Clark School Home UMD
wie homepage

2013 Summer Research Projects

Please note that "Daily Activities" are provided as estimates of time commitment and do not include additional program activities.

Program Dates

Start date: June 3, 2013.
End date: August 2, 2013


A Secure Programming Contest

Project Description:
Experts have long advocated that achieving security in a computer system requires careful design and implementation from the ground up. Unfortunately, students are rarely taught how to produce secure code, and in practice software often ships with significant vulnerabilities. In fact, experts are divided on what features of a software process---the interaction model, the programming language or framework used, whether program analysis tools or code reviews are employed, etc.---are most important for producing secure code.

Inspired by the popularity of cybersecurity contests (most of which involve breaking a system, or reconfiguring an existing system to protect it), we are developing a secure coding contest that has two goals: (1) give student contestants a competitive setting to learn about secure software creation, and (2) experimentally measure the outcomes of the contest to add to the evidence of what works and what does not. The contest, called build-it, break-it pits builders---tasked with building a non-trivial software system that aims to be correct, efficient, and secure---against breakers, who aim to find as many bugs and vulnerabiltiies as possible in builder systems. To make this contest a reality, we need to develop software infrastructure to run it, set up the rules to incentivize participants toward the desired outcomes, and design automation (e.g., for various forms of grading) so that the contest scales up. We also need to run pilot contests to better understand human interactions, and data analysis methods for making sense of the results.

CS Scholar Responsibilities and Daily Activities:

In this project, the scholar will develop contest administration software (extending UMD's Marmoset system). Scholars will design and evaluate machine learning methods for auto-grading bug reports submitted by break-it teams, as well as design and evaluate scoring systems, based on economics and game theory, for build-it and break-it teams. Scholars will design programming tasks for a pilot contest, and once designed, the scholar will run the pilot contest over the summer, and assess the results.  At the conclusion, the scholar will be responsible for writing a final report and recommendations.

As a general guideline, we expect CS Scholars to perform background reading, assigned by mentors, on machine learning and game theory methods relevant to the contest's design. The mentors will also provide scholars with a full description of the contest's design, as currently conceived, as a starting point. Scholars should be proficient in Java programming, to help develop the adminstration software, and in basic Linux usage. Basic mathematical maturity will be needed, but background in machine learning and game theory is not required. Knowledge of statistics and probability will be useful for both the machine learning and data analysis compoents.


Analysis, Development, and/or Implementation of Cryptographic Protocols

Project Description:
Cryptographic protocols are pervasive on today's Internet, from the SSL protocol used to encrypt credit-card transactions over the web, to the SSH protocol used for secure remote login. Academic protocols with more powerful functionality are also being developed and studied. This project will focus on analyzing cryptographic protocols, with the goal of either designing/analyzing new protocols or finding novel attacks on existing protocols. Work here can range from purely theoretical to low-level hacking; the exact details of the project will be determined based on the interests of the students involved.

Students should have programming experience and mathematical maturity, but no background in cryptography is required.

CS Scholar Responsibilities and Daily Activities:
All CS Scholars will be expected to perform background reading (15%) on previous work and protocol details. Scholars will then spend the majority of their time conducting research (65%). There will also be regular meetings with the faculty advisor (5%), as well as weekly meetings with all the CS Scholars (5%). At the end of the summer, Scholars will prepare their results for presentation and possible publication (10%).


Exploring Power Signatures for Information Forensics and Security

Project Description:
In the modern era, a huge amount of digital information is available in the form of audio, image, video, and other sensor recordings. The integrity as well as time/location stamps of these data can be quite easily tampered.  This project explores Electric Network Frequency (ENF) as an emerging direction to authenticate digital recordings.

ENF is the supply frequency of power distribution networks in a power grid.  The nominal value of the ENF is 60 Hz in the North America; and 50 Hz in most other parts of the world.  ENF value fluctuates from the nominal value due to dynamically varying loads on the power grid.  Digital audio and visual recording devices located near power sources often pick up the ENF signals because of the interference from electromagnetic fields generated by the power sources.  These naturally embedded ENF values thus can serve as a potential time- and location- stamp for digital recordings.

As part of the project, students will be introduced to related signal processing and authentication techniques. Students will create interactive demonstration systems under desktop and mobile platforms such as the Apple's iOS or the Google's Android system. If time permits, students are also encouraged to explore new algorithms and techniques to enhance the authentication performance and/or achieve new forensics/security functionalities.

