Skip to main content

2015 CyLab Partners Conference

The conference was a huge success! The agenda highlighted the latest research in security and privacy with an interactive forum between faculty, students, and industry.

The conference proceedings, including presentations, posters, event photos and videos are now available exclusively to our partners.

Not a CyLab partner? Learn how your company can benefit from becoming a CyLab partner. Contact Associate Director of Partnership Development, Michael Lisanti at or 412-268-1870.


Tuesday, September 29, 2015: Newell-Simon Hall 3305

8:00am - 9:00 Breakfast and Registration
9:00 - 9:15 Introductions
9:15 - 10:30 Session I: Usable Privacy and Security I

Lorrie Cranor, Professor, School of Computer Science and Engineering and Public Policy; Director, CyLab Usable Privacy and Security Lab

Abstract: The CMU Security Behavior Observatory (SBO) is a network of instrumented home computers that record a wide-array of information on the security- and privacy-related behavior of their users. To date we have collected data from about 100 home computers and we are continuing to recruit new participants. Recently we identified a subset of our participants whose computers were infected with malware or had engaged in behaviors that would put them at increased risk of malware. We conducted interviews with 12 of these users to better understand their mental models and rationale for engaging in risky computer security behavior. I will present some of our findings and discuss plans for future research using the SBO platform.

Lorrie CranorBio: Lorrie Faith Cranor is a Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering masters program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O'Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O'Reilly 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003 she was named one of the top 100 innovators 35 or younger by Technology Review magazine and in 2014 she was named an ACM Fellow for her contributions to usable privacy and security research and education. She was previously a researcher at AT&T-Labs Research and taught in the Stern School of Business at New York University. In 2012-13 she spent her sabbatical year as a fellow in the Frank-Ratchye STUDIO for Creative Inquiry at Carnegie Mellon University where she worked on fiber arts projects that combined her interests in privacy and security, quilting, computers, and technology. She practices yoga, plays soccer, and runs after her three children.

"Towards Personalized Privacy Assistants: Modeling People’s Privacy Preferences and Expectations"
Norman Sadeh, Professor, School of Computer Science and CyLab

"Who Really Benefits From Targeted Advertising?"
Alessandro Acquisti, Professor, Heinz College and CyLab

Blase Ur, PhD Candidate in Institute for Software Research

Abstract:Users often make passwords that are easy for attackers to guess. Prior studies have documented features that lead to easily guessed passwords, but have not probed why users craft weak passwords. To understand the genesis of common password patterns and uncover average users’ misconceptions about password strength, we conducted a qualitative interview study. In our lab, 49 participants each created passwords for fictitious banking, email, and news website accounts while thinking aloud.
We then interviewed them about their general strategies and inspirations.
Most participants had a well-defined process for creating passwords. In some cases, participants consciously made weak passwords. In other cases, however, weak passwords resulted from misconceptions, such as the belief that adding “!” to the end of a password instantly makes it secure or that words that are difficult to spell are more secure than easy-to-spell words. Participants commonly anticipated only very targeted attacks, believing that using a birthday or name is secure if those data are not on Facebook. In contrast, some participants made secure passwords using unpredictable phrases or non-standard capitalization. Based on our data, we identify aspects of password creation ripe for improved guidance or automated intervention.

Blase UrBio: Blase Ur is a fifth-year PhD student at CMU, advised by Lorrie Cranor. His work encompasses helping users create strong passwords, supporting privacy decisions with data, and improving smart homes. He has received an NDSEG fellowship, a best paper award at UbiComp 2014, a Data Transparency Lab grant, an honorable mention for best paper at CHI 2012, a Yahoo Key Scientific Challenges Award, and a Fulbright scholarship. He received his bachelor's degree in computer science from Harvard University, where he was drama club president.

10:30 - 10:45 Break
10:45 - 12:00pm Session II: Cyber-Physical Systems and Biometrics

"Localization in the Pittsburgh Convention Center"
Anthony Rowe, Assistant Research Professor, Electrical and Computer Engineering and CyLab

"Detection of Integrity Attacks on Cyber-Physical Systems"
Bruno Sinopoli, Associate Professor, Electrical and Computer Engineering and CyLab

Marios Savvides, Associate Research Professor, Electrical and Computer Engineering; Director, CyLab Biometrics Center

Abstract: : Biometrics research has moved on from solving constrained problems, such as facial recognition with cooperative, well lit frontal faces, to more unconstrained problems involving challenges posed by variation in pose, illumination, occlusions, and resolution artifacts. This talk will focus on some of the projects being worked on out at the CyLab Biometrics Center and the algorithms and solutions developed in order to deal with challenging and unconstrained facial recognition and long range iris recognition.

