At the heart of countless cyberattacks is a single flaw in the code making up a piece of software. Carnegie Mellon University CyLab researchers are focusing their efforts on improving software security in a variety of ways, from creating automated methods of finding and fixing software bugs to verifying the security of software without compromising its performance.
Learn who at CyLab is working in software security.
We have researchers working in the following subtopics of software security and privacy. Explore each of their research projects:
IoT labels will help consumers figure out which devices are spying on them
A team of CyLab researchers has developed a prototype security and privacy “nutrition label” that performed well in user tests. To develop the label, the team consulted with a diverse group of 22 security and privacy experts across industry, government, and academia.
Provably-secure code incorporated into Linux kernel
This month, code from the provably correct and secure “EverCrypt” cryptographic library, which CyLab’s Bryan Parno and his team helped develop and release last year, was officially incorporated into the Linux kernel — the core of the Linux operating system.
Why people delay software updates, despite the risks
In a study published in the latest issue of the Journal of Cybersecurity, a team of CyLab researchers found that the time-cost of updates and individuals’ risk preferences have a significant impact on whether or not a user applies a software update, and how long it takes them to do so.
CyLab’s Corina Pasareanu and colleagues receive $1.2 million grant to develop automated bug-finding techniques
The National Science Foundation has awarded a $1.2 million grant to researchers at Carnegie Mellon University, UC-Berkeley, and UC-Santa Barbara to develop automated bug-detection and repair techniques that work at large scales.
Achieving provably-secure encryption
Earlier this week, a team consisting of researchers from CyLab released the world’s first verifiably secure industrial-strength cryptographic library—a set of code that can be used to protect data and is guaranteed to protect against the most popular classes of cyberattacks.
CyLab’s Gligor and Woo receive Distinguished Paper Award for breakthrough result on establishing “root of trust”
In a breakthrough study, “Establishing Root of Trust Unconditionally,” CyLab researchers Virgil Gligor and Maverick Woo present a test that can be run on any computing device to show whether the device has been infected with malware or not.
Building a verifiably-secure internet
In security, almost nothing is guaranteed. It's impossible to test the infinite ways a criminal hacker may penetrate a proverbial firewall. But what if, by the laws of mathematics, something could be proven to be secure without running an infinite number of test cases?
CMU student discovers website leaking locations of cell phone customers
Some cybersleuthing by Robert Xiao, a Ph.D. student in the Human-Computer Interaction Institute, uncovered a security vulnerability on the website of LocationSmart, a Carlsbad, Calif., company that provides a service for identifying the real-time location of mobile phones in the United States and Canada.
Fourteen years later, Pasareanu’s automated software-testing work awarded for retrospective impact
Fourteen years ago, CyLab associate research professor Corina Pasareanu and two of her colleagues published a paper outlining three automated techniques for checking software for bugs and vulnerabilities. This month, Pasareanu and her colleagues are receiving the 2018 Retrospective Impact Award from the International Symposium on Software Testing and Analysis (ISSTA).
CyLab team develops promising tool to help prevent cross-site scripting (XSS) attacks
Right now, go to Google.com, search for something (anything) and then look at the search results’ URL. It’s a jumbled mess of numbers, letters, and characters, right? That mess of characters is coordinating the creation of the webpage, displaying a customized list of results based on what you searched for.
Celebrating “SSL,” the unsung hero of online shopping
In the time it takes you to read this sentence, Americans are spending somewhere between $50,000 and $100,000 on online retail. In those mere seconds, few think twice about sharing their credit card numbers with Amazon, their bank routing numbers with PayPal, or their social security numbers with their banks. We have the Secure Socket Layer (SSL) to thank for that.
To improve smartphone privacy, control access to third-party libraries
Smartphone apps that share users’ locations, contacts and other sensitive information with third parties often do so through a relative handful of services called third-party libraries, suggesting a new strategy for protecting privacy, Carnegie Mellon University researchers say.
CyLab's Bryan Parno shares Distinguished Paper Award win with demonstration of verifiable security
In a paper presented at the USENIX Security Symposium, Bryan Parno and a team of researchers demonstrated a new programming tool that enables high-performance cryptographic code to be verifiably correct and secure.