lablet faculty involved are likely to include Aldrich, Kastner, Breaux, Scherlis, and others.

Partly as a consequence of earlier lablet work, PhD students in several of the CMU PhD programs have made efforts to broaden the range of scientific methods they employ to include a broader range of experimental and data-focused approaches, in addition to the more familiar theoretical work and experimental engineering. This shift is now being recognized in the structure of the core graduate curriculum.