Browsing by Subject "security"

Now showing 1 - 9 of 9
  • Thumbnail Image
    Item
    Automated Code-Behavior and -Semantic Understanding for Security
    (2023-09) Wu, Qiushi
    There has been a growing focus on strengthening program security to protect software ecosystems, especially in light of the swift expansion of available programs in the software supply chain. Static program analysis, embraced by both the industry and academia, allows for an in-depth examination of a program without executing it, making it pivotal in enhancing software security. Static program-analysis techniques delve deeply into various aspects of programs, whether at the source code, binary, or intermediate representation (IR) level. They can dissect data dependencies, control flow, type information, memory operations, cache activities, function calls, and more, which disclose the low-level semantics of a program. By harnessing this information, one can pinpoint security vulnerabilities, examine patches, or simulate the execution behavior of a program. The capabilities of static program analysis are rooted in the foundational principles of programming language and compiler theories. However, traditional static analysis also has shortcomings, particularly in grasping the high-level semantics of programs. For example, it struggles to extract complex programming logic rules, such as the privilege prerequisites for accessing specific variables or functions. Furthermore, when faced with a function, such as fread(), the static analysis cannot accurately interpret its high-level behavior—reading a file. However, understanding such high-level code behaviors is pivotal for in-depth analysis of the security facets of programs. For example, distinguishing between confidential and non-confidential data is crucial since each demands distinct privilege protection mechanisms. Recognizing such a difference necessitates a sophisticated grasp of the program’s high-level semantics. Consequently, bridging the gap between high-level code behaviors and low-level code semantics is imperative for bolstering the security of real-world programs. And over the past few years, we have done the following work to bridge this gap. Firstly, we utilized general behavioral rules of code, summarized with statistical methods, to minimize the reliance on high-level code semantics. Specifically, we introduced HERO, a system designed to detect Disordered Error Handling (DiEH) bugs. It operates on a fundamental programming principle: error cleanup functions should be invoked in a stack-like order. Leveraging this rule, HERO could pinpoint numerous error-handling related bugs, such as use-after-free, without tapping into the high-level semantics of programs. Our second work used security rules and formal definitions to analyze code behaviors. Specifically, we introduced SID to evaluate the security impacts bugs based on their corresponding patches. The driving concept behind SID is that both the impact of a patch and violations of security rules, such as out-of-bound access, can be framed as constraints solvable through automated methods. Consequently, SID can accurately distinguish between patches related to security and those unrelated to it. In this project, the high-level semantics of the code are extracted by human interpretation and later evaluated using formal methods. Besides these, we also leveraged machine learning (ML) models to decipher the behav- iors of functions semi-automatically. Specifically, we developed DiffCVSS to discern the correlation between functions and CVSS metrics by analyzing both function descriptions and vulnerability narratives. On the other hand, we employed GNNIC to probe the similarity among functions by scrutinizing their call graphs, function names, and utilized types, all with the assistance of graph neural networks. In these two projects, the high-level semantics of the code are summarized and analyzed using natural language processing techniques combined with machine learning methodologies.
