CyLab Year-In-Review: 2022-2023 by CMUEngineering

2022–2023 CYLAB YEAR IN REVIEW

LETTER FROM THE DIRECTOR D EA R F R IE N D S As I write this, it has been almost 20 years since CyLab’s launch in October 2003, just a couple of months before I arrived at CMU. I joined CyLab near the beginning, and when we moved into the Robert Mehrabian Collaborative Innovation Center (CIC) in 2005, I was among the first building occupants. I watched as Mike Reiter and Lujo Bauer equipped the building with an innovative smartphone-based distributed access control system and worked with my students to conduct usability studies with those who were using the system to unlock their office doors. Today, you can use your smartphone to unlock your hotel room door at many major hotel chains, but in 2005, using our primitive smartphones to select the door to open, do some (at the time slow) computation, and transmit proof to the door that it was allowed to open, made us feel like we were living in the future. Over the years, CyLab researchers have impacted new technologies and corporate and government policies in many areas. We invented CAPTHAs, effective phishing attack simulation training, device pairing protocols using barcode technology, verifiable computation, new approaches to trusted computing and malware detection, made advances in biometrics and computer vision technologies, automated attack systems, and developed the privacy choice icon adopted by the State of California. We demonstrated the first physical attacks on machine-learning-based face recognition systems, analyzed mobile app privacy compliance at scale, and collected and analyzed data that shed light on the “Silk Road” anonymous marketplace. Our extensive research on password policies led numerous organizations to update their policies and the National Institute for Standards and Technology (NIST) to revise their password guidance. Our research on the predictability of Social Security Numbers led to changes in how these unique identifiers are assigned, and our research on consumer privacy decision-making has impacted approaches to privacy taken by both companies and policymakers. CyLab researchers have testified before Congress, the Federal Trade Commission, the Federal Communications Commission, as well as state, national, and international agencies. We are home to the top undergraduate cybersecurity program and the first and only master’s program in privacy engineering. With the passage of time, CyLab has witnessed remarkable expansion, presently comprising more than 150 faculty members from various colleges within Carnegie Mellon University. As we move forward, it is crucial to maintain this momentum and strive for an even greater impact. The interconnected nature of our world demands ongoing innovation and collaboration. By fostering interdisciplinary partnerships, CyLab continues to drive advancements in security and privacy, making a positive difference in the world. Here’s to another successful 20 years of redefining security and privacy and to a future where the work of CyLab continues to shape the landscape of cybersecurity for the better!

Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab, FORE Systems University Professor of Computer Science and of Engineering & Public Policy

CONTENTS

4 CyLab 20th Anniversary

CyLab Media Mentions

16 Carnegie Mellon Hosts 10th Annual picoCTF Hacking Competition 18 picoCTF Empowers Teachers to Bring Cybersecurity Education to Their Classrooms 20 Award-Winning Research Paves the Way for Provably-safe Sandboxing Using WebAssembly 21

Measuring Internet Resilience in Ukraine

CyLab’s Secure Blockchain Initiative

CyLab Icon Connects Users with Online Privacy Choices

Zero Trust in ‘Zero Trust’

26 Carnegie Mellon’s Hacking Team Wins 7th DEF CON Capture-the-Flag Title 27

Featured Grants

28 CMU Hacking Team Defends Title at MITRE Cybersecurity Competition 30

CyLab Awards 2023 Seed Funding

CyLab’s Future Enterprise Security Initiative

CyLab Seminar Series

CISA Director Delivers Major Address at CMU

CMU-Africa Week Showcases Research and Culture

CyLab Presents at White House’s Launch of New IoT Cybersecurity Labeling System

Partners Shaping a Safer Future

Partners Conference

In July, Carnegie Mellon University’s CyLab Security and Privacy Institute met with government officials and technology industry leaders as the White House launched its new Cyber Trust mark.

CyLab Names Presidential Fellows

Graduated Ph.D. Students

Security and Privacy Courses and Degrees

CyLab Core Faculty

Featured Speaking Engagements

Featured Recognitions

Alumni Award

CyLab Staff

In Other News

20 Years of CyLab As CyLab Celebrates its 20th anniversary, we reflect on the Security and Privacy Institute’s impact and most significant achievements.

Researchers Discover Vulnerability in Large Language Models Large language models (LLMs) use deep learning techniques to process and generate human-like text. Trained on vast amounts of data from books, articles, websites, and other sources, the models use this learned knowledge to generate responses, translate languages, summarize text, answer questions, and perform a wide range of natural language processing tasks.

CYLAB 2022-23 YEAR IN REVIEW

CYLAB 20TH ANNIVERSARY

Created in 2003 with the support of a $6.1 million per year grant from the Army Research Office, Carnegie Mellon University’s CyLab Security and Privacy Institute has spent the past 20 years tackling the field’s most significant challenges, leading the way in education and research. Led by Founding Director Pradeep Khosla, CyLab started with just six faculty members, who worked closely together as they set out on a mission to improve security and privacy for all. Since then, CyLab has grown significantly and today boasts more than 140 faculty members from colleges and departments across Carnegie Mellon University.

LEADING THE WAY

INNOVATIVE VENTURES

Over its 20-year history, CyLab has propelled itself to become one of the world’s top security and privacy institutes, paving the way and developing a model for cybersecurity education and research. The Institute’s four directors have served as visionaries throughout the years, forging new paths and finding ways to adapt to the everchanging cyber landscape.

CyLab research has resulted in a number of notable startups and spinoffs, bringing innovative security and privacy technologies to market. • Led by Lorrie Cranor, Jason Hong, and Norman Sadeh, CyLab’s seminal work on anti-phishing techniques resulted in Wombat Security, a start-up focused on security awareness training to prevent phishing attacks. The company was acquired by Proofpoint in 2018 for $225 million. • Luis von Ahn and Manuel Blum’s start-up, reCAPTCHA, enabled websites to prevent automated programs, or bots, from perpetrating large-scale abuse. The company was acquired by Google in 2009, and the technology is still used today.

CRACKING THE CODE With thousands of published papers and countless innovative technologies, CyLab researchers have developed solutions to some of the world’s most significant security and privacy challenges. Its research has had a profound impact, influencing public policy in a variety of areas. The work of CyLab faculty, postdocs, and students has uncovered ways to securely pair devices via smartphone, introduced and coined the term ‘verifiable computation,’ triggered the FBI shut down of illegal dark web marketplaces, pioneered privacy and security nutrition labels, developed a test to detect malware with near certainty, created the fastest-ever open-source intrusion detection system, and influenced policy around consumer privacy laws, to name a few.

• Former CyLab Director David Brumley’s start-up ForAllSecure advanced CyLab’s research on automated attacks, winning the 2016 DARPA Cyber Grand Challenge and earning $2 million in prize money. • Marios Savvides’ start-up HawXeye was acquired by Bossa Nova Robotics, who used the company’s technology to improve its aisle-roaming robots, which were used to scan Walmart shelves for out-of-stock or misplaced products. DEVELOPING TALENT With CyLab’s inception, Carnegie Mellon University began developing first-of-their-kind security and privacy-focused academic programs. In tandem with CyLab’s launch, CMU’s Information Networking Institute, considered the education arm of CyLab at the time, created the Master of Science in Information Security (MSIS) program, offering a technical focus on security and computer systems.

a mastery level. In addition, picoCTF has begun holding a National Science Academy-funded teachers camp, aiming to provide educators with the tools and resources needed to introduce cybersecurity education in their classrooms. FOSTERING COLLABORATION AND DRIVING CHANGE The first cohort of the School of Computer Science’s Privacy Engineering master’s program.

Ten years later, CMU’s School of Computer Science launched the first master’s program in Privacy Engineering, preparing students with technology backgrounds to develop products and services that respect user privacy.

Understanding the impact of collaboration, as well as the value of industry and government insights, CyLab began developing its partner program. In 2004, Lockheed Martin became CyLab’s first corporate member, providing funds to support ongoing research and development in cybersecurity and to educate the public on cybersecurity issues.

In 2018, the university created a security and privacy concentration for Computer Science and Electrical and Computer Engineering undergraduates, which has been recognized by US News and World Report as the top Undergraduate Cybersecurity Program three years in a row (2021, 2022, 2023). Today, security and privacy courses are offered in several CMU departments and colleges, including the College of Engineering’s Engineering and Public Policy and Electrical and Computer Engineering departments, the Information Networking Institute, as well as the School of Computer Sciences Computer Science and Software and Societal Systems departments, and the Human-Computer Interaction Institute. BREAKING DOWN BARRIERS CyLab has made it a priority to help narrow the worldwide cybersecurity talent shortage through innovative programs and platforms that introduce the field to students at a younger age. In 2005, CyLab and the Information Networking Institute launched MySecureCyberSpace.com, an initiative funded by the National Science Foundation that offered a fun and unique way to teach grade school students about computer security and internet safety. In 2013, CyLab Director David Brumley set out to address the lack of K-12 cybersecurity education by creating picoCTF, a gamified student-focused hacking competition. The annual event offers students of all ages and skill levels the opportunity to gain experience in the field and compete against one another. Over the years, the competition has grown significantly, seeing more than 18,000 participants in 2022 and 2023. Today, picoCTF offers a free year-round educational platform, enabling users to get familiar with basic concepts and work their way up to

Professor Lujo Bauer presents his research at the 2015 CyLab Partners Conference. The annual event highlights the latest research in security and privacy with an interactive forum between faculty, students, industry and government.

Since then, CyLab has worked alongside many corporate and government organizations, growing its partnership program to more than 30 members in 2023. Together, CyLab and its partners collaborate to identify key research areas and tackle some of the field’s most difficult problems. Through topic-focused initiatives, such as IoT@CyLab, FutureEnterprise@CyLab, SecureBlockchain@CMU, and CyLab-Africa, CyLab and its partners continue to have great success moving technologies forward and re-imagining what security and privacy look like in this ever-evolving field. “As CyLab celebrates its 20th anniversary and we reflect on the past two decades, we want to thank all of our partners, faculty, students, and staff, both past and present, who have helped make CyLab THE destination for security and privacy education and research,” said Lorrie Cranor, Director, and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab FORE Systems Professor of Computer Science and Engineering & Public Policy. CYLAB 2022-23 YEAR IN REVIEW

20 YEARS OF CYLAB

As CyLab Celebrates its 20th anniversary, we reflect on the Security and Privacy Institute’s impact and most significant achievements. Oct. 2003: CyLab was founded with a $6.1 million per year grant from the Army Research Office, creating one of the largest security and privacy research and education efforts of its time. CyLab was originally led by director Pradeep Khosla and director of education, training, and outreach Dena Haritos Tsamitis. Mike Reiter served as the founding technical director.

Founding co-director, Pradeep Khosla, addresses the crowd during an unveiling event for Carnegie Mellon’s CyLab.

Former CMU President, Jared L. Cohon announces the creation of CyLab at a press conference.

John Anderson, former Dean of CMU’s College of Engineering, chats with U.S. Representative Mike Doyle during CyLab’s unveiling.

2003-2004: Adrian Perrig, Dawn Song, and others published a series of papers on secure protocols for sensor networks, which served as precursors to today’s networks of IoT devices. Secure communication is a cornerstone of IoT device security. 2004: Lockheed Martin became CyLab’s first corporate member, providing funds to support ongoing research and development in cybersecurity and to educate the public on cybersecurity issues. As of 2023, CyLab’s partnership program has grown to include more than 30 corporate and government organizations.

2004: CMU team led by Mike Reiter was awarded a $6.4 million NSF grant to establish a new center, “Security Through Interaction Modeling” (STIM), housed in CyLab. In the same way that ecology studies the web of life, STIM aimed to understand and model the complex interactions among humans, computers, and attacks. 2004: Officials from the Korea Information Security Agency pledged $6 million over three years to form CyLab-Korea in Seoul, South Korea. A year later, CyLab partnered with the Hyogo Prefectural government to create the INI Kobe Master of Science in IT at CyLab-Japan.

2005: CyLab hosted the Symposium On Usable Privacy and Security (SOUPS), founded by Lorrie Cranor. SOUPS was the first conference focused on this topic. USENIX would eventually adopt SOUPS as one of its annual meetings. 2005: Nearly half of the papers at the annual IEEE Security and Privacy Symposium were co-authored by researchers from CyLab. 2008: Virgil Gligor became the second director of CyLab.

2005: CyLab moved into the Collaboration Innovation Center on the CMU Pittsburgh campus, gaining 25,000 square feet of space to house faculty, staff, students, and meeting and lab space. The building was equipped with a smartphone-based distributed access control system, allowing faculty and staff to unlock their office doors with their smartphones before the term “smartphone” was commonly used. The system, named “Grey,” was developed by Lujo Bauer and Mike Reiter and remains in use today. 2005: INI and CyLab launched MySecureCyberSpace. com, an initiative funded by the NSF to educate the public about computer security and internet safety. Dena Haritos Tsamitis served as the initiative’s principal investigator. 2005: Seminal work on anti-phishing techniques began in CyLab. In 2008, Lorrie Cranor, Jason Hong, and Norman Sadeh turned their work into Wombat Security, a startup focusing on security awareness training to prevent phishing attacks. In 2018, the company was acquired by security company Proofpoint for $225 million.

