Jefferson's Wheel

I found two of our former undergraduate researchers at a seminar at Dagstuhl (Germany) on Web Application Security.

Photo by Anh Nguyen-Tuong

Salvatore Guarnieri (UVa BS 2006, left in the picture) is now a PhD student at the University of Washington. He presented his work on (mostly) statically analyzing JavaScript that he did as an intern at MSR.

William G. J. Halfond (UVa BS 2002, right in the picture) is finishing a PhD at Georgia Tech this year. He presented his work on automatically generating inputs for web application penetration testing.

John Wilander has been blogging the workshop: Dagstuhl Seminar Final (or, if you can’t read Swedish try Google’s translation).

The New York Times has an article on social network privacy issues including the risks of third party applications: When Everyone’s a Friend, Is Anything Private?, New York Times, 7 March 2009 (by Randall Stross, Digital Domain column).

FACEBOOK has a chief privacy officer, but I doubt that the position will exist 10 years from now. That’s not because Facebook is hell-bent on stripping away privacy protections, but because the popularity of Facebook and other social networking sites has promoted the sharing of all things personal, dissolving the line that separates the private from the public.

…

Facebook’s default settings for new accounts protect users in some ways. For instance, the information in one’s profile is restricted to friends only; it is not accessible to friends of friends. But Facebook sets few restrictions by default on what third-party software can see in a network of friends. Members are not likely aware that unless they change the default privacy settings, an application installed by a friend can vacuum up and store many categories of a member’s personal information.

David E. Evans, an associate professor of computer science at the University of Virginia, says he wishes that Facebook would begin with more restrictions on the information that outside software developers can reach. For 15 of 19 information categories, Facebook sets a default setting of “share,” which means the information can be pulled out of Facebook and stored on servers outside its control. These 15 categories include activities, interests, photos and relationship status.

“Facebook could set defaults erring on the side of privacy instead of on the side of giving your information away,” he said.

Chris Kelly, Facebook’s chief privacy officer, defends its current settings, saying it “gives users extensive control over the applications they choose to interact with.” He also said Facebook had removed “thousands” of applications that members deemed untrustworthy.

In Professor Evans’s view, however, banishment of malevolent software comes too late: “Once the application has got the data, it’s got it, stored on someone else’s machine.”

The defaults turn out to be crucially important, because few users go to the trouble of adjusting the settings. Asked how many members ever change a privacy setting, Mr. Kelly said 20 percent.

Randolph Yu Yao is joining our research group and the NSF RFID project. He’s a PhD student in Computer Engineering and will be working on something related to security and privacy for RFID systems that integrates cryptographic requirement with circuit-level designs.

His brief bio is below. Please join me in welcoming Randolph to the group!

I was born in a small city in southeast of China, and traveled from south to north during my high school, undergraduate, half-graduate study. I’m very happy to travel to the other half of the planet for my PhD study here in the end.

I was an EE major and love to deal with various aspects of embedded system. I’ve worked on the RoboCup, which forms a robot team to play “football”; the Mobile Satellite Communication Vehicle, which essentially control the attitude of antenna in dynamic circumstance; the Multi-Agent Cooperation via wireless communication etc. I didn’t realize before that the security issues of the embedded system are very challenge problems and becomes a bottleneck for their ubiquitous deployments, no matter for sensor networks or RFID. My ultimate goal is to enable these smart embedded systems acceptable by common people and put into daily service without concern about the security and reliability in the face of expanding network connection.

I also like sports such as swimming, traveling, exploration, basketball, hiking but no running which I think too boring. I enjoy the weather, the blue sky and fresh air here.

Technology Review has an article surveying the state of RFID security: RFID’s Security Problem, Technology Review, January/February 2009. It focuses on security and privacy issues related to RFID-enabled passports and driver’s licenses.

Excerpt: (bolding is mine)

Meanwhile, although experts say that some RFID technologies are quite secure, a University of Virginia security researcher’s analysis of the NXP Mifare Classic (see Hack, November/December 2008), an RFID chip used in fare cards for the public-­transit systems of ­Boston, London, and other cities, has shown that the security of smart cards can’t be taken for granted. “I think we are in the growing-pains phase,” says Johns Hopkins University computer science professor Avi Rubin, a security and privacy researcher. “This happens with a lot of technologies when they are first developed.”

