SoS Quarterly Summary Report - UMD - July 2016

Lablet Summary Report

A). Fundamental Research
The UMD lablet involves several projects looking at different aspects of the five hard problems.

Levin is conducting Internet-wide measurements of how online certificates are being managed, including such factors as how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play. In particular, he found that CDNs (content distribution networks)--which serve content for many of the most popular websites--appear to have access to content providers' private keys, violating the fundamental assumption of PKIs (i.e., that no one shares their private keys). They are performing the first widespread analyses of the extent to which websites are sharing their private keys, and exploring what impact this has on the management of the PKI and on users' privacy and security in general. They have found that half of all organizations share at least one private key with a third-party provider; that a small handful of providers have aggregated a huge fraction of private keys; and that third-party providers tend to be more thorough (but less quick) at reacting to key compromise. These findings have a profound impact on the understanding of the trust relationships in the web's PKI. The results of this work have been submitted to the ACM Conference on Computer and Communications Security 2016.

Mazurek is exploring how users process security advice. In a previously completed analysis of a qualitative study, she and her collaborators found that people are generally less confident in assessing the credibility of cybersecurity vs. physical-security advice. Participants elect not to follow advice they know about for a variety of reasons, ranging from inconvenience to not understanding why the advice is useful to concerns that the advice will threaten their privacy or is being offered as marketing rather than as technically sound advice. These results were presented at the IEEE Symposium on Security & Privacy 2016. The presentation received a good response, including interesting questions during the presentation and many follow-up inquiries. In other work, she had a poster at SOUPS 2016 showcasing her findings that users with stronger web skills behave more securely than users with weaker web skills, measured via previously validated tools. Since that work was initiated, she and collaborators have conducted a large-scale quantitative study to expand and confirm those results. They completed data analysis in May, and submitted the results to the ACM Conference on Computer and Communications Security 2016.

Van Horn et al. are investigating compositional-verification techniques using language-based mechanisms for specifying and enforcing program properties called contracts. Initial results confirm that behavioral properties of programs can be verified using this approach and they are now trying to scale the approach to cover multi-language programs and security properties. This team recently made a theoretical breakthrough by showing how to efficiently generate counterexamples witnessing contract violations. This is important for testing and debugging software that uses contracts. They have been able to prove that their method is both sound and relatively complete. A paper describing these results was presented at PLDI 2015 and prior work, published at ICFP 2014, was submitted to a special issue of the Journal of Functional Programming.

Dumitras et al. are working to design more-informative metrics to quantify security of deployed systems. This work addresses the hard problem of developing quantifiable metrics for assessing the security of systems, and understanding how those metrics evolve in the real world. His paper on preventing common misuses of cryptographic primitives was conditionally accepted at Onward! 2016. Starting from the documented misuse cases of cryptographic APIs, he and his colleagues inferred five developer needs and showed that a good API design would only address these needs partially. Building on this observation, they proposed APIs that are semantically meaningful for developers, showed how these interfaces can be implemented consistently on top of existing frameworks using novel and known design patterns, and proposed build-management hooks for isolating security workarounds needed during the development and test phases. Through two case studies, they showed that their APIs could be utilized to implement non-trivial client-server protocols, and that they provide a better separation of concerns than existing frameworks. To further disseminate this work, they also submitted a position paper on this topic to SecDev'16. Dumitras also presented his work on predicting vulnerability exploits with Twitter analytics at the 37th General Meeting of the Messaging, Malware, Mobile Anti-Abuse Working Group (M3AAWG).

Subrahmanian et al. are exploring dynamics of malware infection and software patching. In recent work, they utilized the corpus of daily measurements of patching for 1.6K vulnerabilities, which they previously collected as part of their project, and separated out the impact of user and vendor behavior on the patching delays. They also evaluated the resulting vulnerability states of hosts. Their modeling of users and the empirical evaluation of this model over vulnerability states of hosts revealed a peculiar relationship between vendors and end-users: users' promptness in applying software patches, and vendors' policies in facilitating the installation of updates, while both contributing to the hosts' security posture, are over-shadowed by other characteristics such as the frequency of vulnerability disclosures and the vendors' swiftness in deploying patches to their consumers. The results of this work have been submitted to the ACM Conference on Computer and Communications Security 2016.