2008: Mike Reiter, Adrian Perrig, Bryan Parno, and Jonathan McCune proposed the Flicker system, which was a precursor to how we use trusted computing (e.g., SGX) today, allowing one to run a secure computation with added certainty that it’s not being corrupted. 2009: Alessandro Acquisti uncovered a security flaw in how social security numbers (SSNs) were distributed. Using a person’s place and date of birth, his algorithm could reliably predict all nine digits. Acquisti’s work would later influence the way the Social Security Administration assigned SSNs. 2009: Google acquired reCAPTCHA, a start-up that grew out of CyLab researchers Luis von Ahn and Manuel Blum’s pioneering work. Web sites still use the technology today to prevent automated programs, or bots, from perpetrating large-scale abuse. 2009: Seeing-is-believing pairing protocol by Mike Reiter and Adrian Perrig showed how to use 2D barcodes to securely pair devices via smartphone. Similar protocols are used today by many in-home IoT devices. 2009: A team of CyLab faculty led by Lorrie Cranor was awarded a $3 million NSF grant to establish a usable privacy and security doctoral training program. This grant supported an interdisciplinary group of 27 students from four departments over eight years. 2010: Bryan Parno and colleagues introduced and formalized the term “verifiable computation,” which enables a computer to offload computation to untrusted clients while maintaining verifiable results, paramount in cloud computing and client-server computing.

Wombat co-founders and early employees in 2009.

CYLAB 2022-23 YEAR IN REVIEW

20 YEARS OF CYLAB

2011: David Brumley received the Presidential Early Career Award for Scientists and Engineers, the highest honor bestowed by the U.S. government on young scientists and engineers. He was honored for his “innovation and vital research on malware analysis and for strong educational and outreach activities.” 2012: Nicolas Christin published the first extensive look into the economics of Silk Road, an online anonymous marketplace that deals with drugs and other contraband. The FBS subsequently shut Silk Road down the following year.

considered the “Superbowl of Hacking,” bringing together hacking teams from all over the work. PPP would go on to win five more titles (2014, 2016, 2017, 2019, 2022), making them the winningest team in DEF CON history. 2013: Jason Hong developed PrivacyGrade.org, a website that assigns letter grades to apps based on how they treat users’ data. Subsequently, the FTC charges that the developer of the Android Flashlight App, one of the most popular Android apps at the time, deceived consumers about its data practices.

2013: CyLab launched picoCTF, a free online cybersecurity competition for middle and high school students. picoCTF would quickly become the largest competition of its kind and later expand its reach by creating a year-round cybersecurity education platform.

2013: CMU launched the first of its kind master’s program in Privacy Engineering to prepare students with technology backgrounds to develop products and services that respect user privacy. 2013: CyLab’s competitive hacking team, the Plaid Parliament of Pwning (aka “PPP) won their first DEF CON Capture-the-Flag competition. The competition is widely

2014: A CyLab team won DEF CON’s “Crack me if you can” password-cracking challenge, combining multiple approaches to crack more passwords than their competitors. The same researchers would go on to develop and win the 2016 USENIX Security Best Paper Award for their machine-learning-based tool to calculate password strength and receive both the 2017 ACM CHI Best Paper Award and the 2023 IEEE Test of Time Award for their password creation interface, which helps users create stronger but still memorable passwords. 2015: Two CyLab teams were awarded DARPA Brandeis grants. Norman Sadeh and his colleagues’ project focuses on personalized privacy assistants that can assist smartphone users in protecting their privacy. Jason Hong and colleagues continued this work, improving the privacy of Android smartphones with new ways of analyzing app behaviors, developer support, and user interfaces.

2015: David Brumley became CyLab’s third director. He also became CyLab’s first Bosch Distinguished Professor in Security and Privacy Technologies, a position to be held by future CyLab directors.

AT&T, Infineon Technologies, and Nokia Bell Labs. At a time when the number of IoT devices was exploding, CyLab’s IoT initiative aimed to create the knowledge and capabilities to build secure and privacy-respecting IoT systems.

2016: David Brumley’s startup ForAllSecure, advanced CyLab research on automated attacks to win the 2016 DARPA Cyber Grand Challenge, the first-of-its-kind completely autonomous hacking competition. The team received $2 million in prize money.

2018: A team led by Lujo Bauer, Nicolas Christin, and Lorrie Cranor was awarded the IEEE Cybersecurity Award for Practice in recognition of their massive body of research on password security, work that would later influence NIST password guidelines. Alessandro Acquisti was awarded the IEEE Cybersecurity Award for Innovation for his groundbreaking work on the economics and behavioral economics of privacy and personal information security. 2018: Norman Sadeh and colleagues successfully executed the first-ever automated analysis of over 1 million mobile apps for privacy compliance to analyze the text of privacy policies and code analysis techniques. Sadeh and his students would later go on to create ‘Privacy Label Wiz,’ a tool that helps developers better understand their apps’ privacy practices and create accurate privacy nutrition labels.

2016: Lujo Bauer and colleagues demonstrated the first physically realizable attacks on a machine learning-based system, using custom eyeglass frames to fool state-ofthe-art facial-recognition systems. 2016: Vyas Sekar, Mike Reiter and CMU graduate SooJin Moon won the NSA’s 4th Annual Best Scientific Cybersecurity Paper Competition for their work ‘Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration.”

2018: The $27.6 million CONIX Center was established at CMU to build smarter networks to connect edge devices to the cloud. CyLab’s Anthony Rowe served as the center’s director. 2018: Marios Savvides’ startup HawXeye was acquired by Bossa Nova Robotics to make their aisle-roaming robots smarter. At the time, their robots were in over 50 Walmart stores throughout the U.S., scanning shelves for out-of-stock or misplaced products.

2016-2017: Virgil Gligor led work to establish what is known as a “root of trust,” creating a test that - for the first time - could detect malware on a device with near certainty. The study received a Distinguished Paper Award (NDSS, 2019), and Gligor would later be inducted into the Cybersecurity Hall of Fame for this work and others. 2017: Doug Sicker became the interim director of CyLab, while David Brumley went on leave to grow his startup, ForAllSecure. 2018: CyLab launched the Secure and Private IoT Initiative with founding sponsors Amazon Web Services,

CYLAB 2022-23 YEAR IN REVIEW

20 YEARS OF CYLAB

2018: CMU launched a security and privacy concentration for undergraduates in computer science and electrical and computer engineering. In 2020, a minor in Security, Privacy, and Policy was introduced for undergraduate students across the university. Since 2021 the CMU has been recognized by US News and World Reports for having the top undergraduate Cybersecurity program. 2018: David Brumley and CMU graduate Tiffany Bao won the NSA’s 6th Annual Best Scientific Cybersecurity Paper Competition for their research, “How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games.”

2021: Carnegie Mellon and The University of Pittsburgh launched the Collaboratory Against Hate Research and Action Center to develop effective tools that inhibit hate’s creation, growth, and destructive consequences. Lorrie Cranor served as CMU’s founding co-director of CAH. 2021: CyLab and CMU-Africa established the CyLab-Africa Initiative, aimed at improving the cybersecurity of financial systems in Africa and other emerging economies. The initiative has led to many collaborative, cross-continent research projects, helping to shape and improve Africa’s digital landscape.

Jan. 2019: Lorrie Cranor became CyLab’s fourth director. 2019: Kathleen Carley, Doug Sicker, and David Danks were awarded a $5 million grant from the Knight Foundation to launch the Center for Informed Democracy and Social Cybersecurity to foster research around topics such as how to better recognize disinformation online, how to identify who is spreading it, how to inoculate groups against it, and how to counter it. 2019: Bryan Parno, his student Aymeric Fromherz and a group of Microsoft researchers released the world’s first verifiably secure, industrial-strength cryptographic library—a set of code that could be used to protect data and, at the time, was guaranteed to protect against the most popular classes of cyberattacks. EverCrypt was later incorporated into Linux kernel—the core of the Linux operating system. 2020: In March 2020, the state of California adopted a new privacy icon designed by a team of researchers from Carnegie Mellon’s CyLab and the University of Michigan. The icon has become widely adopted on the bottom of commercial websites.

2020: Led by Justine Sherry, a team of CyLab researchers developed Pigasus, the fastest-ever open-source intrusion detection system, achieving 100 gigabits per second using a single server. The new system significantly reduced the amount of hardware needed by previous methods and offered enormous energy savings. 10

2022: CyLab launched its Future Enterprise Security initiative, a multi-year, interdisciplinary research program aimed at redefining security for businesses, big and small, through innovations in artificial intelligence, computer science, engineering and human-factors research.

2022: CyLab introduced the CMU Secure Blockchain Initiative, a university-wide collaboration rethinking blockchain across enterprise ecosystems. Comprised of over 35 faculty members from four CMU colleges, the initiative will address challenges in consensus mechanisms and scalability; cryptocurrencies and markets; cryptography; formal verification; and regulation, policy, and governance.

2023: Following many papers and years of work developing usable and effective IoT security and privacy labels, CyLab researchers Lorrie Cranor and Yuvraj Agarwal were invited to participate in White House meetings and industry working groups tasked with developing IoT labels consistent with the US government’s approach.

CYLAB MEDIA MENTIONS

7.27.2023 On concerns around large language models:

“Through simulated conversation, you can use these chatbots to convince people to believe disinformation.” Matt Fredrikson, Associate Professor, School of Computer Science

7.21.2023 On artificial intelligence:

“AI is our attempt at creating tech that mimics human cognition. The pace of development is pretty rapid right now.” Sauvik Das, Assistant Professor, Human-Computer Interaction Institute

7.18.2023 On IoT security and privacy label research:

“We’ve found that consumers are willing to pay a significant premium for products with better security and privacy features.”

security system can help reduce the burden on the non-security experts on the team.”

7.2.2023 On importance of considering privacy in new tech:

“You think about privacy from the very, very earliest stage of the process and if you don’t, you’re going to shoot yourself in the foot. Privacy is one of those qualities that you just cannot slap on at the end.”

Lorrie Cranor, Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab; FORE Systems University Professor of Computer Science and of Engineering and Public Policy

Norman Sadeh, Professor, Software and Societal Systems Department and Co-Director of the Privacy Engineering Program

12.1.2022 On regulations following FTX collapse:

5.12.2023 On improving large language models:

“We need better theories of how humans recognize meaning and how people interpret texts. There’s just a lot less money put into understanding how people think than there is to making better algorithms.” Kathleen Carley, Professor of Computation, Organizations, and Society, Software and Societal Systems Department

Yuvraj Agarwal, Associate Professor, School of Computer Science

3.11.2023 On improving cybersecurity policies:

“I think security has always been everybody’s problem, but now we are realizing it. And I think a well-designed

“A giant collapse obviously makes it harder to get regulation through but presumably it also underscores the importance of coherent regulation.” Bryan Routledge, Associate Professor of Finance, Tepper School of Business

10.3.2022 On cybersecurity practices::

“For most of these organizations, security is a cost center. It’s a line item on the budget without an immediate benefit. You crash and burn and only then you feel, ‘Oh I should have had a fire department.” Vyas Sekar, Tan Family Professor, Electrical and Computer Engineering

CYLAB 2022-23 YEAR IN REVIEW

CYLAB PRESENTS AT WHITE HOUSE’S LAUNCH OF NEW CYBER TRUST MARK In July, Carnegie Mellon University’s CyLab Security and Privacy Institute met with government officials and technology industry leaders as the White House launched its new Cyber Trust mark. School of Computer Science Associate Professor Yuvraj Agarwal represented CMU at the event, sharing key findings from CyLab’s five-plus years of IoT security and privacy label research. The emergence of IoT technology has provided consumers with numerous benefits, from improving energy efficiency to helping automate routine tasks. However, there are growing concerns about the security and privacy of these devices, and unease around sensitive data being sold or shared with third parties. “We’re seeing baby monitors with cameras that strangers can access over the Internet and smart thermostats that don’t disclose the use of microphones,” says Lorrie Cranor, director of CyLab and professor at CMU’s Software and Societal Systems and Engineering and Public Policy departments. “Consumers are rightfully concerned about the security and privacy of IoT devices.” Since 2018, CyLab faculty and students have advocated for IoT labels to empower consumers by providing the knowledge necessary to make informed purchasing decisions. Led by Cranor and Agarwal, the team has explored how privacy and security factors into IoT device purchase behaviors, finding a willingness among consumers to pay significant premiums for products featuring a consistent label that highlights positive security and privacy features.

Last year, Agarwal, Cranor, and Pardis Emami-Naeini, a Carnegie Mellon alum and assistant professor at Duke University, published an overview paper titled “An informative Security and Privacy ‘Nutrition’ Label for Internet of Things Devices,” describing their journey in designing an IoT security and privacy label. They also launched a free, easy-to-use generator, allowing device manufacturers to create product-specific labels. “We designed our label through a multi-step process that involved extensive research with both consumers and experts,” says Agarwal. “Our current IoT label highlights the most actionable information for consumers, covering both security and privacy factors.” During a previous White House meeting in October 2022, Agarwal presented a briefing on Carnegie Mellon’s IoT label, offering a consumer-tested solution that could be immediately implemented across the IoT industry. Since then, Agarwal and Cranor continue to have a seat at the table, serving on a working group tasked with moving the IoT labeling initiative forward and meeting with several organizations, including industry associations, to share their research on the topic. In their most recent study, Agarwal and Cranor surveyed over 500 IoT device purchasers, showing them three potential designs of varying complexity for IoT product packaging labels. The low-complexity design simply included a shield and QR code, the medium complexity version added a few key security and privacy characteristics, and the high-complexity design included extensive security and privacy information. Consumers overwhelmingly preferred the design with the most information, although they also found the mediumcomplexity design to be understandable and helpful for choosing a product to purchase. A majority of consumers were dissatisfied with the low-complexity design, identifying it as their least favorite option. “We’ve found that consumers want to know about IoT products’ security and privacy properties and that having this information influences their risk perception and willingness to purchase smart devices,” says Agarwal.

