Jefferson's Wheel

Jonathan Burket has been recognized with a CRA Outstanding Undergraduate Researcher Honorable Mention. This award recognizes outstanding research by undergraduate students in North America.

Jonathan joined our research group as a first year student (recruited from cs1120) and has done several research projects focused on web security including working on GuardRails and leading a new research project on correlating web application state and requests with behavior such as database requests.

Congratulations to Jonathan!

UVa Today has an article about my talk yesterday on open education: Evans: U.Va. Should Be a Global Leader in MOOCS, Online Learning, UVaToday, 1 May 2013. The article focuses just on the last slide, which is my proposal for what UVa should do.

The full talk is available at //www.cs.virginia.edu/evans/talks/smoochs/ and below:

Fraudulent mobile applications could trick users into entering sensitive passwords, and then send those passwords to rogue site operators. With current technologies, users have no way of knowing that when they enter a password it is going to the intended application. What is needed is a trusted path for password entry, so when users enter a password they can trust that it will only be visible to the trusted provider.

This paper presents a solution that does not require any modifications to existing apps or application servers, but modifies the Android kernel to establish a shared secret between the user and kernel as part of the boot process, and then uses that shared secret to provide a trusted path for password entry.

Tianhao Tong will present the paper at Moble Security Technologies (MoST) in San Francisco, CA, 23 May 2013.

Paper: Tianhao Tong and David Evans. GuarDroid: A Trusted Path for Password Entry. In Moble Security Technologies (MoST), San Francisco, CA, 23 May 2013. [PDF, 10 pages]

Code: GuarDroid.net

Samee Zahur and I have written a paper on Circuit Structures for Improving Efficiency of Security and Privacy Tools. The paper explores ways to design static circuits (as used in garbled circuit protocols and symbolic execution, among other things) to provide reasonable efficiency for algorithms that use common data structures like arrays. By taking advantage of somewhat predictable access patterns, as well as batching, our circuit structures are able to provide operations with amortized cost that is polylogarithmic in the size of the data structure (in contrast to naive approaches that would require effectively copying the entire data structure for each operation). Samee will present the paper at the IEEE Symposium on Security and Privacy (“Oakland”) in San Francisco in May.

Full paper (15 pages): [PDF]
Project: MightBeEvil.com/netlist

Code: //github.com/samee/netlist

I’ve written a post for the Udacity blog on CS101: One Year Later.

I’m quoted in this USA Today article: The power of computing, USA Today, 4 June 2012.

“To understand the world, you need to understand computing and programming,” Evans, who is also a computer science professor at University of Virginia, said in an email. “Without understanding computers and how they are programmed, much of the world will increasingly seem like magic.”

…

While Steve Jobs famously talked about computers as bicycles for the mind 20 years ago, computers today are far more powerful and connected worldwide as “super-tanker-sized, hypersonic spaceships of the mind,” said Evans.

“Without learning to program, you can still ride them if you are willing to remove your shoes at the security checkpoint and go where the pilot wants to go,” said Evans, “but if you want to be the one flying, you need to learn about computing.”

I was interviewed on Gary McGraw’s Silver Bullet podcast.

Gary and Dave discuss the founding of the Interdisciplinary Major in Computer Science (BA) at UVa and why a broad approach to Computer Science and Computer Security is a good idea, why data privacy gets short shrift in the United States, why people think (for no apparent reason) that their mobile devices are secure, groceries, David’s research on Secure Computation, and the Udacity project. They close out their discussion with a story about David’s trip to the World Cup in Korea and a choice between GEB and scheme.

You can download the podcast from //www.cigital.com/silver-bullet/show-076/.

My favorite article about Udacity so far is Professors without Borders, Prospect Magazine, 28 June 2012.

Not long ago, on a rainy Saturday morning, Professor Dave Evans and I hung out in bed while he tried to explain recursive functions (for the fourth time) and I worked on my homework. Or rather, I hung out in bed, and Evans, a computer science professor at the University of Virginia, hung out on my laptop screen, where I could—click—pause him midsentence and pour myself another cup of coffee.

“Computer Science 101: Building a Search Engine” was one of Udacity’s first offerings, and for seven weeks this spring, Evans was teaching me and 30,000 others to write enough Python—a basic programming language—to create a mini Google. We started with basics, including the difference between a computer and a toaster, and “bits” versus “bytes.” Then we went back in time for a little nerd history, from Augusta Ada King, Lord Byron’s daughter and the world’s first “programmer,” to PageRank, the search algorithm that powers Google.

Evans is the kind of nerdy savant whose gap-tooth smile and Monty Python humour attract a cult following on campus. (As an academic, he’s also a world-class cryptographer.) Thrun and Stavens found him in November 2011, flew him to Palo Alto in December, and by January he was crammed in a makeshift recording studio—still in Thrun’s guesthouse—rejigging his standard university curriculum into a Udacity one.

Our paper on strengthening secure computation protocols to resist stronger adversaries is now available:

Yan Huang, Jonathan Katz, and David Evans. Quid Pro Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution. In 33rd IEEE Symposium on Security and Privacy (“Oakland” 2012), San Francisco, CA. 20-23 May 2012. [PDF, 13 pages]

Yan Huang will present the paper at the Oakland conference (which will be held in San Francisco for the first time, after being in Berkeley/Oakland for the first 32 years!) in May.

Abstract: Known protocols for secure two-party computation that are designed to provide full security against malicious behavior are significantly less efficient than protocols intended only to thwart semi-honest adversaries. We present a concrete design and implementation of protocols achieving security guarantees that are much stronger than are possible with semi-honest protocols, at minimal extra cost. Specifically, we consider protocols in which a malicious adversary may learn a single (arbitrary) bit of additional information about the honest party’s input. Correctness of the honest party’s output is still guaranteed. Adapting prior work of Mohassel and Franklin, the basic idea in our protocols is to conduct two separate runs of a (specific) semi-honest, garbled-circuit protocol, with the parties swapping roles, followed by an inexpensive secure equality test. We provide a rigorous definition and prove that this protocol leaks no more than one additional bit against a malicious adversary. In addition, we propose some enhancements to reduce the overall information a cheating adversary learns. Our experiments show that protocols meeting this security level can be implemented at cost very close to that of protocols that only achieve semi-honest security. Our results indicate that this model enables the large-scale, practical applications possible within the semi-honest security model, while providing dramatically stronger security guarantees.

Full paper (13 pages): [PDF]
Project site: MightBeEvil.com

Austin DeVinney, who worked with us on GuardRails last summer and presented a poster at USENIX Security Symposium, was featured in Radford’s College of Science and Technology newsletter.

Information technology student Austin DeVinney’s interest and curiosity has paid off with a summer internship opportunity with cybersecurity expert and Associate Professor of Computer Science at the University of Virginia David Evans.

The full article is here:
IT Student Presents Research at Prestigious Conference [PDF].