Evil hypervisors can work out what apps are running, extract data from encrypted guests “In a paper [PDF] presented Tuesday at the ACM Asia Conference on Computer and Communications Security in Auckland, New Zealand, computer scientists Jan Werner (UNC Chapel Hill), Joshua Mason (University of Illinois), Manos Antonakakis (Georgia Tech), Michalis Polychronakis (Stony Brook University), and Fabian Monrose (UNC Chapel …

Work Prof. Amir Rahmati and his students used in their 2018 CVPR paper “Robust Physical-World Attacks on Deep Learning Visual Classification” is now on display at London Science Museum as part of of a special exhibition on autonomous driving! https://www.sciencemuseum.org.uk/see-and-do/driverless-who-is-in-control

Thang Bui, Scott D. Stoller, and Jiajie Li, Greedy and Evolutionary Algorithms for Mining Relationship-Based Access Control Policies. Computers & Security, 80:317-333, January 2019. Thang Bui, Scott D. Stoller, and Jiajie Li, Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data. In Proceedings of the 11th International Symposium on Foundations & Practice of Security (FPS 2018), volume 11358 of …

ICBots: Tools and Techniques for Detecting Web Botshttps://ara.amazon-ml.com/recipients/#2018

That Virus Alert on Your Computer? Scammers in India May Be Behind It:

ConcurORAM: High-Throughput Stateless Parallel Multi-Client ORAM Anrin Chakraborti and Radu Sion (Stony Brook University) Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation Panagiotis Papadopoulos (FORTH-ICS, Greece); Panagiotis Ilia (FORTH-ICS); Michalis Polychronakis (Stony Brook University, USA); Evangelos Markatos, Sotiris Ioannidis, and Giorgos Vasiliadis (FORTH-ICS, Greece) Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support …

We are #16 in the world, in terms of numbers of papers published in security! http://s3.eurecom.fr/~balzarot/notes/top4_2018/affiliations.html

Tyche: A new permission model to defend against smart home hacks With the use of many integrated smart devices, an app-driven home environment is now a reality. But this young technology faces many new challenges, in particular, how users grant apps permissions to operations on devices. Prompting user for permission to every individual operation can cause usability issues (too many …

We’re hiring in security and systems. Apply now! https://www.cs.stonybrook.edu/about-us/career/facultypositions https://hiring.cs.stonybrook.edu/

“Robust Physical-World Attacks on Deep Learning Models”, Ivan Evtimov, Kevin Eykholt, Earlence Fernandes, Tadayoshi Kohno, Bo Li, Atul Prakash, Amir Rahmati, Dawn Song (alphabetical order) (arXiv:1707.08945) [IEEE Spectrum] http://spectrum.ieee.org/cars-that-think/transportation/sensors/slight-street-sign-modifications-can-fool-machine-learning-algorithms [Yahoo News] https://sg.news.yahoo.com/researchers-demonstrate-limits-driverless-car-technology-151138885.html [Wired] https://www.wired.com/story/security-news-august-5-2017 [Engagdet] https://www.engadget.com/2017/08/06/altered-street-signs-confuse-self-driving-cars/ [Telegraph] http://www.telegraph.co.uk/technology/2017/08/07/graffiti-road-signs-could-trick-driverless-cars-driving-dangerously/ [Car and Driver] http://blog.caranddriver.com/researchers-find-a-malicious-way-to-meddle-with-autonomous-cars/ [CNET] https://www.cnet.com/roadshow/news/it-is-surprisingly-easy-to-bamboozle-a-self-driving-car/ [Digital Trends] https://www.digitaltrends.com/cars/self-driving-cars-confuse-stickers-signs/ [SCMagazine] https://www.scmagazine.com/subtle-manipulation-of-street-signs-can-fool-self-driving-cars-researchers-report/article/680146/ [Schneier on Security] Confusing Self-Driving Cars by Altering Road Signs [Ars …