Marios SavvidesBio: Marios Savvides is a Research Professor in the Electrical and Computer Engineering Department of Carnegie Mellon University and also in Carnegie Mellon's CyLab. Dr. Savvides is also the Director of the CyLab Biometrics Center. His research is in developing Biometric Identification technologies and algorithms that work under co-operative scenarios (, i.e. recognizing a person based on their face, iris, fingerprint,and palmprints) and also un-cooperative scenarios (using surveillance data to recognize a person). Savvides collaborates and works in joint projects with Prof. B.V.K. Vijaya Kumar and Prof. Pradeep Khosla.

His research in Biometrics has been mostly focused on Face Recognition and Iris Recognition, developing new technology that can achieve distortion tolerant face & iris recognition. The appearance of face images can vary due to a number of factors such as pose, expression and illumination. Thus Savvides has been researching in developing techniques such as advanced correlation filters that have built-in tolerance to such variations. In the iris field, intra-class variations include local deformations, focus blur and off-angle iris views.

Recently (the past year) he has been spearheading and leading our CMU efforts in the Face Recognition Grand Challenge (FRGC) and the Iris Challenge Evaluation(ICE) which are parts of NIST's efforts in evaluating and identifying key performance technologies in Face recognition and Iris Recognition. This is a project that he works jointly with Prof. B.V.K. Vijaya Kumar, infact they are the only two faculty in CMU participating in FRGC and FRVT (the Face Recognition Vendor Test 2006) and more remarkably, they are also participating in ICE too (that makes them the only group doing both in academia and industry!).

12:00 - 1:00 Lunch in Gates Hillman Center, Room 4405
1:00 - 2:15 Session III: Machine Learning and Security Analytics

Christos Faloutsos, Professor, School of Computer Science

Abstract: Given a large graph, like who-calls-whom, or who-likes-whom, what behavior is normal and what should be surprising, possibly due to fraudulent activity? How do graphs evolve over time? We focus on these topics:
(a) anomaly detection in large static graphs
(b) patterns and anomalies in large time-evolving graphs.

Christos FaloutsosBio: Christos Faloutsos is a Professor at Carnegie Mellon University. He has received the Presidential Young Investigator Award by the National Science Foundation (1989), the Research Contributions Award in ICDM 2006, the SIGKDD Innovations Award (2010), 21 "best paper" awards (including 3 "test of time" awards), and four teaching awards. Five of his advisees have attracted KDD or SCS dissertation awards. He is an ACM Fellow, he has served as a member of the executive committee of SIGKDD; he has published over 300 refereed articles, 17 book chapters and two monographs. He holds nine patents and he has given over 40 tutorials and over 20 invited distinguished lectures. His research interests include large-scale data mining with emphasis on graphs and time sequences; anomaly detection, tensors, and fractals.

Jaime Carbonell, Director LTI and Allen Newell Professor of Computer Science

Abstract: Machine Learning has reached a level of maturity that enables many rich applications in areas as diverse as: finance, marketing, signal processing, engineering, computational biology and cybersecurity. Recent advances in machine learning include transfer learning, multi-task learning, proactive learning and highly scalable learning for big data. These advances are particularly relevant for cybersecurity, e.g.: identifying malware both from static (code) analysis and dynamic (behavioral) aspects, identifying malicious websites, storage-media forensics for recovery of malware damage (e.g. deleted and/or partially purged files) and other data-intensive challenges. The presentation will focus on the new machine learning techniques and connect them to cyber applications.

Jaime CarbonellBio: Dr. Jaime Carbonell is the Director of the Language Technologies Institute and Allen Newell Professor of Computer Science at Carnegie Mellon University. He received SB degrees in Physics and Mathematics from MIT, and MS and PhD degrees in Computer Science from Yale University. His current research includes machine learning, scalable data mining (“big data”), text mining, machine translation and computational proteomics. He invented Proactive Machine Learning, including its underlying decision-theoretic framework, and new Transfer Learning methods He is also known for the Maximal Marginal Relevance principle in information retrieval, for derivational analogy in problem solving and for example-based machine translation and for machine learning in structural biology, and in protein interaction networks. Overall, he has published some 350 papers and books and supervised some 65 PhD dissertations. Dr. Carbonell has served on multiple governmental advisory committees such as the Human Genome Committee of the National Institutes of Health, the Oakridge National Laboratories Scientific Advisory Board, the National Institute of Standards and Technology Interactive Systems Scientific Advisory Board, and the German National Artificial Intelligence (DFKI) Scientific Advisory Board. In education, Carbonell created the PhD and MS degrees in Language Technologies at CMU and designed courses in language technologies, machine learning, data sciences and electronic commerce.

Nicolas Christin, Assistant Research Professor, Electrical and Computer Engineering and CyLab

Abstract: Criminologists and economists have studied criminality offline for the last century, often with considerable data collection challenges. The development of online crime completely changes the picture: on the one hand, the Internet creates additional challenges in attribution; on the other hand, there is considerably more data available for forensic investigation and analysis. I will focus on our efforts in collecting and analyzing large sets of online crime data, and will present a couple of interesting problems that we have been facing; and how we relied on machine learning techniques to address them.

