Microsoft Research publications, research area: Security and privacy (1–25 of 280, newest first)
Christopher Theisen, Kim Herzig, Patrick Morrison, Brendan Murphy, and Laurie Williams

Security testing and reviewing efforts are a necessity for software projects, but are time-consuming and expensive to apply. Identifying vulnerable code supports decision-making during all phases of software development. An approach for identifying vulnerable code is to identify its attack surface, the sum of all paths for untrusted data into and out of a system. Identifying the code that lies on the attack surface requires expertise and significant manual effort. This paper proposes an...

Publication details
Date: 1 May 2015
Type: Inproceeding
Publisher: IEEE – Institute of Electrical and Electronics Engineers
Arvind Arasu, Ken Eguro, Manas Joglekar, Raghav Kaushik, Donald Kossmann, and Ravi Ramamurthy

Cipherbase is a comprehensive database system that provides strong end-to-end data confidentiality through encryption. Cipherbase is based on a novel architecture that combines an industrial strength database engine (SQL Server) with lightweight processing over encrypted data that is performed in secure hardware. Cipherbase has the smallest trusted computing base (TCB) among comparable systems and provides significant benefits over the state-of-the-art in terms of security, performance, and...

Publication details
Date: 1 April 2015
Type: Inproceeding
Patrick Morrison, Kim Herzig, Brendan Murphy, and Laurie Williams

While Microsoft product teams have adopted defect prediction models, they have not adopted vulnerability prediction models (VPMs). Seeking to understand this discrepancy, we replicated a VPM for two releases of the Windows Operating System, varying model granularity and statistical learners. We reproduced binary-level prediction precision (~0.75) and recall (~0.2). However, binaries often exceed 1 million lines of code, too large to practically inspect, and engineers expressed preference for source file...

Publication details
Date: 1 April 2015
Type: Inproceeding
Publisher: ACM – Association for Computing Machinery
Benjamin Dowling, Douglas Stebila, and Greg Zaverucha

This document describes ANTP, an authentication protocol designed to be built over the Network Time Protocol operating in client/server mode. ANTP's design meets the requirements of NTP and the Security Requirements of Time Protocols in Packet-Switched Networks, a TICTOC Working Draft. In particular, the server does not need to keep per-client state, and the authentication step does not degrade timestamp accuracy when compared to unauthenticated NTP. This specification is meant to accompany a paper...

Publication details
Date: 27 February 2015
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2015-19
Ben Stock, Ben Livshits, and Ben Zorn

In recent years, the drive-by malware space has undergone significant consolidation. Today, the most common source of drive-by downloads is the so-called exploit kit. Exploit kits signify a drastic consolidation of the process of malware creation and delivery. This paper presents Kizzle, the first prevention technique specifically designed for finding exploit kits.

Our analysis of exploit kits shows that while the actual JavaScript delivered by kits varies greatly, the code observed after it is...

Publication details
Date: 13 February 2015
Type: Technical report
Number: MSR-TR-2015-12
Maria Christakis and Patrice Godefroid

We present IC-Cut, short for “Interface-Complexity based Cut”, a new compositional search strategy for systematically testing large programs. IC-Cut dynamically detects function interfaces that are simple enough to be cost-effective for summarization. IC-Cut then hierarchically decomposes the program into units defined by such functions and their sub-functions in the call graph. These units are tested independently, their test results are recorded as low-complexity function summaries, and the summaries...

Publication details
Date: 1 February 2015
Type: Technical report
Number: MSR-TR-2015-10
Tadayoshi Kohno, Joel Kollin, David Molnar, and Franziska Roesner

Transparent near-eye displays are shipping now for augmented reality applications. In addition to these applications, they promise a private display safe from shoulder surfing. Multiple researchers in the security and HCI communities have proposed systems building on the assumption these displays are private. Unfortunately, this assumption is not always true. We find multiple shipping displays suffer from display leakage: an adversary who observes a user wearing the display can reconstruct the contents...

Publication details
Date: 1 February 2015
Type: Technical report
Number: MSR-TR-2015-18
Nitesh Mor, Oriana Riva, Suman Nath, and John Kubiatowicz

We propose BloomCookies that encode a user's profile in a compact and privacy-preserving way, without preventing online services from using it for personalization purposes. The BloomCookies design is inspired by our analysis of a large set of web search logs that shows drawbacks of two profile obfuscation techniques, namely profile generalization and noise injection, today used by many privacy-preserving personalization systems. We find that profile generalization significantly hurts personalization and...

Publication details
Date: 1 February 2015
Type: Inproceeding
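Added example, not code from the BloomCookies paper: a Bloom filter that encodes a set of profile categories compactly, with extra randomly set bits as the obfuscation. The abstract says only that the encoding is compact and privacy-preserving; the noise scheme, filter size, hash count, sample profile and category dictionary below are all assumptions constructed for illustration. The point it shows is the one the abstract makes: a Bloom filter still answers the membership queries personalization needs (no false negatives), while noise inflates what an observer can infer.

```python
import hashlib
import random

# Constructed parameters; the paper's own filter size and hash count are not
# given on this page.
M_BITS = 256    # filter size in bits
K_HASHES = 3    # bit positions set per profile item


def _indices(item, m=M_BITS, k=K_HASHES):
    """Derive k bit positions for an item by double hashing over SHA-256."""
    digest = hashlib.sha256(item.encode("utf-8")).digest()
    h1 = int.from_bytes(digest[:8], "big")
    h2 = int.from_bytes(digest[8:16], "big") | 1   # odd step so positions spread
    return [(h1 + i * h2) % m for i in range(k)]


def encode_profile(profile, noise_bits=0, seed=0):
    """Encode a set of categories as an M_BITS-bit integer, then turn on
    `noise_bits` additional random positions.  Noise only ever adds bits, so
    a category that really is in the profile is never reported as absent; it
    only raises the number of false positives an observer sees."""
    rng = random.Random(seed)
    bits = 0
    for item in profile:
        for idx in _indices(item):
            bits |= 1 << idx
    for idx in rng.sample(range(M_BITS), noise_bits):
        bits |= 1 << idx
    return bits


def maybe_member(bits, item):
    """Bloom test: True = possibly in the profile, False = definitely not."""
    return all((bits >> idx) & 1 for idx in _indices(item))


def infer_profile(bits, dictionary):
    """What a service (or anyone reading the cookie) recovers by brute-forcing
    a known category list against it: the true profile plus false positives."""
    return {c for c in dictionary if maybe_member(bits, c)}


# Constructed sample input.
PROFILE = {"cycling", "cryptography", "jazz"}
DICTIONARY = ["category%d" % i for i in range(200)] + sorted(PROFILE)


def demo(noise_bits=48):
    """Return the categories an observer would infer without and with noise."""
    clean = encode_profile(PROFILE, noise_bits=0)
    noisy = encode_profile(PROFILE, noise_bits=noise_bits)
    return {
        "clean_guess": infer_profile(clean, DICTIONARY),
        "noisy_guess": infer_profile(noisy, DICTIONARY),
    }


if __name__ == "__main__":
    result = demo()
    print("no noise   ->", len(result["clean_guess"]), "candidate categories")
    print("with noise ->", len(result["noisy_guess"]), "candidate categories")
```

Raising `noise_bits` trades personalization quality (more false positives the service has to absorb) for privacy (more plausible profiles consistent with the cookie); the abstract's finding that naive generalization and noise injection hurt personalization is the motivation for tuning that trade-off rather than picking one extreme.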
Lucas Silva Figueiredo, Benjamin Livshits, David Molnar, and Margus Veanes
Publication details
Date: 14 November 2014
Type: Technical report
Number: MSR-TR-2014-146
Paul Pearce, Vacha Dave, Chris Grier, Kirill Levchenko, Saikat Guha, Damon McCoy, Vern Paxson, Stefan Savage, and Geoffrey M. Voelker
Publication details
Date: 2 November 2014
Type: Inproceeding
Publisher: ACM – Association for Computing Machinery
Dinei Florêncio, Cormac Herley, and Paul C. van Oorschot

The research literature on passwords is rich but little of it directly aids those charged with securing web-facing services or setting policies. With a view to improving this situation we examine questions of implementation choices, policy and administration using a combination of literature survey and first-principles reasoning to identify what works, what does not work, and what remains unknown. Some of our results are surprising. We find that offline attacks, the justification for great demands of...

Publication details
Date: 1 November 2014
Type: Article
Publisher: USENIX – Advanced Computing Systems Association
John Vilk, David Molnar, Eyal Ofek, Chris Rossbach, Benjamin Livshits, Alexander Moshchuk, Helen J. Wang, and Ran Gal

Immersive experiences that mix digital and real-world objects are becoming reality, but they raise serious privacy concerns as they require real-time sensor input. These experiences are already present on smartphones and game consoles via Kinect, and will eventually emerge on the web platform. However, browsers do not expose the display interfaces needed to render immersive experiences. Previous security research focuses on controlling application access to sensor input alone, and does not deal...

Publication details
Date: 1 November 2014
Type: Technical report
Number: MSR-TR-2014-147
Eric Chen, Yutong Pei, Shuo Chen, Yuan Tian, Robert Kotcher, and Patrick Tague

OAuth is undoubtedly a highly influential protocol today, because of its swift and wide adoption in the industry. The initial objective of the protocol was specific: it serves the authorization needs for websites. What motivates our work is the realization that the protocol has been significantly re-purposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google, Microsoft and Twitter, have re-purposed OAuth for user authentication; (2)...

Publication details
Date: 1 November 2014
Type: Inproceeding
Publisher: ACM – Association for Computing Machinery
Chris Hawblitzel, Jon Howell, Jacob R. Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, and Brian Zill

An Ironclad App lets a user securely transmit her data to a remote machine with the guarantee that every instruction executed on that machine adheres to a formal abstract specification of the app’s behavior. This does more than eliminate implementation vulnerabilities such as buffer overflows, parsing errors, or data leaks; it tells the user exactly how the app will behave at all times. We provide these guarantees via complete, low-level software verification. We then use cryptography and secure...

Publication details
Date: 6 October 2014
Type: Inproceeding
Publisher: USENIX – Advanced Computing Systems Association
Andrew Baumann, Marcus Peinado, and Galen Hunt

Today's cloud computing infrastructure requires substantial trust. Cloud users rely on both the provider's staff and its globally-distributed software/hardware platform not to expose any of their private data.

We introduce the notion of shielded execution, which protects the confidentiality and integrity of a program and its data from the platform on which it runs (i.e., the cloud operator's OS, VM and firmware). Our prototype, Haven, is the first system to achieve shielded execution of...

Publication details
Date: 6 October 2014
Type: Inproceeding
Publisher: USENIX – Advanced Computing Systems Association
Kirsten Eisentrager, Sean Hallgren, and Kristin Lauter

In this paper we present a new attack on the polynomial version of the Ring-LWE assumption, for certain carefully chosen number fields. This variant of RLWE, introduced in [BV11] and called the PLWE assumption, is known to be as hard as the RLWE assumption for 2-power cyclotomic number fields, and for cyclotomic number fields in general with a small cost in terms of error growth. For general number fields, we articulate the relevant properties and prove security reductions for number fields with those...

Publication details
Date: 30 September 2014
Type: Article
Publisher: Springer
Blase Ur, Jaeyeon Jung, and Stuart Schechter

We investigated how household deployment of Internet-connected locks and security cameras could impact teenagers' privacy. In interviews with 13 teenagers and 11 parents, we investigated reactions to audit logs of family members' comings and goings. All parents wanted audit logs with photographs, whereas most teenagers preferred text-only logs or no logs at all. We unpack these attitudes by examining participants' parenting philosophies, concerns, and current monitoring practices. In a follow-up online...

Publication details
Date: 15 September 2014
Type: Inproceeding
Publisher: Ubicomp
Jaeyeon Jung and Matthai Philipose

Small and always-on, wearable video cameras disrupt social norms that have been established for traditional hand-held video cameras, which explicitly signal when and which subjects are being recorded to people around the camera-holder. We first discuss privacy-related social cues that people employ when recording other people (as a camera-holder) or when being recorded by others (as a bystander or a subject). We then discuss how low-fidelity sensors such as far-infrared imagers can be used to capture...

Publication details
Date: 14 September 2014
Type: Inproceeding
Publisher: ACM – Association for Computing Machinery
Dan Liebling and Sören Preibusch

Multiple vendors now provide relatively inexpensive desktop eye and gaze tracking devices. With miniaturization and decreasing manufacturing costs, gaze trackers will follow the path of webcams, becoming ubiquitous and inviting many of the same privacy concerns. However, whereas the privacy loss from webcams may be obvious to the user, gaze tracking is more opaque and deserves special attention. In this paper, we review current research in gaze tracking and pupillometry and argue that gaze data should...

Publication details
Date: 13 September 2014
Type: Inproceeding
Publisher: ACM – Association for Computing Machinery
Zheng Dong, Kevin Kane, and L. Jean Camp

A critical component of the solution to online masquerade attacks, in which criminals create false web pages to obtain financial information, is the hierarchy of public key certificates. Masquerade attacks include phishing, pharming, and man-in-the-middle attacks. Public key certificates ideally authenticate the website to the person, before the person authenticates to the website. Public key certificates are typically issued by certificate authorities (CAs).

Banks are the most common target...

Publication details
Date: 13 September 2014
Type: Inproceeding
Publisher: SSRN
Armando Faz-Hernandez, Patrick Longa, and Ana Sanchez

We propose efficient algorithms and formulas that improve the performance of side channel protected elliptic curve computations with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we...

Publication details
Date: 4 September 2014
Type: Article
Publisher: Springer
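Added example, not the paper's code, for the claim that a "regular" scalar multiplication protects against simple side-channel and timing attacks. It uses a constructed toy curve over F_97 and contrasts plain double-and-add, whose operation sequence is the scalar's bit pattern, with a Montgomery ladder that performs the same operations for every bit. The ladder stands in for the paper's GLV-based regular recoding, which is not reproduced here; the curve, base point and the operation trace used as a stand-in for a power trace are all assumptions.

```python
# Constructed toy curve y^2 = x^3 + A*x + B over F_p, small on purpose so every
# step is readable.  Real deployments use standardised curves.
P_MOD, A, B = 97, 2, 3
G = (3, 6)          # on the curve: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
INF = None          # point at infinity


def _inv(x):
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def point_add(P, Q):
    """Affine addition (doubling when P == Q); INF is the identity."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                             # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def double_and_add(k, P, trace):
    """Irregular: the add happens only for 1 bits, so the operation sequence
    (recorded in `trace`, standing in for a power trace) is the scalar."""
    R = INF
    for bit in bin(k)[2:]:
        R = point_add(R, R)
        trace.append("D")
        if bit == "1":
            R = point_add(R, P)
            trace.append("A")
    return R


def ladder(k, P, trace):
    """Regular (Montgomery ladder): exactly one add and one double per bit,
    whatever the bit is.  The `if` still chooses which register is updated;
    production code replaces it with a constant-time conditional swap so that
    memory access patterns do not leak either."""
    R0, R1 = INF, P
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = point_add(R0, R1), point_add(R1, R1)
        else:
            R1, R0 = point_add(R0, R1), point_add(R0, R0)
        trace.append("AD")
    return R0


def repeated_add(k, P):
    """Reference result: k copies of P added one at a time."""
    R = INF
    for _ in range(k):
        R = point_add(R, P)
    return R


def recover_scalar(trace):
    """Simple power analysis against double_and_add: every D opens a new bit
    (initially 0) and an A following it flips that bit to 1."""
    bits = []
    for op in trace:
        if op == "D":
            bits.append("0")
        elif op == "A":
            bits[-1] = "1"
    return int("".join(bits), 2)


if __name__ == "__main__":
    k = 0b1011
    t_naive, t_ladder = [], []
    assert double_and_add(k, G, t_naive) == ladder(k, G, t_ladder) == repeated_add(k, G)
    print("double-and-add trace:", "".join(t_naive), "-> scalar", recover_scalar(t_naive))
    print("ladder trace:        ", "".join(t_ladder), "-> nothing to read off")
```

Regularity removes the data-dependent operation count; it does not by itself remove data-dependent branches, memory accesses or the cost of non-constant-time field arithmetic, which is why the abstract separates "simple side-channel and timing attacks" from the harder cases.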
Christian Paquin

U-Prove tokens provide many security and privacy benefits over conventional credential technologies such as X.509 certificates. Like any long-lived credentials, there might be a need to revoke issued U-Prove tokens before they expire. Achieving this might seem counterintuitive: how can you revoke an identity when users are anonymous or pseudonymous? This paper explores various revocation mechanisms compatible with the U-Prove technology, to help system designers select the best one for...

Publication details
Date: 2 September 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-122
Cormac Herley

In a traditional threat model it is necessary and sufficient to protect against all attacks. While simple, and appropriate in high-assurance settings, we show that this model does not scale and is entirely inappropriate to the financially-motivated cyber-crime that targets two billion Internet users. The attackers who prey on Internet users are very constrained. They have finite gains, non-zero costs, and must make profit in expectation. Above all their techniques must scale. This means that they...

Publication details
Date: 1 September 2014
Type: Article
Christopher Smowton, Jacob R. Lorch, David Molnar, Stefan Saroiu, and Alec Wolman

This paper presents Zero-Effort Payments (ZEP), a seamless mobile computing system designed to accept payments with no effort on the customer’s part beyond a one-time opt-in. With ZEP, customers need not present cards nor operate smartphones to convey their identities. ZEP uses three complementary identification technologies: face recognition, proximate device detection, and human assistance. We demonstrate that the combination of these technologies enables ZEP to scale to the level needed by...

Publication details
Date: 1 September 2014
Type: Inproceeding
Saranga Komanduri, Rich Shay, Lorrie Cranor, Cormac Herley, and Stuart Schechter
Publication details
Date: 20 August 2014
Type: Inproceeding
Publisher: USENIX