…
As long as the remaining problems are ignored, though, it’s unlikely that the technology will become good enough to protect international borders without compromising the privacy of thousands or millions of people. Tadayoshi Kohno, for one, says that at this point, he is not convinced that RFID even offers security advantages over the old IDs. Technology used on this scale, and for purposes this important, should be clearly better than what it’s replacing: the U.S. experience with electronic voting systems shows what can happen when it’s not. If officials continue to advocate band-aids such as privacy sleeves rather than working to address the full extent of critics’ concerns, they will ultimately undermine the very technology that they hope to promote. While new ID technology seems likely to stay, it could become a fiasco if officials don’t pay attention to the work of hackers and security researchers. These people try to expose weaknesses before they can be exploited maliciously. It’s much less painful to swallow the news from them than to wait until a problem becomes embarrassing–or devastating.

The list of papers accepted to the 2009 IEEE Symposium on Security and Privacy (Oakland Conference) is now posted here:
http://oakland09.cs.virginia.edu/papers.html.

Twenty-six papers were accepted (from over 250 submissions).

The symposium will be held 17-20 May 2009 at the Claremont Resort in Oakland, CA. Hope to see you there!

I’ve won an Outstanding Faculty Award from the State Council on Higher Education for Virginia.

UVa has a story: U.Va. Computer Scientist David Evans Wins Statewide Outstanding Faculty Award, 29 January 2009.

SCHEV Update Newsletter [PDF]

Richmond Times-Dispatch: 12 college teachers honored in Virginia, 27 January 2009.

[Added 3 February] The Cavalier Daily also has an article: Computer science professor receives award: State Council of Higher Education honors David Evans as recipient of this year’s Outstanding Faculty Award, Cavalier Daily, 3 February 2009.

[Added 9 March] Pictures from the Ceremony

Jonathan McCune successfully defended his PhD thesis at Carnegie Mellon University last week. Jon (sorry, that’s “Dr. McCune”) was an undergraduate researcher in our group from 2001-2003, when he worked on agent-based software (for our RoboCup team) and adaptable sensor network security, before joining CMU’s PhD program in 2003. Dr. McCune’s recent research has focused on leveraging trusted hardware to build secure systems.

Congratulations Dr. McCune!

The Daily Progress has an rather odd article juxtaposing our RFID research with a donation from Bob Barker (“Price is Right” host) to the law school to fund animal rights research: Barker’s gift to found animal law program; Science Foundation funds chip research. Perhaps we can combine projects to work on preserving pet privacy when implanting RFID tags in animals.

…
“Animal law is a growing area that is in much discussion,” Riley said. “It is a good way even for a student who has no interest in practicing animal law to enlarge their interest and to understand different ways the law works.”

A recent of example is Leona Helmsley’s will, Riley said.

When the hotelier, dubbed the “queen of mean,” died at 87 in August 2007, she spurred a legal debate by leaving behind a $12 million trust for the care of her dog.

Riley said a group of students at UVa have shown interest in animal law.

Elsewhere at UVa, the National Science Foundation’s grant will enable a team of engineers to create a more secure design for RFID chips, which are commonly found in remote car-locking systems and touchless debit cards.

These tiny chips, which send information over short distances using weak radio waves, are an increasingly popular way to monitor potentially sensitive information.

UVa researchers have been working to create a stronger encryption scheme that would keep information on RFID chips secure while keeping costs low.

[Added: 14 Jan] NetworkWorld has also picked up this story: NSF gives University of Virginia researchers a million good reasons to improve RFID security, privacy, by Alpha Doggs, NetworkWorld, 14 Jan 2009.

UVa Today has an article about our (myself, abhi shelat, John Lach, and Ben Calhoun) recent NSF Cybertrust grant on RFID security and privacy: U.Va. Team Receives $1 Million Grant To Improve RFID Security, by Brevy Cannon, 9 January 2009.

Some excerpts:

To address the problematic use of custom cryptography, the U.Va. research team will develop an encryption scheme that is relatively strong — providing some measure of privacy and security — but that can be implemented at almost zero cost by repurposing the meager hardware resources already available on common RFID tags. Providing a solution that adds virtually no cost is crucial, because these RFIDs are made by the billions, at such low costs (5 cents or less apiece) that there is no margin for any added expense.

…

The team is breaking new ground by using a holistic design approach that considers how all the various levels of the design — the hardware, the encryption algorithm and how it is used — work together, mindful of how an attacker will target the single weakest link in the design.

…

The research team hopes their research will forestall that possibility, enabling RFIDs to be used in countless ingenious applications not yet dreamt of, without sacrificing privacy and security in a Faustian bargain.

The story about Adrienne Felt’s Facebook privacy study made the list of UVA Today Most Popular Stories of 2008.