Our research
Content type
+
Downloads (441)
+
Events (396)
 
Groups (150)
+
News (2592)
 
People (804)
 
Projects (1066)
+
Publications (12006)
+
Videos (5240)
Labs
Research areas
Algorithms and theory47205 (268)
Communication and collaboration47188 (187)
Computational linguistics47189 (186)
Computational sciences47190 (197)
Computer systems and networking47191 (680)
Computer vision208594 (47)
Data mining and data management208595 (64)
Economics and computation47192 (95)
Education47193 (79)
Gaming47194 (69)
Graphics and multimedia47195 (199)
Hardware and devices47196 (196)
Health and well-being47197 (77)
Human-computer interaction47198 (779)
Machine learning and intelligence47200 (722)
Mobile computing208596 (33)
Quantum computing208597 (19)
Search, information retrieval, and knowledge management47199 (618)
Security and privacy47202 (268)
Social media208598 (21)
Social sciences47203 (240)
Software development, programming principles, tools, and languages47204 (556)
Speech recognition, synthesis, and dialog systems208599 (73)
Technology for emerging markets208600 (25)
1–25 of 268
Sort
Show 25 | 50 | 100
1234567Next 
Arvind Arasu, Ken Eguro, Manas Joglekar, Raghav Kaushik, Donald Kossmann, and Ravi Ramamurthy

Cipherbase is a comprehensive database system that provides strong end-to-end data confidentiality through encryption. Cipherbase is based on a novel architecture that combines an industrial strength database engine (SQL Server) with lightweight processing over encrypted data that is performed in secure hardware. Cipherbase has the smallest trusted computing base (TCB) among comparable systems and provides significant benefits over the state-of-the-art in terms of security, performance, and...

Publication details
Date: 1 April 2015
Type: Inproceeding
Dinei Florencio ˆ, Cormac Herley, and Paul C. van Oorschot

The research literature on passwords is rich but little of it directly aids those charged with securing web-facing services or setting policies. With a view to improving this situation we examine questions of implementation choices, policy and administration using a combination of literature survey and first-principles reasoning to identify what works, what does not work, and what remains unknown. Some of our results are surprising. We find that offline attacks, the justification for great demands of...

Publication details
Date: 1 November 2014
Type: Article
Publisher: USENIX – Advanced Computing Systems Association
Chris Hawblitzel, Jon Howell, Jacob R. Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, and Brian Zill

An Ironclad App lets a user securely transmit her data to a remote machine with the guarantee that every instruction executed on that machine adheres to a formal abstract specification of the app’s behavior. This does more than eliminate implementation vulnerabilities such as buffer overflows, parsing errors, or data leaks; it tells the user exactly how the app will behave at all times. We provide these guarantees via complete, low-level software verification. We then use cryptography and secure...

Publication details
Date: 6 October 2014
Type: Inproceeding
Publisher: USENIX – Advanced Computing Systems Association
Andrew Baumann, Marcus Peinado, and Galen Hunt

Today's cloud computing infrastructure requires substantial trust. Cloud users rely on both the provider's staff and its globally-distributed software/hardware platform not to expose any of their private data.

We introduce the notion of shielded execution, which protects the confidentiality and integrity of a program and its data from the platform on which it runs (i.e., the cloud operator's OS, VM and firmware). Our prototype, Haven, is the first system to achieve shielded execution of...

Publication details
Date: 6 October 2014
Type: Inproceeding
Publisher: USENIX – Advanced Computing Systems Association
Kirsten Eisentrager, Sean Hallgren, and Kristin Lauter

In this paper we present a new attack on the polynomial version of the Ring-LWE assumption, for certain carefully chosen number fields. This variant of RLWE, introduced in [BV11] and called the PLWE assumption, is known to be as hard as the RLWE assumption for 2-power cyclotomic number fields, and for cyclotomic number fields in general with a small cost in terms of error growth. For general number fields, we articulate the relevant properties and prove security reductions for number fields with those...

Publication details
Date: 30 September 2014
Type: Article
Publisher: Springer
Blase Ur, Jaeyeon Jung, and Stuart Schechter

We investigated how household deployment of Internetconnected locks and security cameras could impact teenagers’ privacy. In interviews with 13 teenagers and 11 parents, we investigated reactions to audit logs of family members’ comings and goings. All parents wanted audit logs with photographs, whereas most teenagers preferred text-only logs or no logs at all. We unpack these attitudes by examining participants’ parenting philosophies, concerns, and current monitoring practices. In a follow-up online...