“Decentralized Action Integrity for Trigger-Action IoT Platforms”, Earlence Fernandes, Amir Rahmati, Jaeyeon Jung, Atul Prakash, In Proceedings of the 22nd Network and Distributed System Security Symposium (NDSS’18). San Diego, CA, February 2018. “Heimdall: A Privacy-Respecting Implicit Preference Col lection Framework”, Amir Rahmati, Earlence Fernandes, Kevin Eykholt, Xinheng Chen, Atul Prakash, In the 15th ACM International Conference on Mobile Systems, Applications, …

Protecting COTS Binaries from Disclosure-guided Code Reuse Attacks Mingwei Zhang, Michalis Polychronakis, and R. Sekar. In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC). December 2017, Orlando, FL. Compiler-assisted Code Randomization Hyungjoon Koo, Yaohui Chen, Long Lu, Vasileios P. Kemerlis and Michalis Polychronakis. To appear in Proceedings of the 39th IEEE Symposium on Security & Privacy (S&P). May …

Thang Bui, Scott D. Stoller, and Shikhar Sharma. Fast Distributed Evaluation of Stateful Attribute-Based Access Control Policies. In Proceedings of the 31st Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec 2017). Lecture Notes in Computer Science. Springer-Verlag, 2017 Scott D. Stoller and Thang Bui. Mining Hierarchical Temporal Roles with Multiple Metrics. Journal of Computer …

Incremental Program Obfuscation Sanjam Garg, Omkant Pandey CRYPTO 17 A New Approach To Black-Box Concurrent Secure Computation Sanjam Garg, Susumu Kiyoshima, Omkant Pandey EUROCRYPT 18

Panning for gold.com: Understanding the dynamics of domain dropcatching, Najmeh Miramirkhani, Timothy Barron, Michael Ferdman, and Nick Nikiforakis to appear in the Web Conference (WWW), 2018 Abstract An event that is rarely considered by technical users and laymen alike is that of a domain name expiration. The massive growth in the registration of domain names is followed by daily, equally …

https://www.cs.stonybrook.edu/about-us/News/Trifecta-PragSec-Lab-Three-papers-accepted-ACM-security-conference In their first paper titled Hindsight: Understanding the Evolution of UI Vulnerabilities in Mobile Browsers doctoral researchers Meng Luo and Oleksii Starov, guided by Assistant Professor Nima Honarmand and Nikiforakis, present their work on the first browser-agnostic framework for assessing the vulnerability of modern mobile browsers. By analyzing thousands of mobile browsers and exposing them to tens of thousands …

The latest software development practices can turn out new programs and products in record time. However, with enhanced speed and convenience come “code bloat,” creating a larger attack surface with a proliferation of security vulnerabilities, just waiting for hackers. Recent advances in software development often result in the need for constant system updates or bug fixes. Failure to implement these …

Rethinking Mobile Security in the New Age of App-as-a-Platform Sponsor: National Science Foundation Amount: $500,543 https://www.nsf.gov/awardsearch/showAward?AWD_ID=1652205 Congrats Long!

“Mining Relationship-Based Access Control Policies.” By Thang Bui (Ph.D. student), Scott D. Stoller (professor), and Jiajie Li (undergraduate). In 22nd ACM Symposium on Access Control Models and Technologies (SACMAT 2017), Indianapolis, June 2017.

Extended Tracking Powers: Measuring the Privacy Diffusion Enabled by Browser Extensions, Oleksii Starov and Nick Nikiforakis Proceedings of the 26th International World Wide Web Conference (WWW), 2017 What’s in a Name? Understanding Profile Name Reuse on Twitter, Enrico Mariconti, Jeremiah Onaolapo, Sharique Ahmad, Nicolas Nikiforou, Manuel Egele, Nick Nikiforakis and Gianluca Stringhini Proceedings of the 26th International World Wide Web …

Revisiting Browser Security in the Modern Era: New Data-only Attacks and Defenses Roman Rogowski, Micah Morton, Forrest Li, Kevin Z. Snow, Fabian Monrose, and Michalis Polychronakis. In Proceedings of the 2nd IEEE European Symposium on Security & Privacy (S&P). April 2017, Paris, France Anrin Chakraborti, Chen Chen, Radu Sion, “DataLair: Efficient Block Storage with Plausible Deniability against Multi-Snapshot Adversaries”, Privacy …

