SoS Speaker Series: Methods and Characteristics of Fraud in Online Advertising

  • Posted on September 8, 2015 at 1:05 pm by whitesel@illinois.edu.

Paul Barford, University of Wisconsin, Madison
October 16, 2015, 10:00 a.m., B02 Coordinated Science Lab

Video

Abstract:  The diversity of entities and complexity of mechanisms involved in the delivery of online display and video advertisements lead to a variety of opportunities for fraudsters.  Recent reports by estimate online fraud in the hundreds of millions of dollars annually.  In this talk, I will provide an overview of the online ad eco-system.  I will describe the methods that are commonly used to commit ad fraud, and the basic approaches to detecting and mitigating fraud.  I will also describe a new type of ad fraud that we call domain laundering, which is quite subtle and takes advantage of the limitations in standard methods for ad placement attribution.  I will provide an overview of the mechanisms used to facilitate domain laundering along with case studies on three different instances of domain laundering that we have identified and diagnosed.  I will conclude with a discussion on approaches for enhanced identification and mitigation of online ad fraud including domain laundering.

Bio: Paul Barford is a professor of Computer Sciences at the University of Wisconsin-Madison. He is also the Chief Scientist at comScore, Inc. His research interests are in computer networking and communications, large data analytics, and Internet security. He was the founder of Nemean Networks (acquired by Qualys in ’10) and co-founder of MdotLabs (acquired by comScore in ’14). He has published over 100 research papers and has served on numerous national and international panels, editorial boards, organizing committees, and program committees. He has an NSF CAREER award, several best paper awards and is a Distinguished Member of the ACM and a Senior Member of the IEEE.

SoS Speaker Series: Seven Years of Mobile Smartphone Security

  • Posted on September 3, 2015 at 12:56 pm by whitesel@illinois.edu.

Patrick McDaniel, The Pennsylvania State University
September 24, 10:00 a.m., B02 Coordinated Science Lab
Slides

Abstract: The introduction of smart phones in 2008 forever changed the way users interact with data and computation. These platforms and the network and cloud services supporting them have led to a renaissance of mobile computing. At the same time, changes in the nature of personal computing heighten concerns about security and privacy. Such concerns prompted an ongoing area of scientific study exploring smartphone and application security. Through these efforts, the technical community has become increasingly aware that applications can (and in many cases have) work against the user’s best interests and house new forms of malware.

This talk explores the genesis and evolution of academic research efforts in evaluating smartphone application security over the first seven years of its existence. A retrospective view of how the community’s understanding of application security has changed over the years is provided, with a focus on the scientific questions asked and the methods used. We highlight a range of analysis techniques that extract software structures and behaviors from smartphone applications, and describe several studies that identified important security and privacy concerns. The talk concludes by considering the realities of current mobile apps and markets and identifies challenges in preventing misuse of smartphones.

Bio: Patrick McDaniel is a Professor in the Computer Science and Engineering Department at The Pennsylvania State University, co-director of the Systems and Internet Infrastructure Security Laboratory, IEEE Fellow, and Chair of the IEEE Technical Committee for Security and Privacy. Dr. McDaniel is also the program manager and lead scientist for the newly created Cyber-Security Collaborative Research Alliance. Patrick’s research efforts centrally focus on network, telecommunications, systems security, language-based security, and technical public policy. Patrick was the editor-in-chief of the ACM Journal Transactions on Internet Technology (TOIT), and served as associate editor of the journals ACM Transactions on Information and System Security, IEEE Transactions on Computers, and IEEE Transactions on Software Engineering. Patrick was awarded the National Science Foundation CAREER Award and has chaired several top conferences in security including, among others, the 2007 and 2008 IEEE Symposium on Security and Privacy and the 2005 USENIX Security Symposium. Prior to pursuing his Ph.D. at the University of Michigan, Patrick was a software architect and project manager in the telecommunications industry.

 

SoS Speaker Series: Thoughts on Retrofitting Legacy Code for Security

  • Posted on June 16, 2015 at 11:00 am by whitesel@illinois.edu.

Somesh Jha, University of Wisconsin, Madison
April 2, 4:00 p.m., 301 Coordinated Science Lab
Slides

Abstract: Writing a complex but secure program is a near-impossible task for a conventional operating system. If an attacker compromises any module of a trusted program running on such a system, then the attacker can perform arbitrary operations on the system. However, if a program runs on a privilege-aware operating system, then the program can invoke system calls to explicitly manage the privileges of its modules, and thus minimize the abilities of an attacker. The developers of privilege-aware systems have rewritten complex programs to invoke such system calls to satisfy strong security properties. However, such systems have not been adopted by developers outside the development community of each system. Moreover, even the systems’ own developers often write programs for their system that they believe to be correct, only to realize later through testing that the rewritten program is insecure or does not demonstrate desired functionality of the original program.

In this talk we will examine the challenges in rewriting programs for privilege-aware systems, and present a tool, called a policy weaver, that rewrites programs for such systems automatically. Our policy weaver takes as input a program written for a conventional system and a small and declarative policy (i.e., a regular expression describing allowed program executions). The weaver outputs a version of the program that invokes system calls so that it satisfies the policy. The weaver reduces each rewriting problem to finding a correct strategy to a two-player automata-theoretic safety game. We describe our experience developing a policy weaver for the Capsicum privilege-aware operating system (now included in FreeBSD 9.0), and describe how a policy weaver for an arbitrary privilege-aware system can be constructed automatically by providing a declarative model of the system to a policy-weaver generator. I will conclude by describing some future work and encourage other researchers to work on some interesting problems on this topic.

Bio: Somesh Jha received his B.Tech in Electrical Engineering from the Indian Institute of Technology, New Delhi. He received his Ph.D. in Computer Science from Carnegie Mellon University in 1996. Currently, Somesh Jha is a Professor in the Computer Sciences Department at the University of Wisconsin (Madison), which he joined in 2000. His work focuses on analysis of security protocols, survivability analysis, intrusion detection, formal methods for security, and analyzing malicious code. Recently he has also worked on privacy-preserving protocols. Somesh Jha has published over 150 articles in highly-refereed conferences and prominent journals. He has won numerous best-paper awards. Somesh also received the NSF CAREER award in 2005.