Nicolas ChristinBio: Nicolas Christin is an Assistant Research Professor in Electrical and Computer Engineering at Carnegie Mellon University, where he has also affiliations with CyLab, the computer and information security research center, the Information Networking Institute and the department of Engineering and Public Policy. He holds a Diplôme d'Ingénieur from École Centrale Lille, and M.S. and PhD. degrees in Computer Science from the University of Virginia. He was a researcher in the School of Information at the University of California, Berkeley, prior to joining Carnegie Mellon in 2005. His research interests are in computer and information systems networks; most of his work is at the boundary of systems and policy research, with a slant toward security aspects. He has most recently focused on online crime, security economics, and psychological aspects of computer security. His group's research won several awards including Honorable Mention at ACM CHI 2011, and Best Student Paper Award at USENIX Security 2014. He equally enjoys field measurements and mathematical modeling.

Kyle Soska, PhD Candidate in Electrical Computer Engineering

Abstract: Significant recent research advances have made it possible to design systems that can automatically determine with high accuracy the maliciousness of a target website. While highly useful, such systems are reactive by nature. In this talk, I discuss a complementary approach and evaluate a novel classification system which predicts, whether a given, not yet compromised website will become malicious in the future. I adapt several techniques from data mining and machine learning which are particularly well-suited for this problem and use them to achieve good detection accuracy over a one-year horizon; that is, I generally manage to correctly predict that currently benign websites will become compromised within a year.

Kyle SoskaBio: Kyle is a fourth year PhD student studying Anonymity and Cyber Crime under his adviser Nicolas Christin at Cylab. His research interests include studying provable anonymity guarantees and the corresponding usability tradeoffs for systems. He is also interested in measuring and exploring the socioeconomic results of Cyber Crime and the application of Machine Learning towards automatically detecting malicious behavior.

2:15 - 3:30 Session IV: Software Engineering Institute & CERT

Summer Fowler, CERT Technical Director for Risk & Resilience

Kevin Fall, Chief Technical Officer and Deputy Director of Research, SEI

Abstract: Abstract forthcoming.

Kevin FallBio: Kevin Fall, PhD is the Chief Technical Officer and Deputy Director, Research, of the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU). SEI is a Federally-Funded Research and Development Center that works with government, industry and academia to improve the acquisition, development and security of software systems. The SEI also operates the CERT program in cybersecurity. As CTO, Fall is primarily responsible for the technical strategy of SEI, and for creation and maintenance of SEI's research portfolio. He is also an an adjunct professor in the school of Computer Science, a former member of the DARPA ISAT Study Group and and the co-chair of the Delay Tolerant Networking Research Group. He has served as a member of the Air Force Scientific Advisory Board, Internet Architecture Board, and the Army/DARPA Senior Advisory Group and as a consultant to the Defense Science Board. He is a Fellow of the IEEE (for his work on DTN), and author of the second edition of the textbook "TCP/IP Illustrated, Volume 1: the Protocols".

Prior to joining CMU and Qualcomm, he was a Principal Engineer at Intel Labs for 12 years. Prior to this, he was the principal network architect at NetBoost corporation (acquired by Intel), an adjunct professor of computer science at UC Berkeley, staff scientist at the Lawrence Berkeley National Laboratory, and visiting scholar at the Woods Hole Oceanographic Institution. He has 30 years of experience in computer systems and networking. Specific areas include network protocols and architecture, network simulation, and security. He is also a pilot, scuba diver, and locksmith and holds 9 patents.

Jay McAllister, Senior Analyst and Adjunct Instructor, SEI

Abstract: Overview of the SEI Emerging Technology Center’s efforts to research and develop technical solutions and analytical practices to help government, industry, and academia improve their cyber intelligence capabilities.

Jay McAllisterBio: Jay McAllister is a senior analyst and adjunct instructor. He leads the cyber intelligence efforts for the SEI Emerging Technology Center and teaches a graduate cyber intelligence course at Carnegie Mellon’s Information Networking Institute. Prior to joining the SEI, Jay served as a counterintelligence and counterterrorism analyst for the Naval Criminal Investigative Service.

3:30 - 3:45 Break
3:45 - 5:00 Session V: Network Security and IoT

Vyas Sekar, Assistant Professor, Electrical and Computer Engineering

Abstract: The state of network security today is quite abysmal. Security breaches and downtime of critical infrastructures continue to be the norm rather than the exception, despite the dramatic rise in spending on network security.

