Visible to the public SoS Quarterly Summary Report - UMD - April 2017

Lablet Summary Report

A). Fundamental Research
The UMD lablet involves several projects looking at different aspects of the five hard problems.

Levin is conducting Internet-wide measurements of network-related services such as PKI and DNS. Regarding PKI: browsers must periodically download revocation information from CAs; unfortunately, browser developers are reluctant to do this, as it consumes bandwidth and potentially increases page-load times. He has developed techniques for more efficiently disseminating revocation information. Included in our design is a novel data structure we call an In-n-Out Bloom Filter, which yields extremely compact representations of all certificates on the web. Our results show that we are able to represent all 8.7M certificate revocations and roughly 30M revocations in total in approximately 8MB -- roughly 8 bits per revocation. By comparison, Google's CRLSet uses 100 bits per revocation, and Mozilla's OneCRL uses 1990 bits per revocation. This work demonstrates that it is now worthwhile to reinvestigate the trade-offs of complete and universal delivery of revocation information.This work was accepted to IEEE Security & Privacy 2017, the leading conference in computer security. Further information is available at

Mazurek is exploring how users process security advice. This work led to several publications, including at ACM CCCS 2016 and ACM CHI 2017. In one study, they conducted a nearly census-representative survey of 526 US internet users. Their results indicate that there is a digital divide in where users obtain advice: users with higher internet skills, and users with higher education levels, typically receive advice from more authoritative sources (e.g., the workplace) than do less skilled or less educated users. Based on discussions with Greg Shannon (Chief Scientist at CERT and former Cybersecurity Advisor to the Whitehouse Office of Science and Technology Policy) following the presentation of this work, they are conducting a mixed-methods study to evaluate and improve messages for promoting two-factor authentication. We are in the process of recruiting participants for the interview-and-design portion of the study, during which participants will be invited to react to different 2FA messages and sketch new ones that they feel would make them more likely to enable 2FA. Based on the results of this portion of the study, we will design three new 2FA messages and evaluate these messages using both experimental and survey approaches.

In addition, Mazurek and her students evaluated a security edutainment video they created. Their preliminary experimental evaluation found that the edutainment video was more effective at increasing participants' intent to update their software than was text-based security advice. This suggests that edutainment may be a promising new direction for educating users about security. A paper describing this work was submitted to the USENIX Security 2017 conference.

Van Horn et al. are investigating compositional-verification techniques using language-based mechanisms for specifying and enforcing program properties called contracts. Initial results confirm that behavioral properties of programs can be verified using this approach and they are now trying to scale the approach to cover multi-language programs and security properties. This team recently made a theoretical breakthrough by showing how to efficiently generate counterexamples witnessing contract violations. This is important for testing and debugging software that uses contracts. They have been able to prove that their method is both sound and relatively complete.

Dumitras et al. are working to design more-informative metrics to quantify security of deployed systems. This work addresses the hard problem of developing quantifiable metrics for assessing the security of systems, and understanding how those metrics evolve in the real world. In cloud infrastructures, service providers are contractually prohibited from accessing the content of customer virtual machines, which makes it challenging for them to protect their infrastructures from malware infections. We extracted 614 features (e.g. hypercalls, hardware performance counters, page table access patterns) from traces generated by three tools (linux perf, xenperf, xentrace). We further analyze these time series, for example to extract the number, density and distance betweek peaks in the signal, resulting in 1,139,016 total features. We conducted experiments with 2,362 benign and malicious programs, and we achieved 89.2% true positives, with a 1.0% false positive rate in malware detection. We also characterized several high-level malicious behaviors that are reflected in the low level hypervisor features, which allow our system to detect them reliably. Currently, we are looking to expand this investigation by evaluating the scalability of our system in a cloud environment. A paper describing this work was submitted to USENIX Security'17.

Subrahmanian et al. are exploring dynamics of malware infection and software patching. The effectiveness of machine-learning techniques, used for security tasks such as malware detection, primarily depends on the manual feature engineering process, based on human knowledge and intuition. However, given attackers' efforts to evade detection and the growing volume of security reports and publications, the human-driven feature engineering likely draws from a fraction of the relevant knowledge. They developed methods to to engineer such features automatically, by mining natural language documents such as research papers, industry reports and hacker forums. Building on ideas from cognitive psychology, we implemented natural language processing techniques that mirror the human process of reasoning about what malware samples have in common and that address security-specific challenges and opportunities. As a proof of concept, they trained a classifier with automatically engineered features for detecting Android malware, and achieved a performance comparable to that of a state-of-the-art malware detector, which uses manually engineered features. Their techniques can suggest informative features that are absent from the manually engineered set, and can link the features generated to human-understandable concepts that describe malware behaviors.

