MC2 Faculty, Students Have Five Papers Accepted to ACM Conference on Computer and Communications Security
Published October 10, 2018
Faculty and students in the Maryland Cybersecurity Center (MC2) had five papers accepted to the 2018 Association for Computing Machinery (ACM) Conference on Computer and Communications Security (CCS).
The event—held this year from October 15–19 in Toronto—is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the ACM. The conference brings together information security researchers, practitioners, developers and users from all over the world to explore cutting-edge ideas and results.
The MC2 researchers are presenting work covering a wide array of security-related topics, including fuzz testing, examining security behaviors, and symmetric searchable encryption.
“ACM CCS is one of the top conferences in cybersecurity,” says Jonathan Katz, professor of computer science and director of MC2. “Having multiple papers accepted there is a tremendous accomplishment for our students and faculty.”
“Evaluating Fuzz Testing” examines prior research on fuzz testing—a quality assurance technique used to discover coding errors and security loopholes in software—and evaluates whether that research produces trustworthy results.
The research was supervised by Michael Hicks, a professor of computer science, and conducted by George Klees, a freshman majoring in computer science; Benji Cooper, a senior majoring in computer science; Andrew Ruef, a fifth-year computer science doctoral student; and Shiyi Wei, an assistant professor of computer science at the University of Texas at Dallas and a former postdoctoral researcher at MC2.
The team examined the experimental evaluations carried out by 32 recently published papers on fuzz testing. As detailed further in Hicks’s recent blog post, they found that every published fuzz testing evaluation lacked sufficient scientific rigor, to varying degrees, thus casting doubt on the published conclusions.
The researchers then performed their own extensive experimental evaluation of an existing fuzz tester. They found that using rigorous methods yielded results very different from those produced by the weaker methods they saw in prior work. Their experiments showed that the general problems they found in existing experimental evaluations can indeed translate into wrong or misleading assessments.
They conclude by presenting guidelines for carrying out future fuzz testing experimental evaluations, which, if followed correctly, should make reported results more robust.
Another paper, “Asking for a Friend: Evaluating Response Biases in Security User Studies,” asserts that when studying security behaviors, there is often a disconnect between what people say they do and what they actually do.
The paper is co-authored by Michelle Mazurek, an assistant professor of computer science; Tudor Dumitraș, an assistant professor of electrical and computer engineering; Elissa Redmiles, a fourth-year computer science doctoral student; Ziyun Zhu, a sixth-year electrical and computer engineering doctoral student; and researchers from the University of California and Maharaja Agrasen Institute of Technology.
The team examined this disconnect in people’s behaviors in the context of software updates. They compared survey results on how quickly people applied a newly available patch with survey results on what people would recommend to a friend about applying a new patch, and then measured, from a Symantec dataset, how quickly patches were actually applied.
The researchers found that people answer some kinds of questions more accurately than others, and that the gap between self-reports and measurement is often fairly consistent.
Other MC2-authored papers being presented are:
“Improved Non-Interactive Zero Knowledge with Applications to Post-Quantum Signatures” presents an improved and shorter approach for constructing post-quantum signatures—signature schemes that are secure even against quantum computers—based on secure computation protocols.
The paper is co-authored by Katz and Xiao Wang, who recently received his doctorate in computer science and accepted an academic appointment as an assistant professor at Northwestern University.
The team, which also includes a researcher from Georgia Tech, says they are exploring other applications of their work as it might apply to smart contracts and/or the verification of arithmetic circuits.
“New Constructions for Forward and Backward Private Symmetric Searchable Encryption” advances the study of dynamic searchable encryption. It proposes the first practical constructions using “backward privacy,” a property ensuring that no information about previously deleted files is revealed by subsequent keyword queries.
Charalampos (Babis) Papamanthou, an assistant professor of electrical and computer engineering, collaborated on the paper with researchers from Hong Kong University of Science and Technology and Sharif University of Technology.
“‘What was that site doing with my Facebook password?’: Designing Password-Reuse Notifications” discusses best practices for password-reuse notifications and how notifications alone appear insufficient to solve password reuse.
The paper is co-authored by Redmiles and researchers from the University of Chicago and Ruhr University Bochum.
The researchers explain that password reuse is widespread, so a breach of one provider’s password database threatens accounts on other providers. When companies find stolen credentials on the black market and notice potential password reuse, they typically send users a notification that their password has been reused, and suggest that they change the password on the account, as well as any other accounts that share the same password.
In this work, the team explores how effective such notifications are at motivating people to change reused passwords, and what components of notifications are most effective for motivating secure behavior.
In addition to their work in MC2, Katz, Hicks, Dumitraș, Mazurek and Papamanthou have appointments in the University of Maryland Institute for Advanced Computer Studies (UMIACS).
MC2 is supported by the College of Computer, Mathematical, and Natural Sciences and the A. James Clark School of Engineering. It is one of 16 centers and labs in UMIACS.
—Story by Melissa Brachfeld