Listen to ‘Tech Support’ Scam Calls That Bilk Victims Out of Millions https://www.wired.com/2017/03/listen-tech-support-scam-calls-bilk-millions-victims/

Sanjam Garg, Susumu Kiyoshima, Omkant Pandey On the Exact Round Complexity of Self-Composable Two-Party Computation EUROCRYPT 2017 Sanjam Garg, Omkant Pandey, Akshayaram Srinivasan, Mark Zhandry Breaking the Sub-Exponential Barrier in Obfustopia EUROCRYPT 2017

Najmeh Miramirkhani, Oleksii Starov, and Nick Nikiforakis, Dial One for Scam: A Large-Scale Analysis of Technical Support Scams After more than one year of work and 3 rejections, getting the Distinguished Paper Award at #NDSS2017 feels nothing short of incredible… pic.twitter.com/oPPPGKHb1w — Nick Nikiforakis (@nicknikiforakis) March 1, 2017

Norax: Enabling Execute-Only Memory for COTS Binaries on AArch64 Yaohui Chen, Dongli Zhang, Ruowen Wang, Ahmed Azab, Long Lu, Hayawardh Vijayakumar, Wenbo Shen XHOUND: Quantifying the Fingerprintability of Browser Extensions, Oleksii Starov and Nick Nikiforakis to appear in the 38th IEEE Symposium on Security and Privacy (IEEE S&P), 2017 Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts, Najmeh Miramirkhani, …

Congratulations Michalis! http://www.dimva.org/dimva2017/

nycryptoday: Crypto is the deadliest Espresso. https://nycryptoday.wordpress.com/

Professor Scott Stoller and Ph.D. student Thang Bui received the Best Paper Award from the 30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec 2016) in July 2016, for their paper on “Mining Hierarchical Temporal Roles with Multiple Metrics”. Role mining algorithms have potential to significantly reduce the cost of migration from low-level legacy …

Nick is one of the organizers of a Dagstuhl workshop on online privacy and web transparency (https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=17162) Nick is the PC co-chair for eCrime 2017. Michalis is the publication chair for RAID 2017. Nick is the publicity chair for RAID 2017.

PrivacyMeter: Real-time Privacy Quantification for the Web http://www.datatransparencylab.org/grantees2016.html The modern web is home to many online services that request and handle sensitive private information from their users. Previous research has shown how websites may leak user information, either due to poor programming practices, or through the intentional outsourcing of functionality to third-party service. Despite the magnitude of this problem, users …

Professor Omkant Pandey, along with his co-authors Vipul Goyal, Amit Sahai, and Brent Waters, have won the 2016 ACM CCS Test-of-Time Award (Association for Computing Machinery; Computer and Communications Security) for their work on attribute based data encryption. Their paper, Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data, was one of two selected for the prestigious award. “The Test-of-Time …

Cyber Day brings together experts in cyber security with the greater Stony Brook academic community for an inter-disciplinary dialogue on security and privacy in our digital lives. Join us, present your work, mingle, listen to the talks, or come just for the scenery! https://nationalsecurityinstitute.org/cyberday

TITLE TWC: Small: Emerging Attacks Against the Mobile Web and Novel Proxy Technologies for Their Containment INVESTIGATORS Nick Nikiforakis (Principal Investigator) Nima Honarmand (Co-Principal Investigator) ABSTRACT Users entrust their mobile devices with sensitive data, including business emails, as well as health and financial information. Thus, mobile devices have become an increasingly popular target for attackers. Mobile devices house powerful browsers …

TITLE TWC: Small: Combating Environment-aware Malware INVESTIGATORS Michalis Polychronakis (Principal Investigator) Nick Nikiforakis (Co-Principal Investigator) ABSTRACT Tools for dynamic detection of malicious software (“malware”), such as antivirus software, often create a protected “analysis environment” (or “sandbox”) in which to test suspicious software without risk to the computer system. Malware authors have responded by developing environment-awareness techniques, to enable their malware …

TITLE Early Detection of User-impersonating Attackers using Multilayer Tripwires PI: Nick Nikiforakis, co-PI: Erez Zadok, Sponsor: Office of Naval Research.