Lorrie Cranor and Yuvraj Agarwal discuss potential label designs for IoT device packages. 12

Associate Professor Yuvraj Agarwal (far right) presents CyLab’s IoT label research during the White House’s U.S. Cyber Trust Mark launch.

“Our latest research shows that while accessing this information through a QR code can be helpful, consumers prefer to have important security and privacy information readily available on product packaging.” During the White House event, the administration revealed its new IoT mark that, alongside a QR code, is geared towards helping consumers identify which products meet a set of baseline security and privacy practices, something Agarwal and Cranor hope industry leaders will be quick to adopt. “As the details of IoT package labels are finalized, we’d like to see a consensus around including some basic information about sensor data collection next to the mark to help consumers gain a quick understanding,” says Cranor. “We’re looking forward to working with industry groups to standardize the details of these labels based on the results of our consumer research.” To learn more about CyLab’s research around IoT security and privacy labels, visit www.iotsecurityprivacy.org.

“We designed our label through a multi-step process that involved extensive research with both consumers and experts.” Yuvraj Agarwal, associate professor, School of Computer Science

CYLAB 2022-23 YEAR IN REVIEW

RESEARCHERS DISCOVER VULNERABILITY IN LARGE LANGUAGE MODELS Large language models (LLMs) use deep learning techniques to process and generate human-like text. Trained on vast amounts of data from books, articles, websites, and other sources, the models use this learned knowledge to generate responses, translate languages, summarize text, answer questions, and perform a wide range of natural language processing tasks. This rapidly evolving AI technology has led to the creation of several open-source and publicly available tools, such as ChatGPT, Claude, and Google Bard, among others, enabling anyone to search and find answers to a seemingly endless range of queries. However, while these tools offer significant benefits, there is growing concern about their ability to generate objectionable content and the consequences that could result. Recent work has focused on aligning LLMs in an attempt to prevent undesirable generation, and on the surface, seems to succeed. Public chatbots will not generate inappropriate content when asked directly. While attackers have had some success circumnavigating these measures, their approach often requires significant human ingenuity, and results have been inconsistent. But now, researchers at Carnegie Mellon University’s School of Computer Science (SCS), the CyLab Security and Privacy Institute, and the Center for AI Safety in San Francisco have uncovered a new vulnerability, proposing a simple and effective attack method that causes aligned language models to generate objectionable behaviors at a high success rate. 14

“As autonomous systems become more of a reality, it will be very important to ensure that we have a reliable way to stop them from being hijacked by attacks like these.” Matt Fredrikson, associate professor, School of Computer Science

In their latest study, ‘Universal and Transferable Adversarial Attacks on Aligned Language Models,’ CMU Associate Professors Matt Fredrikson and Zico Kolter, Ph.D. student Andy Zou, and alumnus Zifan Wang found a suffix that, when attached to a wide range of queries, significantly increases the likelihood that both open and closed source LLMs will produce affirmative responses to queries that they would otherwise refuse. Rather than relying on manual engineering, their approach automatically produces these adversarial suffixes through a combination of greedy and gradient-based search techniques. “At the moment, the direct harms to people that could be brought about by prompting a chatbot to produce objectionable or toxic content may not be especially severe,” says Fredrikson. “The concern is that these models will play a larger role in autonomous systems that operate without human supervision.” One example of such a system is an assistant that has access to your email and credit card information to help out with day-to-day activities. “As autonomous systems become more of a reality, it will be very important to ensure that we have a reliable way to stop them from being hijacked by attacks like these.” In 2020, Fredrikson and fellow researchers from CyLab and the Software Engineering Institute discovered vulnerabilities within image classifiers, AI-based deep learning models that automatically identify the subject of photos. By making minor changes to the images, the researchers could alter how the classifiers viewed and labeled them.

shows that even if you have a big trillion parameter closed-source model, people can still attack it by looking at freely available, smaller and simpler open-sourced models and learning how to attack those.” By training the attack suffix on multiple prompts and models, the researchers have also induced objectionable content in public interfaces like Google Bard and Claude and in open-source LLMs such as LLaMA-2 Chat, Pythia, Falcon, and others. Fredrikson says the next steps are to look at ways of addressing these attacks on LLMs.

Using similar methods, Fredrikson, Kolter, Zou, and Wang successfully attacked Meta’s open-source chatbot, ‘tricking’ the LLM into generating objectionable content. While discussing their finding, Wang decided to try the attack on ChatGPT, a much larger and more sophisticated LLM. To their surprise, it worked. “We didn’t set out to attack proprietary large language models and chatbots,” says Fredrikson. “But our research

“Right now, we simply don’t have a convincing way to stop this from happening, so the next step is to figure out how to fix these models.” Similar attacks have existed for a decade on different types of machine learning classifiers, such as in computer vision. While these attacks still pose a challenge, many of the proposed defenses build directly on top of the attacks themselves. “Understanding how to mount these attacks is often the first step in developing a strong defense.”

READY, SET, GO!

CyLab Director Lorrie Cranor and a team of College of Engineering faculty won their heat at the 2023 CMU Buggy races. The team posted an impressive time of 2:44.7, defeating faculty and staff from the Mellon College of Science.

CYLAB 2022-23 YEAR IN REVIEW

CARNEGIE MELLON HOSTS 10TH ANNUAL picoCTF HACKING COMPETITION On March 14th, hackers from around the globe flocked to picoCTF.org for Carnegie Mellon’s 2023 cybersecurity capture-the-flag competition. In its 10th year, picoCTF saw more than 18,000 middle, high school, and undergraduate students who worked through 45 progressively difficult challenges as they climbed the competition’s leaderboards. “We take great pride in the ongoing growth of picoCTF,” says Program Director Megan Kearns. “The competition started as the go-to beginner-friendly CTF for high school students, and we are now delighted to witness a surge in participation from a broader age range.” While many of this year’s competitors were from the U.S., the event saw thousands of international students, demonstrating picoCTF’s commitment to expanding its global outreach. Both Africa and Japan have leveraged the competition to inspire and encourage their students to pursue cybersecurity careers, each sponsoring picoCTF and hosting country and continent-specific leaderboards.

2023 Winners

16 16

“The success of the outreach initiatives by our partner sponsors, CMU Africa in Rwanda and Cognitive Research Labs in Japan is evident in the remarkable growth in student participation numbers,” says Kearns.

Members from the top three teams in the 2023 Middle / High School division pose for a photo during picoCTF’s annual award ceremony.

Many of the competition’s challenges were developed by members of Carnegie Mellon’s internationally acclaimed competitive hacking team, the Plaid Parliament of Pwning. The team has won first prize in numerous prestigious competitive hacking events, including six of the last ten DEF CON Capture the Flag competitions. In addition to the competition, picoCTF’s year-round platform offers users a wide range of educational resources to help gain experience in cybersecurity. The platform offers learning guides and a YouTube lecture series, introducing fundamental cybersecurity principles such as cryptography, web exploitation, forensics, binary exploitation, and reversing. The picoGym allows users

“Cybersecurity is not something we memorize by reading text. To build the necessary skills, we need continuous practice.” Hanan Hibshi, Assistant teaching professor, Information Networking Institute (INI)

to put their knowledge to the test, providing a practice space where they can access newly released challenges. “Whether you’re an accomplished cybersecurity professional, seasoned hacker, or new to CTFs, the picoGym offers captivating challenges that can be tackled at your own pace,” says Kearns. With over 435,000 active users worldwide, the free platform is a gateway into the field of cybersecurity, enabling anyone with access to a computer and the internet to start building their skills. “Cybersecurity is not something we memorize by reading text. To build the necessary skills, we need continuous practice,” says Hanan Hibshi, an assistant teaching professor at CMU’s Information Networking Institute (INI) and research advisor for picoCTF. “Unfortunately, not every school and country is equipped to provide resources for practical exercises. picoCTF provides a platform for students to build and sharpen their cybersecurity skills no matter where they reside or the number of resources available to them.”

C Y L A B 2 0 2 1 - 2 2 Y E A R I N R E V I E W | 17

picoCTF EMPOWERS TEACHERS TO BRING CYBERSECURITY EDUCATION TO THEIR CLASSROOMS For over ten years, Carnegie Mellon University’s picoCTF has been working to close the cybersecurity talent gap, introducing the field to students of all ages through its annual Capture-theFlag competition and year-round educational platform.

Steve Miller, a computer science teacher at Upper St. Clair School District (PA), recognizes the challenges around introducing cybersecurity into high school curricula, explaining that teachers often don’t have the background or skills to teach it confidently. “Even as a computer science major, cybersecurity was never a focus of mine.” Understanding the importance of this growing field, Miller decided to attend the picoCTF for NSA GenCyber Teachers’ Program, hoping to open new doors for his students.

In June, picoCTF furthered its outreach efforts, bringing together high school teachers from around the U.S. for its first-ever NSA GenCyber Teachers’ Program.

“It’s our job as educators to open [students’] eyes to the future and what’s possible for them,” said Miller. “By shining a light on the opportunities in cybersecurity, I hope to motivate my students to consider their futures and give them the chance to see if this is a field they are interested in pursuing.”

The five-day in-person camp offered a comprehensive program featuring engaging lectures, hands-on labs, and valuable networking opportunities as attendees were introduced to the latest tools, resources, and best practices in cybersecurity education. Teachers walked away from the experience with actionable lesson plans, ready to be implemented in the upcoming school year.

Laura Campbell, a Hilton Head Preparatory School teacher who spent almost 20 years as a software developer, traveled from South Carolina to attend the program. Taking what she’s learned throughout her career, Campbell has made it her mission to create new technology offerings at her school and plans to introduce a course on artificial intelligence and cybersecurity this fall.

“Training teachers is the only way to scale cybersecurity education,” said David Brumley, professor in Carnegie Mellon’s Electrical and Computer Engineering Department and founder of picoCTF. “And it only works when you find teachers willing to add to their already busy schedules to learn something new.”

“I would recommend a program like this to any teacher interested in bringing cybersecurity education to their students,” said Campbell. “Coming in person and having the opportunity to talk with the instructors and the other teachers has been invaluable.” “I’m excited to bring these ideas and the lesson plans we’ve created to my new course right from the get-go.” picoCTF’s hacking competition has been on Marlboro High School (NJ) teacher Christine Rehwinkel’s radar for years. Her family has made the annual event a tradition, coming together to learn new concepts and solve challenges. With Rehwinkel’s school district preparing to introduce cybersecurity courses in the fall, she jumped at the opportunity to attend the camp. “Because it’s such a new field, finding resources for teaching cybersecurity has been challenging,” said Rehwinkel. “When I saw picoCTF was offering a teachers’ camp, I already knew what a great resource its platform and competition are, so I immediately signed up.”

picoCTF Software Engineer and Education Lead Luke Jones gives a lecture during the 2023 NSA GenCyber Teachers’ Program. 18

Patrick Hooper, the co-founder of Community Forge, a community center located in Wilkinsburg, PA, looks

Left: Attendees and organizers of picoCTF’s NSA GenCyber Teachers’ Program gather for a group photo. Below: Hanan Hibshi, an assistant teaching professor at CMU’s Information Networking Institute (INI) and research advisor for picoCTF, gives a talk during the camp.

at cybersecurity education from a slightly different lens. He believes the field could provide life-changing opportunities for the underserved populations his organization works with. “A big part of education is empowerment, helping the youth get what they need out of life,” said Hooper. “The reality for many of the youths we work with is that they might not be able to pursue a four-year degree. They need to make money to pull themselves and their families out of poverty. So, we really focus on finding ‘shortcuts’ to help them achieve stable and lucrative lives.” “When we heard cybersecurity was an area where there was a lot of need, with technical skills that can be learned outside of a four-year program, that really excited us.” Hooper believes picoCTF’s gamified learning experience, coupled with its accessible platform, has the potential to

engage and inspire his students, opening the door to a brighter future and rewarding, well-paying careers. Thanks to the program’s success and funding from the National Security Agency (NSA), picoCTF organizers have announced they will host the camp again in 2024 and 2025. Teachers interested in attending the program are encouraged to reach out to picoCTF Director Megan Kearns at mkearns1@andrew.cmu.edu. “With a decade of success as an annual CTF competition and subsequently evolving into a year-round learning platform, the natural evolution of picoCTF is to provide training to those on the frontline of education,” said Kearns. “By empowering teachers with the skills to harness programs like picoCTF, we magnify our impact on students and accelerate our pursuit of narrowing the cybersecurity talent gap. The future of cybersecurity education and our nation’s health relies on a confident and competent workforce.”

