
Cybersecurity
The security research group performs extensive work in areas such as software supply chain security, web security and privacy, smartphone and mobile security, database security, trustworthy ML/AI, homomorphic encryption and human-centered security and privacy. It also makes significant contributions to open-source software. The group’s research has been externally funded by agencies such as the NSF, DARPA and the NSA, and members are recipients of two NSF CAREER awards and one DARPA Young Faculty Award. The group aims to publish its research in top security and related venues, such as USENIX Security Symposium, IEEE Security and Privacy Symposium, ACM Conference of Computer and Communications Security, ACM Mobicom and ACM SIGMOD.

Reza Curtmola
Research Areas: Cybersecurity, software security, web security and privacy

Defending Software Supply Chains Against Hackers
Funded by DARPA and the NSF, we have developed in-toto, an open-source framework that promises to safeguard software for developers and end users. In-toto provides organizations with insights into the software development and distribution chain, such as having a provable assurance that proper software development practices were followed. With in-toto in place, it will be more difficult for malicious code to be slipped into software products, thus raising the bar significantly for attackers. Through integrations, in-toto is currently used by thousands of companies and has improved the security of millions of users.

Web Security and Privacy
The goal of this project is to explore targeted privacy attacks on the web through the lens of side channels. We uncovered new attacks that can lead to targeted deanonymization on the web by using CPU cache side channels. In particular, we uncover a set of practical and scalable attacks that can deanonymize users in several important settings for which prior attack methods are not effective. This affects all major browsers, including Chrome, Firefox, Safari, Edge, Tor Browser and numerous major sites, including Google, Twitter, LinkedIn, TikTok, Facebook, Instagram and Reddit. Our attacks run in less than 3 seconds in most cases and can be scaled to target an exponentially large number of users. More importantly, we provide a comprehensive countermeasure against all of the attacks we discovered. This countermeasure is already available on the Chrome and Firefox extension stores and can be downloaded and installed immediately by concerned users. This work was published in the 31st USENIX Security Symposium.

Iulian Neamtiu
Research Areas: Programming languages, software engineering and their applications to reliable AI, smartphones, security

Android Security
Our research is focused on security issues in Android apps and the Android platform, including exposing deceptive practices in apps, apps attempting to cover their traces, ransomware, unauthorized collection and transmission of user data in general and personally identifiable health information in particular, and apps refusing to disclose the data they collect or refusing to delete data when legally mandated.

Shantanu Sharma
Research Areas: Database, security, privacy, blockchain, IoT

Information-Theoretically Secure Processing
Despite over two decades of research, secure data outsourcing remains an open challenge. Information-theoretically secure techniques provide the highest level of security regardless of the computational capabilities of an adversary. One of the well-known information-theoretically secure techniques is Shamir’s secret sharing. We develop information-theoretically secure data processing systems that can efficiently execute different types of SQL queries on large databases. Furthermore, we focus on information-theoretically secure machine learning techniques.

Smart and Privacy-Preserving Smart Spaces
Smart spaces are growing rapidly. Examples of smart spaces are office/university buildings, shopping malls, train/bus stations and airports that capture user-related data via different types of sensors. While such sensor data is beneficial to developing multiple value-added services, smart spaces jeopardize user privacy due to mixing sensor data with the digital representation of space. For example, tracking a person in real time can reveal their behavior. We develop an end-to-end secure and privacy-preserving smart space that respects user privacy at each stage of data processing, such as data collection, storage, processing, sharing and auditing.

Cong Shi
Research Areas: Mobile Security

Privacy Study of Unrestricted Motion-Position Sensors in the Age of Extended Reality
Extended Reality (XR) has gained popularity in numerous fields. We conduct a comprehensive study to assess the trustworthiness of the embedded sensors on XR, which embed various forms of sensitive data that may put users’ privacy at risk. We find that accessing most on-board sensors (e.g., motion, position and button sensors) on XR SDKs/APIs requires no user permissions, exposing a huge attack surface for an adversary to steal users’ private information, such as keystrokes, speech and sensitive physiological states.

Zhihao “Zephyr” Yao
Research Areas: Operating systems, mobile computing, security and privacy, system support for secure AI/ML

Strengthening Trust and Security in Mobile Systems
In our increasingly digitized society, ensuring the security of mobile systems has become critical, especially as smartphone owners often run security-critical financial applications and life-critical medical applications alongside untrusted programs. Our research focuses on creating novel solutions to strengthen trust in these devices, particularly in scenarios where security and privacy are challenged by the increasingly complex software stack and the integration of artificial intelligence. By minimizing the Trusted Computing Base (TCB), designing trusted execution environments and developing hardware-based isolation techniques, we aim to provide robust safeguards against privacy leakage, unauthorized access and service disruption, while maintaining performance and usability. These efforts enable secure and reliable mobile systems that support a range of novel applications, from verifying video authenticity to ensuring the reliability of high-assurance medical systems.

Enhancing Privacy and Security in Large Language Model Interactions
As Large Language Models (LLMs) become more integrated into online experiences, the privacy and security implications of their use are increasingly concerning. Our research aims to address these challenges by developing methods to protect user privacy and enhance the security of LLM interactions. We focus on mitigating privacy risks by sanitizing sensitive user data before it reaches LLM services and examining the security flaws in LLM-generated code. Additionally, we explore the security implications of the emerging WebGPU interface, which is increasingly used in conjunction with LLMs to accelerate performance in a web browser. Our goal is to make the interactions with LLMs more secure for everyday users.

Nathan Malkin
Research Area: Human-centered security and privacy

Human-Centered Security and Privacy
Our research investigates how human factors (people’s distinctive priorities, abilities and limitations, as well as group behaviors and processes) contribute to cybersecurity and privacy failures and how we can improve our systems to avoid these problems. For example, we have studied how system administrators deploy software updates, developers write secure code and end users manage their privacy with respect to voice assistants. We then design and empirically validate systems that help people overcome these technological challenges through more usable interfaces, such as by automating and eliminating confusing choices in smart home settings.