MC2 Researchers Present 10 Papers at Upcoming Security Symposiums

Faculty, postdocs and students in the Maryland Cybersecurity Center (MC2) will present 10 papers next month at co-located symposiums focused on the security and privacy of computer systems and networks, as well as human-computer interaction, security and privacy.

Things kick off on August 8 with the 17th Symposium on Usable Privacy and Security (SOUPS), followed on August 11 by the 30th USENIX Security Symposium.

Both events are being held in a virtual format this year due to the ongoing COVID-19 pandemic.

MC2 researchers are featured at both symposiums, presenting a diverse array of security-related topics, including encouraging users of popular messaging apps to employ end-to-end encryption, newly discovered distributed denial of service attacks, the perceived risks of sending documents containing sensitive information, and more.

“The MC2 papers at USENIX Security and SOUPS showcase the high-quality work our faculty and students are conducting across a wide range of security topics—from cryptography to network security, from malware to human-centered security and privacy,” says Michelle Mazurek, an associate professor of computer science and director of MC2. “This diversity of topics and methods is a core strength of MC2.”

One example of the work being presented is “Evaluating In-Workflow Messages for Improving Mental Models of End-to-End Encryption,” which explores end-to-end (e2e) encryption.

The paper is co-authored by Mazurek and UMD computer science doctoral student Omer Akgul, undergraduate research assistant Shruti Das and Wei Bai, who received his doctoral degree in electrical and computer engineering in 2019.

The researchers created educational messages to improve functional mental models of e2e encryption and evaluated them in both a controlled and a more realistic setting. Their results suggest short educational messages can be useful if users pay attention to them. However, they hypothesize that in-app nudging may require more intrusiveness to be effective.

Another paper being presented, “Database Reconstruction from Noisy Volumes: A Cache Side-Channel Attack on SQLite,” demonstrates the feasibility of database reconstruction under a cache side-channel attack on SQLite, a C-language library that implements a small and fast SQL database engine.

The paper is co-authored by Dana Dachman-Soled, an associate professor of electrical and computer engineering; Aria Shahverdi, a doctoral student in electrical and computer engineering; and Mahammad Shirinov of Bilkent University, who interned with Dachman-Soled’s group in Summer 2019.

After launching the side-channel attack on the SQLite database management system, the researchers developed two algorithms that approximately recovered the database using the information leaked from the attack.

They also present the effectiveness of closest vector problem (CVP) solvers in reducing the overall noise in the recovered databases to obtain databases with improved accuracy. Dachman and her team showed that for attributes with ranges of size 12, their algorithm can recover the approximate database in 190 seconds at most with maximum error percentage of 0.11%.

Other MC2 papers being presented at USENIX are:

It's stressful having all these phones": Investigating Sex Workers’ Safety Goals, Risks, and Practices Online,” by Allison McDonald, University of Michigan; Catherine Barwulor, Clemson University; Michelle L. Mazurek, UMD; Florian Schaub, University of Michigan; and Elissa M. Redmiles, Max Planck Institute for Software Systems

Through interviews and surveys with sex workers, the researchers examine participants’ safety goals, including how sex workers perceived risks to their safety from clients, platforms and legal entities. The researchers’ results suggest that sex workers are well aware of the risks presented by digitally mediated sex work and are employing multiple ways to protect their privacy and security. However, they often rely on manual strategies, such as using multiple devices, as current tools don’t balance effort and efficacy well enough to address their safety needs and goals.

Weaponizing Middleboxes for TCP Reflected Amplification,” by Kevin Bock, UMD; Abdulrahman Alaraj, University of Colorado Boulder; Yair Fax and Kyle Hurley, UMD; Eric Wustrow, University of Colorado Boulder; and Dave Levin, UMD

The researchers discover that firewalls and other kinds of network-based "middleboxes"—the foundation of Internet security—can be weaponized by attackers to launch unprecedentedly large denial of service attacks. They used Geneva, an artificial intelligence tool they created, to discover new TCP-based amplification attacks that trick middleboxes into sending large amounts of traffic to unsuspecting victims. Their results show that middleboxes introduce an unexpected, as-yet untapped threat that attackers could leverage to launch these powerful amplification attacks. They conclude that censoring nation-states pose a more universal threat than previously understood.