CYLAB 2022-23 YEAR IN REVIEW

AWARD-WINNING RESEARCH PAVES THE WAY FOR PROVABLY-SAFE SANDBOXING USING WEBASSEMBLY “This is code downloaded from the internet. Are you sure you want to run it?”

“Security-critical bugs are found regularly in various implementations”, says Bosamiya, “Writing a highperformance compiler is already hard, and compilers from Wasm need to protect even against adversarial inputs, which makes it even harder.” To address this issue, the group has developed two distinct approaches for safely executing Wasm code via provably-safe software sandboxing—a technique that confines the impact of any bugs or malice in the untrusted code, preventing it from harming code or data in its environment. The first, vWasm, achieves provably-safe sandboxing by drawing on traditional formal methods to produce mathematical, machine-checked safety proofs. In contrast to traditional formally verified compilers that have focused on proving that correct input code is faithfully compiled to equivalent output code, vWasm ensures that all input code, regardless of correctness or even malice, is compiled to safely sandboxed code.

Jay Bosamiya, a Ph.D. student in CMU’s Computer Science Department (CSD), works on his laptop at the Gates Hillman Complex.

In today’s computer programming landscape, developers often face the challenge of safely using untrusted code. Libraries and frameworks, for example, help coders skip large amounts of tedious and duplicative work, but using code from unverified sources can become hazardous without the proper safeguards in place. In the worst cases, untrusted code can deplete system resources, lead to data breaches, affect system integrity, and even create vulnerabilities that allow outsiders to use machines for illegal activity. Over the past several years, Jay Bosamiya, a Ph.D. student in Carnegie Mellon’s Computer Science Department (CSD), along with his advisor Bryan Parno, a professor in CSD and the Department of Electrical and Computer Engineering (ECE), have been working to find ways to eliminate the threats associated with untrusted code. In their award-winning paper, “Provably-Safe Multilingual Software Sandboxing using WebAssembly,” Bosamiya, Parno, and Wen Shih Lim, a master’s student in the School of Computer Science, observed that WebAssembly (Wasm) is ideally positioned to safely execute untrusted code as it promises safety and performance while serving as a compiler target for many high-level languages. However, the group notes its promises are only as strong as its implementation. 20

“In the past, there has often seemed to be a tension between safety and performance. With rWasm, you no longer have to pick between the two.” Jay Bosamiya, Ph.D. student, Computer Science Department After a few years of working on vWasm, Bosamiya came up with an idea that changed the way he and Parno had been looking at the problem. Over the course of just a few weeks, he prototyped the first provably-safe sandboxing compiler with competitive run-time performance, rWasm. Leveraging Rust, a systems programming language with a strong focus on performance, reliability and safety, rWasm turns low-level Wasm code into a higher-level safe Rust code, enabling safe sandboxing without the tedium of writing formal proofs. “In the past, there has often seemed to be a tension between safety and performance,” says Bosamiya, “with rWasm, you no longer have to pick between the two.” vWasm and rWasm are open-sourced, allowing others to use, inspect, and build upon each. Bosamiya hopes computer programmers and researchers worldwide will use them to improve the security of software systems over time. “Provably-Safe Multilingual Software Sandboxing using WebAssembly” earned both a USENIX Distinguished Paper Award and the 2nd place prize in the 2022 Internet Defense Prize Competition at the 31st USENIX Security Symposium.

MEASURING INTERNET RESILIENCE IN UKRAINE When Carnegie Mellon master’s students Akshath Jain, Deepayan Patra, and Mike Xu reached out to Department of Computer Science Professor Justine Sherry, asking to take her doctoral level “Computer Networks” course, they never imagined they would end up presenting their course project at the ACM Internet Measurement Conference (IMC)) in France. During the course, students were introduced to a paper titled “On Distributed Communications Networks,” written by the late Paul Baran in the 1960s, which defined the intentional design principles that later work on the Internet would share.

Developed ahead of the Cold War, the Internet’s architects were concerned about an attack on communication infrastructure. In turn, the Internet was deliberately designed to reroute around failures automatically. Using packet switching rather than circuit switching, both technologies used for networking, the Internet can overcome downed routers and links by sending information along alternative paths. “My students had just learned how the Internet was designed to be resilient during wartime,” said Sherry. “The war in Ukraine offered them a unique opportunity to evaluate whether and to what extent this design goal has been realized.” “For our final project, we wanted to tackle something relevant,” said Jain. “With the invasion beginning to unfold, we thought, ‘how can we look at this from a networks perspective?’” Continued on page 23

Source: The Ukrainian Internet Under Attack: an NDT Perspective - Areas of military activity as of March 20, 2022 (approximate date of maximum Russian occupied territory in Ukraine within the window of analysis). Shaded regions to the North, South, and East are controlled by Russian forces. CYLAB 2022-23 YEAR IN REVIEW

CYLAB’S SECURE BLOCKCHAIN INITIATIVE Carnegie Mellon University’s Secure Blockchain Initiative (SBI) is off and running, as six projects have been selected for its first round of seed funding.

FIRST ROUND OF FUNDED PROJECTS Analysis and Optimization of Resilience in Blockchain Peer-to-Peer Networks • Osman Yagan - Research Professor, Electrical and Computer Engineering (ECE) Modeling Barriers to Self-Custody for Cryptocurrency Novices • Sauvik Das - Assistant Professor, Human-Computer Interaction Institute (HCII) • Jason Hong - Professor, HCII Blockchain Censorship • Nicolas Christin - Professor, Engineering and Public Policy (EPP) & Software and Societal Systems (S3D) Accountability for Unlinkable, Anonymous Transactions

Hosted by CyLab and led by co-directors Nicolas Christin, Elaine Shi, and Ariel Zetlin-Jones, the initiative aims to rethink blockchain across enterprise ecosystems by addressing various challenges around three main research thrusts: • Cryptoeconomics: Cryptography, Consensus, and Verification • Applications and Implementations • Cryptocurrencies, Tokenized Assets, and Policy Through this unique collaboration, CyLab intends to develop a suite of novel foundations and technologies to ensure fundamental research elements, especially from a security, privacy, ethics and societal impact perspective. Comprised of over 35 faculty members from four CMU colleges, the multi-year, multi-disciplinary initiative serves as the University’s central hub for blockchain research.

• Giulia Fanti - Assistant Professor, ECE • Elaine Shi - Associate Professor, Computer Science Department (CSD) & ECE Investigating Common Security Vulnerabilities in Blockchain Software • Hanan Hibshi - Assistant Teaching Professor, Information Networking Institute (INI) The Value of Bitcoin Options • Lars-Alexander Kuehn - Associate Professor, Tepper School of Business Funding for these projects was made possible by the Algorand Foundation, Crypto.com and Ripple. Interested in getting involved or sponsoring the Secure Blockchain Initiative? Learn more at blockchain.cmu. edu or contact CyLab’s Director of Partnerships, Michael Lisanti at mlisanti@andrew.cmu.edu.

CMU SECURE BLOCKCHAIN SUMMIT In May, CyLab hosted the firstever CMU Secure Blockchain Summit, bringing together experts from around the world to share their research and discuss the future of the technology and its applications. The two-day event featured five sessions, including talks and panel discussions focused on topics like cryptoeconomics, applied cryptography, programming languages, policy and regulation, ethics and equity, and more.

Continued from page 21

Graphs showing percentage changes of metrics on a per-oblast basis comparing wartime numbers to prewar numbers.

Collaborating with Google Research Scientist Phillipa Gill, who works on the company’s Measurement Lab project, an open-source initiative focused on global network performance measurement, the trio began gathering data about Ukraine’s Internet performance. They reviewed metrics to determine the extent of network degradation during the first 54 days of the invasion and whether it correlated with where Russian troops were located. Findings showed Internet performance began degrading almost immediately after the invasion began on February 24, 2022. Researchers say the degradation became even more apparent in the days following, with average packet loss rates increasing by as much as 500% relative to prewartime baselines. “The intensity of the degradation correlated with the presence of Russian troops in the region,” said Patra. “But it was clear that in all these cities under attack, there were places where you could still get Internet access.” The group also analyzed traceroute data, looking for changes in routing through the network. They found modest changes in routing correlated with performance degradation and an increased reliance on international (rather than domestic) Internet service providers for global connectivity. That said, even in the face of an invasion, the Internet in Ukraine was still largely available and functional. “The ability of the network to rapidly adapt and diversify paths provides evidence of infrastructure resilience,” said Xu. C Y L A B 2 0 2 2 - 2 3 Y E A R I N R E V I E W | 23

CYLAB ICON CONNECTS USERS WITH ONLINE PRIVACY CHOICES Have you noticed the new icon popping up on websites across the Internet?

“When we brainstormed possible icons, we thought about trying to directly convey the “do not sell my personal information” concept or an “opt-out” concept,” said Lorrie Cranor, director of CyLab, and professor at Carnegie Mellon’s School of Computer Science and Engineering & Public Policy Department. “However, we realized that in the future, people will likely have multiple privacy choices that cover areas beyond the selling of information. Therefore, it would be better to design an icon that effectively conveys the idea of choices.” Researchers also suggested using a more general phrase for the link label, such as “privacy options” or “privacy choices,” taking users to a one-stop shop where they could make all of their privacy decisions.

Thanks to researchers at Carnegie Mellon’s CyLab Security and Privacy Institute, the University of Michigan, and Fordham University, users can now easily make choices about how websites use their personal information, all in one convenient spot. For years, the team of privacy experts has been conducting user studies, searching for the best ways to help website visitors make informed decisions about their personal data. So, when the California Attorney General’s office requested public input on the California Consumer Privacy Act in 2019, the group decided to review the new regulations to see how they could help.

“Websites don’t want to include multiple links, so we see many of them adopting the alternative opt-out link and our icon.” Lorrie Cranor, director, CyLab

The statute mandated that websites collecting and sharing visitors’ personal information include a link labeled “Do not sell my personal information,” optionally accompanied by an icon to be specified by the Attorney General’s office. So, the researchers went to work developing and testing different options.

As regulators finalized the California Consumer Privacy Act regulations, they chose to adopt the researchers’ icon, providing the resource as an optional tool while mandating the “Do not sell my personal information” link. In January 2023, another privacy law went into effect in California, the 2020 California Privacy Rights Act (CPRA), which required covered websites to include a longer “Do not sell or share my personal information link” as well as a new “Limit the use of my sensitive information” link. The CPRA also created the California Privacy Protection Agency, which decided to take a closer look at the statute, making modifications to better serve consumers in today’s ever-evolving internet landscape. With the list of required privacy links beginning to grow, the agency decided to provide an alternative option, allowing websites to use the researchers’ icon alongside text that reads “Your Privacy Choices” or “Your California Privacy Choices” rather than listing multiple links. “Websites don’t want to include multiple links, so we see many of them adopting the alternative opt-out link and our icon,” says Cranor. “Consolidating privacy choices into a single page makes exercising consumer choices less of a scavenger hunt, enabling consumers to better protect their privacy,” explains Hana Habib, special faculty instructor and associate director of the CMU Software and Societal Systems Department’s Masters in Privacy Engineering program. The icon now appears on Spotify, Proctor and Gamble, Walmart, Ford Motor Company, and Verizon’s websites, among many others.

ZERO TRUST IN ‘ZERO TRUST’

In May 2021, the President of the United States issued an executive order, initiating a government-wide effort to sure up its cybersecurity practices. The mandate tasked agencies with implementing zero-trust architectures and a cloud-based infrastructure by 2024, aiming to increase security and mitigate potential risks. But Carnegie Mellon University Electrical and Computer Engineering Professor Virgil Gligor says the plan leaves much to be desired and explains achieving zero trust isn’t possible. “Before I tell you what zero trust is, maybe I should start by defining trust,” said Gligor. “Trust is the acceptance of the truth of a statement without evidence or investigation; it is blind faith or wishful thinking, if you will.” “There are some areas where unjustified beliefs are ok, but in cybersecurity, believing that a security property holds without any evidence or investigation is a liability. So, cybersecurity professionals look to eliminate blind beliefs.” To achieve zero trust, the highest level of trust establishment, Gligor says, several tenets would have to be realized. Most importantly, all security properties of an enterprise network would have to be proven unconditionally and with certainty (i.e., with probability one in finite time).

