Jefferson's Wheel

Yan Huang has been selected as a finalist for the NYU-Poly AT&T Best Applied Security Paper Award for the paper, Faster Secure Two-Party Computation Using Garbled Circuits (USENIX Security 2011, co-authored with David Evans, Jonathan Katz, and Lior Malka). The award recognizes the best paper on applied security in any venue between September 1, 2010 and August 31, 2011.

The award will be announced at a ceremony as part of the CSAW Cybersecurity Competition in New York on 11 November.

Peter Chapman presented our work on side-channel analysis for web applications at CCS yesterday. His slides are available here: [PPTX] [PDF].

It provides an automated way to analyze a web application for side-channel vulnerabilities, as well as a better metric for quantifying those vulnerabilities (that may have applications to many other areas where it is important to know how well states can be distinguished). It is described in more detail in this paper: Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications (and earlier post), but for the important connection to Guinness you need to view the slides. The tool is also freely available at http://www.cs.virginia.edu/sca/ (with a tutorial explaining how to use it!)

Yikan Chen presented his work on Auditing Information Leakage for Distance Metrics at the Third IEEE Conference on Privacy, Security, Risk and Trust today.

The slides are here: [PPTX] [PDF]

Videos from all the talks at USENIX Security are now available on the conference site.

Here are the talks by UVa people:

• Peter Chapman (HotSec Workshop): Privacy-Preserving Applications on Smartphones and Q & A (extensive discussion session, including the other two talks in the session)
• Pieter Hooimeijer: Fast and Precise Sanitizer Analysis with BEK
• Adrienne Porter Felt (now at UC Berkeley): Permission Re-Delegation: Attacks and Defenses
• Michael Dietz (now at Rice University): QUIRE: Lightweight Provenance for Smart Phone Operating Systems
• Yan Huang: Faster Secure Two-Party Computation Using Garbled Circuits

I would also highly recommend Collin Jackson’s invited talk on Crossing the Chasm: Pitching Security Research to Mainstream Browser Vendors.

Yan Huang’s talk on Faster Secure Two-Party Computation Using Garbled Circuits at USENIX Security 2011 is now available: [PPTX] [PDF].

You can also download our framework and try our Android demo application.

University of Virginia people at USENIX Security in Union Square
San Francisco, 10 August 2011

Front row (left-to-right):

• Joseph Calandrino (UVa BS Math with CS 2004, UVa MCS 2005, soon to finish a PhD at Princeton).
• Erika Chin (UVa BSCS 2007, now a PhD student at UC Berkeley)
• Michael Dietz (UVa BSCS 2008, now a PhD student at Rice University)
• Jiamin Chen (finishing a UVa BACS in 2012, currently an undergraduate researcher on secure computation)
• Brittany Harris (finishing a UVa BACS in 2013, currently an undergraduate researcher on secure computation)
• Sang Koo (finishing UVa BSCS and BSCpE in 2013, currently an undergraduate researcher on mobile secure computation)
• Yuchen Zhou (currently PhD student in Computer Engineering at UVa, working on web security
• Yikan Chen (currently a PhD student in Computer Engineering at UVa, working on auditing information leakage)
• Pieter Hooimeijer (nearly finished PhD student at UVa, working in Westley Weimer’s group on programming languages and security)

Back row:

• Nate Paul (UVa PhD 2008, now at Associate Professor at the University of Tennessee, with a joint appointment at Oak Ridge National Labs)
• Nicholas Christin (UVa PhD 2003, now faculty at CMU Cylab)
• Adrienne Porter Felt (UVa BSCS 2008, now PhD student at UC Berkeley)
• Samee Zahur (currently a PhD student in Computer Science at UVa, working on improving secure computations using partial evaluation)
• Austin DeVinney (visiting researcher at UVa, completing a BSCS at Radford University in 2012)
• Yan Huang (currently a PhD student at UVa, working on secure computation)

UVa students book-ended the symposium, with Pieter presenting the first paper (Fast and Precise Sanitizer Analysis with BEK), and Yan presenting the last paper (Faster Secure Two-Party Computation Using Garbled Circuits). Adrienne Felt (Permission Re-Delegation: Attacks and Defenses and Michael Dietz (Quire: Lightweight Provenance for Smart Phone Operating Systems) also presented papers in a session that I was privileged to chair. Erika Chin, Joseph Calandrino, and Nicholas Christin were also co-authors of papers, and Austin, Brittany, Jiamin, Samee, Yan, and Yuchen also presented posters. Peter Chapman (BACS 2012) also presented a paper at HotSec, but wasn’t able to stay for the rest of the symposium.

Our paper on side-channel analysis of web applications is now available:

Peter Chapman and David Evans. Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications. In 18th ACM Conference on Computer and Communications Security (CCS 2011), Chicago, IL. 17-21 October 2011. [PDF, 12 pages]

The paper describes a black-box tool for detecting side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application. Our tool quantifies the severity of side-channel leaks in a web application, and gives web application developers a measure of the risk of information leakage against different types of adversaries. The frequent and highly dynamic client-server communication that is characteristic of modern web applications leaves them vulnerable to side-channel leaks where an adversary can learn about the state of the application and visitor’s choices, even over encrypted connections. Our approach provides a new way to quantify the severity of these vulnerabilities based on analyzing the results of traces of the web traffic using the Fisher criterion.

Peter will present the paper at CCS in Chicago in October.

Project Site

Several of our students presented posters at the USENIX Security Symposium Poster Session.

Peter Chapman presented our paper on Privacy-Preserving Applications on Smartphones at the 6th USENIX Workshop on Hot Topics in Security today. Here are the talk slides [PDF].

The CommonContacts demonstration app is now available in the Android Market.

Project Website

Yan Huang presented Private Editing Using Untrusted Cloud Services at the Second International Workshop on Security and Privacy in Cloud Computing in Minneapolis this morning.

Here are the slides from his talk: [PPTX, PDF].
The full paper is also available: [PDF, 10 pages].