Software security

At the heart of countless cyberattacks is a single flaw in the code making up a piece of software. Carnegie Mellon University CyLab researchers are focusing their efforts on improving software security in a variety of ways, from creating automated methods of finding and fixing software bugs to verifying the security of software without compromising its performance.

People

Learn who at CyLab is working in software security.

Subtopics

We have researchers working in the following subtopics of applications of security and privacy. Check out each of their research:

Related news

Fromherz wins ACM SIGSAC Doctoral Dissertation Award

Former CyLab Presidential Fellow Aymeric Fromherz earns ACM SIGSAC’s 2022 Doctoral Dissertation Award for his thesis, “A Proof-Oriented Approach to Low-Level, High-Assurance Programming.”

Award-winning research paves the way for provably-safe sandboxing using WebAssembly

Researchers at Carnegie Mellon have developed a pair of compilers enabling provably-safe multilingual software sandboxing using WebAssembly.

CyLab Ph.D. student receives honor for “highest quality” thesis

CyLab’s Aymeric Fromherz was recognized with an A.G. Milnes Award for his Ph.D. thesis work “judged to be of the highest quality and which has had, or is likely to have, significant impact in his or her field.”

Two of three IEEE Test of Time Awards go to CyLab researchers

At last month’s IEEE Symposium on Security and Privacy, two of three Test of Time Awards—among the most prestigious awards presented—were given to CyLab researchers.

Over 18,000 people hacked their way through picoCTF 2022

Over 18,000 people participated in Carnegie Mellon University’s annual cybersecurity competition last month—including more than 6,000 middle and high school students.

CyLab researchers awarded AI security funding

CyLab’s Giulia Fanti, Corina Pasareanu, and Vyas Sekar have been awarded research funding from the C3.ai Digital Transformation Institute.

Yinglian Xie receives 2021 CyLab Distinguished Alumni Award

The co-founder and CEO of security company DataVisor has been selected to receive the 2021 CyLab Distinguished Alumni Award.

Keeping distributed systems secure Opens in new window

Carnegie Mellon researchers are working to design networks that keep our ever-increasing numbers of connected devices safe and secure.

Research paper Opens in new window

See More Stories

CyLab names 2021 Presidential Fellows

Four high-achieving CyLab Ph.D. students pursuing security and/or privacy-related research have been awarded CyLab Presidential Fellowships.

A big step towards cybersecurity’s holy grail

The trek towards the holy grail of cybersecurity—a user-friendly computing environment where the guarantee of security is as strong as a mathematical proof—is making big strides.

CyLab researchers discover novel class of vehicle cyberattacks

The new class of vulnerabilities was disclosed in a new study presented at last month’s IEEE Symposium on Security & Privacy, held virtually.

The world’s largest online hacking competition launches next week

picoCTF 2021 begins March 16 at 12 p.m. and concludes March 30 at 3 p.m. ET. Participation is free, and all one needs to participate is a computer with basic Internet access.

CMU-Africa and CyLab aim to improve financial inclusion in emerging economies

Carnegie Mellon University (CMU) CyLab and CMU-Africa have established the CyLab-Africa initiative, which aims to improve the cybersecurity of financial systems in Africa and other emerging economies.

Phishing, fairness, and more: CyLab’s 2021 seed funding awardees

Over $350K in seed funding has been awarded to 14 different faculty and staff in seven different departments across three colleges at CMU.

Cyber defense is an art in human deception

CyLab's Coty Gonzalez and her research group presented two studies on cyber deception at this week’s Human Factors and Ergonomics Society annual meeting. CyLab director Lorrie Cranor gave the meeting’s keynote talk.

Simple “nudges” can encourage people to use a safer payment method

A team of CyLab researchers have found two forms of "nudging" that can successfully convince people to start using mobile payment, which is more secure than paying with a credit card at a point-of-sale terminal.

What if you could better control what mobile apps do with your data?

