MC2 Faculty, Students Have Four Papers Accepted to the IEEE Symposium on Security & Privacy

Faculty and students in the Maryland Cybersecurity Center (MC2) had four papers accepted to the 2017 IEEE Symposium on Security & Privacy.

The annual event—held this year from May 22–24 in San Jose, California—is considered the premier forum for presenting developments in computer security.

“We're excited to see our work being recognized by our peers,” says Jonathan Katz, a professor of computer science and director of MC2. “This indicates the strength of our research in various areas of cybersecurity, including advanced cryptography, usability, and network security.”

In addition to Katz, MC2 faculty Dave Levin, Michelle Mazurek, and Charalampos (Babis) Papamanthou, as well as postdoctoral researchers Dimitrios Papadopoulos and Daniel Genkin, and graduate students Doowon Kim and Yupeng Zhang, were involved in papers accepted to the symposium.

One of the papers, “Comparing the Usability of Cryptographic APIs,” focuses on evaluating the usability of cryptographic libraries that software designers rely on when incorporating cryptography in their applications.

“Cryptography can be really hard for non-experts to get right,” says lead author Mazurek, an assistant professor of computer science who also holds an appointment in the Human-Computer Interaction Lab. “Our work examines how and why it is difficult.”

Mazurek says that people have recently developed “simplified” cryptographic libraries that are intended to ensure that non-experts use cryptography correctly and avoid common errors. But no one had actually evaluated whether and why these simplified libraries improve outcomes, she says.

For their research, the team, which also included researchers from the National Institute of Standards and Technology and Saarland University, evaluated five cryptographic libraries.

The researchers found that simplified libraries do help, but there are important caveats—if they do not cover the complete set of necessary tasks or if the documentation is poor, the libraries may not provide an overall improvement. The results, Mazurek says, point to needed improvements so that non-experts can use cryptography effectively.

Another paper, “CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers,” introduces a system that would more efficiently push certificate revocations to web browsers.

Levin, an assistant professor of computer science and a co-author on the paper, explains that web browsers rely on HTTPS to secure communication with websites, and at the heart of this process are cryptographic “certificates”—cryptographically signed statements from “certificate authorities” (CAs)—that vouch that a website is who it claims to be.  

But sometimes these certificates need to be revoked, especially in the wake of a major cyberattack, such as 2014’s Heartbleed bug. Compromised websites request that their CA revoke their certificate, and web browsers download the revocations from the CAs. To ensure the security of HTTPS, user’s browsers should download every revocation.

“Unfortunately, no major browsers today do this—in fact, our study in 2015 showed that no mobile browsers download any revocations,” Levin says. “One of the main arguments against downloading revocations is that it requires downloading too much data—downloading all revocation information today could take gigabytes, which is untenable, especially for mobile browsers.”

Levin and other researchers from Northeastern University, Duke University, and Akamai Technologies have developed a new system called CRLite that enables web browsers to download revocation information seamlessly and compactly—a feat that has so far eluded the security community. It represents all certificate revocation information in what would require a daily download of 0.58MB—the average website nowadays is about 2.5MB.  

Other papers being presented at the symposium are:

SecureML: A System for Scalable Privacy-Preserving Machine Learning,” by Yupeng Zhang, introduces a system that allows companies to perform machine learning on users' data without learning the underlying data. It can significantly protect the privacy of users’ data, says Zhang, while maintaining the benefits of machine learning, such as ad recommendations and fraud detection. 

vSQL: Verifying Arbitrary SQL Queries over Dynamic Outsourced Databases,” by Katz, Genkin, Papamanthou, Papadopoulos, and Zhang, proposes a verifiable database system that allows clients to delegate their data to a server in the cloud, while being able to validate the correctness of the answers for SQL queries on that data returned by the server.

In addition to their work in MC2, Katz, Levin, Mazurek and Papamanthou all have appointments in the University of Maryland Institute for Advanced Computer Studies (UMIACS).

MC2 is supported by the College of Computer, Mathematical, and Natural Sciences and the A. James Clark School of Engineering. It is one of 16 centers and labs in UMIACS.

—Story by Melissa Brachfeld

Published May 22, 2017