Cukier and Maimon are applying a criminological viewpoint to develop a better understanding of attackers' behavior. Using honeypots deployed at the University of Maryland, they are studying how different system-level aspects affect intruders' behavior. This quarter, they explored hypotheses regarding the presence of surveillance and the amount of time a trespasser spent on the system. Specifically, it was hypothesized that the presence of an administrative user (compared to a non-administrative user) would reduce the number of times a trespasser returns to the system and the amount of time spent on the system. It was also hypothesized that the presence of one user (compared to multiple) would reduce the number of times a trespasser returns to the system and the amount of time spent on the system. These hypotheses were tested, and results indicate that system trespassers who had target computers with administrative users present returned to the system 20-22 fewer times than those with non-administrative users present and 14 times fewer than those with no users present. Additionally, system trespassers with target computers with an administrative user present spent on average a factor of 3.5x fewer hours on the system than trespassers whose target computers did not have an administrative user present. Unlike the type of user, the number of users present on the system had no effect on the system trespassing events. These findings indicate that the presence of an administrative user (even if it is a fake user) reduces the frequency and seriousness of system trespassing events. Policy recommendations from this could include suggestions to include a fake administrative user on systems at all times in order to deter system trespassers and reduce the consequences of system trespassing.

Aviv and Golbeck are focusing on using empirical studies (including surveys) to understand users' perceptions of security and usability. The overarching goal is to apply what they learn to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. This would enable the design of systems in which users' perceptions of security match some known metric of security, thus inducing security by design. In recent work, presented as a poster at SOUPS 2016, they measured the effect of cueing language on user graphical password selection. In particular, they studied the effects of asking users to select a "strong," "secure," or "unique" password, in terms of both strength of the resulting password chosen as well as memorizability of that password.

Papamanthou, Mazurek, and Tiwari are undertaking qualitative studies of users and developers in an effort to discover factors that encourage or discourage privacy and security by design. This work is directed at the broader goal of understanding human behavior and its impact on security. Most recently, the team has continued developing a survey to evaluate the usability of the Bubbles platform they have designed. The survey examines a participant's Google Drive, Gmail, and Google Calendar data, and then infers logical groupings of data across all applications that are shared to the same set of users. They then asked participants to evaluate the accuracy of the proposed groupings. They have submitted a paper describing some of their results to the ACM Conference on Computer and Communications Security 2016.

Baras and Golbeck are studying the fundamental notion of trust, and seeking to develop appropriate models that can be applied to study the dynamics of small groups of parties exploring mechanisms for collaboration based on their local policies. They have used game theory to characterize the costs and benefits of collaboration as a function of the level of trust, and have proved formally the conjecture that "trust is a lubricant for cooperation." This work directly addresses the hard problem of policy-governed secure collaboration, among others. In one recent work, they explored the problem of making decisions based on recommender systems. Due to the popularity of online social networks and the influence of social relationships in decision making, the idea of social recommendation has been introduced and has attracted increasing attention. Trust relationships are exploited in such systems for rating prediction and recommendation, which has been shown to have the potential for improving the quality of the recommender and alleviating the issue of data sparsity, cold start, and adversarial attacks. Their work aimed to give a formal basis for trust evaluation in social networks in order to provide a better knowledge base for trust-aware recommender systems. They modeled the trust relationship as a 2-dimensional vector, and applied a semiring framework to combine trust evidence for predicting indirect trust. Both trust and distrust are considered, and conflict resolution is supported. By analyzing Epinions datasets, they verified experimentally the existence of transitivity in trust relationships, which is one of the basic properties on which the semiring framework is founded. Additionally, from the dataset they also discovered empirically that sign reciprocity exists for positive trust relationships. Their paper on this work and results was accepted for publication in the Proceedings of RecSys 2016.

Katz and Vora have adapted a protocol for remote electronic voting based on physical objects like scratch-off cards. What is particularly novel here is that the human voter is explicitly modeled as a participant in the protocol, taking into account limitations on the kinds of computations humans can be expected to perform. In this sense, this work is related to the general problem of modeling human behavior and appropriately taking human behavior into account when designing security protocols. As accomplishments this quarter, they have submitted a paper to E-Vote-ID describing a new voting protocol that addresses a problem with the Helios voting protocol used by several organizations. They have also submitted a paper about why online elections are currently insecure to ACM CCS 2016. They are continuing the work on a journal paper for formal specification and proof of security for Remotegrity.

