ISR

It is essentially impossible to build modern software without extensive supply chains. Supply chains decrease development risk, but typically at the cost of increased security risk. In particular, it is often difficult to trust or verify that a component contains no unwanted behaviors, vulnerabilities, or malicious code that may harm an application or its users.

Sandboxes provide relief by encapsulating a component and imposing a security policy on it. Instead of trusting or verifying the component, we must trust or verify the relatively simple sandbox. Given this appealing prospect, researchers have spent decades developing new sandboxes. However, sandboxes are rarely used in practice. What is hampering adoption? This thesis advances our understanding of and overcomes some barriers to adoption.

We begin by systematically analyzing a decade of sandboxing research from relevant top-tier conferences. This work uncovers our first two challenges: sandbox researchers often (1) use relatively subjective validation techniques and (2) ignore usability.

We then focus on the Java sandbox to empirically study its use within the open source community. We find unnecessary complexity in the sandbox that has promoted a thriving exploit landscape. We develop run time monitors for the Java Virtual Machine (JVM) that disable these complexity points, stopping sandbox escaping exploits without breaking compatibility with benign applications. However, we found no cases where the sandbox was successfully used for security purposes, which motivated us to overcome necessary complexity via tooling. Our tools help users derive and refine a security policy and impose it on targeted Java application components.

Finally, we observe vulnerability-inducing design and implementation complexity in adopted sandboxes, and thus develop and evaluate a sandboxing technique that leverages cloud computing environments to execute untrusted computations. Any malicious outcomes produced by the computations are contained by ephemeral virtual machines.

We evaluate our tools and sandbox in a series of case studies that investigate hard-to-sandbox cases in collaboration with industrial partners.

Thesis Committee:
Jonathan Aldrich (Co-chair)
William L. Scherlis (Co-chair)
Lujo Bauer (ECE/ISR)
Bruno Amizic (The Boeing Company)

Copy of Thesis Document

With the emergence of the Internet of Things and a data-centric economy, where a growing number of products, services and business processes rely on the collection and processing of user data, people are increasingly confronted with an unmanageable number of privacy decisions. What is needed is a new, more scalable paradigm that empowers them to regain control over their data. Over the past ten years, my group at CMU has been working towards the development of personalized privacy assistants. To be effective, these assistants will have to be capable of incrementally learning the privacy preferences of their users,  semi-automatically configure many privacy settings on their behalf and generally alert their users about privacy practices they may not be expecting. These assistants will have to be minimally disruptive, limiting their interactions with us to the bare minimum, yet knowing enough about us to make many decisions on our behalf.

Through these very selective interactions, they will alert us about practices we may not feel comfortable with, confirm privacy settings they are not sure how to configure, refine models of our preferences, and occasionally nudge us to carefully (re)consider the implications of some of our  privacy decisions. 

As part of this presentation, I will summarize our progress in this area, focusing in particular on a series of pilot studies conducted to evaluate personalized privacy assistant functionality developed to help smartphone users manage their mobile app privacy settings. I will also review some of the ethical and business challenges that the development of this type of technology needs to consider.

Norman Sadeh is a Professor in the School of Computer Science at Carnegie Mellon University. His research interests span mobile and pervasive computing, cybersecurity and privacy, human computer interaction, machine learning and personal assistants. Norman is director of the School of Computer Science’s Mobile Commerce Lab and also co-founder and co-director of the School of Computer Science’s Master’s Program in Privacy Engineering. He also co-founded and served as co-director of the School’s PhD Program in Societal Computing during its first ten years. 

Dr. Sadeh is also co-founder, chairman and chief scientist of Wombat Security Technologies, a CMU spinoff that sells a unique suite of cybersecurity training products and anti-phishing filtering technologies. Norman has been on the faculty at Carnegie Mellon since 1991 and is also well-known for his work on the livehoods project as well as earlier work in scheduling, constraint satisfaction and constrained optimization, supply chain management and Semantic Web technologies. In the late nineties, he served as Chief Scientist of the European Union’s $600M e-Work and e-Commerce program, which at the time included all pan-European research in cyber security and online privacy. 