“Trust is the acceptance of the truth of a statement without evidence or investigation; it is blind faith or wishful thinking, if you will.” Virgil Gligor, Professor Electrical and Computer Engineering

“If you’re able to do this, there is no liability left; you’ve reached zero trust,” explains Gligor. “Unfortunately, this is theoretically impossible for some properties and practically unachievable for others.” In his technical report, “Zero Trust in Zero Trust?”, Gligor says that “black box” devices, which are used in all servers

and endpoints of enterprise networks, make zero trust unachievable, as there is at least one security property that cannot be justified unconditionally with certainty. So, what does the government mean when it says zero trust architectures? And what does it hope they will achieve? Zero-trust architectures are not penetration-resistant. Therefore, they do not eliminate breaches. Gligor says that by implementing these architectures, the government’s primary goal is to limit adversaries’ ‘lateral’ movement by segmenting networks in an effort to reduce the amount of damage an adversary can cause. To secure these network segments or implicit trust zones, the government outlines a plan that would grant access to resources based on continuous verification of users’ attributes (e.g., roles, permissions, access levels) and enforce the least privilege principle (a security concept that states a user or entity should only have access to the specific data resources and applications needed to complete a required task). However, Gligor says this concept is technically unsound. Limiting ‘lateral’ adversary movement can only be achieved if the continuous verification checks and Continued on page 29 C Y L A B 2 0 2 2 - 2 3 Y E A R I N R E V I E W | 25

CARNEGIE MELLON’S HACKING TEAM WINS 7TH DEF CON CAPTURE-THE-FLAG TITLE

The winningest team in DEF CON’s Capture-the-Flag (CTF competition history, Carnegie Mellon University’s Plaid Parliament of Pwning (PPP, was back at it again, as the team defended its title, earning its seventh victory in the past eleven years. PPP joined forces with CMU Alum and University of British Columbia Professor Robert Xiao’s team, Maple Bacon, as well as hackers from CMU Alumni and PPP founders Brian Pak and Andrew Wesie’s startup Theori.io (The Duck. Together, the group competed under the name Maple Mallard Magistrates (MMM). DEF CON’s three-day flagship competition, widely considered the ‘Olympics’ of hacking, brought together some of the world’s most talented cybersecurity professionals, researchers, and students, as twelve of the world’s top teams (who qualified from a field of 1,828 teams attempted to break each other’s systems, stealing virtual flags and accumulating points while simultaneously protecting their own. 26

“It feels great to win once again, and the team is incredibly pleased that we built and maintained a lead throughout the entire contest.” Jay Bosamiya, Ph.D. student, Computer Science Department

As the number of cybersecurity attacks continues to increase worldwide, competitions like DEF CON’s Capturethe-Flag provide the opportunity for leading cybersecurity engineers to measure up against one another, learning and developing new techniques as they work through various challenges. Carnegie Mellon students, faculty, and alumni once again demonstrated the University’s prowess in cybersecurity, finishing in the top spot on the leaderboard at the end of days one and two, and holding on in the competition’s final 24 hours to secure the victory. For the win, the team earned eight black badges, the most elite recognition in hacking, bringing PPP’s count to 56. “It feels great to win once again, and the team is incredibly pleased that we built and maintained a lead throughout the entire contest,” said Jay Bosamiya, PPP’s team captain for DEF CON Capture-the-Flag,

FEATURED GRANTS a Ph.D. student in Carnegie Mellon’s Computer Science Department, and member of CMU’s CyLab Security and Privacy Institute. “Our victory as MMM shows how well our three teams work together.” “It’s hard to understate the impact our students have in cybersecurity,” said David Brumley, Professor in CMU’s Electrical and Computer Engineering Department. “Aside from DEF CON, CMU students were the first to hack a Tesla and the iPhone, have founded multiple successful companies like Theori, ForAllSecure, and Comma, and have become professors at top universities. Graduates of CMU’s cybersecurity programs are simply among the best in the field, and DEF CON is just one very specific way that proves it.” PPP was first formed in 2009 and began competing at DEF CON in 2010. The team’s previous wins came in 2013, 2014, 2016, 2017, 2019, and 2022, with second-place finishes in 2015, 2018, 2020, and 2021. The team runs and competes in several cybersecurity competitions each year, and recently defended its title at the MITRE embedded Capture-theFlag event (eCTF). Members of PPP contribute to Carnegie Mellon University’s annual student-focused hacking competition, picoCTF, developing challenges of varying levels of complexity. picoCTF has long been the go-to CTF for middle and high school students looking to build and hone their cybersecurity skills, and in recent years has expanded to include an undergraduate leaderboard, as well as several country and continentspecific leaderboards. Home to the CyLab Security and Privacy Institute, U.S. News and World Report’s top-ranked undergraduate cybersecurity program, and several world-class graduate programs and courses, Carnegie Mellon University continues to lead the way in cybersecurity education and research.

Alessandro Acquisti Understanding the Impact of Privacy Interventions on the Online Publishing Ecosystem Funder: National Science Foundation Other CMU researchers on grant: Yi Chen, Cristian M. Borcea, Cristobal Cheyre

Swarun Kumar & Akshitha Siraman Moonshot Award for Communication and Compute for All

Funder: National Science Foundation

Funder: CMU College of Engineering Other CMU researchers on award: Theo Benson, Mario Berges, Tim Brown, Giulia Fanti, Hanan Hibshi, Assane Gueye, Brandon Lucia, Jon Peha, Sean Qian, Allen Robinson, Vyas Sekar, Carmel Majidi, Yuvraj Agarwal, Zac Manchester

Virgil Gligor

Yorie Nakahira

Lorrie Cranor Center for Distributed Confidential Computing

RESTORE - Trustworthy Storage Devices Funder: AIS STTR - Defense Advanced Research Projects Agency Resilient Distributed Machine Learning in Secure Navy Tac2cal Networks Other CMU researchers on grant: Soummya Kar, Osman Yagan

Safety Against Latent Risks in Dynamic and Interactive Environments Funder: Office of Naval Research

Brian Parno Automating the End-to-End Verification of Security Protocol Implementation Funder: NSF SaTC

Hanan Hibshi

Verus: Developing Provably Correct and Reliable Rust Code

2022 GenCyber (for picoCTF Teachers Program)

Funder: Amazon

Funder: National Science Academy (NSA)

Corina Pasareanu

“Increasing Student Diversity in Cybersecurity Educations” (picoCTF) Funder: Cisco Systems Inc.

Aayush Jain 2023 Google Faculty Research Scholar Award for work on homomorphic secret sharing Funder: Google

Limin Jia DIVINA: Detecting Injection Vulnerabilities In Node.js Applications Funder: Amazon Other CMU researchers on the grant: Corina Pasareanu

Machine Learning for JavaScript Vulnerability Funder: C3.ai DTI Other CMU researchers on the grant: Lujo Bauer, Limin Jia, Hakan Erdogmus

Nihar Shah Robustness to Undesirable Behavior in Peer Review Funder: National Science Foundation

Justine Sherry Design and Deployment of Bespoke Congestion Control Funder: National Science Foundation CYLAB 2022-23 YEAR IN REVIEW

CMU HACKING TEAM DEFENDS TITLE AT MITRE CYBERSECURITY COMPETITION

For the second year in a row, Carnegie Mellon’s competitive hacking team, the Plaid Parliament of Pwning (PPP), has taken home the top prize at the MITRE Embedded Capture-the-Flag (eCTF) cybersecurity competition. Over the course of three months, PPP and 79 other collegiate-level teams worked to design and implement a key fob system for a car door lock, protecting the car from unauthorized entry and preventing attacks such as replays and key fob cloning. PPP’s win came in a landslide, scoring over 10,000 more points than the competition’s second-place finisher. CyLab Security and Privacy Institute Project Scientist Maverick Woo, who co-advised the team with Electrical and Computer Engineering (ECE) Professor Anthony 28

Rowe and Information Networking Institute (INI) Associate Teaching Professor Patrick Tague, credits the victory to the group’s composition and work ethic. “Our team has strong expertise in both embedded development and attacks,” says Woo. “Our students worked hard and were committed, and they were able to organize themselves to take advantage of the large team size.” The annual competition saw teams from the United States and around the world, with a record-breaking 546 student participants. Notably, PPP finished ahead of hackers from the University of California, Santa Cruz (2nd place), and the University of Illinois UrbanaChampaign (3rd place).

“This competition was a fantastic opportunity to apply hardware attacks I had only read about in practice.” Eliana Cohen, ECE master student

The competition had two phases—design and attack. Each phase offered opportunities to score points by obtaining flags and submitting them to the live eCTF scoreboard. During the design phase, hackers acted as a team of engineers at a car manufacturer, designing and building the embedded software that would get provisioned on the next line of cars and key fobs sold to customers. In the attack phase, teams had the opportunity to analyze other groups’ designs, identifying security flaws as they aimed to unlock and start the vehicles without authorization from the vehicle owners. eCTF competitions are unique from other CTF competitions because they focus on embedded systems security. Students not only defend against traditional cybersecurity attack vectors but also need to consider hardware-based attacks such as side-channel attacks, fault injection attacks, and hardware modification attacks. “These competitions offer students a unique opportunity to combine the knowledge and skill sets obtained in various cybersecurity, computer science, and computer engineering classes and apply them to real-world situations,” says INI Assistant Teaching Professor Hanan Hibshi. “Over the years, former students have shared how these experiences impacted their careers and their understanding of the concepts we discuss in class.” “Before competing in eCTFs, I had almost no security experience. Thanks to competitions like this, I now understand the basics of cryptosystems and have gained hands-on experience performing attacks and

designing secure systems,” says Carson Swoveland, a junior in ECE. “This competition was a fantastic opportunity to apply hardware attacks I had only read about in practice,” says ECE master’s student Eliana Cohen. “I learned a ton, and I’m excited to apply my experience as I begin my career.” Funding for this year’s team was made possible by several CyLab Security and Privacy Institute partners: Amazon Web Services, AT&T, Cisco, Infineon, Nokia Bell Labs, Rolls Royce, and Siemens.

Continued from page 25 application of least privilege principal prevent cross zone-attacks. Continuous monitoring of devices’ behaviors must also detect them. But Gligor explains that zero-trust architectures often fail to detect and prevent against these types of attacks, citing several examples in his technical report. “The goal of limiting adversaries’ movement to a minimized trust zone cannot be accomplished because the criteria that zero trust architectures use fail to minimize many critical trust zones,” says Gligor.

“Several other minimization principles exist, which zero trust architectures ignore for practical reasons. Their implementation would require security redesign, which the government seeks to avoid as it could delay deployment.” While Gligor says zero-trust architectures cannot serve as security models due to their inability to counter major security exposures, he stresses they are not entirely useless. “Although the architectures have a low defense value, they offer useful breach recovery value.”

Using data from IBM, Gligor shows that segmenting networks into minimized trust zones can significantly reduce the amount of data lost in a breach, decreasing the overall cost of recovery efforts. “When you recover data after a breach, you must determine how many information records were lost. With zero trust architectures, instead of losing 20 million records to an adversary, you might lose only 1,000 because you’ve limited the number of records the adversary has access to.”

CYLAB 2022-23 YEAR IN REVIEW

CYLAB’S AWARDS 2023 SEED FUNDING

In 2023, CyLab awarded $450K in seed funding to 20 faculty, staff, and students in five departments across three colleges at CMU. The funding was awarded on projects’ intellectual merit, originality, potential impact, and fit towards the Security and Privacy Institute’s priorities. ”We are very excited to be able to fund so many great projects this year,” said Lorrie Cranor, director of CyLab, and professor in Carnegie Mellon’s School of Computer Science and Engineering and Public Policy Department. “These funds help seed new collaborations and assist our junior faculty and postdocs as they start new research that will hopefully grow into larger externally funded projects.” “We are grateful to our partners for their support in enabling us to provide seed funding for cutting-edge research projects that have the potential to impact the world,” said CyLab’s Director of Partnerships, Michael Lisanti. “Their commitment is critical to our mission of creating a world in which technology can be trusted and

“We are grateful to our partners for their support in enabling us to provide seed funding for cuttingedge research projects that have the potential to impact the world” Michael Lisanti, director of partnerships, CyLab protecting the privacy and security of individuals and organizations worldwide.”

Rohan Padhye, Guannan Qu, Yuejie Chi, Joshua Sunshine, Brad Myers, Matthew Davis, Aayush Jain, Eunsuk Kang, David Garlan, Sauvik Das, Laura Dabbish, Tianshi Li, Jason Hong, Yuvraj Agarwal, Dimitrios Skarlatos, Wenting Zheng, Hong Shen, Fei Fang, Marc Dandin, Lujo Bauer 30

The selection committee comprised CyLab-affiliated faculty, who prioritized several aspects when making their selections:

• Brad Myers – Professor, Human-Computer Interaction Institute (HCII)

• Collaboration between CyLab faculty in multiple departments

Light-Weight Homomorphic Secret Sharing from Sparse Decoding Problems

• Projects led by or having significant involvement of junior faculty • Seed projects that are good candidates for follow-on funding from government or industry sources • Projects that are making good progress but reaching the end of their previous funding and need funding to finish or to continue the project until other sources of funding are obtained • Efforts to transition research to practice, e.g., by preparing software for release as open-source projects, conducting field trials, or deploying research results in real-world applications • Projects that can get started quickly and make significant progress with a small amount of funding • Non-traditional projects that may be difficult to fund through other sources • Education or outreach projects aimed at broadening participation in the security and privacy field Funded Projects Fuzzing for Stateful Performance Issues • Rohan Padhye – Assistant Professor, Software and Societal Systems Department (S3D) Provably Efficient and Secure Decentralized Algorithms for Multi-Agent Reinforcement Learning • Guannan Qu – Assistant Professor, Electrical and Computer Engineering (ECE) • Yuejie Chi – Professor, ECE Usable Test Generation for Security • Joshua Sunshine – Assistant Professor, S3D