Researchers in CyLab are working to create digital “privacy assistants” that can recommend phone app privacy settings to users based on their preferences.

Research paper Opens in new window

Elaine Shi receives inaugural CyLab Distinguished Alumni Award

Elaine Shi, a CyLab alum and professor at Cornell University who will join the faculty at CMU this Fall, has been selected to receive the inaugural CyLab Distinguished Alumni Award.

Carnegie Mellon hacking team finishes 2nd at DefCon

Carnegie Mellon University’s competitive hacking team, the Plaid Parliament of Pwning (PPP), finished in 2nd place in the “Capture the Flag” competition—widely referred to as “The Olympics of Hacking”—at this year’s DefCon security conference.

CyLab names 2020 Presidential Fellows

Seven Ph.D. students pursuing security and/or privacy research will receive 2020 CyLab Presidential Fellowships.

New programming language and tool ensures code will compute as intended

A team of researchers including CyLab's Bryan Parno published a study about a new tool that mathematically proves that concurrent programs will compute correctly.

Related Article Opens in new window

picoCTF announces next competition dates

The world's largest hacking competition, hosted by Carnegie Mellon University, has announced the dates of its next competition.

IoT labels will help consumers figure out which devices are spying on them

A team of CyLab researchers have developed a prototype security and privacy “nutrition label” that performed well in user tests. To develop the label, the team consulted with a diverse group of 22 security and privacy experts across industry, government, and academia.

Research paper Opens in new window

Provably-secure code incorporated into Linux kernel

This month, code from the provably correct and secure “EverCrypt” cryptographic library, which CyLab’s Bryan Parno and his team helped develop and release last year, was officially incorporated into the Linux kernel — the core of the Linux operating system.

Q&A with Lujo Bauer

Many Americans are entering their fifth of working remotely, which has resulted in new paradigms in their own and their employers’ cybersecurity and privacy. CyLab's Lujo Bauer has been monitoring the situation.

Q&A with Lorrie Cranor

As COVID-19 continues to spread around the world, CyLab director Lorrie Cranor says there are number issues related to privacy and cybersecurity that people need to be aware of.

Q&A with Vyas Sekar

As huge swaths of the world have shifted to remote work in response to COVID-19, CyLab's Vyas Sekar thinks that enterprises need to be thinking very critically about the security of their networks – maybe more now than ever.

Q&A with Jason Hong

As the COVID-19 pandemic continues to impact countless aspects of everyday life, CyLab researchers are monitoring its effects on people’s cybersecurity and privacy. Jason Hong thinks that right now, people need to be even more aware and cautious online.

Why people delay software updates, despite the risks

In a study published in the latest issue of the Journal of Cybersecurity, a team of CyLab researchers found that the time-cost of updates and individuals’ risk preferences have a significant impact on whether or not a user applies a software update, and how long it takes them to do so.

Cybercriminals: Things are about to get a lot more confusing for you

Two papers on cyber deception authored by CyLab’s Cleotilde Gonzalez and colleagues are being presented at this week’s Hawaii International Conference on System Sciences (HICSS).

Nearly 40,000 compete in picoCTF

The biggest hacking competition keeps getting bigger. Earlier this month, more than 39,000 people from all 50 US states and 160 different countries participated in picoCTF, a free online hacking competition hosted by CMU.

The world’s largest hacking competition, hosted by Carnegie Mellon, launches tomorrow

Tomorrow marks the sixth launch of picoCTF, a free, online cybersecurity competition aimed at middle and high school students created by security experts in Carnegie Mellon University’s CyLab.

Protecting 3D printers from attackers Opens in new window

CyLab’s researchers have developed a tool to identify security risks of networked 3D printers.

CyLab’s Corina Pasareanu and colleagues receive $1.2 million grant to develop automated bug-finding techniques

The National Science Foundation has awarded a $1.2 million grant to researchers at Carnegie Mellon University, UC-Berkeley, and UC-Santa Barbara to develop automated bug-detection and repair techniques that work at large scales.