Attackers today can easily leverage a distributed and programmable infrastructure of compromised machines (or botnets) to launch large-scale and sophisticated attack campaigns. In contrast, the defenders of our critical infrastructures are fundamentally crippled as they rely on fixed capacity, inflexible, and expensive hardware appliances deployed at designated “chokepoints”. These primitive defense capabilities force defenders into adopting weak and static security postures configured for simple and known attacks, or otherwise risk user revolt, as they face unpleasant tradeoffs between false positives and false negatives. Unfortunately, attacks can easily evade these defenses; e.g., piggybacking on popular services (e.g., drive-by-downloads) and by overloading the appliances. Continuing along this trajectory means that attackers will always hold the upper hand as defenders are stifled by the inflexible and impotent tools in their arsenal.

The goal of our research is to  change the dynamics of this attack-defense equation. Instead of taking a conventional approach of developing attack-specific defenses, our work  focuses on empowering defenders with the right tools and abstractions to tackle the constantly evolving attack landscape. To this end, we envision a new software-defined approach to network security, where we can rapidly develop and deploy novel in-depth defenses and dynamically customize the network’s security posture to the current operating context.

In this talk, I will give an overview of our recent work in this space.

Vyas SekarBio: Vyas Sekar is an Assistant Professor in the ECE Department at CMU. His research interests lie at the intersection of networking, security, and systems. He received his Ph.D. from the Computer Science Department at Carnegie Mellon University in 2010. He earned his bachelor's degree from the Indian Institute of Technology Madras, where he was awarded the President of India Gold Medal. His work has been recognized with best paper awards at ACM SIGCOMM, ACM CoNext, and ACM Multimedia.

Anind Dey, Associate Professor, Human Computer Interaction Institute

Abstract: In this talk, I will outline one vision for the Internet of Things being proposed by a interdisciplinary group of researchers at CMU. This vision includes a discussion of the types of campus- and city-wide applications and scenarios that we are exploring, the middleware that will support the implementation and execution of these applications, and the challenges that we need to address. The main challenges are supporting secure and private transactions, scalability and responsiveness, and machine learning for developers and end-users.

Anind DeyBio: Anind K. Dey is the Charles M. Geschke Chair and Director of the Human-Computer Interaction Institute at Carnegie Mellon University. He leads the Ubicomp Lab, which performs research at the intersection of ubiquitous computing, human-computer interaction and machine learning, in the areas of mobile computing, health and sustainability among others. He has authored over 100 papers on these topics, serves on the editorial board of several journals, and is a member of the prestigious CHI Academy. Anind received his PhD in computer science from Georgia Tech, along with a Masters of Science in both Computer Science and Aerospace Engineering. He received his Bachelors of Applied Science in Computer Engineering from Simon Fraser University.

Patrick Tague, Associate Research Professor, Carnegie Mellon Silicon Valley and CyLab

Abstract: The Internet of Things represents a step in the direction of allowing distributed groups of embedded devices to act like components in a biological system, providing sensory inputs, actuating in response to neural commands, and interacting with the physical world. The cyber-physical nature of these signals and interactions enables a wealth of exciting applications, but unfortunately, the physical world likes to present problems that traditional approaches to security and privacy do not handle very well. In this brief talk, we'll highlight some of the work being done in the Mobile, Embedded, and Wireless Security research group, particularly focusing on how contextual understanding of application scenarios can provide valuable information for security protocols and personal privacy protections. Time permitting, we'll talk about home, enterprise, and vehicular IoT scenarios.

Patrick TagueBio: Patrick Tague is an Associate Research Professor at Carnegie Mellon University with appointments in the Electrical and Computer Engineering Department and the Information Networking Institute, and he is also the Associate Director of the INI. Patrick leads the Mobile, Embedded, and Wireless Security group at the Silicon Valley Campus of CMU, and the group is affiliated with CMU CyLab. Patrick's research interests include wireless communications and networking; wireless/mobile security and privacy; robust and resilient networked systems; and analysis and sense-making of sensor network data. He received PhD and MS degrees in Electrical Engineering from the University of Washington as a member of the Network Security Lab and BS degrees in Mathematics and Computer Engineering from the University of Minnesota. He received the NSF CAREER award in 2012. In his free time, Patrick is a homebrewer, Lego builder, woodworker, and amateur radio operator.

Seyed K. Fayaz, PhD Candidate in Electrical Computer Engineering

Abstract: DDoS defense today relies on expensive and proprietary hardware appliances deployed at fixed locations. This introduces key limitations with respect to flexibility (e.g., complex routing to get traffic to these "chokepoints") and elasticity in handling changing attack patterns. We observe an opportunity to address these limitations using new networking paradigms such as software-defined networking (SDN) and network functions virtualization (NFV). Based on this observation, we design and implement Bohatei, a flexible and elastic DDoS defense system. In designing Bohatei, we address key challenges with respect to scalability, responsiveness, and adversary-resilience. We have implemented defenses for several DDoS attacks using Bohatei. Our evaluations show that Bohatei is scalable (handling 500 Gbps attacks), responsive (mitigating attacks within one minute), and resilient to dynamic adversaries.

