CyberByte - Fall 2022


Pomp and Circumstance Return to Tandon.

CCS faculty and Ph.D. grads celebrate the first in-person graduation ceremony since 2019.

CENTER FOR CYBERSECURITY

Doctors all around (clockwise from top left): Drs. Rasika Bhalerao (l) and Damon McCoy (r); Dr. Michail Maniatakos with Drs. Esha Sarkar (l) and Dimitris Tychalas (r); Dr. Brendan Dolan-Gavitt with Drs. Yu Hu (c) and Zekun Shen
IN THIS ISSUE

GREETINGS FROM THE EDITOR-IN-CHIEF
2022 Ph.D. GRADUATES
RESEARCH FOCUS: PRIVACY
FACULTY PROFILE: RACHEL GREENSTADT
STUDENT PROFILE: ALAN CAO
ALUMNI PROFILE: KIRAN CHAUDHRY
CCS EVENTS
CCS NEWS
AWARDS AND HONORS

OUR TEAM

Editor in Chief: Quanyan Zhu
Editorial Copy Writer: Lois De Long

MORE THAN JUST KEEPING SECRETS…

When asked in an interview for this issue’s Faculty Profile how she would define the issue of privacy, Dr. Rachel Greenstadt replied it was “how individuals can manage the data about them, and their self-presentation in their interaction in online and offline spaces. It’s about autonomy and control and how we accomplish this in a digital world.” In other words, in the realm of cybersecurity, solving privacy issues requires more than just building metaphorically higher walls or more fences. It also means giving both individuals and groups a defense against misrepresentation, and recognizing that, without that protection, breaches can have a devastating human cost.

In this issue of CyberByte, we take a very brief look at how this complex issue is being addressed at NYU’s Center for Cybersecurity. In addition to the profile of Greenstadt, we offer brief summaries of other privacy research initiatives underway at both the Brooklyn and Abu Dhabi campuses. As we feature these different research areas that mark the scope of CCS work in privacy, we welcome feedback from alumni who may be addressing these issues in industry and academia. We would be happy to highlight your contributions in future issues.


CELEBRATING OUR 2022 PH.D. GRADUATES

The NYU Center for Cybersecurity is proud to recognize its 2022 Ph.D. graduates. After two years of virtual ceremonies, this year’s eight newly minted graduates got to mark their departure at an in-person graduation ceremony, held in May 2022 at the Barclays Center. Congratulations to the Center’s newest doctors.

MAX ALIAPOULIOS

(Advisor: Dr. Damon McCoy) Ph.D. Computer Science

In collaboration with his advisor, Max has contributed to a number of projects in security and privacy, applied machine learning, and cybercrime. Two recent studies have looked at the influence of dark web marketplaces on available supplies during the COVID-19 pandemic, and examined how QAnon theories were disseminated over time. During his tenure, he authored or coauthored numerous papers for conferences, such as the International AAAI Conference on Web and Social Media and the IEEE Symposium on Security and Privacy.

LAURA EDELSON

(Advisor: Dr. Damon McCoy)

Ph.D. Computer Science

Laura Edelson will not be leaving Tandon right away as she will be serving as a postdoctoral researcher at Cybersecurity for Democracy, a CCS initiative that promotes transparency in social media. Her work with this group, which she founded with her advisor, Dr. Damon McCoy, has made her a sought-after commentator for journalists on issues of privacy, disinformation, and the abuses of social media. Laura’s dissertation, “Characteristics of Misinformation and Political Content in Online Information Spaces,” was one of three from Tandon honored with a Pearl Brownstein Doctoral Research Award.

SAMRAT ACHARYA

(Advisors: Dr. Yury Dvorkin and Dr. Ramesh Karri)

Ph.D. Electrical Engineering

Samrat was featured in CyberByte’s Spring 2021 issue for serving as an unofficial spokesperson for cybersecurity in his native Nepal during the pandemic. This role evolved when he wrote an article to ensure that the surge in online work would not open new cybersecurity threats. His research at NYU Tandon focused on smart grid security and the security of cyber-physical systems, and he wrote his dissertation on “Cybersecurity of Electric Vehicle Charging.” Over the past five years, Samrat has authored or co-authored 17 papers. He recently began a new post as a power systems research engineer at Pacific Northwest National Laboratory.

RASIKA BHALERAO

(Advisor: Dr. Damon McCoy)

Ph.D. Computer Science

Rasika has pursued research endeavors in cybersecurity, ethics, and social bias in machine learning during her tenure at Tandon. Her commitment to ethical approaches in education and research is reflected in several papers, including one presented at the 53rd ACM Technical Symposium on Computer Science Education. Rasika has accepted a position as an Assistant Teaching Professor in the Khoury College of Computer Sciences at Northeastern University. Her Ph.D. dissertation is entitled, “Analyzing Harms of Online Platform and Policy Design.”

YU HU

(Advisor: Dr. Brendan Dolan-Gavitt)

Ph.D. Computer Science

Yu completed two master’s degrees at NYU Tandon—in wireless communication and cybersecurity—before starting his doctoral work at the school. His research initiatives have focused on automatic bug-finding techniques, and developing novel defenses against real-world software system attacks. As an associate researcher in the NYU Tandon MESS (Machine Learning, Embedded Systems, and Software/Systems Security) Lab, he contributed to research projects in crash widening, chaff bugs, and hybrid AEG. He also served as an adjunct lecturer for wireless and electronics. Yu’s dissertation topic is “Evaluating and Improving Symbolic Bug-finders for Security Vulnerabilities.”

ZEKUN SHEN

(Advisor: Dr. Brendan Dolan-Gavitt)

Ph.D. Computer Science

Zekun completed a master’s in computer science at Tandon in 2017 before moving on to his doctoral studies at the school. Much of his work has focused on using fuzzing and sanitizing techniques to test programs and operating systems. Zekun co-authored a paper “Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds” that was presented at USENIX Security in August 2022. He is now working as a research scientist at Meta.

PRESTON MOORE

(Advisors: Dr. Justin Cappos and Dr. Phyllis Frankl)

Ph.D. Computer Science

Preston’s research focused on application security and reliability, specifically exploring a novel testing technique that exposed applications to simulations of scenarios that had caused other applications to fail. In investigating this topic, he developed two new techniques that allow developers to detect situations where an application may fail before it is deployed, so that its deficiencies can be corrected without the negative consequences of a crash. Preston presented his work at ISSRE 2019, and was honored with the Best Paper and Presentation award. His dissertation is entitled “A PORT in Stormy SEAs: Leveraging Past Problems to Prevent Future Failures.” Preston is now working as a Senior Software Engineer for Anaconda in New York City.

JANITH WEERASINGHE

(Advisor: Dr. Rachel Greenstadt)

Ph.D. Computer Science

Janith actually began his doctoral studies at Drexel University in Philadelphia, PA, following completion of his master’s degree there. Since arriving at Tandon, his research initiatives have focused on using machine learning to mitigate abuses that occur on social media platforms. His dissertation topic is entitled “Using Stylometry to Mitigate Abuse in Online Communities.” Janith is joining the staff of The Washington Post as a data scientist.


RESEARCH FOCUS:

PRIVACY RESEARCH AT THE NYU CENTER FOR CYBERSECURITY

If one were to rank the concerns of the general public about technology, there is little doubt that privacy issues would be front and center. In a 2019 survey of U.S. residents by the Pew Charitable Trust, 81% of respondents voiced concern that they had no control over information collected about them by companies (see https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/). Given the concern privacy issues raise, it should not be surprising that CCS faculty and students are researching so many different solutions to vulnerabilities that have privacy implications. Here is a quick look at a few of these projects.

ENCRYPTION

The use of encryption strategies offers a way to protect data that is particularly sensitive, such as medical records or financial transactions. Unfortunately, the need to decrypt the data once it reaches its destination adds a layer of effort that could reduce the overall efficiency of the process. Now, a relatively new strategy called fully homomorphic data encryption has emerged that can allow computing to be performed on encrypted data. Several CCS-affiliated faculty, including Dr. Brandon Reagen (far left in photo) and Dr. Siddharth Garg (center) of Tandon’s Electrical and Computer Engineering Department, and Dr. Michail Maniatakos (right) of the Computer Engineering Department at NYU Abu Dhabi, have applied, tested, or advanced this technology in some way over the past year or so. In fact, Reagen has actually made contributions to two of these projects.

The first, supported by a three-and-a-half-year, $14-million grant from the Defense Advanced Research Projects Agency (DARPA), is the development of an FHE encrypted chip that reduces the risk of breaches. In this effort, Reagen and Maniatakos are working in collaboration with a data security company called Duality. Learn more about the research at https://engineering.nyu.edu/news/novel-tandon-designed-microchip-will-allow-data-be-processed-without-being-decrypted

The second project aims to reduce the loss of efficiency associated with non-linear operators like ReLU (rectified linear activation function). To address these issues, Reagen and Garg, along with two then Ph.D. students, developed a set of optimizations they call DeepReDuce. As stated in a presentation given last summer at the International Conference on Machine Learning (https://arxiv.org/pdf/2103.01396.pdf), “the key insight is that not all ReLUs contribute equally to accuracy. We leverage this insight to drop, or remove, ReLUs from classic networks to significantly reduce inference latency and maintain high accuracy.”

TESTING

Many methods promise to provide privacy via anonymity, but do they deliver? One such technology, generative adversarial networks (GANs), uses machine-learning systems to “scrub” images of any traces of personal identity. But a team of researchers, led by Garg, suggests that these scrubbed images leave a lot of “residue” behind. In tests conducted to see how effective tools like privacy protecting GANs (PP-GANs) actually were, Garg found that designs can, in fact, be subverted to pass privacy checks, while still permitting extraction of secret information. The results of this study were presented in a paper entitled “Subverting Privacy-Preserving GANs: Hiding Secrets in Sanitized Images.” Among its findings were “the insufficiency of existing DL-based privacy checks, and potential risks of using untrusted third-party PP-GAN tools.” The paper can be read in its entirety at https://arxiv.org/pdf/2009.09283.pdf


SYSTEMIC PROTECTION, INDIVIDUAL DEFENSE

Sometimes the best privacy defense is a good offense, and a good offense requires a deeper understanding of the mechanisms that allow breaches to occur. As stated on his website, Dr. Damon McCoy, an associate professor of computer science and engineering, has focused his research on “empirically measuring the security and privacy of technology systems and their intersections with society.” One of his most recent initiatives, conducted with Dr. Rachel Greenstadt (see profile on the next page), Ph.D. candidate Kejsi Take, Ph.D. alumnus Kevin Gallagher, and colleague Dr. Andrea Forte of Drexel University, examined the obstacles faced by individuals seeking to remove their data from People Search Websites. In a paper published in the Proceedings on Privacy Enhancing Technologies in July 2022, the team observes that “the successful monetization of users personal identifiable information motivates data aggregators to make the removal more difficult.” In order to fight back, McCoy and his team provide recommendations to users, third parties, removal services and researchers aiming to make the removal process more effective. You can read the paper at https://petsymposium.org/2022/files/papers/issue3/popets-2022-0067.pdf

PRIVACY IN THE REALM OF 5G

The emergence of 5G technologies has brought a rash of new security and privacy issues to the telecommunications sector. NYU Abu Dhabi’s Cyber Security and Privacy Lab, overseen by principal investigator Dr. Christina Pöpper, assistant professor of computer science, is tackling challenges in mobile network security, aviation security, and communication privacy. Pöpper’s recent research initiatives have examined the tracking of targeted users in 5G networks (paper at https://dl.acm.org/doi/10.1145/3448300.3467826) and the potential service/privacy losses that can occur during the “handover procedure,” where an ongoing call or data session is switched from one base station or core network to another, e.g., when user equipment is moving (paper at https://dl.acm.org/doi/pdf/10.1145/3485832.3485914). Though the handover process is cryptographically protected, it is vulnerable to denial-of-service and man-in-the-middle attacks, and information disclosure. Read about the ongoing work of the lab at https://nyuad.nyu.edu/en/research/faculty-labs-and-projects/cybersecurity-and-privacy-lab.html

INTERNET OF THINGS

As homes become smarter, the risk of privacy breaches from devices connected to the Internet of Things grows as well. Dr. Danny Y. Huang, an assistant professor of electrical and computer engineering at Tandon, focuses much of his research efforts on improving the security of smart devices. Huang is part of a multi-university project team working with an open source app called IoT Inspector (https://inspector.engineering.nyu.edu/), which gives individuals the ability to monitor network activity involving their in-home smart devices. Huang is also a Consumer Reports Digital Lab Fellow charged with uncovering and addressing emerging consumer harms from these devices. You can read more about his work with IoT Inspector in a paper published in the Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (https://iotinspector.org/papers/ubicomp-20.pdf).


PRIVACY, ANONYMITY, TRUST, AND READING BETWEEN THE LINES

As we have already established in this issue of CyberByte, the concept of privacy in a computer science context is complex and needs to be addressed in a diverse number of ways. The research initiatives of Dr. Rachel Greenstadt affirm just how diverse these approaches can be. During her previous work as director of Drexel University’s Privacy, Security, and Automation Laboratory (PSAL), and as an associate professor of computer science at NYU Tandon since 2019, Greenstadt has tackled issues of cyber harassment and cyber crime, sometimes in partnership with her CCS colleague Dr. Damon McCoy. One such example can be read at https://dl.acm.org/doi/pdf/10.1145/3432909.

She has also used techniques like topic modeling, named entity recognition, privacy ontology, sentiment analysis, and text normalization to investigate a broad range of privacy concerns related to social media (see https://dl.acm.org/doi/pdf/10.1145/2665943.2665958).

But Greenstadt has also conducted studies that explore the double-sided potential of privacy technologies that can either conceal identities or reveal them.

In an interview with CyberByte in May of 2022, Greenstadt spoke about her work with one such technology called stylometry—a technique based on the premise that “we all speak a dialogue of one.” Using the assumption that the language everyone speaks is subtly unique, stylometry analyzes linguistic patterns that can assist in identifying authorship of both text and code samples. Though the technique can be applied using a deep learning system, she noted that “a handcrafted approach, relying on character N-gram sliding windows of 1 to 4 characters” works about as well.

These models are used to characterize author style, which, in turn, can be used for forensic attribution work, such as “trying to see how identities migrate from one forum to another to understand dynamics of online communities, like cybercriminal forums.” But, she has also used the technique to test the viability of anonymization strategies so those who might need to hide their identities know whether their submissions are safe (see https://arxiv.org/pdf/1512.08546.pdf ).
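The character n-gram approach mentioned above, as an added example (not code from Greenstadt's lab or from any paper cited here): it builds profiles from sliding windows of 1 to 4 characters and ranks known authors against an unattributed text. Cosine similarity is an assumed, simple choice of comparison, and the sample texts and author labels are constructed for illustration.

```python
"""Character n-gram stylometry sketch. All sample texts are constructed."""
from collections import Counter
from math import sqrt


def char_ngram_profile(text, n_min=1, n_max=4):
    """Count every window of n_min..n_max characters in the text.

    Runs of whitespace are collapsed so line wrapping does not leak into
    the profile; case and punctuation are kept because they carry style.
    """
    normalized = " ".join(text.split())
    profile = Counter()
    for n in range(n_min, n_max + 1):
        for i in range(len(normalized) - n + 1):
            profile[normalized[i:i + n]] += 1
    return profile


def cosine_similarity(p, q):
    """Cosine of the angle between two sparse count vectors (0.0 to 1.0)."""
    if not p or not q:
        return 0.0
    dot = sum(count * q[gram] for gram, count in p.items() if gram in q)
    norm_p = sqrt(sum(c * c for c in p.values()))
    norm_q = sqrt(sum(c * c for c in q.values()))
    return dot / (norm_p * norm_q)


def rank_candidates(unknown_text, known_samples):
    """Return [(author, score), ...] for the unknown text, best match first."""
    unknown = char_ngram_profile(unknown_text)
    scores = [
        (author, cosine_similarity(unknown, char_ngram_profile(sample)))
        for author, sample in known_samples.items()
    ]
    return sorted(scores, key=lambda pair: pair[1], reverse=True)


def attribution_margin(ranking):
    """Gap between the best and second-best score.

    A small margin means the evidence does not separate the candidates,
    which is also the outcome an anonymization check is hoping to see.
    """
    if len(ranking) < 2:
        return 0.0
    return ranking[0][1] - ranking[1][1]


# Constructed writing samples with hypothetical author labels.
KNOWN_SAMPLES = {
    "author_a": (
        "i got up and it was dark and i made coffee and drank it black "
        "and the dog watched me and i did not speak and the road was wet "
        "and i walked out and did not look back"
    ),
    "author_b": (
        "Good morning, everyone! Please note: the quarterly report is "
        "attached. However, I would appreciate your feedback by Friday; "
        "furthermore, kindly confirm receipt. Regards, Dr. Smith"
    ),
    "author_c": (
        "lol ok so basically i overslept again!!! grabbed a bagel, ran 4 "
        "the train... missed it :( anyway c u at 9ish???"
    ),
}

# Constructed unattributed text, written in the style of author_a.
UNKNOWN_POST = (
    "he woke and it was cold and he made the fire and sat and drank the "
    "coffee and the horse stood and watched him and he did not speak and "
    "he rode out and it was dark"
)

if __name__ == "__main__":
    ranking = rank_candidates(UNKNOWN_POST, KNOWN_SAMPLES)
    for author, score in ranking:
        print(f"{author}: {score:.3f}")
    print(f"margin: {attribution_margin(ranking):.3f}")
```

Samples this short only illustrate the mechanics; the same ranking can be rerun on a rewritten version of a text to see whether the rewrite still points back to its author.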

Greenstadt notes that there is a somewhat long history of using stylometry to verify authorship, and it can be and has been admissible in a number of court cases. One of the earliest instances was back in the 1960s, when it was used to prove authorship of some of The Federalist Papers. More recently, it was used to prove that a detective novel called The Cuckoo’s Calling was actually the pseudonymous work of Harry Potter author J.K. Rowling (https://en.wikipedia.org/wiki/The_Cuckoo%27s_Calling).

For Greenstadt, some of her interest in stylometry goes back to graduate school conversations with colleagues, including Nick Mathewson, who would later cofound the Tor project. But, she admits that she initially had “quite a bit of skepticism” about the technique. “My thought was ‘well, if you pick the words, surely you could trick it’.” When she finally decided to pursue the work, it was at the request of Michael Brennan, the first doctoral student she worked with at Drexel. “By this point, there had been quite a lot of work done on stylometry, but nobody had really ‘stress-tested’ it. What we could potentially bring to it was this cybersecurity adversarial mindset by asking ‘what would it take to fool the system?’”


To test these ideas, she designed a study that required two types of writing samples from participants. In the first set they merely attempted to disguise their writing in some way, but in the second group of samples, Greenstadt asked participants to write like Cormac McCarthy, an American novelist famous for tales of the frontier, and also for eliminating basic writing conventions, like punctuation and capitalization, from his text. The students were “supposed to do narratives of their morning, and we got these super grim tales of coffee and shaving,” she observed. While the immediate results of these tests were not conclusive, “there was an idea that something interesting was going on,” she noted, adding that she felt additional studies could reveal some useful things. “Maybe you couldn’t identify who did the writing,” she explains, “but you can see some type of deception is going on.” Years later, the value of just noting that “deception is going on,” played out in an examination of Reddit accounts that were identified as part of the Russian manipulation in the U.S. Though the comparison didn’t reveal the authors’ identities, by just comparing them to other accounts on Reddit, it did show that the accounts in question “did not have stylistic integrity. These were supposed to be separate accounts, but they didn’t read that way.”

In addition to running stylometry studies, which have been documented in about 20 different publications, Greenstadt’s most recent research in this area has focused on a subset of stylometry called author verification. As she explained, these initiatives can “determine if the same person wrote two different texts,” which is useful when looking to find “sock puppet” accounts that write threatening or harassing messages. She recently presented one such study, co-authored with new graduate Dr. Janith Weerasinghe, at the 16th International AAAI Conference on Web and Social Media. (You can read the full article at https://ojs.aaai.org/index.php/ICWSM/article/view/19359/19131.)

While her work has provided tools to expose those who abuse the privacy of others—during the interview Greenstadt noted that an algorithm she developed with McCoy is possibly being used by the FBI—she has also made important research contributions to the other side of the privacy coin. That is, she sees the potential to design systems to help people more effectively anonymize their text. This includes work that has evaluated the relationship between anonymity and trustworthiness. Intrigued by the idea that Wikipedia bans contributions that come through Tor or from other pseudonymous contributors, she was curious to see if there were higher incidences of misleading or incorrect information coming from these sources. As explained in a news story prepared by NYU, Greenstadt and her colleagues examined more than 11,000 Wikipedia contributions made by Tor users, who despite the ban, were able to edit pages between 2007 and 2018 (https://engineering.nyu.edu/news/tor-users-untapped-resource-wikipedia). Not only was there little difference between the quality of these edits and those from editors who can be identified, but those editing through Tor were more likely to focus on topics that may be considered controversial, such as politics, technology, and religion.

Based on her findings, Greenstadt suggested that, rather than being banned, these pseudonymous contributors and any other untrusted accounts should simply be reviewed before going live. She points out that this practice is already common in 17 other Wikipedia editions, including those in Germany and Russia. If such a review is instituted, it appears these pseudonymous editors could be valuable contributors at very little risk. And, as Greenstadt pointed out in the interview, “What are you really trusting them to do? People aren’t supposed to be providing facts out of their heads.” She adds that in the current political climate around the world, where anonymity is often a matter of life or death, particularly for journalists and activists, the motivation to use Tor, or to disguise one’s identity online, becomes clearer.

Ultimately, for Greenstadt, the issue of privacy is, as quoted earlier, “about how individuals can manage the data about them, and their self-presentation in their interaction in online and offline spaces.” Researching both sides of the privacy coin can help individuals negotiate this increasingly difficult management task.


STUDENT PROFILE: ALAN CAO

RISING SENIOR MAKES THE MOST OF EARLY TANDON CONNECTIONS

Alan Cao, who begins his senior year in the Computer Science and Engineering Department this fall, has been actively engaged in research at NYU Tandon longer than some graduate students. His initial research work, back in 2018, was in the Secure Systems Laboratory. As a high school student, he worked with Associate Professor of Computer Science and Engineering Justin Cappos and 2022 Ph.D. graduate Preston Moore on the CrashSimulator project (see https://ssl.engineering.nyu.edu/papers/moore_crashsim_issre2019.pdf). For Cao, it was an introduction to “work that uniquely involved building systems and mitigations for security.” After finding out that NYU “aligned to that interest greatly and was a school local to me,” he noted that he “quickly sought to get involved,” not only to have a chance to “implement software that tries to solve complex security problems, but to also learn more about security research itself.”

Four years later, Cao has an impressive list of achievements to share on his resume. He has been an active member of the OSIRIS lab, for which he currently serves as a lab manager, and he was honored with a 2022 Leadership Award from Tandon’s Department of Computer Science and Engineering in recognition of “outstanding leadership in student activities.” In an interview conducted via email while he completes a summer internship with Meta Platforms Inc., Cao answered a few questions about his accomplishments to date and what he has learned along the way.

CyberByte: What, if anything, about those early lab experiences inspired your current research interests?

Cao: I was very fortunate to pick up various knowledge from the people that I worked with. It also definitely kicked off an interest in trying to pursue work where my job is answering novel security research questions, whether it’s building automation to quickly detect vulnerabilities, or defending against rising threats.

CyberByte: In addition to the Leadership Award mentioned above, you also won recognition this year for a paper called “What the Fork? Finding and Analyzing Malware in GitHub Forks” that you presented at the Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) this April. How did that project evolve?

Cao: Professor Brendan Dolan-Gavitt is the faculty advisor for the OSIRIS Lab, and his focus on both reverse engineering and doing en-masse analysis of open-sourced codebases aligned greatly with my interests. Thus, I thought he was the most appropriate person to reach out to about fulfilling my senior design credits. During this time, I had a peak interest in open-source supply chain security, specifically in the tactics threat actors use when propagating malware through package registries. I noticed this trend slowly showing up through GitHub forks, and wanted to understand if this is a significant threat in open source software. We built and scaled up detection infrastructure, and measured and reversed any samples we were able to find. We demonstrated the efficacy of our techniques by scanning 68,879 forks of 35 popular cryptocurrency repositories, which led to the discovery of 26 forked repositories that were hosting malware. I personally was very surprised to get an award for it during the conference.


It definitely could not have been done without guidance and inspiration from Dolan-Gavitt. I hope the paper is a great stepping stone for research that not only tries to catch malware effectively, but also leads to secure design choices that can ultimately wipe out these classes of threats.

CyberByte: You have held internships with three significant tech firms (Apple, Trail of Bits, and now Meta). Have any of these experiences influenced what type of work you might want to do when you graduate?

Cao: I really enjoyed that all three experiences challenged me to try to solve difficult problems in unique ways, which required potentially novel ideas and demanded a good amount of engineering. The ability to do this in a job is definitely a necessity for me, and I would love to continue working in roles that present the opportunity to do ample security research. Furthermore, I hope that any future positions allow me to find vulnerabilities and/or do reverse engineering/binary analysis, and produce reusable software/ services that others can adopt.

CyberByte: You have also served as lab manager for OSIRIS. What does this entail? Has it been difficult to keep activities going after two years of Covid and the changes it brought to the program?

Cao: As a lab manager for OSIRIS, a lot of my responsibilities are logistical. This includes corresponding with faculty and staff to ensure that our members have funding, proper access to resources, and the ability to host smaller in-person events. I also help manage the lab space, maintain some infrastructure, and communicate with prospective members about the lab. COVID-19 was definitely a game-changer for us, as we became largely a remote organization, and a bit inactive with our usual activities. Over time, however, we actually grew in popularity with more graduate students studying cybersecurity. This meant we had access to a group of part-time grad students that may already be working in the industry. Their presence opens more mentorship opportunities, and meaningful experiences for students interested in the cybersecurity space. Overall the lab was able to withstand the substantial changes to how we’ve operated pre-COVID, and also see this interesting shift that hopefully attracts a lot more newcomers, and delivers a positive experience for members and their academic/industry goals.

CyberByte: I know you have also been active in CSAW. What types of things have you done for that event?

Cao: For CSAW, I helped as an organizer in the Fall of 2020, just as we went remote. This meant hosting the CTF, writing challenges, asking sponsors for challenges, and facilitating the rounds of the competition. While I’m not the primary lead for the recent CTF round, I still help with administrative tasks and by writing some challenges.

CyberByte: What, if anything, are you looking forward to in your senior year?

Cao: I’m looking forward to wrapping up all the non-engineering classes that I have left over, and using free time to pursue personal projects, working with the lab, and also socializing with friends and family a lot more. And also finally graduating too and starting work in the industry.

An illustration of how ForkSentry can detect malicious fork repositories on GitHub.

NEWLY MINTED ALUMNUS MAKES EVERY CONNECTION COUNT

Kiran Chaudhry is just barely an alumnus, having received her M.S. in Cybersecurity degree in May 2022 via the Cyber Fellows program. She is now working on the security integration team for Salesforce, a company that creates cloud-based software to support businesses. But, she is also serving as an adjunct professor at the Ying Wu College of Computing at New Jersey Institute of Technology and the NYU Cyber Fellows program, teaching Privacy and IT at NJIT and Penetration Testing at NYU. Taking on posts in academia and industry at the same time might seem a bit daunting to some, particularly for a new graduate. But, for Chaudhry, it’s simply honoring a commitment to “pay knowledge forward” that has been part of her motivation since she was a freshman teaching Python and Java to K-8 students in a Jersey City, NJ, computer summer camp. As that first teaching assignment, along with being a tutor and peer mentor, helped her pay for some of her undergraduate college expenses, the takeaway for Chaudhry has been that when one pays things forward one can often move forward herself.

Chaudhry came to the attention of CyberByte as the winner of an NYU Inclusion Award, which is given to the one student in each academic department who has demonstrated a commitment to advancing inclusion, diversity, belonging and equity at Tandon. She received the honor for activities that support diversity in STEM professions, including single-handedly organizing, planning, and promoting two all Gen Z female panel events, even though she recalls, “I didn’t have any sponsorship or funds for either event.” As a social media ambassador for Niche.com, a scholarship application website, Chaudhry also had the opportunity to co-found a $2,000 scholarship. Lastly, during her time as community and partnership outreach campus chair for Victoria’s Secret Pink at NYU, she created a food event for Hispanic Heritage Month. The program provided students a healthy snack during midterms while spotlighting Elisa’s Love Bites, a local woman and Latinx-owned New York City business.

These examples show that Chaudhry has learned at a relatively young age how to form and use networks to both achieve personal goals, and to benefit others. In a recent conversation with CyberByte, she shared a few tips for other students who need to make the most of their available resources in order to achieve their goals.

Pay attention and follow the best leads

As a self-defined “first generation student,” Chaudhry knew early on that she would need to be smart about her educational decisions. She earned her first three college credits at the age of 12 by taking a biochemistry class at Rutgers University. Later on, “some female students from Rutgers did a presentation at my middle school and told us scholarships were available to women who wanted to study computer science.” She did land a full tuition honors scholarship to New Jersey City University and was able to complete her bachelor’s degree in two-and-a-half years. By then, she realized how much she liked teaching and began inquiring about adjunct work so she could “be a professor part time while continuing a corporate career. I was met with mostly one response, which was to have a master’s degree before applying.” Once again, she went searching for a program she could afford. Her research led her to NYU Tandon and the Cyber Fellows program. The program’s online nature meant she could save commuting fees from her home in New Jersey. But, she admitted she was also worried that she would not be able to “build that same sense of community” that she would have experienced had she chosen an in-person program.

Make the most of any opportunity you may get

Contrary to her concerns though, NYU, which she described as, “my dream school, the school I always aspired to go to but just never thought I’d be able to afford,” not only helped her find community, but also allowed her to grow in ways other than just academically or professionally. Signing up for the NYU RADical Health program, a four-week interactive experience to help incoming first-year students “build mental, emotional, and spiritual health,” Chaudhry found it “opened a number of doors at a most opportune time” as she became a mental health ambassador for NYU students “promoting self-care, mindfulness, time management and active listening on social media while Covid was still challenging campus life.” Through the program Chaudhry also met Chelsea Garbell, Associate Director for Global Spiritual Life at NYU, and became a Spiritual Wisdom Fellow, giving her the opportunity to learn more about various faiths. “All these different experiences really catered to me as a person,” Chaudhry notes, adding, “I don’t think I would have been able to get these experiences outside of NYU.”

Keep the big picture in view

A big takeaway from Chaudhry’s experience is the value of thinking things through. “I have always been a person who did the long range plan. When I started at New Jersey City University, I mapped out my entire degree within two years in my first semester.” Now she is approaching her professional career the same way. “I definitely want to make a long term commitment to teaching,” she observes, noting she has already held a number of teaching positions, including serving as a course expert and a graduate teaching assistant for three courses at Tandon: Information Security and Privacy, Cloud Security, and Mobile Security. When she reached out to NJIT about adjunct work, she explains that they “actually were willing to offer me the opportunity to interview for a university lecture full-time position. But I think that having industry experience is invaluable to teaching, because you bring in an added perspective that you simply cannot just get out of theory and textbooks. So that is the reason that I want to pursue both side by side.”

She concludes by saying, “I think it’s just such a beautiful experience being able to connect with students, seeing them grow. You really feel like you’re making an impact. I’m not saying that you can’t make an impact at a corporate level but it’s a different type of impact and, as a first generation student it really feels so precious.”


CCS EVENTS

THREE CCS-AFFILIATED PROJECTS SPOTLIGHTED AS RESEARCH EXCELLENCE EXHIBIT RETURNS TO TANDON

The 2022 Research Excellence Exhibit returned to the Brooklyn Commons on April 29th, marking another step towards the school’s return to in-person, on-campus events. From 1 to 4 p.m. the exhibit showcased 36 student projects that represent work in the school’s seven areas of research excellence: Communications/IT, Cybersecurity, Data Science/AI/Robotics, Emerging Media, Health, Sustainability, and all things Urban.

The three projects representing cybersecurity were:

Supply Chain Security Risk Analysis and Mitigation in IT/OT and IoT Systems, presented by then Master’s student Yunfan Xu (Advisor: Dr. Quanyan Zhu). Yunfan showcased ISCRAM, a tool for Supply Chain Risk Analysis and Mitigation. It provides analysis and decision support to reduce systemic risk from suppliers in complex IoT systems.

Exposing Encrypted Wireless Data Transfer in Wearable IoT Devices, presented by Master’s students Sumish Pal Singh Ajmani and Karan Parikh (Advisor: Dr. Danny Huang).

This presentation reported on the very real risk of data, such as personal health data, financial information, and live locations, being inadvertently shared via wearable IoT devices, particularly when connected to home WiFi or a phone’s Bluetooth.

“What makes our research unique is not just the tangible thing you might build as a result, but the ability to make people think differently,” Sumish Pal Singh Ajmani told a writer for NYU Tandon News covering the event. “We wanted to spread awareness by showing how easy it is for a user to get fooled by new cyber security tools in the market. The interest from the crowd took us by surprise since we were competing for attention with AI bots and other admittedly compelling things. But it was great to see attendees starting to think about the cybersecurity of their smart devices.”

AI-Driven Interactive Safe Autonomous Driving, presented by Ph.D. students Tao Li (on the left in photo below), Haozhe Lei (right), and Dhairya Upadhyay (Advisor: Dr. Quanyan Zhu).

As explained by Tao Li, the project “presents a safe autonomous driving technology powered by artificial intelligence. The autonomous vehicle learns an online adaptation strategy accommodating different traffic participants and environmental conditions based on its prediction of future traffic conditions. This project demonstrates that AD has the potential to reduce automobile accidents, save thousands of lives, and roughly $190 billion in health care costs every year.”


LIVE FROM NEW YORK: CSAW IS BACK, NOVEMBER 9-12

After two years as a virtual event, CSAW’22 returns to NYU Tandon’s Brooklyn campus, live and in person. The 19th edition of the world’s most comprehensive student-run cybersecurity event will kick off its schedule of seven competitions, panel discussions, poster sessions, and more on November 9.

In a preview of CSAW events to come, the final presentations of the Hack 3D Summer Challenge were held on July 15 as the centerpiece of a day of talks on security issues in digital manufacturing. The competition winners, who received cash prizes and are now eligible to compete in November’s finals, are:

First Place ($750 cash prize): Neo, Indian Institute of Technology, Tirupati, India Sneja M S, Sirish Sekhar, Prabhat Reddy

Second Place ($500 cash prize): Hack3rm3n Kevin Jun, Lehigh University; Aryan Rastogi, Indian Institute of Technology, Indore, India; Abhishek Sridharan, National Institute of Technology, Tiruchirappalli, India

Third Place ($250 cash prize): Missile Pav Aakar Jain, Purdue University; Diksha Sharma, Symbiosis International University, India; Vishnu Bansal, Birla Institute of Technology and Science, Pilani, India; Sumiran Maiskar, VIT University

Other events were still in the planning stages at the time this issue went to press. Go to https://www.csaw.io/ for the latest news and announcements. CyberByte will publish a wrap-up of CSAW 2022 in its spring issue.

TANDON HOSTS VISITING DELEGATION OF CYBERSECURITY FACULTY FROM EASTERN EUROPE

This spring, the Center for Cybersecurity played host to two different groups of academics from eight Eastern EU countries seeking to learn more about cybersecurity education and practice in the U.S. As part of a program sponsored by World Learning, with funding from the Polish-American Fulbright Commission, 30 cybersecurity professors traveled to Tandon during a New York City visit between March 21 and April 4, 2022.

The overall goal of the program is to facilitate an “understanding of the US academic and practical landscape of cybersecurity” for faculty from Lithuania, Latvia, Poland, Hungary, Bulgaria, Estonia, Slovakia and Romania. In particular, the professors were interested in:

• Curriculum examples

• Preparing students for competitions

• Research and research collaboration

• Collaboration between academia and industry.

During their time at NYU Tandon, the group learned more about the history of cyber research at Tandon, the role of OSIRIS in CCS programs, an overview of cybersecurity educational programs at Tandon, and the Center’s partnerships with industry. They also toured the 10th floor; attended lectures by Dr. Hammond Pearce, research assistant professor with NYU’s Center for Cybersecurity, and Dr. Damon McCoy, associate professor of computer science and engineering; and received a virtual welcome from Dean Jelena Kovačević.

After the visit, Matt Brown, director of global programming for World Learning, observed that, “the visits to your Brooklyn site were perfect. The sessions were right on target, exactly what our participants were looking for, and with wonderful speakers all around. All of us at World Learning, Fulbright Poland, and the participants, appreciate the time you and your NYU colleagues took to prepare and deliver your talks, and to show us around your premises.”


KEEPING THE TRUTH INTACT: TAF HARNESSES TUF TO CREATE SECURE LEGAL ARCHIVES

The Update Framework (TUF) (https://theupdateframework.io/), which has secured software updates on automobiles, cloud applications, and for community and commercial software repositories, has ventured out in a new direction: secure archiving of legal documentation. Earlier this year, Dr. Justin Cappos, whose Secure Systems Laboratory at NYU Tandon is home base for TUF, announced a new initiative with the Open Law Library called The Archive Framework (TAF), a system designed to protect any git repository, particularly those on which important digital documents, such as legal records or legislation, are created.

In an interview conducted late last year with David Greisen, Founder and CEO of Open Law Library, and Renata Vaderna, a software engineer at the company that did the programming on TAF, Greisen noted that TAF was designed to address a very specific security issue. While version control systems like GitHub can give the user control over multiple versions of a document, they have potentially serious liabilities in protecting both the content and the sequence of changes made within a document. By building on Git but integrating TUF to address the security issue, Greisen explains, users have a way to check the validity of documents and verify the authenticity of pull requests and other changes to the document. According to Cappos, who is an associate professor of computer science and engineering at NYU Tandon, TAF uses the delegation, role, and key management structures of TUF in order to provide long-term security and resilience to attack.

The Open Law platform (https://openlawlib.org/) was initially created at the request of the city of Washington, DC, which wanted to use it to publish their legal code. What Open Law was able to do was “take all the tools of computer science and apply it to the codification process.”

Recently, Open Law Library received a grant from the Institute of Museum and Library Services (http://www.imls.gov) that will help them improve the storage of metadata and enhance the signing process on their platform. One particular issue they will be addressing is how to ensure the continuing authentication of data. As Greisen points out, “Law does not fit the space/time continuum of other security systems” largely because the “shelf-life” of legal documents “encompass not years, but decades and centuries.” If, for example, a jurisdiction ceases to exist, TAF is designed to enable other authorities to attest to the authenticity of the original publisher. “In a sense, it protects by leveraging the built in trust in institutions,” Greisen says.

Perhaps most importantly, in an era of deepfakes and disinformation, TAF offers a way to make sure legal records for a government entity or complex transactions in corporate law reflect the truth over time. “The demand for nonfungible-tokens (NFTs) shows the hunger for this type of service,” Greisen observes. Cappos concurs, noting that, “We’re proud to work on projects like these that ensure that history itself cannot be rewritten.”

TRAPS PROJECT TO SECURE POWER SYSTEMS RECEIVES DOE GRANT

U.S. power systems represent an increasingly desirable target for cyber hackers. An IBM report, cited in The New York Times in May, 2021, noted that “the energy industry was the third most targeted sector for such attacks in 2020, behind only finance and manufacturing.”

To address this issue, the U.S. Department of Energy announced on April 21, 2022, that it was committing $12 million in grants to fund initiatives to better secure the U.S. energy infrastructure. The grant program named six university-based programs as grant recipients, including NYU Tandon School of Engineering.

Tandon will use its three-year, $1,939,416 grant to develop a new program for identifying and addressing vulnerabilities in power grids. Dubbed “Tracking Real Time Anomalies in Power Systems” or TRAPS, the NYU initiative will be a collaborative effort with researchers at SRI International, the New York Power Authority, and Consolidated Edison.

NYU’s efforts will be overseen by Dr. Farshad Khorrami, a professor of electrical and computer engineering (ECE) at NYU. Dr. Ramesh Karri and Dr. Prashanth Krishnamurthy, both from the ECE Department at Tandon, serve as co-investigators.

In announcing the awards, U.S. Secretary of Energy Jennifer Granholm notes that, “investing in cutting-edge cyber security technology keeps us at the forefront of global innovation and protects America’s power grid in the face of increasing cyber threats from abroad.” She adds, “This funding will bolster our commitment to a secure and resilient clean energy future by fortifying American electricity systems and building a stronger grid.”

CCS NEWS

AWARDS AND HONORS

GUPTA NAMED AN ASM INTERNATIONAL FELLOW

Dr. Nikhil Gupta, Professor of Mechanical and Aerospace Engineering, was recently named a Fellow of ASM International. In doing so the global organization of more than 20,000 members recognizes Gupta for making “significant contributions in the field of materials science and engineering.” Considered one of the highest honors in the materials engineering field, Gupta was singled out for “pioneering contributions to the science and technology of lightweight polymer and metal matrix composites.” Gupta, who is also affiliated with the Department of Civil and Urban Engineering, and the NYU Center for Cybersecurity, was also recognized for exceptional dedication to educating the public about scientific discoveries.

Among Gupta’s other research pursuits are using machine learning tools to reverse engineer printing orientation to discover the makeup of proprietary materials. With support from the United States Agency for International Development (USAID), he is also exploring how to create a “zero waste paradigm” for lithium ion and lead acid lithium-ion batteries.

Over the past few years, Gupta has been the focal point of initiatives at NYU promoting emerging 3D manufacturing technologies, and strategies to protect them from cyber risks. His recent technical accomplishments in this area include developing a method to hide secret codes in printed parts in order to verify that parts’ provenance (https://engineering.nyu.edu/news/researchers-turn-trackingcodes-unclonable-clouds-authenticategenuine-3d-printed-parts). He has also advocated for increased research in this area by regularly putting together panel discussions and workshops on the topic. Last summer, he also helped organize a program to bring together undergraduates from India and the U.S. to work on research initiatives in cybersecurity and 3-D manufacturing. Supported by a three-year grant from the National Science Foundation (NSF) International Research Experience for Students (IRES) program, the initiative will be repeated in 2022 and 2023.

Gupta is also a recipient of the Young Leader Professional Development Award and the 2020 Brimacombe Medalist Award, both from the Minerals, Metals, and Materials Society, the ASM International Silver Medal, and a Visiting Lectureship Award from the ASM-Indian Institute of Metals.

In acknowledging the honor, NYU Tandon Dean Jelena Kovačević states, “Nikhil’s election to the elite ranks of ASM Fellows is a well-deserved acknowledgement of his scholarship, research, and mentorship of students.” She adds, “It also speaks to the quality and innovative work of our faculty in all of our areas of excellence.”


AWARDS ROUND-UP

Congratulations to Brendan Dolan-Gavitt (picture above left) and several of his students who have presented papers at a number of top conferences over the past few months, and have garnered a few awards in doing so.

• What the Fork? Finding and Analyzing Malware in GitHub Forks, Alan Cao and Brendan Dolan-Gavitt, Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb), co-located with NDSS. April 28, 2022. Winner of a Best Paper Runner Up Award.

• Asleep at the Keyboard? Assessing the Security of GitHub Copilot’s Code Contributions. Hammond Pearce, Baleegh Ahmad, Benjamin Tan, Brendan Dolan-Gavitt, and Ramesh Karri. IEEE Symposium on Security and Privacy. May 23-25, 2022. Winner of a Best Paper Award.

• IRQDebloat: Reducing Driver Attack Surface in Embedded Devices. Zhenghao Hu and Brendan Dolan-Gavitt. IEEE Symposium on Security and Privacy, May 23–25, 2022.

• Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds. Zekun Shen, Ritik Roongta, and Brendan Dolan-Gavitt. USENIX Security. August 10–12, 2022.

HACK@DAC: At last year’s HACK@DAC competition, NYU’s Center for Cybersecurity claimed not one but two places in the winners circle. The event, held December 2021 as part of the Design Automation Conference, is a Capture the Flag-style competition that challenges participants to find security weaknesses in hardware (https://hackatevent.org/hackdac21/).

First place in the competition went to a team composed of Ph.D. candidate Baleegh Ahmad (photo above center), Dr. Benjamin Tan (now an assistant professor at the University of Calgary) and Abdul Khader Thalakkattu Moosa, all of NYU, and Wei-Kai Liu from Duke University, while Tandon Ph.D. candidate Animesh Chowdhury (photo above left), who took third place, was a team of one, with support from Dr. Ramesh Karri.

In a segment of the June 1 podcast “What That Means with Camille,” part of Intel’s Cyber Security Inside series, Ahmad and Chowdhury answered questions about strategy and solving the challenges of the competition. The podcast is available at https://www.youtube.com/watch?v=3fBfS163oDg.

GRADUATION AWARDS: The following CCS-affiliated individuals were honored with 2022 department and university awards. Note that all three of these individuals are spotlighted elsewhere in this issue.

CSE Leadership Awards (Undergraduate)

Alan Cao, Rising Senior

Pearl Brownstein

Doctoral Research Award

Laura Edelson

Inclusive Excellence Award for the Cyber Fellows Program

Kiran Chaudhry

CENTER FOR CYBERSECURITY cyber.nyu.edu
