SoS Lablet Annual Report - UMD

A). Lablet Introduction

The UMD lablet, led by co-PIs Jonathan Katz and Michel Cukier, involves 10 projects looking at different aspects of the five hard problems, with specific focus on the areas of metrics, policy-governed secure collaboration, and human behavior.

The UMD lablet consists of 20 faculty from both UMD and partner institutions. The 15 UMD faculty are drawn from five different departments across campus, including computer science, electrical and computer engineering, information studies, criminology, and reliability engineering. The collaborators hail from USNA, Virginia Tech, UT Austin, Indiana University, and The George Washington University.

B). Fundamental Research

Techniques such as information-flow control can offer strong privacy guarantees but have failed to achieve traction among developers. The project "Understanding Developers' Reasoning about Privacy and Security" has been developing an alternative scheme called "Blox" in which developers partition their apps based on functionality (analogous to a model-view-controller pattern) instead of using labels and information-flow compilers. The team members are conducting studies to understand how users partition access to their content in cloud applications, to better understand the right abstractions that developers should use. A pilot study evaluated the usability of the Blox platform, based on whether it is possible to accurately infer access-control domains using machine-learning techniques. The study demonstrated that the learning techniques are not yet sufficiently accurate and may require additional supervision. A paper illustrating the pilot results was submitted to USEC 2017.
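
The inference task at the heart of the pilot can be illustrated with a toy sketch (the feature names and the nearest-neighbor approach below are illustrative assumptions, not the study's actual method): given items a user has already assigned to access-control domains, predict the domain of a new item from simple metadata features.

```python
def hamming(a, b):
    """Distance between two equal-length binary feature vectors."""
    return sum(x != y for x, y in zip(a, b))

def predict_domain(labeled_items, features):
    """Assign the domain of the closest labeled item (1-nearest-neighbor)."""
    _, domain = min(labeled_items, key=lambda item: hamming(item[0], features))
    return domain

# Hypothetical features: (contains_photo, work_related, shared_before)
labeled = [
    ((1, 0, 1), "family"),
    ((0, 1, 0), "work"),
    ((0, 1, 1), "work"),
]
print(predict_domain(labeled, (0, 1, 1)))  # -> work
```

The pilot's finding that such classifiers "may require additional supervision" corresponds, in this toy setting, to cases where a new item's features sit equidistant from several domains.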

The team is developing a measurement study to better understand data sharing in cloud platforms. Using the infrastructure platform developed for the first study, the team will collect usage data across multiple services and obtain mappings about how many items are shared with how many people, in what type of groups, and with what longevity. This will enable a characterization of the modern cloud-based access-control space, updating prior work that examined corporate and peer-to-peer networks.

The project "Measuring and Improving the Management of Today's PKI" focuses on metrics by means of large-scale measurements of the existing public-key infrastructure (PKI) used in today's web. While online use of PKI is mostly automated, there is a surprising amount of human intervention in management tasks that are crucial to its proper operation. This project studies the following questions: Are administrators doing what users of the Web need them to do in order to ensure security? And, what can be done to help facilitate or automate these tasks? As part of this project, researchers are performing internet-wide measurements of how online certificates are actively being managed, including how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play. In particular, they find that CDNs (content distribution networks)--which serve content for many of the most popular websites--have access to content providers' private keys, violating the fundamental assumption of PKIs (i.e., that no one shares their private keys). The researchers are performing the first widespread analyses of the extent to which websites are sharing their private keys, and exploring what impact this has on the management of the PKI and on users' privacy and security in general. The research group is also developing new systems that help improve clients' ability to stay up-to-date on certificate revocations. They are developing systems that leverage recent initiatives such as Certificate Transparency to more compactly represent revocation data. One such system, CRLite, uses a novel data structure that clients can query to determine whether or not a certificate is revoked; surprisingly, CRLite is able to do so at a cost of less than one byte per certificate. This shows that universal coverage of certificate revocations may at last be within reach.
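
The data structure behind CRLite is a filter cascade: a first Bloom filter holds the revoked certificates, a second holds the valid certificates that the first falsely matched, and so on until no false positives remain, at which point every lookup gets an exact answer. The sketch below is a minimal stdlib illustration of that idea (CRLite's actual parameters, filter sizing, and Certificate Transparency integration are far more involved, and the names here are illustrative):

```python
import hashlib

class Bloom:
    """Minimal Bloom filter over string items (illustrative, not CRLite's)."""
    def __init__(self, items, bits, k=3):
        self.bits, self.k = bits, k
        self.array = [False] * bits
        for item in items:
            for i in self._hashes(item):
                self.array[i] = True

    def _hashes(self, item):
        for j in range(self.k):
            digest = hashlib.sha256(f"{j}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits

    def __contains__(self, item):
        return all(self.array[i] for i in self._hashes(item))

def build_cascade(revoked, valid, bits=256):
    """Alternating filters: level 0 holds revoked serials, level 1 holds the
    valid serials that level 0 falsely matched, and so on until none remain."""
    levels, include, exclude = [], set(revoked), set(valid)
    while include:
        f = Bloom(include, bits)
        levels.append(f)
        include, exclude = {c for c in exclude if c in f}, include
    return levels

def is_revoked(cascade, serial):
    # The parity of the first level where the lookup misses decides the answer.
    for depth, f in enumerate(cascade):
        if serial not in f:
            return depth % 2 == 1
    return len(cascade) % 2 == 1

revoked = {"serial-100", "serial-101"}
valid = {"serial-200", "serial-201", "serial-202"}
cascade = build_cascade(revoked, valid)
print(is_revoked(cascade, "serial-100"), is_revoked(cascade, "serial-200"))
```

Because each level only needs to hold the previous level's false positives, the total size shrinks geometrically, which is what makes the reported sub-byte-per-certificate cost plausible.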

Work done as part of the "Trust, Recommendation Systems, and Collaboration" project is primarily directed toward the hard problem of policy-governed secure collaboration. The overarching goal of the project is to develop a transformational framework for a science of trust, and its impact on local policies for collaboration, in networked multi-agent systems, which takes human behavior into account from the start, and is validated experimentally. Among other things, work so far has developed novel results regarding the evolution of opinions (or beliefs) over a social network modeled as a signed graph; new models and analytical methods for the investigation of consensus dynamics with both collaborative and non-collaborative node interactions; and new probabilistic models of multi-domain crowdsourcing tasks. The team has also formalized the problem of trust-aware task allocation in crowdsourcing and developed a principled way to solve it; the formulation models the workers' trustworthiness and the costs based on both the question and the worker group. In other work, the team has developed a new framework for modeling trust based on their recently developed foundational model for networked multi-agent systems in which they consider three interacting dynamic, directed graphs on the same underlying set of nodes: a social/agent network, which is relational; an information network, also relational; and a communication network that is physical. The links and nodes are annotated with dynamically changing "weights" representing trust metrics whose formal definition and mathematical representation can take one of several options, e.g., weights can be scalars, vectors, or even policies (i.e., rules). 
Within this new framework, the team is specifically focusing on the following fundamental problems: (a) Theories and principles governing the spreading dynamics of trust and mistrust among members of a network; (b) Design and analysis of recommendation systems, their dynamics and integrity; (c) Development of a framework for understanding the composition of trust across various networks at the different layers of our basic model; (d) Analysis of the effects of trust on collaboration in networked multi-agent systems, using game-theoretic and economic principles.
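
The signed-graph opinion dynamics mentioned above can be made concrete with a small sketch (the update rule and weights below are an illustrative DeGroot-style assumption, not the project's actual model): positive edge weights pull an agent's opinion toward a neighbor's, while negative weights (mistrust) push it away.

```python
def step(opinions, weights):
    """One synchronous update; weights[i][j] is the signed trust i places in j."""
    new = []
    for row in weights:
        influence = sum(w * x for w, x in zip(row, opinions))
        norm = sum(abs(w) for w in row)
        new.append(influence / norm)
    return new

# Agents 0 and 1 trust each other but mistrust agent 2, who starts opposed.
opinions = [1.0, 0.8, -1.0]
weights = [
    [0.5, 0.5, -0.2],
    [0.5, 0.5, -0.2],
    [-0.2, -0.2, 1.0],
]
for _ in range(50):
    opinions = step(opinions, weights)
print(opinions)  # the trusting pair agree; the mistrusted agent polarizes away
```

In this toy run the two mutually trusting agents converge to a shared opinion while the mistrusted agent settles at its mirror image, a simple instance of the polarization phenomena studied on signed graphs.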

The overarching goal of the project "User-Centered Design for Security" was to better understand human behavior within security systems, and to use that knowledge to propose, design, and build better security systems. A system that is designed taking into account limitations on human memory, attention, and cognitive abilities will be easier to use and will thus lead people toward acting in secure ways; systems that force users to carry out inherently difficult tasks lead to people circumventing security guidelines in order to get their tasks done efficiently. The team undertook several efforts in this space, in particular in understanding the security and usability of text and graphical passwords, as well as user opinions and expertise about security-related issues. In the password space, the team designed mechanisms to help people remember passwords more effectively, made progress in understanding mental models of privacy applied to mobile devices and how those models may affect the choice of mobile-authentication technique, and measured the strength of authentication systems to human attackers. Most recently, the latter project focused on shoulder-surfing attacks. Our work in this space has improved the understanding of human-password interaction and how authentication systems can be designed to be more usable and more secure.

The team also studied what users understand about how their personal information is used, how comfortable they are with that, and the role that consent and control play in their opinions. Numerous research projects have documented concerns that users have with data commonly used by recommender systems. We conducted several studies on this topic and found that users are uncomfortable with much data currently used in personalization technologies, that they don't know how to secure that data, and that consent is a critical component to their level of comfort.

The aim of the project "Reasoning about Protocols with Human Participants" is to study protocols -- in particular, electronic-voting protocols -- in which humans are explicitly modeled as participants. In the last year, the team has described security vulnerabilities in the remote voting system Helios, including one that allowed a dishonest voting terminal to change a voter's vote after it obtains the voter's credential. The team also proposed Apollo, a modified version of Helios, that addresses those vulnerabilities. With Apollo-lite, votes not authorized by the voter are detected by the public and prevented from being included in the tally. The full version of Apollo enables a voter to prove that her vote was changed. The team also described a very simple protocol for the voter to interact with any devices she employs to check on the voting system, enabling frequent and easy auditing of encryptions and checking of the bulletin board. Apollo uses some of the ideas of Remotegrity, and the team is working on a common framework for definitions and proofs for Remotegrity and Apollo. As part of this project, Vora has also developed a taxonomy of voting systems using some new and some existing definitions, and applied the taxonomy to some of the more prominent voting systems in a survey paper.
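
The kind of check such systems enable can be conveyed with a highly simplified sketch (this is not the actual Apollo protocol; the commitment scheme, names, and bulletin-board structure below are hypothetical): the terminal posts a commitment to the cast ballot on a public bulletin board, and any independent device the voter carries can recompute and verify it, so a terminal that silently changes the vote is caught.

```python
import hashlib

def commit(credential, ballot, nonce):
    """Toy commitment; a real protocol would use encryption, not a bare hash."""
    return hashlib.sha256(f"{credential}|{ballot}|{nonce}".encode()).hexdigest()

bulletin_board = []

def cast(credential, ballot, nonce):
    bulletin_board.append((credential, commit(credential, ballot, nonce)))

def audit(credential, ballot, nonce):
    """A voter's device checks that the board records her ballot unmodified."""
    return (credential, commit(credential, ballot, nonce)) in bulletin_board

cast("voter42", "candidate-A", "nonce1")
print(audit("voter42", "candidate-A", "nonce1"))  # -> True
print(audit("voter42", "candidate-B", "nonce1"))  # -> False: a changed vote fails the audit
```

The point of the real protocol's simplicity is exactly this: the voter-side check is cheap enough to run frequently, on any device.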

The project "Empirical Models for Vulnerability Exploits" is exploring more-informative metrics to quantify the security of deployed systems. Work this past year had two thrusts: understanding and mitigating the misuse of cryptographic APIs, and characterizing the utility of hardware or virtualization indicators for detecting attacks against cloud-computing infrastructures.
In the first thrust, the team inferred five developer needs and showed that a good API would address those needs only partially. Building on this observation, the team proposed APIs that are semantically meaningful for developers, showed how the necessary interfaces can be implemented consistently on top of existing frameworks, and proposed build-management hooks for isolating security workarounds needed during the development and test phases. Through two case studies, the team showed that those APIs can be utilized to implement non-trivial client-server protocols and that they provide a better separation of concerns than existing frameworks.
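
The shape of a semantically meaningful API can be sketched as follows (a hypothetical interface in the spirit of the project, not the team's actual design): the developer states an intent such as "protect this message on this channel" rather than selecting ciphers, modes, and IVs. For brevity this toy provides only integrity via HMAC; a real implementation would use authenticated encryption underneath the same interface.

```python
import hashlib
import hmac
import os

def new_channel_key():
    """Key setup hidden behind the API rather than left to the developer."""
    return os.urandom(32)

def protect(key, message: bytes) -> bytes:
    """Attach an integrity tag; the developer never touches algorithm choices."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return tag + message

def receive(key, packet: bytes) -> bytes:
    """Return the message, or raise if it was tampered with in transit."""
    tag, message = packet[:32], packet[32:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message failed integrity check")
    return message

key = new_channel_key()
packet = protect(key, b"hello")
print(receive(key, packet))  # -> b'hello'
```

The design choice the project argues for is visible even in this toy: the developer's vocabulary is protect/receive, and every cryptographic decision that could be misused is encapsulated.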

In the second thrust, the team investigated the information provided by hardware or virtualization indicators that could be utilized for detecting attacks against cloud-computing infrastructures. In those settings, the service providers are contractually prohibited from accessing the content of customer virtual machines, which makes it challenging for them to protect their infrastructures from malware infections. The research group extracted 614 features from traces generated by three tools, analyzing them to capture the number, density, and distance between peaks in the signal. The group is currently investigating the extent to which these sub-semantic features are useful for detecting malicious activity in customer virtual machines. Early results are promising: on a ground truth with 529 malware samples and 529 benign programs, classifiers can be trained with accuracies above 99%.
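
A stdlib-only illustration of this kind of sub-semantic feature extraction (the project's 614 features and trace tools are its own; the particular peak definition below is an illustrative assumption): given a trace such as a performance-counter time series, count the peaks and compute their density and mean spacing.

```python
def peak_features(signal, threshold=0.0):
    """Return (peak count, peak density, mean distance between peaks)."""
    peaks = [i for i in range(1, len(signal) - 1)
             if signal[i] > threshold
             and signal[i] > signal[i - 1] and signal[i] > signal[i + 1]]
    count = len(peaks)
    density = count / len(signal)
    spacing = [b - a for a, b in zip(peaks, peaks[1:])]
    mean_distance = sum(spacing) / len(spacing) if spacing else 0.0
    return count, density, mean_distance

trace = [0, 3, 0, 1, 5, 1, 0, 4, 0]
print(peak_features(trace))  # -> (3, 0.333..., 3.0)
```

Such features deliberately ignore what the virtual machine is doing semantically, which is what lets the provider use them without inspecting customer content.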

The project "Human Behavior and Cyber Vulnerabilities" had three thrusts over the past year. In the first thrust, a system called FeatureSmith was developed that performs automatic feature engineering by mining the security-research literature. The effectiveness of machine-learning techniques primarily depends on the manual feature-engineering process, which has traditionally been based on human knowledge and intuition. However, given attackers' efforts to evade detection and the growing volume of security reports and publications, human-driven feature engineering likely draws from only a fraction of the relevant knowledge. The team developed methods to engineer such features automatically, by mining natural-language documents such as research papers, industry reports, and hacker forums. As a proof of concept, the research group used this approach to train a classifier with automatically engineered features for detecting Android malware, and achieved performance comparable to that of a state-of-the-art malware detector that uses manually engineered features. In the second thrust, the group finished analysis of their Spring 2016 study of mobile users' preferences towards autoupdates on their phones. This study, involving a survey of 550 Android users, found that those who do not autoupdate their applications tend to take fewer risks, are more security aware, and have had a previous negative experience with software updates. Users' preferences towards autoupdating were also found to be influenced by how satisfied they are with a mobile application, how important the application is to them, and how much they trust the application itself. Finally, results showed that users are more likely to want to autoupdate due to security updates rather than non-security-related updates. These findings led to several recommendations to improve notifications to encourage users to switch to autoupdates.
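
A toy sketch conveys the spirit of mining feature candidates from security text (the real FeatureSmith applies NLP over thousands of documents and builds a semantic network; the pattern matching and cue words below are illustrative assumptions): rank terms by how often they co-occur in a sentence with malware-related words.

```python
import re
from collections import Counter

MALWARE_CUES = {"malware", "trojan", "botnet"}

def candidate_features(corpus):
    """Score terms by sentence-level co-occurrence with malware cue words."""
    scores = Counter()
    for document in corpus:
        for sentence in re.split(r"[.!?]", document):
            words = set(re.findall(r"[a-z_]+", sentence.lower()))
            if words & MALWARE_CUES:
                scores.update(words - MALWARE_CUES)
    return scores

docs = ["The trojan requests the SEND_SMS permission.",
        "Benign apps rarely use SEND_SMS. This malware abuses send_sms to profit."]
print(candidate_features(docs).most_common(1))  # -> [('send_sms', 2)]
```

Here the Android permission SEND_SMS surfaces as the top candidate because it repeatedly co-occurs with malware descriptions, which mirrors how the real system recovers behaviors worth encoding as detector features.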

In the third thrust, we analyzed the performance of malware-family detection techniques. Android is the most widely used mobile OS today, and is also the biggest target for mobile malware. Given the increasing number of malware variants, detecting malware families is crucial for security analysts, who can reuse signatures of a known family to tackle new malware belonging to that family. During Fall 2016, we developed a thorough and systematic performance comparison of several traditional classification algorithms for the task of detecting Android malware families. We performed our evaluation on DREBIN, the largest public Android malware dataset with labeled families, extracting both static features from the code and dynamic features by executing malware samples in a controlled sandbox along with a network simulator. In particular, we defined a large set of features based on both static and dynamic code analysis, and showed that as long as a malware family contained at least 10 samples of malware variants in the training data, we could predict the families to which unlabeled samples belong with high accuracy, irrespective of the accuracy measure considered: the micro-F, macro-F, micro-AUC, and macro-AUC scores were 0.95, 0.89, 0.97, and 0.93, respectively.
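
Reporting both micro and macro scores matters because malware-family sizes are skewed: micro-F aggregates over all samples, so large families dominate, while macro-F averages the per-family scores equally. A minimal stdlib computation over hypothetical predictions shows the difference:

```python
from collections import Counter

def f1_scores(true, pred):
    """Return (micro-F1, macro-F1) for multi-class labels."""
    families = sorted(set(true) | set(pred))
    tp, fp, fn = Counter(), Counter(), Counter()
    for t, p in zip(true, pred):
        if t == p:
            tp[t] += 1
        else:
            fp[p] += 1
            fn[t] += 1

    def f1(tp_, fp_, fn_):
        return 2 * tp_ / (2 * tp_ + fp_ + fn_) if tp_ else 0.0

    macro = sum(f1(tp[f], fp[f], fn[f]) for f in families) / len(families)
    micro = f1(sum(tp.values()), sum(fp.values()), sum(fn.values()))
    return micro, macro

true = ["A", "A", "A", "A", "B", "B"]   # family A is larger than family B
pred = ["A", "A", "A", "B", "B", "A"]
print(f1_scores(true, pred))  # micro 0.667, macro 0.625
```

Errors on the small family B drag macro-F below micro-F, the same pattern visible in the reported 0.95 micro versus 0.89 macro scores.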

As part of the project "Does the Presence of Honest Users Affect Intruders' Behavior?," Michel Cukier and David Maimon are applying criminological techniques to develop a better understanding of attacker behavior. One particular highlight of the past year is the examination of previously uninvestigated experimental data--an experiment that randomly assigned infiltrated target computers to have a certain type (administrative or non-administrative) and number (1 or 10) of users to appear on the system at the same time as the system trespasser. Using this data, the team examined whether the number and type of users present on a system reduced the seriousness and frequency of trespassing. Results indicated that the presence of an administrative user (regardless of the number of users) significantly reduced the number of system trespassing events. Additionally, with 10 users present, the presence of an administrative user significantly reduced the total amount of time attackers spent on the compromised system. Interestingly, comparing between conditions with different numbers of users, it was found that the number of users present on the system has no effect on the number of trespassing events or total time spent on the system. These findings together indicate that presence of an administrative user can produce a deterrent effect on system trespassers, while the number of users present on the system has no effect on system trespasser actions. Findings from these analyses were reported and presented during the Hot Topics in the Science of Security (HoTSoS) 2017 annual conference.

"Understanding how Users Process Security Advice" addresses the hard problem of human behavior from the perspective of educational efforts. People encounter a tremendous amount of cybersecurity advice. It would be impossible to follow all the available advice, so people pick and choose which advice to follow and which to ignore in different circumstances. But the advice they pick is not always the most correct or useful. This project examines where people encounter security advice, how they evaluate its trustworthiness, and how they decide which advice to follow or reject. This year, we conducted a large-scale quantitative survey of how users learn about security advice. We also analyzed random-digit-dial national survey data touching on security advice and behaviors, finding a relationship between education level and advice sources. Based on results from last year's work, we hypothesized that edutainment could be an effective mechanism for motivating adoption of software updates. We conducted participatory design workshops to develop a storyline, which was professionally produced as a video. We used a longitudinal study to evaluate edutainment's effect on attitudes toward updates, finding a small but significant improvement for edutainment text relative to traditional security text. We also used participatory design to develop new approaches to motivating two-factor authentication (2FA) adoption. We are conducting preliminary tests on the new design and hoping to test it in the field via a collaboration with a large software company.

As part of the project "Trustworthy and Composable Software Systems with Contracts," researchers are investigating compositional-verification techniques using language-based mechanisms called contracts for specifying and enforcing program properties. Over the past 15 months, we have applied the technique to multi-language programs, security properties, and imperative languages. We have developed a foundational theory, extended it to these settings, and empirically evaluated the effectiveness of our prototype analysis tools.

We made an earlier theoretical breakthrough showing how to generate counterexamples that witness contract violations; this is important for testing and debugging software that uses contracts. We have proved that our method is both "sound" and "relatively complete," which means the approach is powerful and capable of generating a large class of counterexamples. These results were first established in a purely functional setting, but over the past 15 months we have extended them to higher-order imperative settings. We have worked on integrating this verification technique into a full-featured programming language and interactive development environment, and developed pedagogical tools for teaching verified software development. Currently, these tools are being used in an experimental section of the UMD introductory programming sequence.
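
The project's tools find counterexamples via higher-order symbolic execution; as a much simpler illustration of what a contract violation and its witness look like, here is a contract decorator plus a naive random search for a violating input (the decorator, the buggy function, and the search strategy are all illustrative, not the project's machinery):

```python
import random

def contract(pre, post):
    """Wrap a one-argument function with pre- and postcondition checks."""
    def wrap(fn):
        def checked(x):
            assert pre(x), f"precondition violated on {x}"
            result = fn(x)
            assert post(x, result), f"postcondition violated on {x}"
            return result
        return checked
    return wrap

@contract(pre=lambda x: x >= 0, post=lambda x, r: r * r == x)
def broken_isqrt(x):
    return int(x ** 0.5)   # buggy: exact only for perfect squares

def find_counterexample(fn, trials=1000, seed=7):
    """Random testing stand-in for the project's symbolic search."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = rng.randrange(100)
        try:
            fn(x)
        except AssertionError:
            return x
    return None

print(find_counterexample(broken_isqrt))  # a non-square input witnessing the bug
```

Where this sketch can only stumble on a witness by chance, the sound and relatively complete method described above constructs one whenever a violation is reachable.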

C). Publications

  • Taejoong Chung, Roland van Rijswijk-Deij, David Choffnes, Alan Mislove, Christo Wilson, Dave Levin, Bruce M. Maggs, "Understanding the Role of Registrars in DNSSEC Deployment," ACM IMC 2017.
  • Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson, "Longitudinal, End-to-End View of the DNSSEC Ecosystem," USENIX Security 2017. This paper received a distinguished paper award at the conference.
  • James Larisch, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson, "CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers," IEEE Security & Privacy 2017. This paper was awarded the IEEE Cybersecurity Award for Innovation.
  • Taejoong Chung, Yabing Liu, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson, "Measuring and Applying Invalid SSL Certificates: The Silent Majority," ACM IMC 2016.
  • Frank Cangialosi, Taejoong Chung, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson, "Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem," ACM Conference on Computer and Communications Security 2016.
  • Jennifer Golbeck, "User Concerns with Personal Routers Used as Public Wi-Fi Hotspots," IEEE UMECON, 2017.
  • Flynn Wolf, Ravi Kuber, and Adam J. Aviv, "Towards Non-Observable Authentication for Mobile Devices," poster at SOUPS 2016.
  • Sussanna Heidt and Adam J. Aviv, "Refining Graphical Password Strength Meters," poster at SOUPS 2016.
  • Adam J. Aviv, Justin Maguire, and Jeanne Luning-Prack, "Analyzing the Impact of Collection Methods and Demographics for Android's Pattern Unlock," Workshop on Usable Security (USEC), 2016.
  • Jennifer Golbeck and Matthew Louis Mauriello, "User Perception of Facebook App Data Access: A Comparison of Methods and Privacy Concerns," Future Internet 8(2):9, 2016.
  • J. Benaloh, M. Bernhard, J. A. Halderman, R. L. Rivest, P. Y. A. Ryan, P. B. Stark, V. Teague, P. L. Vora, and D. S. Wallach, "Public evidence from secret ballots," CoRR, abs/1707.08619, 2017. A shorter version of this has been accepted at E-Vote-ID 2017.
  • Richard T. Carback, David Chaum, Jeremy Clark, Aleksander Essex, Travis Mayberry, Stefan Popoveniuc, Ronald L. Rivest, Emily Shen, Alan T. Sherman, Poorvi L. Vora, John Wittrock, and Filip Zagorski, "The Scantegrity Voting System and its Use in the Takoma Park Elections," invited chapter, Real-world Electronic Voting: Design, Analysis and Deployment, edited by Feng Hao and Peter Y. A. Ryan. Published December 2016.
  • Dawid Gawel, Maciej Kosarzecki, Poorvi L. Vora, Hua Wu, and Filip Zagorski, "Apollo - End-to-End Verifiable Internet Voting with Recovery from Vote Manipulation", E-Vote-ID 2016.
  • S. Indela, M. Kulkarni, K. Nayak, and T. Dumitras, "Helping Johnny Encrypt: Toward Semantic Interfaces for Cryptographic Frameworks," ACM Onward! Conference, 2016.
  • S. Indela, M. Kulkarni, K. Nayak, and T. Dumitras, "Toward Semantic Cryptography APIs," IEEE Cybersecurity Development Conference 2016.
  • Z. Zhu and T. Dumitras, "FeatureSmith: Automatically Engineering Features for Malware Detection by Mining the Security Literature," ACM Conference on Computer and Communications Security 2016.
  • Elissa M. Redmiles, Sean Kross, and Michelle L. Mazurek, "Where is the digital divide? Examining the impact of socioeconomics on self-reported security and privacy experiences, " ACM Conference on Human Factors in Computing Systems 2017.
  • Elissa M. Redmiles, Sean Kross, and Michelle L. Mazurek., "How I learned to be secure: A census-representative survey of security advice sources and behavior." ACM Conference on Computer and Communications Security 2016.
  • A. Mathur and M. Chetty, "Impact of User Characteristics on Attitudes Towards Automatic Mobile Application Updates, " SOUPS 2017.
  • Phuc C. Nguyen, Sam Tobin-Hochstadt, and David Van Horn, "Higher-order symbolic execution for contract verification and refutation," Journal of Functional Programming, 27(3), 2017.
  • David Darais, Nicholas Labich, Phuc C. Nguyen, and David Van Horn, "Abstracting Definitional Interpreters," Proceedings of the ACM on Programming Languages, 1(12), 2017.

D). Community Engagements
Jonathan Katz served as the co-program chair for the Crypto 2017 conference.

Arunesh Mathur presented the work on secure software updates to girls ages 10-14 at the AspireIT camp at Princeton High School in Summer 2017.

Elissa Redmiles presented publications at CCS 2016, CHI 2017, and at the 2017 WAY workshop. She presented a poster about the Edutainment project at NDSS 2017. She also presented this work at the Carnegie Mellon University CyLab Usable Privacy and Security seminar.

Elissa Redmiles wrote an article ("Why Installing Software Updates Makes Us WannaCry") for the academic news website The Conversation; the article was picked up by the AP and Scientific American, among other publications.

Mazurek gave a CRA-W distinguished lecture at CAPWIC (Capital-Area Celebration of Women in Computing) in February 2017. She also gave an invited talk on the topic of security behavior and advice at ConPro 2017: Workshop on Technology and Consumer Protection (IEEE S&P Workshops).

Poorvi Vora served as a technical expert providing affidavits in support of Jill Stein's petition for a manual recount in the 2016 election in the states of Wisconsin and Michigan. She also served as an expert providing testimony to the Maryland Board of Elections on their proposed audits. She wrote an op-ed article in the Baltimore Sun, with Philip Stark, on why Maryland needs to manually examine paper ballots. In March 2017, Vora was awarded the Public Engagement Award for her work by the Election Verification Network, the premier network of election integrity experts.

In early 2017, Vora wrote multiple articles and open letters to the Election Commission of India on the security of India's Electronic Voting Machines, which are under considerable public scrutiny after the most recent state elections in India.

Doctoral student Hua Wu presented at E-Vote-ID 2016 and the DC-Area Privacy and Security seminar. He is writing a dissertation proposal which he hopes to defend in Spring 2018. Master's student Siyuan Feng has been admitted to the doctoral program at GWU.

To encourage further research on natural-language processing for security, the data behind FeatureSmith has been released publicly; so far, six academic institutions have requested access.

In January 2017, Dumitras organized a second invitation-only workshop aimed at researchers interested in studying security empirically, using data-driven techniques. The 29 workshop participants came from 6 countries and represented organizations from academia, industry, and government. The discussion topics included understanding the motivations, capabilities, and limitations of real-world adversaries; putting theoretical assumptions to the test; accounting for the socio-economic incentives of attackers and for the properties of deployment environments; measuring and predicting security; secure data mining and machine learning techniques; automatically learning the semantics of security threats; and clean-slate ideas grounded in security measurements.

Presentation by Jennifer Golbeck at University of Pittsburgh Big Data Science Colloquium (March 2017): "Foretold Futures from Digital Footprints: Artificial Intelligence, Behavior Prediction, and Privacy"

Keynote by Jennifer Golbeck at University of Tennessee Social Media Week (February 2017):
''Algorithmic Servants or Algorithmic Tyranny: Living With a Predicted Future''

Keynote by Jennifer Golbeck at Washington & Lee University Mudd Center for Ethics (February 2017): "Foretold Futures from Digital Footprints: Artificial Intelligence, Behavior Prediction, and Privacy"

Adam Aviv served as Workshop and Tutorial Chair for SOUPS 2017.

Adam Aviv served on the NSPW 2017 program committee.

Dave Levin presented results to international collaborators at the University of Jordan, Princess Sumaya University for Technology, and the Hashemite University.

Levin and his colleagues have also been working with developers at Mozilla to explore incorporating the CRLite system into Firefox; if successful, this would result in all Firefox clients being fully up-to-date on all certificate revocations on a daily basis, a drastic improvement over today's status quo.

Poorvi Vora gave an invited talk at The Remote Voting conference in July 2016. The meeting was organized by the Government of India to discuss the challenges of, and possible solutions for, remote voting by Indian citizens.

Michelle Mazurek co-led a tutorial at SOUPS 2016 on the science of password research.

NSA has provided a guest speaker to each of the three summer camps organized by the Maryland Cybersecurity Center.

E). Educational
In the Fall of 2017, Dumitras is teaching ENEE 657, a graduate computer security course that emphasizes empirical methods in security.

NSA provided 14 mentors in Fall 2016 and 11 in Spring 2017 to the ACES program. Each mentor works with two students, meeting in person twice a semester; ACES provides various topics of discussion to keep the pairs engaged.

Dave Levin has incorporated the results from his research into both graduate and undergraduate courses on Computer and Network Security. Additionally, he has mentored two undergraduates (Cangialosi, now a graduate student at MIT; Larisch, now a graduate student at Harvard), multiple graduate students (Liu and Zhang), and a postdoctoral researcher (Taejoong Chung).

John Baras introduced concepts, models, and algorithmic evaluation of trust in graduate courses on multi-agent control.

Adam Aviv has incorporated elements of his research as capstone projects in his courses. He has also involved several undergraduates in his research.

The edutainment work arose from a class project in Mazurek's graduate class on human factors in security and privacy.

PIs Van Horn and Tobin-Hochstadt lectured at the long-running Oregon Programming Languages Summer School.

Van Horn is currently teaching an experimental variant of the introductory programming sequence featuring prominent use of a design-by-contract programming methodology and automated verification and bug-finding tools recently developed as part of this effort.

Van Horn continues to develop the pedagogically oriented programming environment accompanying the textbook "How to Design Programs". He is investigating a web interface for the system so that users can experiment with the system without needing to install specialized software.