MC2 Researchers Present Six Papers at ACM Security Conference
Researchers affiliated with the Maryland Cybersecurity Center (MC2) had six papers accepted to the 2022 Association for Computing Machinery Conference on Computer and Communications Security (ACM CCS), including two that received honorable mention awards.
The annual conference brings together information security researchers, practitioners, developers and users from around the world. It was held this year from November 7–11 in Los Angeles.
“It's great to see MC2 faculty, students and postdocs continue to produce strong work on so many important topics, from the web’s certificate infrastructure to hardware security, and from secure software development to formalizing aspects of blockchain technologies,” says Michelle Mazurek, an associate professor of computer science and director of MC2.
“Hammurabi: A Framework for Pluggable, Logic-Based X.509 Certificate Validation Policies,” one of the papers to receive an honorable mention, introduces a framework that decouples certificate processing mechanism from certificate validation policy.
The researchers demonstrate that they can express the complex policies of the Google Chrome and Mozilla Firefox web browsers in this framework. They confirm the accuracy of the Hammurabi policies by comparing the validation decisions they make with those made by the browsers themselves on more than 10 million certificate chains derived from certificate transparency logs, as well as 100K synthetic chains.
The paper’s authors include Dave Levin, an assistant professor of computer science and core faculty member in MC2; Michael Lum, who received a bachelor’s degree in computer engineering in 2021 and is now a software engineer at Metron, Inc.; Yaelle Goldschlag, who received a bachelor’s degree in mathematics and computer science and is now a software engineer at Instagram; Leah Kannan, a junior majoring in computer science; Kasra Torshizi, a junior double majoring in computer science and mathematics; Yujie Wang, who received a bachelor’s degree in computer science last spring; and researchers from Duke University, Virginia Tech, Carnegie Mellon University and Northeastern University.
The second paper to receive an honorable mention, “When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer,” experiments with defending post-quantum cryptography systems from active side-channel attacks.
In the paper, the researchers demonstrate the first end-to-end implementation of a successful key recovery attack against FrodoKEM, which was designed as a quantum-resistant public key cryptographic algorithm, using Rowhammer.
Their attack works as follows. First, they launch Rowhammer—a security exploit—to poison FrodoKEM’s KeyGen process. Then, they use a supercomputer to extract private-key material and synthesize this data using a tailored key-recovery algorithm. Finally, any individual FrodoKEM-encrypted session-key can be recovered in around two minutes on a regular laptop.
The paper’s co-author include Dana Dachman-Soled, an associate professor of electrical and computer engineering and core faculty member in MC2; Hunter Kippen, a third-year electrical and computer engineering doctoral student, and researchers from the University of Arkansas, University of Michigan, George Washington University, Georgia Institute of Technology, National Institute of Standards and Technology and the MITRE Corporation.
In addition to their tenured academic appointments, Mazurek, Levin and Dachman-Soled all have appointments in the University of Maryland Institute for Advanced Computer Studies (UMIACS).
The other MC2-affiliated papers presented at the conference were:
“Batching, Aggregation, and Zero-Knowledge Proofs in Bilinear Accumulators,” co-authored by Shravan Srinivasan, a sixth-year computer science doctoral student, and Charalampos Papamanthou, an associate professor of computer science at Yale University and former director of MC2.
“Thora: Atomic and Privacy-Preserving Multi-Channel Updates,” co-authored by Kasra Abbaszadeh, a first-year computer science doctoral student.
“Understanding the How and the Why: Exploring Secure Development Practices through a Course Competition,” co-authored by Mazurek; Kelsey R. Fulton, a sixth-year computer science doctoral student; Daniel Votipka, who received his doctorate in computer science in 2020 and is now an assistant professor of computer science at Tufts University; Desiree Abrokwa, who received a bachelor’s degree in computer science in 2021 and is now a product manager at Oracle; Michael Hicks, a professor of computer science with an appointment in UMIACS; and James Parker, who received his doctorate in computer science in 2020 and is now a software research engineer at Galois, Inc.
—Story by Melissa Brachfeld
Published November 14, 2022