Seyed FayazBio: Seyed K. Fayaz is a PhD candidate at Carnegie Mellon University. He is broadly interested in computer networks and systems with a focus on network policy verification and network security. He is a recipient of the CMU Bertucci Fellowship (2015) and the VMware Graduate Fellowship (2015-16).

5:00 - 6:00 Happy Hour
6:15 - 9:00 Dinner in Carnegie Museum of Art Cafe

Wednesday, September 30, 2015: Gates Hillman Center, Room 6115

8:00am - 9:00 Breakfast 
9:00 - 10:15 Session VI: Formal Methods and Privacy

Matt Fredrikson, Assistant Professor, School of Computer Science

Abstract: As data from far-reaching sources is continuously collected, aggregated, and re-packaged to enable new and smarter applications, the importance of confidentiality and data security must grow at the same pace. Some of the most surprising and invasive threats to materialize in recent years are brought about by so-called inference attacks: successful attempts to learn sensitive information by leveraging public data such as social network updates, published research articles, and web APIs. In this talk, I will discuss some of my recent work on uncovering new inference attacks in applications that use machine learning techniques, and describe a new logic-based approach for modeling, and subsequently limiting, adversaries' ability to infer secret data.

Matt FredriksonBio: Matt Fredrikson is an Assistant Professor in the Computer Science Department and the Institute for Software Research. Shortly before joining Carnegie Mellon, he received his PhD from the University of Wisconsin-Madison in 2015, where his research covered topics in privacy, security, formal methods, and program analysis. His work on privacy in personalized medicine won the best paper award at the USENIX Security Symposium in 2015, and in 2011 he was selected as a recipient of the Microsoft Research Graduate Fellowship.

Limin Jia, Associate Research Professor, CyLab

Abstract: Web browsers are a key enabler of a wide range of online services, from shopping and email to banking and health services. However, users' private data can be easily stolen by malicious browser extensions or websites that the users may have previously visited.

In this talk, I will present an approach for protecting users' private information on the Chromium web browser. We focus on tracking the flow of private data within the browser and stopping unauthorized flows. We develop a detailed formal model of our approach, for which we define and prove the security guarantees of our approach. A corresponding prototype system was built on top of Chromium. We demonstrate, and experimentally confirm, that the system can enforce many existing browser policies, as well as practically useful policies beyond those enforceable in standard web browsers.

Limin JiaBio: Limin Jia is an Associate Research Professor at CyLab at Carnegie Mellon University. Her research interests include programming languages, language-based security, type systems, logic, and program verification.

Amit Datta, PhD candidate in Electrical Computer Engineering

Abstract: To partly address people’s concerns over web tracking, Google has created the Ad Settings webpage to provide information about and some choice over the behavioral profiles Google creates on users. We present AdFisher, an automated tool that explores how user behaviors, Google’s ads, and Ad Settings interact. AdFisher can run browser-based experiments and analyze data using machine learning and significance tests. Our tool uses a rigorous experimental design and statistical analysis to ensure the statistical soundness of our results. We use AdFisher to study transparency, discrimination, and choice on the Google Ad Ecosystem. In particular, we found that visiting webpages associated with substance abuse changed the ads shown but not the settings page. We also found that setting the gender to female resulted in getting fewer instances of an ad related to high paying jobs than setting it to male. We cannot determine who caused these findings due to our limited visibility into the ad ecosystem, which includes Google, advertisers, websites, and users. Nevertheless, these results can form the starting point for deeper investigations by either the companies themselves or by regulatory bodies.

This is joint work with Michael Tschantz and Anupam Datta.
This work was presented at PETS 2015
Official version

Amit DattaBio: Amit is a PhD candidate at Carnegie Mellon University advised by Prof. Anupam Datta in the Dept. of Electrical and Computer Engineering. Broadly, his research interests span privacy, security, and cryptography. Recently, he has been involved in running information flow experiments on online web services to detect privacy violations. Amit received his Bachelor of Technology from the Indian Institute of Technology, Kharagpur in 2012, and has worked on topics like verifiable secret sharing and fully homomorphic encryption in the past.

10:15 - 10:30 Break
10:30 - 11:15 Session VII: Hardware and Architecture Security

Onur Mutlu, Associate Professor, Electrical and Computer Engineering

Abstract: We will briefly discuss the RowHammer problem in DRAM and how it poses a new security vulnerability. RowHammer is the phenomenon that repeatedly accessing a row in modern DRAM chips causes errors in adjacent, unrelated rows. It is caused by a hardware failure mechanism called read disturb errors. The Google Zero Project recently demonstrated that this hardware phenomenon can be exploited by user-level programs to gain kernel privileges. We will analyze the root causes of the problem and examine solution directions. We will also discuss what other problems may be lurking in DRAM and other types of memories that can potentially threaten the foundations of secure systems, as the memory technologies scale to higher densities.

