Grants

  • CAREER: Increasing Trust and Reducing Abuse in Telephone Networks

    National Science Foundation · PI: Brad Reaves

    2022–2027 · CNS-2142930

    Award page
    Abstract

    Unsolicited phone calls, also known as robocalls, are one of the most pervasive and visible network security problems in the United States. Despite the sincere efforts of telephone providers, regulators, legislators, and technologists, there are virtually no consistently effective countermeasures. The project's novelties are in creating technical solutions that will empower regulators and providers to stop robocalling at scale. The project's broader significance and importance lie in dramatically improving the security and trustworthiness of the telephone network and, in so doing, restoring the telephone network as a useful communications medium. The goal of this work is to end the scourge of unsolicited phone calls by creating new techniques to detect abusive actors, restore trust in telephony by positively authenticating all phone calls, and prevent compromises of Internet voice infrastructure that would enable robocall abuse. The principal methodologies include developing threat intelligence, designing secure and privacy-preserving protocols, conducting Internet-scale measurement, and analyzing call audio. This project is also developing public information campaigns, operator and regulator training, and telephone security content for network security courses.

  • SaTC: Risk-based Secure Checked-in Credential Reduction for Software Development

    National Science Foundation · PI: Laurie Williams · Co-PI: Brad Reaves

    2021–2025 · CNS-2055554

    Award page
    Abstract

    Similar to human users, software relies heavily on the use of credentials, like passwords, to prove identity and rights to access resources. During software development, software engineers may need to share these software credentials, and operators who deploy the software will often need to distribute these credentials securely to servers. Engineers may take the path of least resistance, which includes storing credentials -- keys, database connection strings, certificates, usernames and passwords -- in the distributed version control systems used to manage software development. This type of storage makes accessing and distributing these credentials more convenient but also creates the very real hazard that they will be leaked to the public or to insider threats. This project will develop an understanding of how software engineers choose to manage credentials, and will develop techniques, tools, and datasets to better detect credential leaks and to prioritize credential removal based on the risks that disclosure of the credential would create. This project will include a mixed-methods investigation of the interplay of functional and security concerns on the software engineer's overall decision-making strategy for protecting or revealing credentials in software artifacts. This project will inform our approach to improve the ability of static analysis tools to detect more credentials with a lower false positive rate. Additionally, the project will identify the asset being protected by the credential, which will enable an automated or semi-automated risk estimation. Finally, the project will lead to the creation and evaluation of new techniques for securely storing and sharing secrets among project teams and in a system.

  • CRII: SaTC: Techniques for Measuring and Characterizing Robocalls

    National Science Foundation · PI: Brad Reaves

    2019–2022 · CNS-1849994

    Award page
    Abstract

    Automated calls (often called "robocalls"), which may range in purpose from telemarketing to outright fraud, have reached epidemic proportions. While some robocalls are societally useful, there are plenty that are used for malicious purposes. This is particularly concerning because some scam calls steal millions of dollars annually, often from vulnerable populations including the elderly and recent immigrants. Policy mechanisms like the National Do Not Call Registry have failed to meaningfully stop these calls. Despite a clear need, the network security community currently lacks the infrastructure and techniques needed to provide insight into the scope of this problem, which prevents the development and scientific validation of effective solutions. This project is aimed at developing techniques to characterize and measure robocalls, which will lead to better defenses against scam calls for end users. The project will develop a new infrastructure to collect robocalls. This infrastructure will facilitate the development of new techniques to measure the impact of victim behaviors on robocallers, as well as comprehensive and systematic measurements of robocalling trends including geographic, network and temporal characteristics; common abuse trends; measurements of spoofing rates; and characterization of robocall campaigns. Such insights will lead to better detection and prevention of these calls.

  • Defining Security Policy in Distributed Environments using Network Views

    Office of Naval Research · PI: William Enck · Co-PIs: Brad Reaves, Cristina Nita-Rotaru (Northeastern University)

    2022–2024 · N00014-20-1-2696

  • SaTC: Securing Software with Vulnerable Dependencies

    National Science Foundation · PI: William Enck · Co-PI: Brad Reaves

    2020–2023 · CNS-1946273

    Award page
    Abstract

    Software is at the very center of today's society, permeating commerce, transportation, information exchange, and entertainment. Today's software is rarely written from scratch and is frequently dependent on a large ecosystem of open source libraries and tools. As a result, a single vulnerability in a library often has a cascading effect, resulting in corresponding vulnerabilities in the many software systems and applications that depend on it. The goal of this project is to aid software developers in identifying and updating vulnerable dependencies through the creation of methods that detect, measure, and remediate a software project's use of external, open source software with security flaws. As part of achieving this goal, the investigators will develop the first global vulnerable-dependency graph to characterize the problem within the broader open source ecosystem. The creation of this global vulnerable-dependency graph depends on addressing two key research challenges. First, software dependencies exist in many forms, ranging from clear listings in package manifests to copies of external libraries added to a software project's code repository. Second, not all vulnerability fixes are announced. Developers often discover and fix vulnerabilities without issuing an announcement (or perhaps even without knowing a vulnerability was fixed). This project will address these challenges through novel application of static program analysis and text analytics. These techniques will scalably recover software dependencies, mapping both publicly known vulnerabilities and discovered silent vulnerability fixes to individual versions of software libraries and tools.