Radu Sion talks to InnovateLI about NSI: http://www.innovateli.com/a-findamental-approach-to-national-security/

http://www.theregister.co.uk/2015/10/08/cloudpiercer_tool_lifts_ddos_protection_cloak_from_70_percent_of_sites/ http://www.techrepublic.com/article/ddos-mitigation-may-leave-your-site-even-more-vulnerable/ http://www.scmagazineuk.com/cloudpiercer-tool-discloses-ddos-defence-providers/article/444000/ http://www.wired.com/2015/04/app-hides-secret-messages-starcraft-style-games/ http://www.scmp.com/tech/apps-gaming/article/1775587/anti-censorship-technology-uses-online-video-games-bypass-chinese http://www.cnn.com/2015/10/25/asia/china-war-internet-great-firewall/

No Honor Among Thieves: A Large-Scale Analysis of Malicious Web Shells, Oleksii Starov, Johannes Dahse, Syed Sharique Ahmad, Thorsten Holz, Nick Nikiforakis to appear in the Proceedings of the 25th International World Wide Web Conference (WWW), 2016 It’s Free for a Reason: Exploring the Ecosystem of Free Live Streaming Services, Zubair Rafique, Tom Van Goethem, Wouter Joosen, Christophe Huygens, Nick …

Castle: A Video Game-based Covert Channel Abstract: The Internet has become a critical communication infrastructure for citizens to organize protests and express dissatisfaction with their governments. This fact has not gone unnoticed, with governments clamping down on this medium via censorship, and circumvention researchers working tirelessly to stay one step ahead. In this paper, we explore a promising new avenue …

TITLE MALDIVES: Developing a Comprehensive Understanding of Malware Delivery Mechanisms ABSTRACT The cybercriminal community is inarguably more organized, better resourced and more motivated than ever to perpetrate massive-scale computer infections across the Internet. The malware distribution systems that they control and operate are characterized by their use of highly specialized suppliers and commoditized malware services. As a consequence of this …

TITLE TWC: TTP Option: Large: Collaborative: Towards a Science of Censorship Resistance ABSTRACT The proliferation and increasing sophistication of censorship warrants continuing efforts to develop tools to evade it. Yet, designing effective mechanisms for censorship resistance ultimately depends on accurate models of the capabilities of censors, as well as how those capabilities will likely evolve. In contrast to more established …

According to the NSF, we are among the largest recipients of awards from the National Science Foundation’s SaTC program in 2015.

================================================= Nick got 3 papers into CCS 2015. Congrats Nick! “The Clock is Still Ticking: Timing Attacks in the Modern Web”, Tom Van Goethem, Wouter Joosen, Nick Nikiforakis “Maneuvering Around Clouds: Bypassing Cloud-based Security Providers”, Thomas Vissers, Tom Van Goethem, Wouter Joosen, Nick Nikiforakis “Drops for Stuff: An Analysis of Reshipping Mule Scams”, Shuang Hao, Kevin Borgolte, Nick Nikiforakis, Gianluca …

Title: MARPLE: Mitigating APT damage by Reasoning with Provenance in Large Enterprise networks Agency: DARPA (BAA: Transparent Computing) Collaborators: IBM, UIC, Northwestern SBU PIs: Akoglu, Stoller, Sekar SBU amount: 1.2M

TITLE Algorithm Diversity for Resilent Systems PIs Scott Stoller, Annie Liu ABSTRACT In cyberspace, as in many other domains, diversity provides resilience and is a robust defense against attacks. Many ways of varying computer programs have been proposed to produce diversity from a given initial program. However, these techniques do not vary the core or essence of a program—the algorithms …

TITLE Developing a Comprehensive Understanding of Malware Delivery Mechanisms PIs Long Lu in collaboration with SRI and UIC ABSTRACT The cybercriminal community is inarguably more organized, better resourced and more motivated than ever to perpetrate massive-scale computer infections across the Internet. The malware distribution systems that they control and operate are characterized by their use of highly specialized suppliers and …

Phillipa Gill received $65k from the Comcast Tech Fund to study Detecting and Characterizing Internet Trac Interception Based on BGP Hijacking.

