Thursday, May 23, 2013

CyLab's Strong Presence Continues at Annual IEEE Symposium on Security and Privacy

Min Suk Kang with fellow CyLab grad student, after presenting The Crossfire Attack at the 34th Annual IEEE Security & Privacy Symposium (May 2013, San Francisco).

The 34th annual IEEE Security and Privacy Symposium was held May 19-22, 2013, in downtown San Francisco. Once again, as in recent years, Carnegie Mellon University CyLab researchers made a significant contribution to both its content and its tone.

CyLab Distinguished Fellow Adrian Perrig served as one of the three Program Chairs, along with Wenke Lee of Georgia Tech and Michael Backes of Saarland University.

Also, four of the thirteen Session Chairs were current or former CyLab researchers: current faculty members Lujo Bauer and Anupam Datta, and former faculty members Jon McCune, now with Google, and Bryan Parno, now with Microsoft Research.

Two CyLab papers were among the thirty-eight presented: The Crossfire Attack, authored by Min Suk Kang, Soo Bum Lee and Virgil D. Gligor of CyLab, and Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework, authored by CyLab researchers Amit Vasudevan, Limin Jia, James Newsome and Anupam Datta, along with Sagar Chaki of the Software Engineering Institute (SEI) at Carnegie Mellon University and Jonathan M. McCune of Google (a former CyLab researcher, as mentioned above).

Furthermore, the Best Paper Award went to Bryan Parno for Pinocchio: Nearly Practical Verifiable Computation, co-authored with Craig Gentry and Mariana Raykova of IBM Research and Jon Howell, also of Microsoft Research. Before he went to Microsoft, Parno did his PhD at Carnegie Mellon University CyLab under the supervision of Adrian Perrig, and his dissertation won the 2010 ACM Doctoral Dissertation Award.

Here are excerpts from the two CyLab papers presented, with links to the full texts:

In this paper, we present the Crossfire attack. This attack can effectively cut off the Internet connections of a targeted enterprise (e.g., a university campus, a military base, a set of energy distribution stations); it can also disable up to 53% of the total number of Internet connections of some US states, and up to about 33% of all the connections of the West Coast of the US. The attack has the hallmarks of Internet terrorism: it is low cost using legitimate-looking means (e.g., low-intensity, protocol conforming traffic); its locus cannot be anticipated and it cannot be detected until substantial, persistent damage is done; and most importantly, it is indirect: the immediate target of the attack (i.e., selected Internet links) is not necessarily the intended victim (i.e., an end-point enterprise, state, region, or small country). The low cost of the attack (viz., Section IV), would also enable a perpetrator to blackmail the victim.

The Crossfire Attack, Min Suk Kang, Soo Bum Lee and Virgil D. Gligor (Carnegie Mellon University CyLab)

We propose an eXtensible and Modular Hypervisor Framework (XMHF) which strives to be a comprehensible and flexible platform for building hypervisor applications (“hypapps”). XMHF is based on a design methodology that enables automated verification of hypervisor memory integrity. In particular, the automated verification was performed on the actual source code of XMHF – consisting of 5208 lines of C code – using the CBMC model checker. We believe that XMHF provides a good starting point for research and development on hypervisors with rigorous and “designed-in” security guarantees. Given XMHF’s features and performance characteristics, we believe that it can significantly enhance (security-oriented) hypervisor research and development.

Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework, Amit Vasudevan, Limin Jia, James Newsome and Anupam Datta (Carnegie Mellon University CyLab), Sagar Chaki (SEI, Carnegie Mellon University) and Jonathan M. McCune (Google)

Some Related Posts
CyLab Chronicles: CyLab's Strong Presence at IEEE Security and Privacy 2012 Packs A Wallop

CyLab Research has Powerful Impact on 2010 IEEE Security & Privacy Symposium

CyLab Researchers Virgil Gligor and David Brumley Receive Honors

CyLab researcher Bryan Parno wins ACM 2010 Doctoral Dissertation Award

Parno, McCune and Perrig Author Book on Bootstrapping Trust in Modern Computing

-- Richard Power

Sunday, May 19, 2013

CyLab Researchers Alessandro Acquisti and Marios Savvides featured on CBS Sixty Minutes

[NOTE: This CyBlog story is cross-posted as a CyLab Chronicles on the CyLab home page.]

In the wake of the Boston Marathon bombing investigation, there has been some mainstream news media attention paid to facial recognition software. After years of NCIS and other popular law enforcement TV dramas, there is an expectation that such technology could have led to a speedier conclusion to the manhunt, or perhaps even have prevented the savage attack.

In recent weeks, looking for meaningful answers, major news organizations turned to researchers at Carnegie Mellon University CyLab. Why? Because they are at the forefront of research into related technologies: not only research on how to deliver these technologies, but also research on their broader implications for society as a whole.

On the May 19th edition of CBS Sixty Minutes, the work of two Carnegie Mellon University CyLab researchers was featured: Alessandro Acquisti, Associate Professor of Information Technology and Public Policy (Heinz College), author of some blockbuster privacy studies related to the convergence of facial recognition software and social media and other vital issues, and Marios Savvides, Carnegie Mellon University Associate Professor (Electrical and Computer Engineering Department) and Director of the CyLab Biometrics Center.

Here is the CBS Sixty Minutes video, followed by some transcript excerpts:

This may look like a high school science project, but this is Carnegie Mellon's CyLab, a world-class research center.

[Lesley Stahl: Look at that!]

