Publications

Verifiable ASICs

August 18, 2016

Riad S. Wahby, Max Howald, Siddharth Garg, Abhi Shelat, and Michael Walfish

A manufacturer of custom hardware (ASICs) can undermine the intended execution of that hardware; high-assurance execution thus requires controlling the manufacturing chain. However, a trusted platform might be orders of magnitude worse in performance or price than an advanced, untrusted platform. This paper initiates exploration of an alternative: using verifiable computation (VC), an untrusted ASIC computes proofs of correct execution, which are verified by a trusted processor or ASIC.

LAVA: Large-Scale Automated Vulnerability Addition

August 18, 2016

Brendan Dolan-Gavitt, Patrick Hulin, Engin Kirda, Tim Leek, Andrea Mambretti, William K. Robertson, Frederick Ulrich, and Ryan Whelan

Work on automating vulnerability discovery has long been hampered by a shortage of ground-truth corpora with which to evaluate tools and techniques. This lack of ground truth prevents authors and users of tools alike from being able to measure such fundamental quantities as miss and false alarm rates. In this paper, we present LAVA, a novel dynamic taint analysis-based technique for producing ground-truth corpora by quickly and automatically injecting large numbers of realistic bugs into program source code.

Activation of logic encrypted chips: Pre-test or post-test?

August 16, 2016

Muhammad Yasin, Samah Mohamed Saeed, Jeyavijayan Rajendran, and Ozgur Sinanoglu

The authors assess and compare the pre-test and post-test activation models of logic encrypted chips.

Supply-Chain Security of Digital Microfluidic Biochips

August 15, 2016

Sk Subidh Ali, Mohamed Ibrahim, Jeyavijayan Rajendran, Ozgur Sinanoglu, and Krishnendu Chakrabarty

Digital microfluidic biochips (DMFBs) implement novel protocols for highly sensitive and specific biomolecular recognition. However, attackers can exploit supply-chain vulnerabilities to pirate DMFBs’ proprietary protocols or modify their results, with serious consequences for laboratory analysis, healthcare, and biotechnology innovation.

Securing pressure measurements using SensorPUFs

August 11, 2016

Jack Tang, Ramesh Karri, and Jeyavijayan Rajendran

We present a micro-electro-mechanical (MEM) relay based physical unclonable function (PUF) that is capable of sensing pressure while providing an assurance of authenticity. The unique properties of the SensorPUF arise from the pressure sensitivity of electrostatically actuated MEM relay structures.

On omitting commits and committing omissions: Preventing Git metadata tampering that (re)introduces software vulnerabilities

August 10, 2016

Santiago Torres-Arias, Anil Kumar Ammula, Reza Curtmola, and Justin Cappos

Metadata manipulation attacks represent a new threat class directed against Version Control Systems, such as the popular Git. This type of attack provides inconsistent views of a repository state to different developers, and deceives them into performing unintended operations with often negative consequences.

Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software

August 10, 2016

Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panayiotis Mavrommatis, Niels Provos, Elie Bursztein, and Damon McCoy

In this work, we explore the ecosystem of commercial pay-per-install (PPI) and the role it plays in the proliferation of unwanted software. Commercial PPI enables companies to bundle their applications with more popular software in return for a fee, effectively commoditizing access to user devices.

Two-Party Privacy Games: How Users Perturb When Learners Preempt

August 10, 2016

Jeffrey Pawlick and Quanyan Zhu

Internet tracking technologies and wearable electronics provide a vast amount of data to machine learning algorithms. This stock of data stands to increase with the developments of the internet of things and cyber-physical systems. Clearly, these technologies promise benefits. But they also raise the risk of sensitive information disclosure. To mitigate this risk, machine learning algorithms can add noise to outputs according to the formulations provided by differential privacy. At the same time, users can fight for privacy by injecting noise into the data that they report.

You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications

August 10, 2016

Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson

Security researchers can send vulnerability notifications to take proactive measures in securing systems at scale. However, the factors affecting a notification’s efficacy have not been deeply explored. In this paper, we report on an extensive study of notifying thousands of parties of security issues present within their networks, with an aim of illuminating which fundamental aspects of notifications have the greatest impact on efficacy.

Self-Efficacy in Cybersecurity Tasks and Its Relationship with Cybersecurity Competition and Work-Related Outcomes

August 9, 2016

Jian Ming Colin Wee, Masooda Bashir, and Nasir Memon

Research on cybersecurity competitions is still in its nascent state, and many questions remain unanswered, including how effective these competitions actually are at influencing career decisions and attracting a diverse participant base. The present research aims to address these questions through surveying a sample of ex-cybersecurity competition participants from New York University’s Cyber-Security Awareness Week (CSAW).

Non-Deterministic Timers for Hardware Trojan Activation (Or How a Little Randomness Can Go the Wrong Way)

August 8, 2016

Frank Imeson, Saeed Nejati, Siddharth Garg, and Mahesh V. Tripunitara

The security of digital Integrated Circuits (ICs) is essential to the security of a computer system that comprises them. A particularly pernicious attack is the insertion of a hardware backdoor, that is triggered in the field using a timer that is also inserted in the hardware. Prior work has addressed deterministic timer-based triggers—those that are designed to trigger at a specific time with probability.

InVEST: Intelligent visual email search and triage

August 7, 2016

Jay Koven, Enrico Bertini, Luke Dubois, and Nasir Memon

Large email data sets are often the focus of criminal and civil investigations. This has created a daunting task for investigators due to the extraordinary size of many of these collections. Our work offers an interactive visual analytic alternative to the current, manually intensive methodology used in the search for evidence in large email data sets. These sets usually contain many emails which are irrelevant to an investigation, forcing investigators to manually comb through information in order to find relevant emails, a process which is costly in terms of both time and money.

Cybersecurity for Control Systems: A Process-Aware Perspective

July 27, 2016

Farshad Khorrami, Prashanth Krishnamurthy, and Ramesh Karri

The authors argue that it is vital to develop effective real-time attack monitoring and threat mitigation mechanisms.

The Right to be Forgotten in the Media: A Data-Driven Study

July 14, 2016

Minhui Xue, Gabriel Magno, Evandro Cunha, Virgilio Almeida, and Keith W. Ross

Due to the recent “Right to be Forgotten” (RTBF) ruling, for queries about an individual, Google and other search engines now delist links to web pages that contain “inadequate, irrelevant or no longer relevant, or excessive” information about that individual. In this paper we take a data-driven approach to study the RTBF in the traditional media outlets, its consequences, and its susceptibility to inference attacks.

Cross-layer secure cyber-physical control system design for networked 3D printers

July 6, 2016

Zhiheng Xu and Quanyan Zhu

The authors explore the vulnerabilities of 3D-printing systems, and design a cross-layer approach for the system.

Deterring Financially Motivated Cybercrime

July 5, 2016

Zachary K. Goldman and Damon McCoy

In “Deterring Financially Motivated Cybercrime,” Zachary K. Goldman and Damon McCoy present three strategies for deterring attacks that use malicious cyber capabilities to generate a profit.

The Cybersecurity Competition Experience: Perceptions from Cybersecurity Workers

June 22, 2016

Colin Wee, Masooda Bashir, and Nasir Memon

How do workers within the field of cybersecurity perceive cybersecurity competitions? This study aims to address this question and investigate if competitions left a positive mark on the information security workers who participated in them.