• Matthew Davis – Ph.D. Student, S3D

• Aayush Jain – Assistant Professor, Computer Science Department (CSD) Adaptive Graceful Degradation for Resilient Cyber-Physical Systems • Eunsuk Kang – Assistant Professor, S3D • David Garlan – Professor, CSD Robust, Casual Estimates of Social Influence on Security Behavior • Sauvik Das – Assistant Professor, HCII • Laura Dabbish – Associate Professor, HCII Engaging End Users and Developers to Improve App Store Privacy Audits • Tianshi Li – Ph.D. Student, HCII • Jason Hong – Professor, HCII • Yuvraj Agarwal – Associate Professor, CSD & S3D Scale-Out Hardware Architecture for PrivacyPreserving Computing • Dimitrios Skarlatos – Assistant Professor, CSD • Wenting Zheng – Assistant Professor, CSD Towards Inclusive Security and Privacy: Design for Digital Security and Privacy for the Homeless Population • Hong Shen – Assistant Research Professor, HCII • Fei Fang – Assistant Professor, S3D Trusted Optical Sensing for Secure Multimedia Provenance Information • Marc Dandin – Assistant Professor, ECE • Lujo Bauer – Professor, ECE, S3D & CMU-Africa CYLAB 2022-23 YEAR IN REVIEW

CYLAB’S FUTURE ENTERPRISE SECURITY INITIATIVE CyLab’s Future Enterprise Security Initiative is redefining security for businesses, big and small, through innovations in artificial intelligence, computer science, engineering, and human-factors research. Led by co-directors Lujo Baur and Vyas Sekar, researchers are working towards ensuring that the operational security postures of all enterprises in future scenarios are comparable to the select few “hyper-scale operations” that have large security teams and global-scale visibility into threats. Thirteen projects were selected for the initiative’s first seed funding round and announced at the Future Enterprise Security Kick-Off Meeting in October 2022. During the execution of these projects, faculty and the initiative’s sponsors are collaborating to develop a suite of novel foundations and technologies, ways to achieve security in small- and medium-sized enterprise systems. Founding sponsors of FutureEnterprise@CyLab are Amazon Web Services, Aryaka, Bosch, Cisco, Microsoft, Nokia Bell Labs, PNC, and VMware. “Our partners are really engaged. They understand where problems lie and are willing to take the time to help us generate ideas, evaluate proposals, and offer suggestions as to how each project can become even more relevant to the core mission,” says Bauer. FUNDED PROJECTS: Correlated Multi-armed Bandit Algorithms for Automating Security Checks and Responses • PI: Osman Yagan – Research Professor, Electrical and Computer Engineering (ECE) Zero Trust: Virtues, Limitations, and Beyond • PI: Virgil Gligor – Professor, ECE Verifiable Personalization for Federated Learning • PI: Corina Pasareanu - Principal Systems Scientist, CyLab • Co-PI: Ravi Mangal – Postdoctoral Researcher, CyLab

Evaluating Graph-Based Anomaly Detection Models on Private Data • Co-PI: Giulia Fanti – Assistant Professor, ECE • Co-PI: Nihar Shah – Assistant Professor, Machine Learning Department (MLD) and Computer Science Department (CSD) Adversarial Unlearning via Sybil Attacks: Impacts on Federated Learning and Enterprise Security • PI: Carlee Joe-Wong – Associate Professor, ECE Understanding code injection attacks in Node.js packages • PI: Ruben Martins – Assistant Research Professor, CSD • Co-PI: Limin Jia – Research Professor, ECE Automatic Testing Web-based Microservices • PI: Limin Jia – Research Professor, ECE • Co-PI: Fraser Brown – Assistant Professor, Software and Societal Systems Department (S3D) Verus: Developing Provably Secure and Performant Software • PI: Bryan Parno – Associate Professor, CSD and ECE ODO: Open Dependency Observatory for Software Dependencies • PI: Rohan Padhye – Assistant Professor, S3D • Co-PI: Yuvraj Agarwal – Associate Professor, S3D Designing Robust Protocols for Future Enterprise Systems • PI: Eunsuk Kang – Assistant Professor, S3D • Co-PI: Romulo Meira-Goes – Postdoctoral Researcher, S3D CyDec: Cyber Deception Gym • PI: Fei Fang – Assistant Professor, S3D Differentially Private Synthetic Data Generation • PI: Steven Wu – Assistant Professor, S3D From Fault Injection Testing to Malicious Code Injection Testing • PI: Heather Miller – Assistant Professor, S3D

2022-2023 CYLAB SEMINAR SERIES September 19, 2022 Polo Chau Associate Professor, Georgia Tech Human-Centered AI: Safe, Interpretable, Trustworthy Analytics September 28, 2022 Hanna Halaburda Assistant Professor, NYU How Blockchain Tokens are Changing Platform Economics October 3, 2022 Blase Ur Assistant Professor, University of Chicago Improving Transparency and Data Access Rights for Targeted Advertising October 24, 2022 Tadayoshi Kohno Professor, University of Washington Ethical Frameworks and Computer Security November 7, 2022 Vivian Fang 4th year Ph.D. Student, UC Berkeley Towards Practical Secure Computation November 14, 2022 Corina Pasareanu Principal Systems Scientist, CyLab Security and Privacy Institute Machine Learning and Software Engineering December 5, 2022 Michelle Mazurek Associate Professor, University of Maryland Revisiting What It Means to Be ‘Usable’: Usable Privacy Beyond End Users

February 13, 2023 Tudor Dumitras Associate Professor, University of Maryland What Can Security and Machine Learning Teach Each Other? February 20, 2023 Zhiyang Xu 5th year Ph.D. Student, Harvard University Xatu: Boosting Existing DDoS Detection Systems Using Auxiliary Signals March 27, 2023 Brent Waters Professor, University of Texas at Austin, Director, Cryptography and Information Security Group - NTT Research Ten Years of Indistinguishability Obfuscation April 13, 2023 Jaideep Vaidya Professor, Rutgers University Privacy-Preserving Data Sharing and Analytics

CISA Director Jen Easterly gives national address at Carnegie Mellon University

CISA DIRECTOR

DELIVERS MAJOR ADDRESS AT CARNEGIE MELLON On Feb. 27, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly spent the day engaging the community at Carnegie Mellon University on the importance of technology product safety. Easterly began her visit with a national address titled ‘Unsafe at Any CPU Speed: The Designed-in Dangers of Technology and What We Can Do About It.”

April 24, 2023 Jean-Pierre Hubaux Professor, EPFL - Switzerland Secure and Privacy-Preserving Decentralized Machine Learning June 13, 2023 Serge Egelman Director of Research, International Computer Science Institute Taking Responsibility for Someone Else’s Code: Studying the Privacy Behaviors of Mobile Apps at Scale

The address pointed to Carnegie Mellon’s role in educating the next generation of cybersecurity leaders and examined the need for the technology industry to create products that are secure — both secure by design and secure by default. Later in the day, Easterly visited CyLab, where she toured its Biometrics Lab, attended a picoCTF demonstration, and was briefed on CyLab’s Future Enterprise Initiative.

CYLAB 2022-23 YEAR IN REVIEW

CMU-AFRICA WEEK SHOWCASES RESEARCH AND CULTURE In April, CyLab hosted its firstever CMU-Africa Week, aiming to foster new collaborations around research problems in Africa.

Fourteen students from the College of Engineering’s Kigali, Rwanda location traveled to Pittsburgh for a week of sharing research and African culture with faculty, staff and students. The visiting students joined nine of their peers who had been studying in Pittsburgh during the spring semester through the global campus exchange program.

Throughout the week, students had the opportunity to meet with the College’s leadership, take tours of CMU’s Mill19, the Create Lab, the Tech Spark, and the JPMorgan Chase & Co. AI Maker Space, visit companies like Google and Bosch, and explore the city. At the week’s featured event, students showcased their research during a poster session and led a cultural presentation that included African food, music, photography, and poetry. CMU-Africa and CyLab have been working closely together for years. In 2021, the two created the CyLabAfrica initiative to improve the cybersecurity of digital systems in Africa and other emerging economies.

“Although we can collaborate very effectively from across the globe in this virtual world, it is important to hold inperson events like CMU-Africa Week to build relationships among our CMU community,” says Assane Gueye, codirector of CyLab-Africa and associate teaching professor at CMU-Africa. “We hope to create a tradition with CMU-Africa Week and continue to host students and faculty here in Pittsburgh in order to encourage conversation around important research questions,” says Giulia Fanti, co-director of CyLab-Africa and assistant professor of Electrical and Computer Engineering.

CYLAB 2022-23 YEAR IN REVIEW

CYLAB PARTNERS SHAPING A SAFER FUTURE Carnegie Mellon CyLab is a world leader in innovative thinking and game-changing collaborations that make life more safe, secure and privacy-respecting. We welcome industry and government agencies to join us in what we do best: solving real-life problems through interdisciplinary research and education. From building visibility among students to gaining access to cutting-edge faculty research, upskilling your workforce, and launching new initiatives for social good, CyLab partnership opportunities offer both immediate and far-reaching results. CyLab’s partners include a wide variety of businesses and institutions, ranging from companies focused on developing advanced technologies to science and government agencies in the USA and international partner STRATEGIC LEVEL PARTNERS/SPONSORS

BASE LEVEL PARTNERS

countries. These organizations have access to research and education opportunities that spur industry-wide advancement, propel employees’ skills, and transform promising ideas into marketplace triumphs. Our strategic focus initiatives include rethinking Future Enterprise Security through innovation, creating the knowledge and capabilities to build and implement Secure Blockchain systems “beyond-the-hype,” and improving the cybersecurity of digital infrastructure in emerging economies through CyLab-Africa. If you’re interested in working together to develop a collaborative plan that benefits both your team and CyLab, please contact Michael Lisanti, Director of Partnerships, at partnerships@cylab.cmu.edu.

2022 PARTNERS CONFERENCE

The CyLab Annual Partners Conference highlights the latest research in security and privacy with an interactive forum between faculty, students, industry and government. In 2022, the hybrid event included three student poster sessions and over 40 faculty and student presentations that focused on topics within six categories, including: •

Machine learning and analytics

•

Hardware and network security

•

IoT security and privacy

•

Human factors in privacy and security

•

Software and systems security

•

Blockchain and Crypto

Aside from the formal presentations, attendees had the opportunity to tour CyLab’s Biometrics Lab, take part in demos on the Computing On Network Infrastructure for Pervasive Perception, Cognition and Action (CONIX) Center, the Usable Privacy Policy Project and picoCTF, and network during a dinner reception at Phipps Conservatory and Botanical Gardens. CyLab partners say the conference provides them with insight into the latest trends in cybersecurity and privacy and offers the opportunity to connect with colleagues and academics doing leading work in the field.

“Each year, we come to the CyLab Partners Conference to find out where the world is heading from a cybersecurity perspective,” said Max Wandera, director of Eaton’s Product Cybersecurity Center of Excellence. “The event helps us prepare and position ourselves for upcoming challenges.” “Cisco is a leader in network and enterprise security, and we’re constantly looking to advance the state of the art. To do that, we need to work closely with those in academia, and CMU’s CyLab is one of the best academic institutes out there,” said Ashish Kundu, head of cybersecurity research at Cisco. “At Kyndryl, we’re in the early stages of building partnerships. It makes sense for us to work with CyLab because its faculty and students are at the forefront of the cybersecurity space,” said Ilyas Iyoob, the company’s chief data scientist. CyLab’s partners include a wide variety of businesses and institutions, each united by a passion for creating a world in which technology can be trusted. To learn more about partnering with the Carnegie Mellon CyLab Security and Privacy Institute, contact Michael Lisanti, director of partnerships, at mlisanti@andrew.cmu.edu.

CYLAB 2022-23 YEAR IN REVIEW

CYLAB NAMES 2023 PRESIDENTIAL FELLOWS

Each year, CyLab recognizes high-achieving Ph.D. students pursuing security and/or privacyrelated research, with a CyLab Presidential Fellowship, covering an entire year of tuition. This year’s CyLab Presidential Fellowship recipients are:

Sudershan Boovaraghavan Ph.D. Student, Software and Societal Systems Department Advised by Yuvraj Agarwal, Associate Professor, School of Computer Science Sudershan’s research focuses on developing novel approaches to providing comprehensive support for privacy and security in Internet of Things (IoT) systems spanning from sensing hardware to backend infrastructure and application stack to enable seamless real-world deployment. A key idea driving Sudershan’s research is co-designing IoT systems with methods to enable data minimization, transparency, flexible user controls, and secure data flows. Sudershan’s work has led to the establishment of a first-of-its-kind IoT testbed through the deployment of the Mites system in the newly constructed CMU TCS building. This testbed provides an opportunity to investigate practical design strategies and tools to enhance privacy and security. “The goal of my research is to build a safe, secure, and easy-to-use IoT infrastructure,” said Boovaraghavan. “I’m passionate about my research because, in this rapidly evolving IoT landscape, where numerous smart devices are increasingly prevalent that collect data about our daily lives, my research allows the development of innovative tools for privacy and security that establish trust and accountability in such systems.”

Elijah Bouma-Sims Ph.D. Student, Software and Societal Systems Department Advised by Lorrie Cranor, Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab FORE Systems Professor of Computer Science and of Engineering & Public Policy Elijah Bouma-Sims’ research focuses on examining how human factors affect users’ privacy and security experience, especially for at-risk groups (e.g., LGBTQ+ community and children). He is currently investigating teenagers’ interactions with social media scams, as well as their engagement in high-risk behaviors such as trading cryptocurrency and gambling. “My research advances our understanding of the unique privacy and security threats faced by vulnerable members of our society,” said Bouma-Sims. “These insights will help to make the Internet a safer place for all people.”