B). Community Interaction

David Levin presented results about PKI administration at several non-academic venues, including at the RTCM (Radio Technical Commission for Maritime Services) conference, the NMEA (National Maritime Electronics Association) conference, and the CyberSci Summit. The audiences consisted of a wide range of practitioners who are influential in developing communication policies at both institutional and international levels. He also presented these results to graduate and undergraduate students at UMD, as well as students and faculty at several other universities.

Adam Aviv gave an invited talk at the International Computer Science Institute (March 2016). He also served on the program committees of the Privacy Enhancing Technologies Symposium (PETS'17) and the Annual Computer Security Applications Conference (ACSAC'16). He is a steering committee member of the Advances in Computer Security Education (ASE) Workshop.

David Van Horn presented his work at the National Institute of Informatics (NII), Japan special meeting on "Higher-Order Model Checking" and the Schloss Dagstuhl, Germany seminar on "Language Based Verification Tools for Functional Programs". He has been invited to present a tutorial at the 2016 ACM SIGPLAN International Conference on Functional Programming.

Jonathan Katz is serving as program chair for Crypto 2016-2017 as well as program co-chair for HoTSoS 2017. He is a member of the steering committee for the IEEE Cybersecurity Initiative.

Michael Hicks is serving as program chair for the 2016 SecDev conference, whose goal is to encourage and disseminate ideas for secure system development among both academia and industry. He also serves on the IDA/CCS program review committee. He has been blogging about programming-language security at

Poorvi Vora is part of the technical team for the end-to-end verifiable internet voting (E2E VIV) project (examining the feasibility of secure internet voting) of the Overseas Vote Foundation (OVF). She has been contributing to a description of end-to-end independently-verifiable voting systems meant for non-technical readers including election officials. She gave an invited talk, and participated in a panel, at the Remote Voting Conference 2016, which was organized to explore the possibility of internet voting for Indian elections.

Marshini Chetty gave talks on her research results at the Center for Information and Technology Policy (CITP) at Princeton and to the HCI group at the Jacobs-Institute at CornellTech in November.

John Baras participated heavily in the NIST organized public working group on Cyber-Physical Systems (CPS), and in particular with the subgroup working on security problems and formulations for CPS. He also took part in the work of the Transatlantic Summit Project, developing frameworks for collaboration and joint funding in the area of CPS.

Graduate student Elissa Redmiles received a "data grant" from the Data&Society institute to study security habits of low-SES Americans, in part due to her work as part of the lablet.

C). Educational

Michael Hicks, Jen Golbeck, and Jonathan Katz are offering computer-security MOOCs on Coursera. These courses cover programming-language security, cryptography, and usable security.

Adam Aviv is developing a senior-level elective on cybersecurity, as well as one focusing on usable security.

David Van Horn has incorporated his lablet research into his graduate class on "Program Analysis and Understanding." He is also working to incorporate this into the pedagogically oriented programming environment accompanying his textbook "How to Design Programs."

Michel Cukier leads the ACES undergraduate honors program in cybersecurity, which incorporates a holistic approach to cybersecurity covering technical, policy, and behavioral aspects of the problem.

As a project for Mazurek's Spring 2016 course, five students planned and conducted a participatory design workshop for developing entertaining, relatable educational videos to convince viewers to accept software updates. This was directly inspired by the results of her qualitative study, which suggested that relatable fiction is a strong vehicle for learning security behaviors. The workshop served as a pilot study; a follow-up study that applies participatory design to users recruited in pairs is currently underway. Her goal is to develop a high-quality 5-10 minute storyboard and contract the UMD film club to produce it as a video; she will then evaluate its usefulness for security education.

John Baras has been teaching since 2010 a capstone course entitled "ENES 489P, Hands-on Projects in Systems Engineering". In this project-oriented course, groups of undergraduates (3-4 students) work on projects inspired by important practical challenges. Several of these projects in the last two years addressed security-related questions and challenges.