Cukier and Maimon are applying a criminological viewpoint to develop a better understand of attackers' behavior. Using honeypots deployed at the University of Maryland, they are studying how different system-level aspects affect intruders' behavior. This quarter, they completed statistical analyses of experimental data detailing repeat victimization by system trespassers on targeted honeypot computers. Criminological literature was evaluated using Routine Activity Theory (RAT) to better frame the research, in contrast with previous lines of inquiry using these data. This information was then applied to a series of experimental data ranging from April 1, 2015 to September 19, 2016. This experiment randomly assigned infiltrated target computers to have a certain type (administrative or non-administrative) and number (1 or 10) of users to appear on the system at the same time as the system trespasser. The experimental conditions can be described succinctly as follows: control, one user (no admin), one user (admin), multiple users (no admin), multiple users (admin). As RAT pertains primarily to the opportunities to offend and preconditions of offending, a new dependent variable was considered, specifically the number of attack instances against a given honeypot over the period of deployment. The analyses assessed associations of various predictors on the number of sessions for each honeypot using a negative binomial regression. This method was most appropriate given the Poisson distribution of the new dependent variable since session count is a count variable and the model accounts for potential overdispersion. Of note, a series of models were developed in which the session count was predicted using binary indicators for the number of users per condition (with either the single user, multiple user, or control condition as the omitted reference category) and the presence of any keystrokes (at the honeypot level) as predictors. Results indicated that when contrasted with the control condition, honeypots with more than one user and the presence of any keystroke were associated with a statistically significant increase in sessions per honeypot. Experimental conditions with only one user present were not statistically distinguishable from the control in this case.

Aviv and Golbeck are focusing on using empirical studies (including surveys) to understand users' perceptions of security and usability. The overarching goal is to apply what they learn to predict user perceptions, and to use those predictions to design better policies, better user interfaces, and more-secure systems generally. This would enable the design of systems in which users' perceptions of security match some known metric of security, thus inducing security by design. In the last quarter, they have completed the prototype for the shoulder-surfing study and are preparing to launch in-lab studies and on-line studies; data should be collected an analyzed by the next report. Additionally, they are advancing a new project in understanding humans' interaction with password policies that require frequent changing of passwords, as is the case within the DoD, by analyzing those policies, data collected from the institutions password portal, and designing studies to assess the mental models associated with how users change their passwords. Work on measuring Cueing Language has evolved into a new project that is focused on users' perceptions of privacy on mobile devices and how that perception affects choices of mobile authentication.

Papamanthou, Mazurek, and Tiwari are undertaking qualitative studies of users and developers in an effort to discover factors that encourage or discourage privacy and security by design. This work is directed at the broader goal of understanding human behavior and its impact on security. Most recently, the team collected and analyzed real participant data and submitted a work-in-progress paper to USEC 2017 about the results.

Baras and Golbeck are studying the fundamental notion of trust, and seeking to develop appropriate models that can be applied to study the dynamics of small groups of parties exploring mechanisms for collaboration based on their local policies. They have used game theory to characterize the costs and benefits of collaboration as a function of the level of trust, and have proved formally the conjecture that "trust is a lubricant for cooperation." This work directly addresses the hard problem of policy-governed secure collaboration, among others. In one recent work, they explored the problem of making decisons based on recommender systems. Due to the popularity of online social networks and the influence of social relationships in decision making, the idea of social recommendation has been introduced and has attracted increasing attention. Trust relationships are exploited in such systems for rating prediction and recommendation, which has been shown to have the potential for improving the quality of the recommender and alleviating the issue of data sparsity, cold start, and adversarial attacks. Their work aimed to give a formal basis for trust evaluation in social networks in order to provide a better knowledge base for trust-aware recommender systems. They modeled the trust relationship as a 2-dimensional vector, and applied a semiring framework to combine trust evidence for predicting indirect trust. Both trust and distrust are considered, and conflict resolution is supported. By analyzing Epinions datasets, they verified experimentally the existence of transitivity in trust relationships; which is one of the basic properties on which the semiring framework is founded. Additionally, from the dataset they also discovered empirically that sign reciprocity exists for positive trust relationships.