Peter Manohar Ph.D. Student, Computer Science Department Advised by Venkatesan Guruswami, Professor, University of California, Berkeley, and Pravesh K. Kothari, Assistant Professor, Computer Science Department Peter Manohar’s research focuses on designing algorithms to solve “near worst-case” instances of fundamental NP-hard problems, such as k-SAT, and leveraging these powerful algorithms to obtain new insights in other areas of theoretical computer science. Much of his work has centered around developing algorithms to solve constraint satisfaction problems and using these algorithms to prove new results in cryptography, extremal combinatorics, and coding theory. “My goal is to obtain a fine-grained understanding of the hardness of computational problems compared to traditional notions like NP-hardness by studying these problems in beyond average-case settings,” said Manohar. “Is it fair to call k-SAT a hard problem if we can efficiently solve all but the most adversarially constructed instances?”

Mansi Sood

Mingxun Zhou

Ph.D. Student, Electrical and Computer Engineering

Ph.D. Student, Computer Science Department

Advised by Osman Yagan, Research Professor, Electrical

Advised by Elaine Shi, Associate Professor, Computer Science and Electrical and Computer Engineering Departments, and Giulia Fanti, Assistant Professor, Electrical and Computer Engineering

and Computer Engineering Mansi Sood’s research focuses on stochastic modeling, analysis, and optimization in socio-technical systems. An underlying theme of her research has been leveraging the structure of interactions in the system to optimize performance. Two key application areas include controlling spreading processes (including misinformation) and enabling reliable inference in decentralized systems. “My research focuses on a foundational understanding of networked systems, with an emphasis on uncovering fundamental properties, identifying potential vulnerabilities, and improving reliability.”

Vasu Vikram Ph.D. Student, Software and Societal Systems Department Advised by Rohan Padhye, Assistant Professor, Software and Societal Systems Department Vasu Vikram’s research focuses on developing and scaling automated testing techniques to strengthen the safety and robustness of software. As modern software becomes increasingly complex, the need for techniques to support software evolution is essential. Much of Vasu’s work has centered around fuzz testing algorithms to automatically generate future-proof inputs to be used for regression testing.

Mingxun Zhou’s research focuses on designing privacy-preserving algorithms that balance utility, efficiency, and auditability by bridging cryptography and differential privacy. A series of his works on federated systems provide differentially private aggregation algorithms for different trust models. Another line of his works combines differential privacy and oblivious algorithms and provides a complete theoretical framework for the composability of differential obliviousness. He also works on private information retrieval (PIR), especially on practical PIR algorithms for real-world-scale problems, and has publications on various topics such as blockchain, probabilistic data structures, and reinforcement learning. “I love working on algorithm-design problems inspired by real-world applications, especially those related to privacy,” said Zhou. “It is a multidisciplinary area that involves cryptography, statistics, system design, machine learning, and more. I enjoy the complexity of this area and also the possibility that people can actually benefit from my works.”

“My goal is to explore and apply dynamic program analysis techniques to solve the complex problems that arise in real-world software,” said Vikram. “I enjoy researching ideas that can improve the workflow of software developers, including myself.”

C Y L A B 2 0 2 2 - 2 3 Y E A R I N R E V I E W | 39

2022-2023 GRADUATED PH.D. STUDENTS

Janice Blane, Software and Societal Systems

Tianshi Li, Human-Computer Interaction Institute

Advisor: Kathleen Carley Thesis: Social-Cyber Maneuvers for Analyzing Online Influence Operations Defense: April 2023

Advisors: Jason Hong, Yuvraj Agarwal Thesis: Privacy Annotations: Designing Privacy Support for Developers Defense: December 2022

Paulo Casanova, Software and Societal Systems

Zinan Lin, Electrical and Computer Engineering

Advisor: David Garlan Thesis: Failure Detection and Diagnosis in Architecturebased Autonomic Systems Defense: May 2023

Advisors: Vyas Sekar, Giulia Fanti Thesis: “Data Sharing with Generative Adversarial Networks: From Theory to Practice” Defense: January 2023

Darion Cassel, Electrical and Computer Engineering

Thomas Magelinski, Software and Societal Systems

Advisor: Limin Jia Thesis: Practical End-to-End Analysis of Information Flow Security Policies Defense: August 2023

Advisors: Kathleen Carley, Osman Yagan Thesis: Contextualized Conversational Network Dynamics on Social Media Defense: April 2023

Kyle Crichton, Engineering and Public Policy

McKenna McCall, Electrical and Computer Engineering

Advisor: Lorrie Cranor Thesis: Tracking User Web Browsing Behavior: Privacy Harms and Security Benefits Defense: August 2023

Advisor: Limin Jia Thesis: Information Flow Control for Dynamic Reactive Systems Defense: April 2023

Geoffrey Dobson, Software and Societal Systems

Abhilasha Ravichander, Language Technologies Institute

Advisor: Kathleen Carley Thesis: Cyber-FIT: An agent-based framework for simulating cyber team performance Defense: August 2023

Advisors: Norman Sadeh, Ed Hovy Thesis: Understanding People’s Diverse Privacy Attitudes: Notification, Control and Regulatory Implications Defense: December 2023

Vishal Dwivedi, Software and Societal Systems

Laixi Shi, Electrical and Computer Engineering

Advisor: David Garlan Thesis: Halo: A Framework for End-User Architecting Defense: November 2022

Advisor: Yuejie Chi Thesis: Provable Algorithms for Reinforcement Learning: Scalability, Efficiency, and Robustness Defense: July 2023

Alex Gaudio, Electrical and Computer Engineering Advisor: Asim Smailagic Thesis: Explainable Deep Machine Learning for Medical Image Analysis Defense: July 2023

Haojian Jin, Human-Computer Interaction Institute Advisors: Jason Hong, Swarun Kumar Thesis: Modular Privacy Flows: A Design Pattern for Data Minimization Defense: September 2022

Aqsa Kashaf, Electrical and Computer Engineering Advisors: Yuvraj Agarwal, Vyas Sekar Thesis: Towards a More Resilient Web Infrastructure Defense: June 2023

Jingxian Wang, Electrical and Computer Engineering Advisor: Swarun Kumar Thesis: Blind Wireless Beamforming to Power, Cook, and More Defense: August 2022

Han Zhang, Computer Science Advisors: Yuvraj Agarwal, Matt Fredrikson Thesis: Secure and Practical Splitting of IoT Device Functionalities Defense: August 2023

Shikun Zhang, Language Technologies Institute Advisor: Norman Sadeh Thesis: Understanding People’s Diverse Privacy Attitudes: Notification, Control and Regulatory Implications Defense: March 2023

SECURITY AND PRIVACY COURSES AND DEGREES Security and privacy courses and degree programs are offered across several departments and institutes at Carnegie Mellon. CMU’s offerings include both undergraduate and graduate courses, as well as full-time and part-time programs.

UNDERGRADUATE LEVEL • Minor in Information Security, Privacy, and Policy > >

Engineering and Public Policy Department Software and Societal Systems Department

• Security and Privacy Concentration > >

Electrical and Computer Engineering Department Computer Science Department

MASTER’S LEVEL

CELEBRATING 20 YEARS OF INI’S MSIS PROGRAM In tandem with CyLab’s launch, CMU’s Information Networking Institute, considered the education arm of CyLab at the time, created the Master of Science in Information Security (MSIS) program, offering a technical focus on security and computer systems. Standing the test of time, MSIS remains one of CMU’s premier cybersecurity programs.

• Master of Science in Information Security >

Information Networking Institute

• Master of Science in Artificial Intelligence Engineering - Information Security >

Information Networking Institute

• Master of Science in Information Security Policy and Management >

Heinz College

• Master of Science in Information Technology Information Security >

Information Networking Institute

PH.D. LEVEL CMU offers several Ph.D. programs that enable students to focus on security and privacy, including: College of Engineering Electrical and Computer Engineering, Engineering and Public Policy School of Computer Science Human-Computer Interaction, Language Technologies, Machine Learning, Software Engineering, Computer Science, Societal Computing

CyLab Executive Education Offerings The rapidly evolving landscape of technology-related security and privacy challenges requires an understanding of the business application and the ability to apply best practices to create solutions. From open enrollment to bespoke training programs, CyLab educators and researchers will empower you and your organization to solve critical challenges. CyLab offers training in these topics and more: • Artificial Intelligence (AI), Machine Learning, Security and Privacy • Behavioral Cybersecurity • Biometrics and AI • Blockchain and Cybersecurity • Cyber Workforce Development • Dark Web, Security Economics, Crime, and Fraud • Ethical Issues in AI and Cybersecurity • Internet of Things (IoT) Connected Products Security and Privacy

Interested in learning more about CyLab’s executive education offerings? Contact the CyLab partnerships team at partnerships@cylab.cmu.edu.

• Privacy Engineering • Social Cybersecurity and Social Network Analysis • Software-Defined Security for Next Generation Networks • Usable Privacy and Security CYLAB 2022-23 YEAR IN REVIEW

2022-2023 CYLAB CORE FACULTY

Alessandro Acquisti Trustee Professor of IT and Public Policy, Heinz College

Mohamed Farag Assistant Teaching Professor, Information Networking Institute (INI)

Yuvraj Agarwal Associate Professor, Software and Societal Systems Department (S3D)

Matt Fredrikson Associate Professor, CSD, S3D

Joanne Peca Associate Director, Associate Professor of the Practice, INI

Virgil Gligor Professor, ECE

Raj Rajkumar George Westinghouse Professor, ECE

Hana Habib Specialty Faculty Instructor, S3D, Associate Director, Masters in Privacy Engineering Program

Norman Sadeh Professor, S3D, Co-director, Privacy Engineering Program

Ehab Al-Shaer Distinguished Career Professor, S3D Lujo Bauer Professor, Electrical and Computer Engineering (ECE), S3D, CMU-Africa Shawn Blanton Associate Department Head for Research and Joseph F. and Nancy Keithley Professor, ECE Fraser Brown Assistant Professor, S3D David Brumley Professor, ECE Nicolas Christin Professor, Engineering and Public Policy (EPP), S3D Lorrie Cranor Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab, FORE Systems University Professor, S3D, EPP Sauvik Das Assistant Professor, HumanComputer Interaction Institute Giulia Fanti Assistant Professor, ECE

Dena Haritos Tsamitis Director and Barbara Lazarus Professor, Information Networking Institute (INI, Founding Director, Education, Training and Outreach, CyLab Hanan Hibshi Assistant Teaching Professor, INI Jason Hong Professor, Human-Computer Interaction Institute Aayush Jain Assistant Professor, CSD Limin Jia Research Professor, ECE Yorie Nakahira Assistant Professor, ECE Jema Ndibwile Assistant Teaching Professor, CMU-Africa Bryan Parno Associate Professor, CSD, ECE

Corina Pasareanu Principal Systems Scientist, CyLab

Marios Savvides Bossa Nova Robotics Professor of Artificial Intelligence, ECE, Director, CyLab Biometrics Center Vyas Sekar Tan Family Professor, ECE Elaine Shi Associate Professor, CSD, ECE Asim Smailagic Research Professor, ECE Patrick Tague Associate Teaching Professor, INI Conrad Tucker Professor, Mechanical Engineering Riad Wahby Assistant Professor, ECE Osman Yagan Research Professor, ECE Ding Zhao Assistant Professor, Mechanical Engineering Wenting Zheng Assistant Professor, CSD

This year, Riccardo Paccagnella joined Carnegie Mellon’s Software and Societal Systems Department after finishing his Ph.D. in computer science at the University of Illinois Urbana-Champaign. Paccagnella’s research interests lie in the areas of system and hardware security. 42

FEATURED SPEAKING ENGAGEMENTS Alessandro Acquisti Economic and Legal Challenges in the Advent of Smart Products Keynote Lecture, ZiF Research Group Closing Conference Hi! PARIS summer school on AI & Data for Society and Business Keynote Lecture, HEC Paris Lujo Bauer Towards robust ML-based malware detectors Invited Talk, ETH Zurich Kathleen Carley Influence and Coordination: Detecting Interesting Activity in Social Media Keynote Talk, Drums 2022: Security in a Post Truth World What Lies Beneath Keynote Talk, Second Conference on Chinese Affective Computing (CCAC 2022) Yuejie Chi Accelerating Ill-conditioned Lowrank Estimation via Scaled Gradient Descent Keynote Talk, IEEE Annual Computing and Communication Workshop and Conference David Garlan Humanizing Software Architecture Keynote Talk, The 16th European Conference on Software Architecture Virgil Gligor Zero Trust in Zero Trust? Invited Talks, Center for Cyber Defense and Information Security (KTH Stockholm), Zurich Information Security Center (ETH Zurich), Center for Digital Trust, (EPF Lausanne), National University of Singapore, Nanyyang Technnological University (Singapore), CMU - King Mongkut Institute of Technology (Ladkrabang, Bangkok, Thailand)

Zero Trust Virtues, Limitations, and Beyond Invited Talk, Swiss Support Center for Cybersecurity (EPF Lausanne)

Nihar Shah Peer review, biases, and statistical learning Keynote Talk, STATLEARN 2023 Mark Sherman