Norman received his PhD in computer science from Carnegie Mellon University, an MSc, also in computer science, from the University of Southern California, and a BS/MSc in Electrical Engineering and Applied Physics from Brussels Free University.

We need better tools for C, such as source browsers, bug finders, and automated refactorings. The problem is that large C systems such as Linux are software product lines, containing thousands of configuration variables controlling every aspect of the software from architecture features to file systems and drivers. The challenge for software tools is to analyze all configurations of the source code without succumbing to exponential explosion due to variability.

Bug-finding is one area where such capability is useful. Even trivial bugs like linker errors become hard to find when they only appear in certain configurations, because testing each configuration one-at-a-time is infeasible. Previous work shows that such variability bugs do appear in the Linux kernel source but, lacking automated tools, finds them by examining patches to the source. To support variability-aware tools, we focus on two key subproblems, parsing and the build system, and show how these components work together to enable a simple variability-aware bug-finder for linker errors.

A configuration-preserving preprocessor and parser called SuperC collects all function calls and definitions along with their conditions. Then, a configuration-preserving Makefile evaluator called Kmax collects all compilation units and their conditions. To find linker errors, a boolean expression representing the potential linker error is constructed for each function call. The expression combines the conditions at the definition site and its compilation unit, the call site and its compilation unit, and the Linux feature model. A SAT solver then determines whether a linker error exists in any configuration. Evaluation shows that known bugs can be found and that the finder scales across the entire Linux kernel source code.

Paul Gazillo is currently a post-doctoral associate at Yale university where I research static analyses to find complexity attacks on software. I received my PhD from New York University December 2015, where my research focused on enabling software tools for C programs in the presence of the C preprocessor and variability. Before beginning the PhD, I was a research data analyst for Educational Testing Service.

Cyber-Physical Systems (CPS) are software-controlled systems that have complex interactions with the physical world. Many CPS, such as autonomous drones and self-driving cars, are becoming increasingly more embedded in our society, and therefore safety-critical and demanding of rigorous quality assurance. To this end, CPS engineering relies on modeling methods from diverse scientific and engineering fields, for example control theory and real-time scheduling. Diverse modeling methods are difficult to combine with each other due to their complexity and heterogeneity. Inconsistencies between models and analyses that come from different modeling methods often lead to implicit design errors, which subsequently can cause critical CPS failures with loss of lives and substantial material resources.

To detect and prevent inconsistencies between CPS modeling methods, this thesis investigates an improved architectural approach to integration of CPS modeling methods. This approach relies on architectural views (annotated component-and-connector models) to abstract out and check integration-relevant information from detailed models (e.g., hybrid programs). On top of these views I introduce a novel integration perspective based analyses -- algorithms and procedures that interpret and augment models. For each analysis I propose to specify a contract that captures inputs, outputs, assumptions and guarantees of the analysis in terms of view elements. A particularly challenging task is creating a language to express assumptions, guarantees, and consistency statements over heterogeneous models and views. This language needs to strike a balance between expressiveness and decidability to be effective in the CPS context.

The conceptual advances of this thesis enable a new level of automation for CPS modeling method integration. I will implement these advances in a toolset that will support automated model-view synchronization, analysis execution, and verification of semantic consistency between models. This toolset will serve as a means of evaluating the proposed integration approach in case studies of realistic CPS systems, such as autonomous spacecraft and collaborative robots. I will validate claims about correctness, effectiveness, and generality of my approach.

Thesis Committee:
David Garlan (Chair, ISR)
André Platzer (CSD CMU)
Bruce Krogh (ECE CMU)
Dionisio de Niz (Software Engineering Institute, CMU)
John Day (Jet Propulsion Laboratory/NASA)

Copy of Proposal Document

Solving the expression problem requires a language or system to allow one to add new variants to a datatype as well as new operations over it while ensuring strong static type safety without re-compiling the existing implementation.  The independently-extensible version goes a step further to require that these extensions can be added in any order.  In extensible languages this amounts to adding new (abstract) syntax to a language and new semantic analyses or translations to it.  Attribute grammars solve these versions of the expression problem, but with forwarding and a modular well-definedness analysis they also solve a version that requires that no 'glue' code need be written to combine the various extensions.  This means that the composition can always be done safely and automatically.  Using these techniques we have built ableC, an extensible language framework for C in which non-export programmers can select the language extensions that best fit their task at hand with the confidence that the supporting tools can generate a working compiler for their custom language.