Publication details
Date: 15 September 2014
Type: Inproceeding
Publisher: Ubicomp
Jaeyeon Jung and Matthai Philipose

Small and always-on, wearable video cameras disrupt social norms that have been established for traditional hand-held video cameras, which explicitly signal when and which subjects are being recorded to people around the camera-holder. We first discuss privacy-related social cues that people employ when recording other people (as a camera-holder) or when being recorded by others (as a bystander or a subject). We then discuss how low-fidelity sensors such as far-infrared imagers can be used to capture...

Publication details
Date: 14 September 2014
Type: Inproceeding
Publisher: ACM – Association for Computing Machinery
Dan Liebling and Sören Preibusch

Multiple vendors now provide relatively inexpensive desktop eye and gaze tracking devices. ith miniatureization and decreasing manufacturing costs, gaze trackers will follow the path of webcams, becoming ubiquitous and inviting many of the same privacy concerns. However, whereas the privacy loss from webcams may be obvious to the user, gaze tracking is more opaque and deserves special attention. In this paper, we review current research in gaze tracking and pupillometry and argue that gaze data should...

Publication details
Date: 13 September 2014
Type: Inproceeding
Publisher: ACM – Association for Computing Machinery
Zheng Dong, Kevin Kane, and L. Jean Camp

A critical component of the solution to online masquerade attacks, in which criminals create false web pages to obtain financial information, is the hierarchy of public key certificates. Masquerade attacks include phishing, pharming, and man-in-the-middle attacks. Public key certificates ideally authenticate the website to the person, before the person authenticates to the website. Public key certificates are typically issued by certificate authorities (CAs).

Banks are the most common target...

Publication details
Date: 13 September 2014
Type: Inproceeding
Publisher: SSRN
Armando Faz-Hernandez, Patrick Longa, and Ana Sanchez

We propose efficient algorithms and formulas that improve the performance of side channel protected elliptic curve computations with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we...

Publication details
Date: 4 September 2014
Type: Article
Publisher: Springer
Christian Paquin

U-Prove tokens provide many security and privacy benefits over conventional credential technologies such as X.509 certificates. Like any long-lived credentials, there might be a need to revoke issued U-Prove tokens before they expire. Achieving this might seem counterintuitive: how can you revoke an identity when users are anonymous or pseudonymous? This paper explores various revocation mechanisms compatible with the U-Prove technology, to help system designers select the best one for...

Publication details
Date: 2 September 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-122
Cormac Herley

In a traditional threat model it is necessary and sufficient to protect against all attacks. While simple, and appropriate in high-assurance settings, we show that this model does not scale
and is entirely inappropriate to the financially-motivated cyber-crime that targets two billion Internet users. The attackers who prey on Internet users are very constrained. The have finite gains, non-zero costs, and must make profit in expectation. Above all their techniques must scale. This means that they...

Publication details
Date: 1 September 2014
Type: Article
Arvind Arasu, Ken Eguro, Raghav Kaushik, and Ravi Ramamurthy

We show that any for any encrypted database system (EDBMS) that is ``server-centric'', where queries are processed in the server without shipping all the data to the client, completeness fundamentally interferes with confidentiality. A complete, server-centric EDBMS leaks enough information to the adversary so as to be able to reconstruct the plaintext, in the worst case. Our result is not meant to demonstrate real attacks on current systems. However, it does show that if we pivot on completeness, a...

Publication details
Date: 1 September 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-133
Christopher Smowton, Jacob R. Lorch, David Molnar, Stefan Saroiu, and Alec Wolman

This paper presents Zero-Effort Payments (ZEP), a seamless mobile computing system designed to accept payments with no effort on the customer’s part beyond a one-time opt-in. With ZEP, customers need not present cards nor operate smartphones to convey their identities. ZEP uses three complementary identification technologies: face recognition, proximate device detection, and human assistance. We demonstrate that the combination of these technologies enables ZEP to scale to the level needed by...