A short accompanying report can be found here.

Onur MutluBio: Onur Mutlu is the Strecker Early Career Professor at Carnegie Mellon University. His broader research interests are in computer architecture and systems, especially in the interactions between applications, system software, compilers, and microarchitecture, with a major current focus on memory systems. He obtained his PhD and MS in ECE from the University of Texas at Austin and BS degrees in Computer Engineering and Psychology from the University of Michigan, Ann Arbor. Prior to Carnegie Mellon, he worked at Microsoft Research, Intel Corporation, and Advanced Micro Devices. He received the IEEE Computer Society Young Computer Architect Award, Intel Early Career Faculty Award, faculty partnership awards from various companies, and more than twenty best paper recognitions at various top computer systems venues and "IEEE Micro computer architecture top pick" paper selections. For more information, please see his webpage.

Brandon Lucia, Assistant Professor, Electrical Computer Engineering

Abstract: Energy-harvesting computing devices (EHDs) are an emerging class of computer systems that extract energy from their environment to operate. Such environmental energy is intermittently available and an EHD executes software intermittently, with periods of progress interspersed with power failures. Each power failure causes a reboot, compromising progress, losing volatile state, and potentially leaving non-volatile state inconsistent.

Bio: Brandon Lucia is an Assistant Professor in the Electrical and Computer Engineering Department at Carnegie Mellon University. Brandon's research lies on the boundary between computer architecture, computer systems, and programming languages. He focuses on improving programmability, reliability and efficiency of computing devices, looking especially into energy-harvesting and intermittent computer systems, as well as parallel and concurrent computer systems. Brandon's work spans layers of abstraction, from the microarchitecture to the application. Brandon received his PhD in Computer Science and Engineering from the University of Washington in 2013. Before coming to Carnegie Mellon University, Brandon was a Researcher at Microsoft Research in Redmond, WA. Learn more about Brandon's work (or listen to his band "netcat"') at

Ken Mai, Senior Systems Scientist, Electrical and Computer Engineering

Abstract: Electronics counterfeiting is a significant and growing problem for electronics manufactures, system integrators, and end customers. The widespread prevalence of counterfeit electronics in the manufacturing supply chain raises alarming security concerns in both the defense and civilian sectors. The threat ranges from relatively simple IC remarking in order to sell parts at a higher price or to recycle parts from discarded equipment to wholesale reverse-engineering/copying of designs and manufacturing of cloned ICs and systems. To combat IC counterfeiting, we propose secure chip odometers to provide ICs with both a secure gauge of use/age and an authentication of provenance to enable simple, secure, robust differentiation between genuine and counterfeit parts.

Ken MaiBio: Ken Mai received his B.S., M.S., and PhD. degrees in electrical engineering from Stanford University. He is currently a Principal Systems Scientist in the Electrical and Computer Engineering Department at Carnegie Mellon University. His research interests are in high-performance circuit design, secure IC design, reconfigurable computing, and computer architecture. He was the recipient of an NSF CAREER award, the George Tallman Ladd Research Award, and the Eta Kappa Nu Excellence in Teaching Award. He is a member of Phi Beta Kappa and IEEE.

11:15 - 12:00pm Session VIII: Software Security

Bill Scherlis, Professor, School of Computer Science; Director, ISR

Abstract: The National Security Agency recently launched a set of small collaborative projects focused on the "Science of Security." These projects, called Lablets, are led by four universities but involve several dozen others as funded collaborators. The talk will discuss the purpose and concept of operations for the lablets.

Bill ScherlisBio: William L. Scherlis is Professor of Computer Science and director of CMU's Institute for Software Research (ISR) in the School of Computer Science. He founded and led the CMU PhD Program in Software Engineering for its first decade of operation. He was Acting CTO for the Software Engineering Institute for 2012 and early 2013. Dr. Scherlis completed a PhD. in Computer Science at Stanford University, a year at the University of Edinburgh (Scotland) as a John Knox Fellow, and an A.B. at Harvard University. His research relates to software assurance, software analysis, and assured safe concurrency.

Scherlis has testified before Congress on software sustainment, on information technology and innovation, and on roles for a Federal CIO. He interrupted his career at CMU to serve at Defense Advanced Research Projects Agency (DARPA) for six years, departing in 1993 as a senior executive. Scherlis chaired the National Research Council (NRC) study committee that produced the report Critical Code: Software Producibility for Defense in 2010. He served multiple terms as a member of the DARPA Information Science and Technology Study Group (ISAT). He has been an advisor to major IT companies and a founder of two CMU spin-off companies.