CyLab researchers create tool to help prevent cyberattacks on vehicles

CyLab's Sekar Kulandaivel and colleagues have developed a network-mapping tool to help keep vehicles protected from cyberattacks. The tool meticulously maps a car's network in under 30 minutes on less than $50 worth of hardware.

CMU crowned hacking champs for fifth time in seven years

Carnegie Mellon University’s competitive hacking team, the Plaid Parliament of Pwning (PPP), just won its fifth hacking world championship in seven years at this year’s DefCon security conference.

CMU’s Plaid Parliament of Pwning prepares for DefCon 27

Five INI students and alums are headed to DefCon 2019 to compete in “World Series of Hacking.”

Virgil Gligor inducted to the Cybersecurity Hall of Fame

CyLab’s Virgil Gligor was formally inducted into the Cybersecurity Hall of Fame this week at the Arundel Preserve Hotel in Hanover, Maryland.

Achieving provably-secure encryption Opens in new window

Earlier this week, a team consisting of researchers from CyLab released the world’s first verifiably secure industrial-strength cryptographic library—a set of code that can be used to protect data and is guaranteed to protect against the most popular classes of cyberattacks.

CyLab’s Gligor and Woo receive Distinguished Paper Award for breakthrough result on establishing “root of trust”

In a breakthrough study, “Establishing Root of Trust Unconditionally,” CyLab researchers Virgil Gligor and Maverick Woo present a test that can be run on any computing device to show whether the device has been infected with malware or not.

Building a verifiably-secure internet

In security, almost nothing is guaranteed. It's impossible to test the infinite ways a criminal hacker may penetrate a proverbial firewall. But what if, by the laws of mathematics, something could be proven to be secure without running an infinite number of test cases?

CMU student discovers website leaking locations of cell phone customers

Some cybersleuthing by Robert Xiao, a Ph.D. student in the Human-Computer Interaction Institute, uncovered a security vulnerability on the website of LocationSmart, a Carlsbad, Calif., company that provides a service for identifying the real-time location of mobile phones in the United States and Canada.

Fourteen years later, Pasareanu’s automated software-testing work awarded for retrospective impact

Fourteen years ago, CyLab associate research professor Corina Pasareanu and two of her colleagues published a paper outlining three automated techniques for checking software for bugs and vulnerabilities. This month, Pasareanu and her colleagues are receiving the 2018 Retrospective Impact Award from the International Symposium on Software Testing and Analysis (ISSTA).

CyLab team develops promising tool to help prevent cross-site scripting (XSS) attacks

Right now, go to Google.com, search for something (anything) and then look at the search results’ URL. It’s a jumbled mess of numbers, letters, and characters, right? That mess of characters is coordinating the creation of the webpage, displaying a customized list of results based on what you searched for.

Celebrating “SSL,” the unsung hero of online shopping

In the time it takes you to read this sentence, Americans are spending somewhere between $50,000 and $100,000 on retail online. In those mere seconds of time, few thought twice about sharing their credit card numbers with Amazon, or banking routing numbers with PayPal or social security numbers with their banks. We have the Secure Socket Layer (SSL) to thank for that.

To improve smartphone privacy, control access to third-party libraries

Smartphone apps that share users’ locations, contacts and other sensitive information with third parties often do so through a relative handful of services called third-party libraries, suggesting a new strategy for protecting privacy, Carnegie Mellon University researchers say.

CyLab's Bryan Parno shares Distinguished Paper Award win with demonstration of verifiable security

In a paper presented at the USENIX Security Symposium, Bryan Parno and a team of researchers demonstrated a new programming tool that enables high-performance cryptographic code to be verifiably correct and secure.

CMU hackers give a glimpse into the hacker psyche

In this podcast episode, members of PPP share their thoughts on hacking, giving us all a glimpse into the hacker psyche.

Listen to the Podcast Opens in new window

Explore Other Research Topics