Publication details
Date: 1 September 2014
Type: Inproceeding
Saranga Komanduri, Rich Shay, Lorrie Cranor, Cormac Herley, and Stuart Schechter
Publication details
Date: 20 August 2014
Type: Inproceeding
Publisher: USENIX
Publication details
Date: 20 August 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-95
Joseph Bonneau and Stuart Schechter

Challenging the conventional wisdom that users cannot remember cryptographically-strong secrets, we test the hypothesis that users can learn randomly-assigned 56-bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times, over up to two weeks, with a password of their choosing. After they entered their chosen password correctly we displayed a short code (4 letters or 2...

Publication details
Date: 20 August 2014
Type: Inproceeding
Publisher: USENIX
Christian Paquin

The U-Prove Cryptographic Specification focuses on the core U-Prove capabilities; the specified features were selected to simplify implementation and integration into existing systems, while meeting the needs of a wide array of scenarios. By design, the specification provides extension points, making it possible to extend the core capabilities to meet additional needs.

This paper describes recently released features compatible with the U-Prove technology. The reader is assumed to be familiar with...

Publication details
Date: 5 August 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-105
Joppe W. Bos, Craig Costello, Michael Naehrig, and Douglas Stebila

Lattice-based cryptographic primitives are believed to offer resilience against attacks by quantum computers. We demonstrate the practicality of post-quantum key exchange by constructing ciphersuites for the Transport Layer Security (TLS) protocol that provide key exchange based on the ring learning with errors (R-LWE) problem; we accompany these ciphersuites with a rigorous proof of security. Our approach ties lattice-based key exchange together with traditional authentication using...

Publication details
Date: 5 August 2014
Type: Technical report
Number: MSR-TR-2014-107
Ravi Bhoraskar, Seungyeop Han, Jinseong Jeon, Tanzirul Azim, Shuo Chen, Jaeyeon Jung, Suman Nath, Rui Wang, and David Wetherall

We present an app automation tool called Brahmastra for helping app stores and security researchers to test thirdparty components in mobile apps at runtime. The main challenge is that call sites that invoke third-party code may be deeply embedded in the app, beyond the reach of traditional GUI testing tools. Our approach uses static analysis to construct a page transition graph and discover execution paths to invoke third-party code. We then perform binary rewriting to “jump start” the third-party code...

Publication details
Date: 1 August 2014
Type: Inproceeding
Publisher: USENIX – Advanced Computing Systems Association
Dinei Florencio, Cormac Herley, and Paul C. van Oorschot

We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model and analyze portfolio management under a realistic attack suite, with an objective function costing both loss and...

Publication details
Date: 1 August 2014
Type: Article
Arvind Arasu, Ken Eguro, Manas Joglekar, Raghav Kaushik, Donald Kossmann, and Ravi Ramamurthy

Cipherbase is a comprehensive database system that provides strong end-to-end data confidentiality through encryption. Cipherbase is based on a novel architecture that combines an industrial strength database engine (SQL Server) with lightweight processing over encrypted data that is performed in secure hardware. Cipherbase has the smallest trusted computing base (TCB) among comparable systems and provides significant benefits over the state-of-the-art in terms of security, performance, and...

Publication details
Date: 1 August 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-106
Yuri Gurevich, Efim Hudis, and Jeannette Wing

We say that an item of your personal information is private if you have it but nobody else does. It is inversely private if somebody has it but you do not. We analyze the provenance of inverse privacy and argue that technology and appropriate public policy can reduce inverse privacy to a minimum.

Publication details
Date: 1 July 2014
Type: Technical report
Number: MSR-TR-2014-100
Joppe Bos, Craig Costello, Patrick Longa, and Michael Naehrig

This document explains the details of the curve generation algorithms and provides the parameters for the NUMS (Nothing Up My Sleeve) curves. These curves are supported in the MSR Elliptic Curve Cryptography Library (MSR ECCLib).

Publication details
Date: 27 June 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-92
Bin B. Zhu, Jeff Yan, Guanbo Bao, Maowei Yang, and Ning Xu

Many security primitives are based on hard mathematical problems. Using hard AI problems for security is emerging as an exciting new paradigm, but has been under-explored. In this paper, we present a new security primitive based on hard AI problems, namely, a novel family of graphical password systems built on top of Captcha technology, which we call Captcha as gRaphical Passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether,...

Publication details
Date: 1 June 2014
Type: Article
Publisher: IEEE – Institute of Electrical and Electronics Engineers
Number: 6
1–25 of 268
Sort
Show 25 | 50 | 100
1234567Next 
> Our research