Cellular and Telphone Network Security
The world has a fundamental reliance on the cellular and telphony system for secure communication and the establishment of indentity. Our work is actively studying security risks in telephony systems, ranging from understanding robocalls to insecure VoIP systems. This work integrates knowledge from fields as diverse as signal processing and digital communications; data science, machine learning, and statistics; cryptography; program analysis; reverse engineering; and Internet and telephone networks.
Faculty Contacts: Brad Reaves
A significant amount of computation and storage is outsourced to public clouds. Our research seeks to design novel security architectures that provide enhanced security capabilities cloud environments. For example, we have proposed novel types of introspection using hypervisors that create new opportunities for forensics. We have also leveraged the elasticity and emphemeral natures of cloud computing to provide better resiliency to network-based attacks.
The Crypto Group focuses on designing protocols for advanced cryptographic tasks such as zero-knowledge proofs and secure computation, and applying them to enhance privacy in emerging technologies (e.g., blockchain). Our main activities are:
- Designing cryptographic protocols for enhancing anonymity of users with application to privacy-preserving blockchain transactions.
- Designing cryptographic building blocks that offer composable security guarantees, and can be plugged securely in complex systems.
- Designing cryptographic protocols that are agnostic to any specific hardness assumptions and can be instantiated with Post-Quantum secure primitives.
Faculty Contacts: Alessandra Scafuro
Internet of Things (IoT) devices represent a significant security challenge due to their heterogeneity, scale, and resource constraints. Our research has taken a network-based approach to defending IoT smart home users, proposing novel frameworks for enhanced transparency and protection. Through these investigations, we have also discover fundamental design flaws in the ways in which smart home devices report telemetry and state, leading to ways in which attackers can blind and confuse smart home devices used for physical security.
Mobile devices are a primary computing platform for many users, if not their only platform. Our search has significantly enhanced the state of mobile platform and application security through the development of novel analysis tools and new architecture that provide enhanced protections. These efforts include both static and dynamic program analysis tools for Android applications to discover malware, privacy infrigements, and vulnerabilities. We have also targeted the platforms themselves, using static program analysis of the Android platform to discover missing or incorrect access control checks, as well as using reverse engineering to extract and formally model access control in iOS. Finally, we have also proposed generalized security frameworks for adapting the Android platform, as well as methods to incorporate strong Information Flow Control (IFC) guarantees.
Our rearch seeks to better understand network security through a combination of empirical measurements and novel network architectural defenses. For example, we used Software Defined Networking (SDN) to build distribured information flow protections for enterprises, as well as new models for adaptively isolating IoT smart home devices.
Our research covers a broad array of privacy topics in computing. Recent efforts have focused on privacy in mobile and Internet of Things (IoT) devices. In the mobile domain, we have used static and dynamic program analysis to study how applications abuse privacy sensitive information that is made available by the operating system (sometimes unintionally). We have also used Natural Language Processing (NLP) to infer text input semantics as well as sharing and collection practices in privacy policies. In the IoT domain, we have built network frameworks to study privacy implications of smart home devices, as well as novel defenses for end users.
Our research uses static and dynamic analysis to discover vulnerabilities in software applications and platforms. These efforts commonly include static program analysis, reverse engineering, and formally modeling of security requirements (e.g., access control logic). For example, we have studied flaws in access control policy and enforcement logic in both the Android and iOS mobile platforms, discovering over a dozen CVEs. We have also perform large scale studies of software ecosystems (e.g., GitHub) to better understand the types of vulnerabilities that these environments introduce (e.g., exposing secrets within code).
Web Security and Privacy
Our research seeks to better understand how the web works and evolves over time and how we can make it more secure for the users. Research efforts range from designing a secure browser architecture to measuring and understanding large-scale Internet attacks. Also we are working on building instrumented browsers that can enable us to explore ways in which online trackers are evolving and coming up with new ways to track our digital footprint.