Eric Van Wyk's research focuses on programming languages, in particular extensible programming languages and compilers, applications of temporal logic, and algebraic compilers. In 2005 he was awarded a McKnight Land-Grant Professorship and the National Science Foundation's CAREER award in 2004.

He has authored or co-authored more than 25 publications, including journal and conference papers, articles and technical reports. Van Wyk has developed various software packages including the Silver attribute grammar specification and evaluation system, extensible specifications of Java 1.4 and ANSI C written in Silver, and various domain-specific language extensions for these Java and C specifications. He is a member of ACM, ACM SIGPLAN, IEEE, the IEEE Computer Society, and is involved in numerous conference committees. Van Wyk also does outreach, serving as a member of the St. Louis Park High School School Business and Information Technology Advisory Board.

Faculty Host: Jonathan Aldrich

Structured probabilistic inference has shown to be useful in modeling complex latent structures of data. One successful way in which this technique has been applied is in the discovery of latent topical structures of text data, which is usually referred to as topic modeling. With the recent popularity of mobile devices and social networking, we can now easily acquire text data attached to meta information, such as geo-spatial coordinates and time stamps. This metadata can provide rich and accurate information that is helpful in answering many research questions related to spatial and temporal reasoning. However, such data must be treated differently from text data. For example, spatial data is usually organized in terms of a two dimensional region while temporal information can exhibit periodicities. While some work existing in the topic modeling community that utilizes some of the meta information, these models largely focused on incorporating metadata into text analysis, rather than providing models that make full use of the joint distribution of meta-information and text. 

In this thesis, I propose the event detection problem, which is a multi-dimensional latent clustering problem on spatial, temporal and textual data. The event detection problem can be treated as a generalization of the topic modeling problem where events can be considered as topics that are augmented by location and time. Preliminary models can effectively learn the representations of major events covered in a corpus of Twitter data and can also be used for various prediction tasks such as predicting the spatial coordinates, time stamps of the documents as well as estimating life cycles of new born events. 

The approaches proposed in this thesis are largely based on Bayesian non-parametric methods to deal with steaming data and unpredictable number of data clusters. The research proposed will not only serve the event detection problem itself but also shed light into a more general structured clustering problem in spatial, temporal and textual data.

Thesis Committee:
Kathleen M. Carley (Chair)
Huan Liu (School of Computing, Informatics, & Decision Systems Engineering, Arizona State University)
Tom Mitchell (Machine Learning/CMU)
Alexander J. Smola (Machine Learning/CMU)

Copy of Proposal Document

Software development environments are increasingly integrating social media features that allow transparency of software projects and developers by making visible all work-related activity that software developers can use to enhance their work. Developers in these environments often choose to interact with other projects or developers, whether through forming dependencies, learning from an expert, or evaluating code contributions. Transparency can inform these decisions by allowing interested developers to see an entire network of information, such as all the developers that work on a particular project and their prior development history. With this promise of staying aware and interacting with an ecosystem of potentially millions of projects and developers comes the peril of consuming overwhelming amounts of mostly noisy information generated by the broadcast development activity of these projects and developers. However, by identifying what information developers need to be aware of in transparent environments, there is the opportunity to inform new practices and tools that assist developers in their tasks by only displaying information that is most relevant for the current task.

My dissertation work is to identify signals that developers make use of during tasks in transparent development environments and to use this knowledge to create tools that assist developers in performing these tasks. When developers are evaluating contributions, they make use of technical signals from the contribution and social signals from the submitter such as social connections and prior interaction on the project. Developers solving problems through discussion on contributions use signals such as the political influence of the community and how new the submitter is to inform decisions such as the scope of implemented solutions and the necessary amount of etiquette in a response. When deciding to use or participate in a project, developers make inferences about working dynamics, personal utility, and the project’s community. I propose the development of a tool that uses signals to assist developers in finding and evaluating projects in transparent development environments. Depending on the user’s current task, the tool should visualize different relevant project-related signals to assist the developer in evaluating projects. For example, a user looking to find a project to form a dependency with will see signals for a project’s maturity while a user looking to find a project to learn from might see signals for popularity. The development of this tool will occur in 2 phases: 1) enhanced project summary and 2) personalized project search. The enhanced project summary phase augments potential projects with additional signals that assist the user in evaluating and selecting projects. The personalized project search phase uses information about the user and potential projects to select only relevant projects for the particular user to evaluate.

