
Background

Cyber technologies are inextricably woven into the fabric of today's society. Knowledge, communication, trade and even politics are no longer confined by geography, as the internet and the web have rendered distances meaningless. Cyber technologies amplify the reach of individuals and organizations in the farthest corners of the globe so that they can impact the entire world, yet this reach can be destructive when used for illicit or nefarious purposes. According to McAfee, worldwide losses due to cybercrime amounted to $600 billion in 2017. Juniper Research expects this number to grow to $2 trillion by 2019. Disinformation campaigns can be even more costly over the long term, as they sow discord and division in society, and erode our trust in institutions.


Cyber threats pose a far bigger challenge for advanced nations such as the United States than the rest of the world. Risks are even more concentrated for New York, given its standing as the financial capital of the world. Sustained investment in cyber-security research is needed to protect our economy, prosperity, security and privacy.

Recognizing the growing importance of cyber-security, Stony Brook University established the National Security Institute (NSI) in 2013. NSI brought together a team of leading researchers who have already made considerable headway on some of the thorniest cyber-security challenges being faced today. However, sustained progress in the field requires a holistic interdisciplinary approach spanning multiple areas and disciplines, including software and hardware engineering, secure and usable systems design, modeling, validation and verification, cryptology, human-computer interaction, psychology, and policy.

The College of Engineering and Applied Sciences is uniquely positioned to bring together such an interdisciplinary team of researchers that can lead the way towards engineering solutions for the secure and trustworthy communications, platforms and systems of tomorrow. Specifically, the College has identified four major research areas that will lay the foundation for a secure and trustworthy cyberspace.

Software

“Software is eating the world” --- Marc Andreessen.

A generation of software-powered companies is scaling new heights of valuation on the stock market, with an eye toward surpassing a trillion dollars. Traditional, brick-and-mortar companies are being displaced by all-software-based organizations such as Uber, Airbnb and Netflix. While some companies perish in this onslaught, many others are transforming themselves into “software-first” outfits.

It should come as no surprise in this environment that the size, scale, and complexity of modern software have grown enormously. Unfortunately, complexity is the #1 enemy of reliability and security. Failure properties of complex systems are poorly understood and, as a result, security mechanisms built into them are prone to unexpected breakdowns. One general strategy for combating this problem is “defense-in-depth”: building multiple layers of protection with the expectation that gaps in one layer can be blocked by another layer.

Languages, frameworks and environments

Programming languages and frameworks designed for security and reliability can avoid many types of vulnerabilities faced today. New operating system and virtualization primitives can provide stronger isolation that prevents security problems in one component from spreading across the entire system.

Bug detection

Today’s security vulnerabilities result mainly from software bugs that slip past the design, coding and test phases. Fuzzing and other automated testing techniques can curtail these bugs, but considerable additional research is required in order to expand the coverage of these techniques, to discover vulnerabilities that reside deeper in the program logic, and to scale to larger code bases.

 

Exploit mitigation

Not all vulnerabilities can be detected in advance, nor is it cost-effective to fix all detected bugs. Exploit mitigation provides a layer of defense for these residual vulnerabilities, either by preventing their exploitation, or by limiting the resulting damage. While some of these mitigations, e.g., address space layout randomization, are already deployed, many more remain to be discovered.

Attack surface pruning

While modern development toolkits and libraries increase programmer productivity, they also lead to bloated software with a lot of unused code and functionality. Increased code size means more vulnerabilities and/or code that can be abused in attacks. Code “debloating” techniques need to be developed to detect and remove such unused code, and/or restrict its execution.

Understanding malware

Despite best efforts, some attacks will succeed, eventually leading to the execution of attacker-crafted malware. Understanding the behavior of this malware is the first step in tracking the attack source, diagnosing other infected systems, and designing new security defenses that can cope better with similar attacks in the future.


Faculty Contributors

Annie Liu, Computer Science

Nick Nikiforakis, Computer Science

Michalis Polychronakis, Computer Science

C.R. Ramakrishnan, Computer Science

R. Sekar, Computer Science

Erez Zadok, Computer Science

Cyber-physical systems and IoT

Computer systems are playing increasingly central roles in the physical world, underpinning the operation of critical infrastructures such as the power grid and transportation systems. Wirelessly connected implantable devices are being used to monitor health, as well as to administer drugs and other forms of medical treatment. Self-driving automobiles are on the horizon. Internet-of-Things (IoT) systems such as wearables, networked appliances, locks and home security systems are becoming mainstream.