CS Scholar Responsibilities and Daily Activities:
All CS Scholars will be expected to perform background reading (15%) on forensic techniques using power signatures. All scholars will be trained on using programming and software tools for development in respective desktop or mobile platforms (20%). Scholars will be trained to implement interactive demonstration system (that may involve both software and some hardware aspects) on ENF-based forensics (60%). The scholars will meet at least once a week to compare experiences and identify specific activities for ongoing study (5%). All scholars will compile their results for a presentation and a report, and demonstrate their implemented systems.


Experimental Criminology in Cyberspace: How Does Warning and Surveillance Impact Attackers Behavior?

Project Description
A recent report to the U.S. Senate Committee on Homeland Security and Governmental Affairs emphasizes the need for the development of security protection programs for information technology and control systems that address the real-time environment of cyber attacks. Addressing this challenge, we integrate criminological, statistical and cyber-security knowledge, and propose an experimental research design for studying how system configurations determine the dynamic of a real time computer attack and affect attackers decision making and behavior while in the system.

This project’s goal is to explore how different configurations of warning and surveillance in the target systems affect attackers’ probability to gain control over attacked systems and use the compromised computer for building attacks. The CS Scholars will collect attackers and attacks data using a large set of target computers built for the sole purpose of being attacked. This architecture allows collecting information at the host application and network levels, filtering user traffic from malicious traffic and controlling the target computers from an isolated monitoring network. Once collected, the CS Scholars will analyze data using multilevel logit models with robust standard errors. The CS Scholars will assess the simultaneous effects of attackers attributes and system configurations on the probability to access certain files vs. others, download data into and from the system, and launch attacks.

CS Scholar Responsibilities and Daily Activities:
All CS Scholars will be expected to perform background reading (10%) on security data collection and analysis (especially network and host data and keylogs data) and statistics (especially on multilevel logit models). All Scholars will collect and analyze security data obtained when deploying various surveillance mechanisms (40%). All Scholars will apply statistical models to identify the impact of the deployed surveillance mechanisms (45%). The Scholars will meet at least once a week to compare experiences and identify specific activities for ongoing study (5%). All Scholars will compile their results for a presentation and report publication.


Modeling Vulnerabilities and Exploitability of Software Systems

Project Description
Software defects can implement may unintended conditions and behaviors, and when a defect enables compromise of system security we refer to it as a vulnerability. Security-conscience designers analyze software for vulnerabilities, but exposing defects is difficult since, while a vulnerability is necessary for system compromise, a defect by itself it may not be sufficient. Many vulnerabilities only become exploitable as a result of complex interactions between code, data, configuration, other vulnerabilities, and the actions of legitimate users (either routinely or through the attacker's coercion). The difficulty of modeling these interactions hinders our ability to assess the presence of a vulnerability and rigorously verify that an operational adaptation (such a reconfiguration) might mitigate the effect of the vulnerability.

This project's goal is to develop a method of expressing structured metadata in order to describe various aspects of vulnerabilities, such that the metadata could be used by automated systems which assess vulnerabilities or their mitigations through static or dynamic analysis.

Students should have substantial programming experience and mathematical maturity, but no background in cryptography or security is required.

CS Scholar Responsibilities and Daily Activities:

In this project, scholars will gain expertise in penetration frameworks such as Metasploit and exploit modules. Scholars will have the opportunity to set up vulnerable open-source test applications and become proficient in hacking these applications by exploiting their vulnerabilities. Scholars should become proficient in the use of the test applications in order to discover ways that the vulnerabilities could be mitigated. Scholars will be responsible for coding various types of vulnerability metadata in order to discover which kinds of metadata structures point to the mitigations that were previously discovered.

Students should have substantial programming experience and mathematical maturity, but no background in cryptography or security is required. All CS Scholars will be expected to perform background reading (20%) on previous work and experimental apparatus available to this project. Scholars will then spend the majority of their time conducting research (60%), which, in collaboration with the faculty advisor and his group, will involve crafting and modeling exemplar vulnerabilities within various system configurations. There will also be regular meetings with the faculty advisor (5%), as well as weekly meetings with all the CS Scholars (5%). At the end of the summer, Scholars will prepare their results for presentation and possible publication (10%).

Top of page


Security & Cryptography for Cloud Computing, Measurement of Internet Fraud and Defense Mechanisms

Project Description
While cloud computing has gained increasing popularity, a ubiquitous concern is the privacy of users data in the cloud, as well as the integrity of computation performed by untrusted cloud servers.

In this research project, we will build new cryptographic protocols and software/hardware architectures for cloud computing, offering privacy and integrity by design.

We are also working on understanding various types of frauds on the Internet. In this project, we will also data collection and measurement studies of fraudulent activities on the internet, seek to obtain a better understanding of underground economies, and design appropriate defense mechanisms.

This project combines theory and systems building to design a secure cloud platform which is both practical, and achieves provable guarantees. Students with either a strong theory or systems background are welcome to participate and contribute to the project.