  • Thumbnail Image
    Item
    Competing and contesting constructions of ‘modern’ womanhood: A vertical case study examining the effects of international development discourse on marriage and education in rural Upper Egypt
    (2015-05) Sallam, Mohamed
    In the Middle East and North Africa (MENA) education is widely understood to play a key role in promoting gender equality and economic empowerment. In the MENA region generally, and Egypt in particular, "early-marriage" is implicated as one of the main barriers to educational access for girls living in rural areas. In 2001 inspired by the Egyptian Government's commitment to the principles of the United Nations Girl's Education Initiative (UNGEI), Population Council in Egypt developed Ishraq, a literacy and life-skills program targeting rural and adolescent out-of-school girls in Upper Egypt. This dissertation examines how conceptions of womanhood are framed at varying levels of the international development landscape, and the extent to which they affect and are affected by national policy considerations (represented by the UNGEI and the Ishraq Program) and local understandings around education and marriage in rural Upper Egypt. This research is guided by the assumption that education policy formation is grounded in particular values regarding the role and purpose of education for girls. Through utilizing a vertically-oriented design, this dissertation explores how international and national policy discussions come to shape the construction and implementation of development programs targeting girls at local levels. Emerging from my conversations, interviews, and many observations with former Ishraq participants, program stakeholders, and other young women in rural Upper Egypt - are varied experiences and understandings that participants related regarding what it means to be a "modern" woman in rural Upper Egypt during this current revolutionary moment. What is revealed is an interplay between transnational development discourse and how particular women in rural Upper Egypt women engage in the social contests concerning marriage and education. The experiences and understandings of participants situated at the most local levels suggest a dynamism and complexity around these social contests that is all but left out of the prevailing policy documents, program materials, and among the views of those responsible of the funding and design of the Ishraq program. Moreover, participants experiences with safety and security in rural Upper Egypt during this most recent period of political transition appears to be contributing to the further isolation of rural communities.
  • No Thumbnail Available
    Item
  • Thumbnail Image
    Item
    debreach: Selective Dictionary Compression to Prevent BREACH and CRIME
    (2017-07) Paulsen, Brandon
    Compression side-channel attacks like CRIME and BREACH have made compression a liability even though it is a powerful tool for improving efficiency. We present debreach, a step towards a general and robust mitigation for these attacks. A modified DEFLATE compressor with output that is fully backwards-compatible with existing decompressors, debreach has the ability to mitigate compression side-channels by excluding from compression sensitive data (e.g., security tokens, emails) identified either by explicit byte ranges or through string matching. In terms of usability, security, and efficiency, we find that string matching is well-suited to the task of protecting security tokens, but we also find that existing approaches to token security work equally as well. On the other hand, we find explicit byte ranges are well-suited to protect arbitrary content, whereas existing approaches lack in either efficiency or generality. When compared to the widely-used and insecure zlib in realistic scenarios, explicit byte ranges reduce throughput in networked connections by 16-24% on popular website's data, though this still results in a 106-269% improvement over not compressing depending on the available bandwidth. While the reduction is significant, we show that debreach can still improve throughput on connections between 112-208 Mb/s. We end with a discussion of practical use cases for debreach along with suggestions for their implementation and potential improvements to the algorithm.
  • Thumbnail Image
    Item
    Dismantling security
    (2010-10) Calkivik, Emine Asli
    The post Cold War world witnessed the exponential growth in the range of issues and domains that became security concerns. A long list of objects--the nation, poverty, the human, health, food, the environment--is now firmly incorporated into the global security agenda. As the list of dangers expanded, security itself transmogrified into a medium through which we orient ourselves toward life, politics, and the world. In this dissertation, I argue that what is needed is not more security, but to dismantle the whole architecture of security so as to open up a space for a thought of politics that admits the fact that we can never be secure. To develop this argument, I first map out the landscape of the contemporary empire of security and then provide an overview of critical approaches to security within the discipline of International Relations, where I point out the paradoxical way in which the hegemony of security gets reproduced in these discussions despite the overarching concerns voiced about the complicity of security in the orders of power and violence. This is followed by a discussion of the meaning of dismantling security as an untimely critique. By drawing on historical materialist conceptions of time, I formulate the first sense of the untimely as a politics of time that seeks to counter the temporal structure enacted by the politics of security. Then I discuss the second sense of the untimely, which centers on the relationship between critical thinking and political time. I clarify what it means to brush against the grain of the doxa of security by being untimely in a disciplinary context and refusing to write security. I close by elaborating on three different conceptions of politics once the ground is cleared from security and formulate them as three moves that deconstruct the subject, the space, and the time of security by drawing on the works of scholars such as David Campbell, Michael Dillon, Jacques Rancière, and Jacques Derrida.