Attacks on cyber-physical systems can be disastrous, risking life or bodily harm to individuals or populations. Yet, the state of cyber-security in this domain is in its infancy. For some components, e.g., hardware, security rests entirely on trusting the vendor. Other components (e.g., medical devices) prioritize safety so much that security receives scant attention. Cost and time-to-market rule in the IoT space, with security relegated to an afterthought.

Cyber-physical security advances require component-level investments, as well as research on understanding security properties of composite systems. Specific topics of interest include:

Hardware security

The scale and complexity of today’s hardware present easy opportunities within the hardware supply chain to hide malicious circuitry. Such “hardware Trojans” can be harnessed to hijack systems containing the victim hardware. Hardware, software and security engineers need to come together to address this growing threat.

Privacy and security controls for IoT

Security and especially privacy risks posed by IoT systems often go unrecognized. Moreover, established mechanisms such as passwords and access controls may be too cumbersome. New context-dependent and intuitive security and privacy primitives need to be developed to address these challenges.

Modeling and verification

Safety-critical systems (e.g., medical devices) have benefited greatly from formal modeling and automated verification. The role of these techniques for building secure systems is well-recognized, but practical applications have lagged due to challenges in developing models that are simple enough for verification, but preserve all security-relevant details.

Vulnerability analysis

Verification techniques are most likely to be viable at the component level or on small scale systems. At larger scales, it is easier to tackle the complementary problem of vulnerability analysis, which finds security bugs on a best-effort basis. Identified vulnerabilities can guide the design and placement of stronger protection mechanisms.


Faculty Contributors

Mikhail Dorojevets, Electrical and Computer Engineering

Mike Ferdman, Computer Science

Amir Rahmati, Computer Science

C.R. Ramakrishnan, Computer Science

R. Sekar, Computer Science

Radu Sion, Computer Science

Scott Stoller, Computer Science

Scott Smolka, Computer Science

Fan Ye, Electrical and Computer Engineering

Data

In a knowledge-driven society, data becomes the most valuable commodity. Users and companies increasingly store sensitive financial or healthcare information on public or private clouds. Intellectual property, stored in electronic form, is the most valuable asset for most companies. The value proposition of “big tech” is predicated on the huge trove of personal information collected from their users. All of this data presents a ripe target for bad actors that can benefit by stealing or abusing it. Indeed, data is typically the ultimate target of most cyber attacks today, and as a result, we are witnessing data breaches of ever increasing proportions. Protecting all this data poses perhaps the greatest security challenge today.

Controlling access to information

Sensitive data can be protected by enforcing policies that govern who can access the data, and how it may be used. New research is needed to develop easy-to-use policy languages and enforcement mechanisms that can accurately capture both access and usage constraints. In addition, novel policy mining techniques are needed to simplify policy development.

Computation on encrypted data

Loss of encrypted data is generally harmless, so an alternative to access control is to ensure that data is always in its encrypted form. The key challenge, then, is to develop algorithms that can operate efficiently on encrypted data. Such algorithms need to ensure that they achieve the results desired by the data owners without leaking additional information.

Cyber attack detection and attribution

It may not be possible to prevent all unauthorized accesses, so a secondary line of defense is to detect cyber attacks and subsequent data accesses and respond to them. Advances are needed to detect stealthy attacks by sophisticated adversaries, without raising many false alarms; to “connect the dots” automatically so that analysts can understand and respond to attacks; and to attribute attacks so that perpetrators can be identified and contained.

Understanding online ecosystems

Online applications can be thought of as members of distinct but interconnected ecosystems, such as the ecosystem of all online social networks or the ecosystem of all websites developed on a specific web application framework. This ecosystem-centric view of the web allows the modeling of functionality, the mapping of various actors, and the identification of systemic vulnerabilities across members of an ecosystem. New research is required to map more critical applications into online ecosystems and automatically reason about potential underlying vulnerabilities.