Nick Nikiforakis and Long Lu received $500k from NSF to study Cross-application and Cross-platform Tracking of Web Users: Techniques and Countermeasures. ABSTRACT The ability to track users and their online habits is essential to many online businesses, in particular, the advertisement industry. However, when pursued too aggressively, it intrudes on user privacy and even leads to online crimes. Recent research …

Nick Nikiforakis receives $67k from Cyber Research Institute to study Tools and Techniques for Understanding and Detecting Technical Support Scams. ABSTRACT One of the most recent and understudied social engineering attacks targeting every day web users are technical support scams. In a technical support scam, potential victims are contacted by scammers who pose as technicians from large software companies. The …

TITLE Enabling Secure and Trustworthy Compartments in Mobile Applications ABSTRACT Society’s dependence on mobile technologies rapidly increases as we entrust mobile applications with more and more private information and capabilities. Existing security research follows a common threat model that treats apps as monolithic entities and only captures attack surface between apps. However, recent research reveals that app internal attacks are …

TITLE Practical Plausibly Deniable Encryption through Low-Level Storage Device Behavior PIs Don Porter and Radu Sion, Stony Brook Dan Tsafrir, Technion ABSTRACT This project leverages low-level characteristics of flash and other emergent persistent memories to hide data with plausible deniability, improving performance and capacity over the state of the art. Plausibly deniable encryption is the ability to hide that a …

TITLE Sensorprint: Hardware-Enforced Information Authentication for Mobile Systems PIs Radu Sion, Stony Brook Bogdan Carbunar, FIU ABSTRACT Today’s societies are intrinsically and inextricably fused through a vast set of technology-driven networks, mostly mobile-based. Individuals equipped with feature-rich mobile devices effectively become the real-time eyes of the rest of the world, providing invaluable insights into remote, hard to access sites and …

Congrats Leman! Stay tuned for more info 🙂

TITLE TWC: TTP Option: Small: Collaborative: Detecting and Characterizing Internet Traffic Interception Based on BGP Hijacking ABSTRACT Recent reports have highlighted incidents of massive Internet traffic interception executed by re-routing Border Gateway Protocol (BGP) paths across the globe (affecting banks, governments, entire network service providers, etc.). The potential impact of these attacks can range from massive eavesdropping to identity-spoofing or …

TITLE TWC: Small: Towards Trustworthy Access Control Policies ABSTRACT Getting access control policies right is challenging, especially in large organizations. This project is developing techniques and tools to support efficient and trustworthy administration of Attribute-Based Access Control (ABAC) policies. ABAC is a flexible, high-level, and increasingly popular security policy framework. ABAC promises long-term cost savings through reduced administrative effort, but …

Achieving Regulatory Compliance in Data Management Sumeet Vijay Bajaj 11:15am CSE2311 Regulations mandate consistent procedures for information access, processing, and storage. In the United States alone, over 10,000 data management regulations exist in the financial, life sciences, health care and government sectors. A recurrent theme in data management regulations is the need for regulatory compliant storage to ensure data confidentiality, …

III: Medium: Collaborative Research: Collective Opinion Fraud Detection: Identifying and Integrating Cues from Language, Behavior, and Networks Given user reviews on Web sites such as Yelp, Amazon, and TripAdvisor, which ones should one trust? Online reviews have become an important resource for public opinion sharing. They influence our decisions over an extremely wide spectrum of daily and professional activities: e.g., …

Click here for more details.

Enabling Secure and Trustworthy Compartments in Mobile Applications Society’s dependence on mobile technologies rapidly increases as we entrust mobile applications with more and more private information and capabilities. Existing security research follows a common threat model that treats apps as monolithic entities and only captures attack surface between apps. However, recent research reveals that app internal attacks are emerging quickly …