Scherlis is a Fellow of the IEEE and a lifetime National Associate of the National Academy of Sciences.

Jonathan Aldrich, Associate Professor, School of Computer Science

Abstract:Software systems can be insecure in a million different ways, but there is only one way to create secure software: building security into the architecture and ensuring that architecture is followed consistently as the system is constructed. Unfortunately, with today's technologies, a system's security architecture is at best expressed informally, and enforcement of that architecture must be done through all-too-fallible human mechanisms.

In the Wyvern project, we are designing language-based mechanisms for expressing architecture in a tool-readable way, and enforcing security-relevant architectural constraints in the code. The approach allows the architect to specify and control the security architecture of a system as it is built and evolved, ensuring that critical security properties can be assured with a high degree of confidence.

Jonathan AldrichBio: Jonathan Aldrich is Associate Professor of Computer Science at Carnegie Mellon University. He is the director of CMU's Software Engineering Ph.D. program, and teaches courses in programming languages, software engineering, and program analysis for quality and security. In addition, he serves as a consultant on architecture, design, and legal issues in the software industry. Dr. Aldrich joined the CMU faculty after completing a Ph.D. at the University of Washington and a B.S. at Caltech.

Dr. Aldrich’s research centers on programming languages and type systems that are deeply informed by software engineering considerations. His research contributions include verifying the correct implementation of an architectural design, modular formal reasoning about code, and API protocol specification and verification. For his work on software architecture, Aldrich received a 2006 NSF CAREER award and the 2007 Dahl-Nygaard Junior Prize, given annually for a significant technical contribution to object-oriented programming. Current areas of research focus include extensible programming languages, analysis and type systems for security and productivity, and foundations of object-oriented programming.

Michael Maass, PhD Candidate in Software Engineering

Abstract: Modern applications are composed of code of varying trustworthiness obtained from diverse sources. These complex supply chains create internal attack surfaces where a vulnerable or malicious component can compromise an entire application. The Java sandbox was developed to securely encapsulate such components, but it is primarily used to secure applications launched from the web while treating all of their components uniformly. In this talk I identify and overcome developer-facing complexity in the Java sandbox hampering more advanced use. I discuss the design of MAJIC -- a tool that assists developers in recovering and refining a security policy from Java bytecode and that uses the policy to sandbox targeted application components.

Michael MaasBio: Michael is a fifth year PhD student studying Software Engineering in the Institute for Software Research. His research focuses on removing hurdles to sandbox deployment, but he maintains a broad interest in software security. Michael has seven years of industrial experience as a Security Engineer in the aerospace industry. He maintains close ties with the industry and validates much of his work in collaboration with practitioners suffering from problems his research aims to solve.

12:00 - 1:30 Poster Session and Lunch
1:30 - 2:15 Session IX: Usable Privacy and Security II

Lujo Bauer, Associate Research Professor, CyLab

Abstract: In this talk I'll discuss several recent projects to help users make better security decisions online. In two of the projects we leverage machine learning: in one, to suggest to users how to set their sharing preferences for content they upload to social networks; in another, to automatically configure web browsers to allow or deny tracking on a per-page-visit basis according to a user's preferences. The third project aims to help users create better passwords through detailed feedback and guidance, and shows how tricky it is to make systems both more secure and more usable.

Lujo BauerBio: Lujo Bauer is an Associate Research Professor in CyLab and the Electrical and Computer Engineering Department at Carnegie Mellon University. Lujo's research interests span many areas of computer security, and include building usable access-control systems with sound theoretical underpinnings, developing languages and systems for run-time enforcement of security policies on programs, and generally narrowing the gap between a formal model and a practical, usable system.

Florian Schaub, Postdoctoral Fellow, School of Computer Science

Abstract: Today's online economy is largely fueled by user data. Users are often unaware of what data services and devices collect about them, how such data is used, and the associated privacy implications. Privacy policies and privacy notices are supposed to provide transparency about services' data practices. However, they are often complex and difficult to understand, and most users ignore them. Constrained interfaces on mobile devices, wearables, and smart home devices exacerbate the issue. In our work, we analyze the challenges that often render privacy notices and control mechanisms ineffective, and develop usable privacy mechanisms that make users aware of potential privacy issues, empower them to control their privacy, and help them make beneficial privacy decisions.

Florian SchaubBio: Dr. Florian Schaub is a postdoctoral fellow in the School of Computer Science at Carnegie Mellon University. His research focuses on human factors of privacy, human-computer interaction, ubiquitous computing, and mobile security. He has a doctoral degree and Diplom in Computer Science from Ulm University, Germany, and a Bachelor in Information Technology (Multimedia Technology) from Deakin University, Australia. He has received the Ulm University Association's dissertation award for his PhD thesis, a SOUPS 2015 best poster award, and best paper awards at MUM 2014 and ITS 2014. He serves as poster co-chair for SOUPS 2015 and 2016, as well as publicity co-chair for MUM 2015. He is further an IAPP Certified Information Privacy Professional (CIPP/US) and Privacy Technologist (CIPT). His research has been featured in the Wall Street Journal, The Guardian, Wired, New Scientist, Technology Review, and other print and online media; as well as on CNN, BBC, and Channel 4's Gadget Man.