Marios Savvides and his students outfitted this ordinary toy drone with their new advanced facial recognition software... that locks in on a face from a distance, and then identifies it. [Drone: Hello Lesley, nice to see you.

Lesley Stahl: It got it.]

The students are taking surveillance technology to the next level. They can now turn a blurry face into a clear one; a flat image into a 3D model.

[Lesley Stahl: Oh my goodness.]

Their technology can take a masked face and by focusing only on the eyebrows search a catalog of faces, come up with several people with very similar eyebrows and eventually find the identity of the person.

Marios Savvides: So Utzav is going to take a normal photo of you. The software maps a face using dots like electronic measles and creates something as unique as a fingerprint: a faceprint.

Lesley Stahl: This is your facial recognition technology working right now to find me?

Utzav: Yes.

For this demonstration, they had added my picture ahead of time to the university's database.

Marios Savvides: That's the top match.

[Samsung Lady: To use face recognition, use the color-coded button on your remote.]

Facial recognition is already in some of our home appliances like TVs. In our mobile devices, PINs and passwords are giving way to faceprints. And the technology can single us out in real-time as we go about our daily business, often without us ever knowing ...

Alessandro Acquisti: The ability of remaining anonymous is shrinking. And the places where we can be anonymous are getting fewer and fewer.

Alessandro Acquisti is a professor at Carnegie Mellon who does research on how technology impacts privacy. He says that smart phones may make "facial searches" as common as Google searches and he did an experiment to show how easy it could be. He took photos of random students on his campus. He then ran the pictures through a facial recognition program he downloaded for free that sifted through Facebook profiles and other websites. And he was able not only to identify many of them instantly, he also got their personal data, including in some cases, their social security numbers.

Lesley Stahl: In order for this to work, does the person you're trying to identify have to be on one of these social networks?

Alessandro Acquisti: You must have, somewhere on the Internet, a face with your name on it.

Lesley Stahl: Well, let's say someone doesn't have a Facebook account, but his or her daughter or son does, and they've got your picture. So are they now automatically in the mix?

Alessandro Acquisti: It's funny because one of the participants, before doing the experiment, told us, "You're not going to find me because I'm very careful about my photos online." And we found him. Because someone else had uploaded a photo of him.

But if an academic can easily mine our data with facial recognition, what about the government? Well, the government has a problem because to be effective, facial recognition requires a good database. Facebook for instance has one with billions and billions of photos. The government not nearly that many, and so the FBI is now assembling on these rows of servers the largest biometric database on Earth, costing over a billion dollars ...

Alessandro Acquisti: Often we are not even aware of how much data we are actually revealing or it is being gathered about us or, in fact, how it would be used. The idea that you can start from a face and predict social security numbers from that face seemed quite alien and surprising. But now we know that it can be done.

Lesley Stahl: So there's no place to hide, absolutely no place to hide.

Alessandro Acquisti: It's those places are shrinking.

CBS 60 Minutes, 5-19-13

(Savvides also appeared in a recent CNN news story on the same subject.)

-- Richard Power

Wednesday, May 8, 2013

CyLab's Marios Savvides Appears on CNN in Wake of Boston Marathon Bombing Investigation

In the wake of the Boston Marathon bombing investigation, there has been some mainstream news media attention paid to facial recognition software. After years of NCIS and other law enforcement TV dramas, there is some popular expectation that such technology could have led to a speedier conclusion to the manhunt, or perhaps even have prevented the savage attack.

Looking for meaningful answers, CNN turned to Marios Savvides, Carnegie Mellon University Associate Professor and Director of the CyLab Biometrics Center, a leading expert in the field.

Here is a video excerpt, followed by a transcript of the news story:

TOM FOREMAN, CNN CORRESPONDENT: When the FBI released these photos during the search for the Boston suspects, there was hope that computers might help as they do on shows like CSI, comparing facial features with existing data and coming up with a name. But even though pictures of both brothers were in public databases, the computers that searched that data missed them, and came up empty. The government has been working on facial identification software since the 1960s, and companies like Facebook and Apple use similar technology to tag people in photos. But security analysts widely admit this technology is not good enough to spot a suspect in the crowd. At Carnegie Mellon, Marios Savvides runs the CyLab Biometric Center.

MARIOS SAVVIDES, DIRECTOR, CMU CYLAB BIOMETRICS CENTER: While the toughest problems is low resolution, when you look at images collected from (inaudible) TV footage, the faces are way too small.

FOREMAN: His team is developing next generation software to change poor and partial images into much clearer pictures. They are creating programs that can reliably match images of people to their true identities, despite low light, movement, odd positions.

SAVVIDES: Off-angle is a big challenge. How do you match an off-angle image that's say 50 degrees, 60 degrees, 45 degrees off angle to a face that's just a frontal sort of, you know, passport-type photo.

FOREMAN: They're even transforming flat pictures into 3D, look at what their lab did with a single photo of me. In less than an hour it was turned into a series of images showing how I might look from above, from the left, from the right. Savvides believes such programs can and will substantially improve the reliability of facial recognition and lead police to suspects much faster.

SAVVIDES: And ultimately, hopefully save life, because that's our aim, that's our goal, that's everything we do here.

FOREMAN: For now, the FBI is installing its latest version of facial identification software to work with security cameras coast to coast as part of the billion-dollar program called "next generation identification." Still, in Boston, it wasn't technology, but human investigators who triumphed. Tom Foreman, CNN, Washington.

CNN, 5-7-13

-- Richard Power