Calendar of Seminars
M Mon
T Tue
W Wed
T Thu
F Fri
S Sat
S Sun
0 seminars,
0 seminars,
1 seminar,
Towards a High-Assurance and Specification-Compliant X.509 PKI Implementation
Towards a High-Assurance and Specification-Compliant X.509 PKI Implementation
The X.509 Public-Key Infrastructure (PKI) is one of the most prominent and widely used authentication mechanisms, which plays a crucial role in different applications such as secure communication (e.g., SSL/TLS, IPSec), software updates, and emails. Flaws in an X.509 PKI implementation can make an application relying on X.509 PKI susceptible to impersonation attacks or interoperability issues. In this talk, I will discuss my group's effort in developing a high-assurance and specification-compliant implementation of X.509 PKI.
First, I will discuss the Symcerts system that uses domain-specific optimizations, symbolic execution, and differential analysis to automatically identify specification non-compliance in open-source SSL/TLS libraries. Second, I will discuss Morpheus, a black-box analysis engine, that automatically checks the logical correctness of RSA signature verification implementations in open-source SSL/TLS libraries through a formally verified oracle. Third, I will discuss my group's effort to formalize and re-engineer the specification of the X.509 certificate chain validation using an executable specification. I will conclude my talk with a sneak peek of our ongoing work on developing a formally verified implementation of the X.509 PKI.
0 seminars,
0 seminars,
0 seminars,
0 seminars,
0 seminars,
0 seminars,
1 seminar,
Understanding and Hardening Blockchain Systems Security under DoS Attacks
Understanding and Hardening Blockchain Systems Security under DoS Attacks
Ethereum is the largest smart-contract platform and second-largest cryptocurrency only after Bitcoin. Under the hood, Ethereum is a peer-to-peer network where miner nodes come to a consensus and decide what transactions to include in the blockchain. In practice, Ethereum's P2P network receives transactions sent from millions of web clients and propagates them to the tens of thousands of miner nodes. While the blockchain-to-client communication channel is a part of the system's critical path, its security is understudied in the existing research literature. This talk presents our recent research examining Ethereum systems security under the denial-of-service attack vectors (CCS'21, NDSS'21, and IMC'21). The security vulnerabilities discovered in these works have been confirmed and then fixed by the Ethereum developer community.
0 seminars,
0 seminars,
0 seminars,
0 seminars,
0 seminars,
0 seminars,
1 seminar,
Small and Different: Security and Privacy Risks of Mobile Browsers
Small and Different: Security and Privacy Risks of Mobile Browsers
Recent years have seen a steady increase in the sales of mobile devices as more and more users purchase smartphones and tablets to supplement their computing needs. The smartphones' cleaner UIs in combination with an ever increasing number of apps and constantly decreasing prices, are attracting more and more users who entrust their devices with sensitive data, such as personal photographs, work emails, and financial information. To browse the web from these devices, users can choose between hundreds of competing mobile browsers, each advertising its own unique set of features.
In this talk, we will discuss the idiosyncrasies of these mobile web browsers and show that they are vulnerable to attacks that were never an issue on traditional desktop browsers. We will first present the results of analyzing over 2,000 versions of mobile browsers, spanning five years and 128 browser families, and show that mobile browsers are becoming more vulnerable to certain classes of attacks with each passing year. We will then focus on the ability of mobile browsers to enforce standard security mechanisms, such as, the HTTP Strict Transport Security mechanism and Content-Security Policy. We will show that mobile browsers lag behind desktop browsers in their support of these mechanisms, resulting in users being less secure when they browse a given website over a mobile browser, as opposed to a desktop browser. Lastly, we will explore the workings of data-savings mobile browsers and how their unique design can open up users to attacks.
0 seminars,
0 seminars,
0 seminars,
0 seminars,
0 seminars,
0 seminars,
1 seminar,
Trustworthy Machine Learning: Robustness, Privacy, Generalization, and their Interconnections
Trustworthy Machine Learning: Robustness, Privacy, Generalization, and their Interconnections
Advances in machine learning have led to rapid and widespread deployment of learning based inference and decision making for safety-critical applications, such as autonomous driving and security diagnostics. Current machine learning systems, however, assume that training and test data follow the same, or similar, distributions, and do not consider active adversaries manipulating either distribution. Recent work has demonstrated that motivated adversaries can circumvent anomaly detection or other machine learning models at test time through evasion attacks, or can inject well-crafted malicious instances into training data to induce errors in inference time through poisoning attacks. In this talk, I will describe my recent research about security and privacy problems in machine learning systems, with a focus on potential certifiably defense approaches via logic reasoning and domain knowledge integration with neural networks. We will also discuss other defense principles towards developing practical robust learning systems with robustness guarantees. Zoom meeting link: https://newcastleuniversity.zoom.us/j/81238177624?pwd=Nm16blNtakgwMmgrVVZpbmNCU2t5Zz09…
0 seminars,
0 seminars,
0 seminars,
0 seminars,
0 seminars,
0 seminars,
1 seminar,
Learning from the People: Responsibly Encouraging Adoption of Contact Tracing Apps
Learning from the People: Responsibly Encouraging Adoption of Contact Tracing Apps
While significant focus was put on developing privacy protocols for these apps, relatively less attention was given to understanding why, and why not, users might adopt them. Yet, for these technological solutions to benefit public health, users must be willing to adopt these apps. In this talk I showcase the value of taking a descriptive ethics approach to setting best practices in this new domain. Descriptive ethics, introduced by the field of moral philosophy, determines best practices by learning directly from the user -- observing people’s preferences and inferring best practice from that behavior -- instead of exclusively relying on experts' normative decisions. This talk presents an empirically-validated framework of user's decision inputs to adopt COVID19 contact tracing apps, including app accuracy, privacy, benefits, and mobile costs. Using predictive models of users' likelihood to install COVID apps based on quantifications of these factors, I show how high the bar is for achieving adoption. I conclude by discussing a large-scale field study in which we put our survey and experimental results into practice to help the state of Louisiana advertise their COVID app through a series of randomized controlled Google Ads experiments.