  • Thumbnail Image
    Item
    I just don’t get it: Common Security Misconceptions
    (2019-06) Jindeel, Maz
    Many security mistakes are made because of some underlying misconception about computer security. These misconceptions can be remedied by developing curricula targeting them, but they must first be identified. This paper outlines our process for identifying common security misconceptions by surveying experts and coding their responses and the results of that process. We also present open-ended questions which are preliminary version of a computer security concept inventory based on these misconceptions.
  • Thumbnail Image
    Item
    Lorrie Faith Cranor Oral History
    (Charles Babbage Institute, 2023-09) Charles Babbage Institute, Univ. of Minnesota
    This oral history interview is sponsored by and a part of NSF 2202484 “Mining a Useable Past: Perspectives, Paradoxes, and Possibilities with Security and Privacy,” at the Charles Babbage Institute, University of Minnesota. At the start of the interview, Professor Lorrie Faith Cranor discusses early interests and studies in computer science and engineering & public policy at Washington University in St. Louis. This includes her dissertation, a pioneering work on computer voting systems. She then relates her work on privacy, security, and policy at AT&T laboratories following her D.Sc. for about a half dozen years and then transitioning to leave the lab to become a professor of Computer Science and of Engineering & Public Policy at Carnegie Mellon University. Cranor talks about launching an event and co-editing an influential edited volume, that led to her founding and early General Chair leadership of Symposium on User Privacy and Security (SOUPS). With a focus on this area, she also launched a research lab, the CyLab Usable Privacy and Security (CUPS) Laboratory and educational program with NSF support. This unique focus is not matched anywhere globally and Cranor and her team’s work have been central to bringing together researchers and understanding at the intersection of human-computer interaction (HCI) and computer security and privacy. She also discusses her evolving research in many areas including but not limited to phishing, cyber trust indicators, passwords, etc., as well as her year as Chief Technologist at the US Federal Trade Commission. Cranor, a master quilter, also relates how engineering quilts involve overlapping engineering principles with her design work in computer science.
  • Thumbnail Image
    Item
    Politics Of The Highly Improbable: Anticipation, Catastrophe, Security
    (2018-05) Kindervater, Garnet
    This dissertation theorizes the politics of imagining future catastrophes and their effects on contemporary political life. Interpreting late-20th century theories of epistemology and power, it scrutinizes concerns about human insecurity and their involvement in cultural knowledge production. In its broadest sense, the research articulates the politics of how humans live (and die) today; but most critically, how such politics influence ideas as the central fabric of contemporary life. Focusing chiefly on Foucault’s notion of the dispositif, critical security studies, and untranslated thinkers in contemporary French philosophy, it conceptualizes concerns for protecting against future events. I characterize future catastrophes not as empirical realities in themselves – because they exist in the future, and therefore not at all – but as speculative constructions that nevertheless bear enormous political force. I argue that speculating about disasters animates widespread anxieties about safety and insecurity in the United States. I develop this thesis under the banner of “catastrophism,” which designates a rational orientation to future disaster and a pervasive preoccupation with insecurity and death. The concept illustrates the relationship between security expertise and political life, broadly conceived, as it is informed by imagining future catastrophes in cultural and political discourses.
  • Thumbnail Image
    Item
    Secure Group Communication
    (2021-05) Schliep, Michael
    Communication privacy is constantly under threat from Nation State Adversaries (NSA). This has led many platforms, such as Facebook and Apple, to implement secure conversation cryptographic protocols in their messaging applications. However, many of the protocols do not provide provable security and do not provide other security guarantees about the conversation. One example of a missing security property is message order consistency between all participants. In this dissertation I demonstrate practical attacks against a popular private messaging protocol and application (Signal). I propose two private group messaging protocols with provable privacy properties for two networking models; online instant messaging, and mobile messaging. I show the performance of these models is practical for mutually authenticated groups ≤ 50 participants. Finally, I propose an improvement to the DP5 private presence protocol that reduces the message size from quadratic to logarithmic.