Katz and Vora have adapted a protocol for remote electronic voting based on physical objects like scratch-off cards. What is particularly novel here is that the human voter is explicitly modeled as a participant in the protocol, taking into account limitations on the kinds of computations humans can be expected to perform. In this sense, this work related to the general problem of modeling human behavior and appropriately taking human behavior into account when designing security protocols. This past quarter, Vora submitted a journal version of a paper describing a new voting protocol that addresses a problem with the Helios protocol used by the IACR and ACM for their elections. She is also considering a venue for a systematization of knowledge paper (that is completed) on the insecurity of internet voting.. Katz and Vora are continuing work on a journal paper for formal specification and proof of security for Remotegrity.

B). Community Interaction

Mazurek gave a CRA-W distinguished lecture at CAPWIC (capital-area celebration of women in computing) in February 2017.

Graduate student Elissa Redmiles presented her work at the Carnegie Mellon University CUPS lab seminar (CyLab Usable Privacy and Security lab).

Dumitras organized a two-day workshop on data-driven security at UMD in January 2017. The objective of the workshop was to identify hard, open, problems in our field, and to articulate tangible goals for advancing security through data-driven methods.

David Levin presented results about his PKI work to the NSA Laboratory for Telecommunication Science (LTS).

Adam Aviv served on the program comittees of the Privacy Enhancing Technologies Symposium (PETS'17) and NSPW. He is a steering committee member of the Advances in Computer Secuirty Eduction (ASE) Workshop.

Jonathan Katz is serving as program chair for Crypto 2016-2017 as well as program co-chair for HoTSoS 2017. He is a member of the steering committee of the IEEE Cybersecurity Inititative as well as the Maryland Cybersecurity Council.

Michael Hicks is serving as program chair for the 2016 SecDev conference, whose goal is goal is to encourage and disseminate ideas for secure system development among both academia and industry. He also serves on the IDA/CCS program review committee. He has been blogging about programming-language security at

Vora is part of the technical team for the end-to-end verifiable internet voting (E2E VIV) project (examining the feasibility of secure internet voting) of the overseas vote foundation (OVF). She has been contributing to a description of end-to-end independently-verifiable voting systems meant for non-technical readers including election officials. In the past quarter, she served as a technical expert providing affidavits in support of Jill Stein's petition for a manual recount in the 2016 election in the states of Wisconsin and Michigan. She also served as an expert providing testimony to the Maryland State Board of Elections on their proposed audits. She wrote an op-ed article in the Baltimore Sun, with Philip Stark, on why Maryland needed to manually examine paper ballots.

Baras was named an AAAS fellow.

John Baras participated heavily in the NIST organized public working group on Cyber-Physical Systems (CPS), and in particular with the subgroup working on security problems and formulations for CPS. He also delivered an invited plenary address at the 35th Chinese Control Conference (CCC2016), July 27, 2016, in Chengdu, China, entitled "Networked Cyber-Physical Systems (Net-CPS)," in which he included his work on trust supported by the NSA SoS Lablet grant.

C). Educational

Michael Hicks, Jen Golbeck, and Jonathan Katz are offering computer-security MOOCs on Coursera. These courses cover programming-langauge security, cryptography, and usable security.

Adam Aviv is developing a senior-level elective on cybersecurity, as well as one focusing on usable security.

David Van Horn has incorporated his lablet research into his graduate class on "Program Analysis and Understanding." He is also working to incorporate this into the pedagogically oriented programming environment accompanying his textbook "How to Design Programs." Starting in September 2017, he will begin teaching a two-semester sequence of experimental courses as an alternative to the required introduction to programming courses at UMD. The course will feature the use of contracts prominently and will use our tool in the programming environment to help student understand contracts and provide counter-examples during development. If the courses go well, it will replace the existing courses and become the required intro CS sequence.

Michel Cukier leads the ACES undergraduate honors program in cybersecurity, which incorporates a holistic approach to cybersecurity covering technical, policy, and behavioral aspects of the problem.

John Baras has been teaching since 2010 a capstone course entitled "ENES 489P, Hands-on Projects in Systems Engineering". In this project oriented course groups of undergraduates (3-4 students) work on projects inspired form important practical challenges. Several of these projects in the last two years addressed security related questions and challenges. Baras taught a graduate level course the Fall 2016 semester in the Electrical and Computer Engineering Department, ENEE 762, "Stochastic Control," in which he is introducing several problems related to trust and collaboration from the research under this project.