Strategies and Perceived Risks of Sending Sensitive Documents,” by Noel Warford, UMD; Collins W. Munyendo, George Washington University; Ashna Mediratta, University of Maryland; Adam J. Aviv, George Washington University; Michelle L. Mazurek, UMD

This paper reports on two surveys of users’ experiences sending documents containing sensitive information. They note that participants report high levels of satisfaction with the privacy and convenience of their existing methods, while recognizing that there are possible risks associated with transmitting this information. These results suggest new opportunities for tools and user interventions designed to make secure transmission of documents simpler and more transparent.

When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World,” by Erin Avllazagaj, UMD; Ziyun Zhu, Facebook; Leyla Bilge, NortonLifeLock Research Group; Davide Balzarotti, EURECOM; and Tudor Dumitraș, UMD

The researchers present the first analysis of malware, PUP and benign-sample behavior in the wild, using execution traces collected from 5.4M real hosts from 113 countries. They empirically measure how much more variable malware behavior is compared to benign. Their research findings have important implications for malware analysts, and they emphasize the unique insights that can be gained by monitoring malware behavior at scale, on real hosts.

Mystique: Efficient Conversions for Zero-Knowledge Proofs with Applications to Machine Learning,” by Chenkai Weng, Northwestern University; Kang Yang, State Key Laboratory of Cryptology; Xiang Xie, Shanghai Key Laboratory of Privacy-Preserving Computing; Jonathan Katz, UMD; and Xiao Wang, Northwestern University

Recent progress in interactive zero-knowledge (ZK) proofs has improved the efficiency of proving large-scale computations significantly. Nevertheless, real-life applications (e.g., in the context of private inference using deep neural networks) often involve highly complex computations, and existing ZK protocols lack the expressiveness and scalability to prove results about such computations efficiently. In this paper, the researchers design, develop, and evaluate a ZK system (Mystique). Their system is the first to support ZK proofs about neural-network models with over 100 layers with virtually no loss of accuracy.

Other MC2 papers being presented at SOUPS are:

Comparing Security and Privacy Attitudes Among U.S. Users of Different Smartphone and Smart-Speaker Platforms,” by Desiree Abrokwa, Shruti Das, Omer Akgul, and Michelle L. Mazurek, UMD

Many studies of mobile security and privacy are limited to either only Android users or only iOS users. However, it is not clear whether there are systematic differences in the privacy and security knowledge or preferences of users who select these two platforms. Understanding these differences could provide important context about the generalizability of research results. This paper reports on a survey with a demographically diverse sample of U.S. Android and iOS users. The researchers ultimately found no significant differences in privacy attitudes of different platform users.

Pursuing Usable and Useful Data Downloads Under GDPR/CCPA Access Rights via Co-Design,” by Sophie Veys and Daniel Serrano, University of Chicago; Madison Stamos, University of Chicago/Google; Margot Herman, University of Chicago; Nathan Reitinger and Michelle L. Mazurek, UMD; and Blase Ur, University of Chicago

Data privacy regulations, such as the California Consumer Privacy Act, define a right of access empowering consumers to view the data companies store about them. Companies satisfy these requirements in part via data downloads, or downloadable archives containing this information. Data downloads vary in format, organization and more, but it’s unknown whether they achieve the transparency goals embodied by the right of access. The researchers report on the first exploration of the design of data downloads. Through 12 focus groups, they gathered reactions to six companies’ data downloads. Most participants indicated that current offerings need improvement.

Benefits and Drawbacks of Adopting a Secure Programming Language: Rust as a Case Study,” by Kelsey R. Fulton and Anna Chan, UMD; Daniel Votipka, Tufts University; Michael Hicks and Michelle L. Mazurek, UMD

Secure programming languages are designed to alleviate common vulnerabilities that are otherwise difficult to eliminate. However, these languages cannot provide any security guarantees if they aren’t adopted. To understand the benefits and hindrances that influence adoption in practice, using Rust as a case study, the researchers interviewed 16 software engineers and surveyed 178 members of the Rust developer community. Participants reported a variety of benefits and drawbacks to adopting Rust, including upfront costs like a steep learning curve and longer-term benefits like shorter development cycles.

—Story by Melissa Brachfeld

The Maryland Cybersecurity Center (MC2) is jointly supported by the A. James Clark School of Engineering and the College of Computer, Mathematical, and Natural Sciences. It is one of five major centers in the University of Maryland Institute for Advanced Computer Studies.


Published July 14, 2021