Thesis Committee:
James Herbsleb (Co-chair)
Laura Dabbish (Co-chair)
Claire Le Goues
André van der Hoek (University of California, Irvine)

Copy of Proposal Document

Online privacy notices are supposed to act as the primary mechanism to inform users about the data practices of online services. In practice, users ignore notices as they are too long and complex to read. Instead, users rely on expectations to determine which sites they feel comfortable interacting with. Mismatches between actual practices and users’ expectations may result in users exposing themselves to unanticipated privacy risks. One approach for mitigating these risks is to highlight elements of privacy notices that users do not likely expect.

I propose to simplify privacy notices by understanding mismatches between users’ privacy expectations regarding data practices of online services and actual data practices of online services. I present an approach for identifying such mismatches. I distinguish between two types of privacy expectations: subjective expectation (“desire” or “should”) and objective expectation (“likelihood” or “will”). I identify different types of mismatches that result from each expectation type and investigate their impact on users’ privacy. I study how expectations and mismatches vary by contextual factors and user characteristics. Based on the understanding gained from studying expectations and mismatches, I design and test simplified privacy notices. I show that such simplified notices can be shorter and easier to comprehend for users.

Thesis Committee:
Norman Sadeh (Chair)
Alessandro Acquisti (Heinz College)
James Herbsleb
Joel Reidenberg (School of Law, Fordham University)
Florian Schaub

Software bugs and ineffective testing cost the US economy tens of billions of dollars each year.  Performance bugs are programming mistakes that slow down program execution.  Performance bugs affect the user-perceived software quality, degrade application responsiveness, and lower system throughput. In addition to impacting everyday software usage, performance bugs have also created high profile incidents, e.g., brought down the Wikipedia and Facebook servers. In this talk I will present my recent work on understanding, detecting, and fixing performance bugs.  I will first discuss Caramel, a static analysis technique that detects and fixes performance bugs that have non-intrusive fixes.  I will then discuss Toddler, a dynamic analysis technique that detects a different class of performance bugs than Caramel. The idea in Caramel and Toddler is to identify code and execution patterns that are indicative of common programming mistakes affecting performance.

I will also briefly present several other of my projects on performance, concurrency, and mobile bugs.  Caramel and Toddler found over 190 new performance bugs in widely used Java (Ant, Lucene, Google Core Libraries, Groovy, Tomcat, etc.) and C/C++ applications (GCC, Google Chrome, Mozilla, MySQL).  140 of these bugs have already been fixed by developers based on our reports.

Adrian Nistor is an Assistant Professor of Computer Science in the Schmid College of Science and Technology at Chapman University. He joined Chapman in August 2014. Adrian received his PhD from the Department of Computer Science at the University of Illinois, Urbana-Champaign in May 2014. Adrian's research interests are in software engineering, with a focus on detecting, repairing, and preventing bugs in real-world applications.

His current research projects investigate performance bugs and concurrency bugs. His techniques found more than 150 previously unknown bugs in widely used software, e.g., Google Chrome, Mozilla, Google Core Libraries, GCC, MySQL, Ant, Lucene, Groovy, Tomcat, JUnit, JMeter, Log4J, Struts, etc. More than 100 of these bugs are already fixed by developers. Adrian's research includes empirical and analytical work, static and dynamic techniques, and bugs from various application types---client, server, mobile, and scientific applications. His Caramel paper won an ACM SIGSOFT Distinguished Paper award at ICSE 2015. He received an NSF grant to investigate performance bugs that have non-intrusive fixes.

Faculty Host: Claire Le Goues

Pages

Subscribe to ISR