Hanan Hibshi Just a Shift to the Left: Securing our Source Code Invited Talk, Women in Cybersecurity Conference Rethinking What We Share Online Invited Talk, The Visiting American Professionals Program

Protect Your Machine Learning Applications from SolarWinds’ Attacks Invited Talk, Weapon Systems Software Summit Provably Secure Kernel Invited Talk, OUSD Research and Development Working Group, McLean, VA SEI Research in Memory Safety Languages Invited Talk, Enduring Security Framework Working Group on Software Supply Chain

Swarun Kumar Towards City-Scale Low-Power Wireless Networks Invited Talk, TCS - IIT Madras Computer Science and Engineering Colloquium Series

Justine Sherry

Yorie Nakahira Assuring safety in intelligent systems Keynote Talk, Joint Symposium of European Research Consortium for Informatics and Mathematics and Japan Science and Technology Safety of Intelligent Systems Operating in Uncertain and Interactive Environments Invited Talk, Smart Mobility Connection

Re-envisioning generic server architectures for I/O-driven compute Keynote Talk, Open Networking Foundation European P4 Workshop Detecting and Mitigating Dishonest Behavior in Peer Review Invited Talk, Joint Statistical Meetings Dena Haritos Tsamitis Imposter Syndrome Invited Talk, Minorities in Cybersecurity Conference

Samuel Perl Limits of Using Artificial Intelligence and GPT-3 in Patent Prosecution Invited Talk, Israel Patent Attorneys Association event on Generative AI and Chatbots Norman Sadeh Privacy in the Age of AI and the Internet of Things Keynote Talk, International Workshop on Privacy Algorithms in Systems (ACM CIKM 2022)

“EWF Sisterhood Chat: Cultivating Your Personal Board of Advisors.” Panelist, RSA Conference Leveraging the Value of Alumni to Build Pathways to Employment Moderator - 2024 NICE Conference & Expo Carol Woody Addressing Supply Chain Risk and Resilience for Software-Reliant Systems Invited Talk, SEI Webinar Key Steps to Integrate Secure by Design into Acquisition and Development SEI Podcast

CYLAB 2022-23 YEAR IN REVIEW

FEATURED RECOGNITIONS

The Institute of Electrical and Electronics Engineers (IEEE) awarded two ‘Test of Time’ awards during its 44th Symposium on Security and Privacy, both going to papers co-authored by CyLab faculty members and alumni. Initiated in 2019, the ‘Test of Time’ award recognizes published papers previously presented at the annual symposium that have had a broad and lasting impact on both research and practice in computer security and privacy. This year, the awarding committee considered papers presented in 2011 through 2013.

Jonathan Aldrich Named member of the IFIP Working Group 2.4 on Software Implementation Technology

Yuvraj Agarwal Received Best Paper Honorable Mention Award at the 2023 ACM CHI for ‘Understanding Challenges for Developers to Create Accurate Privacy Nutrition Labels’ Co-authors: Tianshi Li, Kayla Reiman, Lorrie Cranor, Jason Hong

Kathleen Carley Received 3rd place overall and top paper presentation at AEJMC for “How Disinformation Operations against Russian Opposition Leader Alexei Navalny Influence International Community”

Pinocchio: Nearly Practical Verifiable Computation (2013) Bryan Parno, Jon Howell, Craig Gentry, Mariana Raykova

Install a COVID-19 Contact-Tracing App? Understanding the Influence of App Design and Individual Difference on Contact-Tracing App Adoption Intention’ Co-authors: Tianshi Li, Camille Cobb, Jackie Yang, Sagar Baviskar, Yuvraj Agarwal, Lujo Bauer Received Best Paper Award at 2023 ACM CHI for ‘Understanding Frontline Workers’ and Unhoused Individuals’ Perspectives on AI Used in Homeless Services’ Co-authors: Tzu-Sheng Kuo, Hong Shen, Jisoo Geum, Nev Jones, Haiyi Zhu, Ken Holstein

Aayush Jain

Co-authors: Iuliia Alieva, J.D. Moffitt

Received 2022 ACM Doctoral Dissertation Award for ‘Indistinguishability Obfuscation from Well-Studied Assumptions’

Lorrie Cranor

Limin Jia

Elevated to rank of University Professor, the highest distinction for faculty at Carnegie Mellon University

Received 2023 SACMAT Test of Time Award for ‘Privacy Promises That Can Be Kept: A Policy Analysis Method with Application to the HIPAA Privacy Rule’

Yuejie Chi Named Institute of Electrical and Electronics Engineers (IEEE) Fellow

Mohamed Farag Selected as a Reviewer for the Sponsored Research Program at the Project Management Institute

Jason Hong Named Association for Computing Machinery (ACM Fellow Received Best Research Paper Award (2019-2021 in Pervasive and Mobile Computing for ‘What Makes People 44

Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms (2012) Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Julio Lopez

Co-authors: Omar Chowdhury, Andreas Gampe, Jianwei Niu, Jeffery von Ronne, Jared Bannatt, Anupam Datta, William H. Winsborough

Swarun Kumar Received 2022 IPSN Best Paper Award for ‘SelfieStick: Towards Earth Imaging from a Low-Cost Ground Module Using LEO Satellites’ Co-authors: Vaibhav Singh, Osman Yagan

Bryan Parno Received Distinguished Paper Award, and Second Prize in the Internet Defense Prize competition at the USENIX Security Conference for ‘Provably-Safe Multilingual Software Sandboxing using WebAssembly’ Co-authors: Jay Bosamiya, Wen Shih Lim Received Golden Core Award from the IEEE Computer Society Received Distinguished Paper Award at ACM OOPSLA for ‘Linear Types for Large-Scale Systems Verification’ Co-authors: Andrea Lattuada, Travis Hance, Chanhee Cho, Matthias Brun, Isitha Subasinghe, Yi Zhou, Jon Howell, Chris Hawblitzel

Nihar Shah Received 2022 Best Paper Award Honorable Mention at AAAI HCOMP for ‘Near-Optimal Reviewer Splitting in TwoPhase Paper Reviewing and Conference Experiment Design’ Co-authors: Steven Jecmen, Hanrui Zhang, Ryan Liu, Fei Fang, Vincent Conitzer Received two Outstanding Paper Awards and People’s Choice Award at 2022 ICLR Workshop on ML Evaluation for ‘Tradeoffs in Preventing Manipulation in Paper Bidding for Reviewer Assignment’ Co-authors: Steven Jecmen, Fei Fang, Vincent Conitzer

Ariel Zetlin-Jones Received 2022 UBRI Oustanding Educator Award

AARON ROTH RECEIVES 2023 CYLAB DISTINGUISHED ALUMNI AWARD Aaron Roth, the Henry Salvatori Professor of Computer Science and Cognitive Science at the University of Pennsylvania, has been named CyLab’s 2023 Distinguished Alumni Award winner. “I was surprised and honored to learn I had won the award,” said Roth. “I’d like to thank everyone who was involved in selecting me as this year’s recipient.” Roth earned his Ph.D. in Computer Science from Carnegie Mellon University in 2010, where he was advised by former CMU Professor Avrim Blum. His dissertation, ‘New Algorithms for Preserving Differential Privacy,’ gave new methods for performing computations on private data. Nominated by his former advisee, now Assistant Professor in CMU’s School of Computer Science, Steven Wu, the award recognizes Roth’s excellence in algorithms and machine learning, leadership in the field, and commitment to his students. “As my advisor, Aaron is nothing less than a beacon of inspiration, marked by his relentless curiosity, exceptional instinct for identifying the most exciting questions, creative problem-solving acumen, and impeccable eloquence in communication,” said Wu. “Advising is one of the best parts of my job,” said Roth. “Being recognized by one of my former students at the University where I earned my Ph.D. is really special.” After graduating from CMU, Roth spent a year as a postdoc in Microsoft’s research division. In 2011, he

“I was surprised and honored to learn I had won the award. I’d like to thank everyone who was involved in selecting me as this year’s recipient.” Aaron Roth

joined the University of Pennsylvania’s Computer Science Department as a tenure-track faculty member. Over the years, Roth has spent time in consulting and advisory roles for Leapyear Technologies, Spectrum Labs, Keystone Strategy, Apple, and Facebook, and currently serves as an Amazon Scholar for Amazon Web Services (AWS). He has also written and contributed to several books and academic journals. Roth has been recognized for his work and contributions to the field of computer science through a number of awards, including the Presidential Early Career Award for Scientists and Engineers (PECASE), the Alfred P. Sloan Research Fellowship, an NSF Career Award, a Google Faculty Research Award, an Amazon Research Award, and a Yahoo Academic Career Enhancement Award. Roth says his current research focuses on algorithmic fairness, examining how machine learning algorithms distribute errors across different populations. “Recently, the ongoing research theme in my lab is uncertainty quantification,” said Roth. “In order to trust machine learning algorithms in important scenarios, we must try to understand when and where they make their mistakes. My group is looking at this problem from a fairness perspective, working to develop methods for predicting models’ reliability.” In the CyLab Distinguished Alumni Award’s fourth year, Roth joins 2022 winner Michelle Mazurek, 2021 winner Yinglian Xie, and 2020 winner Elaine Shi. Roth will be presented with the award and give a talk at CyLab’s annual Partners Conference in October 2023. CYLAB 2022-23 YEAR IN REVIEW

CYLAB STAFF

BUSINESS OPERATIONS

Brigette Bernagozzi Student Life and Office Coordinator

Business Manager

Ashley Bon

Rachel Burress

Megan Kearns

Priyanka Kochhar

Danyel Kusbit

Special Projects Administrator

Administrative Assistant

PARTNERSHIPS

Ryan Gent

Associate Director of Partnerships

Isabelle Glassmith Project Manager

Administrative Assistant

Brittany Frost

Senior Administrative Coordinator

Tina Yankovich

Administrative and Financial Coordinator

Manager of Personnel and Student Services

COMMUNICATIONS

SUPPORT

Ryan Noone

Belka

Chief Morale Officer

Communications Manager

Omen Michael Lisanti

Director of Partnerships

Jamie Scanlon

Project Administrator

Chief Information Paw-ficer

IN OTHER NEWS

OCT24 CyLab proposes improved consumer-friendly broadband ‘nutrition’ labels CyLab researchers have conducted a large-scale user study of more than 2,500 participants, uncovering the information most important to consumers shopping for broadband internet service and determining what terminology and presentation formats make this information most understandable and useful.

NOV01 Securing Africa’s cyberspace In their first year, CyLab-Africa and the newly announced Upanzi Network have made deliberate strides toward improving cybersecurity in Africa.

JAN19 Protecting your online data Sauvik Das, assistant professor at Carnegie Mellon’s Human Computer Interaction Institute and member of CMU’s CyLab Security and Privacy Institute, share tips on how to protect your online data.

MAY02 Wambui Njogu’s path to a career in cybersecurity On a journey that’s taken her from Kenya to Rwanda to Pittsburgh, MSIT student Wambui Njogu looks back on the experiences that instilled her passion for cybersecurity and how she developed her skills at CMU-Africa.

JAN30 CyLab and S3D host International Data Privacy Day event The CyLab Security and Privacy Institute and Software and Societal Systems Department hosted Carnegie Mellon’s annual International Data Privacy Day event, bringing students, faculty, and staff together to discuss various aspects of online privacy.

NOV10 Fromherz wins ACM SIGSAC Doctoral Dissertation Award

Researchers’ award-winning paper provides a faster, more efficient way to perform system verification.

Over the past several years, websites have begun implementing cookie consent banners to meet regulatory requirements, allowing users to make choices about how their personal information is collected and shared. However, CyLab researchers say many of these banners miss the mark and may not be the best way to offer users privacy options.

MAY17 Less is not more; Mapping a better route to user ad settings

Former CyLab Presidential Fellow Aymeric Fromherz earned ACM SIGSAC’s 2022 Doctoral Dissertation Award for his thesis.” A Proof-Oriented Approach to Low-Level, High-Assurance Programming.”

JAN12 Improving system verification

MAY05 Cookie consent banners need improvement, may not be the answer

For users looking to change their privacy settings on website like Facebook, it often feels like a scavenger hunt. Now, researchers from Carnegie Mellon and the University of Michigan are exploring design options to make settings related to advertising preferences more findable.

MAR09 U.S. Chamber AI Commission releases final report Conrad Tucker served as a commissioner on the US Chamber AI Commission aimed to position the US as a leader in responsible AI development and deployment. The commission’s final report has been released.

MAR29 New tool helps mobile app developers create more accurate iOS privacy labels Created by researchers at Carnegie Mellon University, Privacy Label Wiz is an easy-to-use, step-by-step resource to help developers create accurate mobile app privacy labels.

JUN16 New website highlights thousands of Android apps’ data collection practices Researchers at Carnegie Mellon University have launched a new website, offering Android users an easy and convenient way to see how their data is collected and shared.

For more CyLab news, visit cylab@cmu.edu/news

CYLAB 2022-23 YEAR IN REVIEW

STAY CONNECTED WITH CYLAB

WEBSITE

NEWSLETTER

cylab.cmu.edu

bit.ly/cylab-newsletter

TWITTER / X

FACEBOOK

linkedin.com/ showcase/ carnegiemelloncylab

@cylab

@carnegiemelloncylab