Jason Hong, Associate Professor, Human Computer Interaction Institute

Abstract: In this talk, I discuss the results of several studies looking at how social psychology can be used to improve the security of an organization.

Jason HongBio: Jason Hong is an associate professor in the Human Computer Interaction Institute, part of the School of Computer Science at Carnegie Mellon University. He works in the areas of ubiquitous computing and usable privacy and security, and his research has been featured in the New York Times, MIT Tech Review, CBS Morning Show, CNN, Slate, and more. Jason is an associate editor for IEEE Pervasive Computing and ACM Transactions on Human Computer Interaction, and is on the editorial board for CACM (Web site) and Foundations and Trends in HCI. He is also an author of the book The Design of Sites, a popular book on web design using web design patterns. Jason is also a co-founder of Wombat Security Technologies, which focuses on the human side of computer security. Jason received his PhD from Berkeley and his undergraduate degrees from Georgia Institute of Technology. Jason has participated on DARPA's Computer Science Study Panel (CS2P), is an Alfred P. Sloan Research Fellow, a Kavli Fellow, a PopTech Science fellow, a New America National Cybersecurity Fellow, and currently holds the HCII Career Development fellowship.

2:15 - 3:15 Session X: Security & Decision Sciences

Baruch Fischhoff, Howard Heinz University Professor, Social and Decision Sciences and Engineering and Public Policy

Abstract: Decision science provides a systematic approach to addressing three aspects of human behavior inherent in managing any risk: (a) the behavior of the individuals who determine a system’s vulnerability and resilience; (b) the behavior of the experts who design a system and assess its robustness; (c) the behavior of the decision makers who guide a system’s development and must cope with its residual problems.

Baruch FischhoffBio: BARUCH FISCHHOFF, Ph.D., is the Howard Heinz University Professor in the departments of Social and Decision Sciences and of Engineering and Public Policy at Carnegie Mellon University, where he heads the Decision Sciences major. A graduate of the Detroit Public Schools, he holds a BS in mathematics and psychology from Wayne State University and an MA and PhD in psychology from the Hebrew University of Jerusalem. He is a member of the Institute of Medicine of the National Academy of Sciences and. He is past President of the Society for Judgment and Decision Making and of the Society for Risk Analysis, and recipient of its Distinguished Achievement Award. He was founding chair of the Food and Drug Administration Risk Communication Advisory Committee and recently chaired the National Research Council Committee on Behavioral and Social Science Research to Improve Intelligence Analysis for National Security and currently co-chairs the National Research Council Committee on Future Research Goals and Directions for Foundational Science in Cybersecurity and the National Academy of Sciences Sackler Colloquium on “The Science of Science Communication.” He is a former member of the Eugene, Oregon Commission on the Rights of Women, Department of Homeland Security's Science and Technology Advisory Committee, the World Federation of Scientists Permanent Monitoring Panel on Terrorism, and the Environmental Protection Agency Science Advisory Board, where he chaired the Homeland Security Advisory Committee. He is a Fellow of the American Psychological Association, the Association for Psychological Science (previously the American Psychological Society), the Society of Experimental Psychologists, and the Society for Risk Analysis.

Casey Canfield, PhD Candidate in Engineering & Public Policy

Abstract: Phishing attacks threaten the information security of all levels of society, from individuals to governments. Yet these attacks are difficult to prevent with technology alone, as technology must be operated by people. Those responsible for managing security risks must understand user vulnerability, in order to evaluate interventions as well as estimate what risks remain. We use an approach from the vigilance literature, signal detection theory, to disentangle users’ ability to distinguish between phishing and legitimate emails (discrimination ability) and tendency to classify emails as phishing or legitimate (decision threshold). We compare performance on two tasks: detection, deciding whether an email is phishing; and behavior, deciding what to do with an email. We find that participants are more cautious when phishing messages contain personal greetings and when they perceive worse consequences from falling for phishing. These results suggest strategies that are more (and less) promising for reducing system vulnerability.

Casey CanfieldBio: Casey Canfield is a PhD candidate in Engineering & Public Policy. Her research focuses on using ideas from quantitative psychology to better integrate human behavior in cyber risk analysis.

3:15 - 3:45 Session XI: Cloud and Big Data Security

"Group discussion of Cloud and Big Data Security "
Greg Ganger and Garth Gibson, Professor, School of Computer Science

3:45 - 4:00 Closing Remarks