Privacy and fairness in the era of big data

Eliminating biases and maintaining individual privacy are two pressing concerns in this age of data-driven analytics. Privacy preservation requires adding noise to the inferences made from the data without unduly impacting accuracy. Fairness requires that the data used in inferences is representative and unbiased. It also requires a clearer understanding of the inference processes so that any biases in the inferences can be readily identified.


Faculty Contributors

Samir Das, Computer Science

Jie Gao, Computer Science

Nick Nikiforakis, Computer Science

Omkant Pandey, Computer Science

Michalis Polychronakis, Computer Science

R. Sekar, Computer Science

Radu Sion, Computer Science

Scott Stoller, Computer Science

People

People have become the “weakest link” targeted by cyber attacks, often lured by phishing or other forms of social engineering. Humans are also the target of surveillance and censorship by authoritarian governments. Tracking and surveillance underpin many online services as well. There is an urgent need for security solutions that can protect individual rights, freedom, and privacy, in addition to protecting individuals from scams, theft and other forms of cyber attack.

Surveillance and censorship

An increasing number of governments, organizations, and other actors have dramatically increased their efforts to restrict what information is accessible on the Internet, and to monitor the communication of unsuspecting or targeted users. Technologies to circumvent censorship and surveillance are thus crucial for protecting minorities and rights defenders, and for ensuring that the Internet will continue to be used as a liberating technology.

Measuring and countering unwanted tracking

The current monetization model of the web relies on tracking companies collecting large amounts of data for each user, with the purpose of better predicting user interests for targeting advertisements. This ever-increasing collection of user data can have dire consequences for users since it can reveal sensitive information that they did not intend to share. More research is required to automatically detect unwanted tracking activity on the web and develop countermeasures that allow users to regain control of their personal data.

Fraud, scam and crime

In the same way that the Internet enabled companies to move their business online, it also enabled cyber criminals to conduct criminal activity over the web, allowing them global reach and protecting them behind layers of anonymity and different jurisdictions. Modern cyber criminals are utilizing a wide range of technical and non-technical techniques to steal hundreds of millions of dollars from individuals and companies on a yearly basis. Research that aims to understand online criminal activity and attribute seemingly unrelated attacks back to the same cyber criminals is therefore crucial for maintaining the user’s trust in the web.

Usable security

Traditional approaches to computer security used to blame users when systems were compromised as a result of misconfigurations and poor choices. Over time, the research community understood that users are a critical part of securing systems and must therefore be supported in making the right decisions from a security perspective. Cross-disciplinary research is required to understand how users make decisions and how security mechanisms should be designed to match the mental models behind these decisions.


Faculty Contributors

Xiaojun Bi, Computer Science

Nick Nikiforakis, Computer Science

Omkant Pandey, Computer Science

Michalis Polychronakis, Computer Science

Amir Rahmati, Computer Science

Radu Sion, Computer Science

Summary and Recommendations


Develop frameworks, languages, and techniques for cost-effective application of defense-in-depth to software systems

Defense-in-depth is a well-established principle for securing systems, but its practical application is held back because it significantly increases development and operational costs. New research is needed to reduce this cost by bringing a high degree of automation to the steps and processes involved.

Understand globally, act locally

Today’s cyber-security environment is the product of complex interactions among multiple online ecosystems. These systems are too diverse and distributed for global defenses to be possible. But by understanding and measuring these systems, it is possible to develop localized defenses that target the vulnerabilities in these ecosystems.

Usability-centered security design

Users have become the weakest link in security because they are asked to make security judgments with too little context and time. To address this problem, security mechanisms have to be designed from the ground up with usability in mind. Such design will minimize the number of security decisions that require user input, while making the remaining ones intuitive and natural.

Privacy-enabling technologies

The era of big data and always-on connectivity has greatly degraded society’s ability to protect individual freedom, privacy, security, and fairness. Substantial new research investment is required to develop new solutions that put privacy and fairness at the forefront, instead of viewing them as a necessary trade-off.

Foster interdisciplinary approaches for building trustworthy cyber-physical systems

Cyber-physical systems combine hardware, software, sensors and actuators. Ensuring the trustworthiness of cross-system and cross-layer interactions requires expertise across software and hardware engineering, modeling, validation and verification, cryptology, human-computer interaction, psychology, and policy.