CS Scholar Responsibilities and Daily Activities:
We have multiple research projects in our lab, encompassing theory, programming languages, and software/hardware systems building.

Responsibilities and activities include one or more of the following, depending on the direction the participating student wishes to take:

Depending on the direction the participating students wishes to take, responsibilities and activities include one or more of the following: Build an automated data collection tool for specific types of Internet fraud. The data collector involves website scraping, crowd sourcing, etc.; Analyze collected data to gain intelligence about the underground economy; Design novel cryptographic protocols for cloud computing; Implement modern cryptographic algorithms with applications in cloud computing; Design and implement new software architectures for protecting users' data and computation in the cloud; Design and implement new hardware architectures and attestation protocols for protecting users' data and computation in the cloud; Applications of programming language techniques for securing cloud computing; Discover and implement new attacks that lead to the leakage of sensitive data; Write and publish academic papers.

Top of page


Security Without Downtime Using Dynamic Software Updating

Project Description
Software is imperfect. To fix bugs and adapt software to user demands, developers must modify deployed systems. However, halting a software system to apply updates creates new problems: safety concerns for mission-critical and transportation systems; substantial revenue losses for businesses; maintenance costs; and at the least, inconvenience for users. However, these problems may translate into serious security risks if critical security patches are not applied promptly.

Dynamic software updating (DSU) is a general-purpose mechanism that solves these problems by updating programs while they run. The research community has shown that general-purpose DSU is feasible: systems that support dynamic upgrades to running C, C++, and Java programs have been applied to dozens of realistic applications, tracking changes according to those applications’ release histories. Concurrently, industry has begun to package DSU support into commercial products, such as Ksplice (recently acquired by Oracle) and JavaRebel.

This project will involve students in the development of robust dynamic software updating frameworks for C/C++ and Java programs. Subproject (1) would be to develop a framework for "dynamic update as a service" in support of applying remote updates to update-enabled programs. Subproject (2) would be to aid in the development of Kitsune, which is a dynamic updating system for C/C++ programs. Background on Kitsune can be found at www.cs.umd.edu/~mwh/papers/hayden11kitsune.html. Project (3) is to develop generic support for piggybacking computations on top of the garbage collector in support of dynamic updating for Java. A special-purpose instance of this technique was used for the Jvolve dynamic updating system; see www.cs.umd.edu/~mwh/papers/subramanian09jvolve.html.

CS Scholar Responsibilities and Daily Activities
All CS Scholars will be expected to perform background reading on dynamic software updating, including the papers linked above along with some others.

Student(s) working on project (1) would develop an infrastructure to permit deployment of updates in a secure fashion over the network to the running system. This system would have to take into account the architecture and OS to ensure the right code is applied, and include encryption and access control services to prevent unauthorized updates. This service should support Kitsune and other dynamic updating systems, such as Jvolve. The student(s) will have ownership over the design and implementation of this system, in collaboration with the project leads.

For project (2) students would develop dynamic updates using Kitsune on a various of high-availability applications, such as the snort intrusion detection system, and the quagga router infrastructure. Each scholar will identify a target application (such as one of the ones mentioned above) and a set of releases to it up to the present release; develop code to make these applications updatable; and then evaluate the correctness and effectiveness of the result. The goal is to push the limits of the technology to see where it breaks, and then work with the researchers to improve the infrastructure to adapt, making it better performant and easier to use. Finally, the last step is to work to get one of these modified applications into the Ubuntu or Debian distributions to promote wider adoption. For this project, good knowledge of C/C++ is a must, including knowledge of multi-threaded programming; at least some knowledge of the Ocaml programming language is preferred.

For project (3) students will develop a generic approach to extending a Java garbage collector to perform additional computation while it does its work. The starting point will be the GC assertions infrastructure (see Using the Garbage Collector to Check Heap Properties [pdf]), but instead of just permitting computations to read from heap objects, code is able to modify the heap as well. This functionality will be used to update the heap to support new code/data for the dynamic update. In addition, Java classloading will be used to bring in new code. For this project, students must have a strong knowledge of Java, including dynamic classloading; knowledge of garbage collection is preferred by not required. Students will be expected to understand the existing GC assertions infrastructure and adapt it. Then they will develop classloaders to perform dynamic updates of code, and orchestrate them with the GC changes. Each scholar will identify a target application (can be simple) and a set of releases to it up to the present release; develop code to make these applications updatable; and then evaluate the correctness and effectiveness of the result.

All Scholars will meet at least once a week to compare experiences and identify specific activities for ongoing study. All Scholars will compile their results for a presentation and report publication.

Top of page