algorithm and breaks it into a series of
modules that perform sub-computations. Although the sub-computations
can leak, not all of their bits can be
discovered. “The only assumption is
that it doesn’t expose everything that’s
happening in a sub-computation at
once,” Rothblum says.
Each module is a cryptographically
secure black box, allowing a hypothetical attacker to see the input and
the output, but not the computation
occurring inside the box. Data goes
into the first module, which performs
some computation, then passes the
output to the next module, and so on
down the line. “Each of them alone
isn’t doing anything too sensitive,”
explains Rothblum.
Even if the attacker can get some
idea of what a particular module is
doing, because he can only discover a
small number of bits, he cannot learn
enough to expose the whole algorithm.
That is true even if the adversary can
throw as many computing resources as
he wants into the problem.
Essentially, the compiler elongates
the program, and that can slow down
the computation substantially; to
protect against k bits of leakage from
each sub-computation, the program’s
execution time expands by a factor
between k-squared and k-cubed. But
Rothblum is optimistic that, though
it may take years, the computational
overhead could be significantly re-
duced. One approach might be to
identify a sensitive core piece of an al-
gorithm and only protect that smaller
piece. The significant fact is that the
compiler is feasible. “We know it can
be done, which we didn’t before,” he
says. “Now it’s a matter of making it
more efficient.”
Bugging smartphones
While Rothblum works on safer ways
to compile programs, other research-
ers are discovering vulnerabilities in
the growing universe of mobile de-
vices. Suman Jana, a doctoral student
at the University of Texas, Austin, won
Best Student Paper at the IEEE Sym-
posium on Security and Privacy in San
Francisco in May for describing an at-
tack that lets an adversary figure out
which Web sites a smartphone user is
browsing. The attack takes advantage
of the proc filesystem, a virtual file of
process information, in Unix, which is
the basis of Linux and Android, to un-
cover how much memory is allocated
to a program. Other avenues can reveal
similar information in Windows and
iOS systems.
Security
Emerging Cyber Threats Ring In The New Year
the coming year will experience
a serious array of new and more
sophisticated ways to seize and
manipulate user data, according
to the recently released
“emerging Cyber threats
Report for 2013.” Produced by
the Georgia tech information
security Center (GtisC) and the
Georgia tech Research institute
(GtRi), the report forecasts
several specific and ominous
trends likely to occur in the
months ahead.
the cloud is among the most
threatening on the horizon, as it
opens the potential for cloud-based botnets that could provide
a way to create vast, virtual
computing resources that will
further convince cyber criminals
to look for ways to co-opt cloud-based infrastructure for their
own ends. For example, attackers
could use stolen credit card
information to purchase cloud-computing resources to create
dangerous clusters of temporary
virtual attack systems.
the report also predicts
cyber criminals will continue
to manipulate search engine
algorithms and other automated
mechanisms that control what
information is presented to
internet users during a search.
indeed, researchers fear cyber
criminals may use “search
history poisoning” in the future
to manipulate users’ search
histories and use legitimate
resources for illegitimate gains.
“it is easy for attackers to
manipulate information on
the internet to have control
of what a user sees and hence
influence the user’s mind or
decision process,” says Wenke
Lee, director of GtisC. “it is
very alarming that most users
just assume personalization
is all good, but what we find is
that personalization algorithms
provide ample opportunities to
attackers/abusers to victimize
users. My prediction is that what
we have studied so far is only the
tip of the iceberg: attackers will
come up with many more ways
of information manipulation
and we must race ahead to bring
awareness to users and help
them mitigate these threats.”
Researchers note worrisome
security problems with the
u.s. supply chain that are both
difficult to detect and expensive
to defend against. the concern
is that security flaws in some of
these systems not only render
them vulnerable to compromise,
but may in fact offer a backdoor
for cyber espionage.
malware detection, such as
hardening their software
with techniques similar to
those employed in digital
rights management, and
exploiting the wealth of new
interfaces and novel features
on mobile devices.
“At the very least in the u.s.,
the infection rate of known
mobile malware is very low. i
think the main reasons are most
users download their apps from
well-vetted app stores, and it
is quite hard to produce a very
popular app to begin with,”
says Lee, musing that if one can
write a very popular app, he or
she can make enough money
legitimately, thus erasing any
desire for malicious behavior.
“on the other hand, privacy-
undermining apps will continue
to grow until users start to
care more about privacy and
better data access policies
and mechanisms are developed
and deployed.”
—Diane Crawford
