Congratulations to the Latest LERSSE Graduate!

Congratulations to Dr. Borke Obada-Obieh on her successful PhD defense and graduation from UBC. At LERSSE, she investigated the security and privacy challenges of using technology in personal, professional, and involuntary relationships. Her dissertation can be accessed via this link.

LERSSE Poster Received an Honourable Mention Award at SOUPS 2022

The LERSSE poster Systematization of Knowledge: Human, Organizational, and Technological Dimensions of Developers’ Challenges in Engineering Secure Software has received an honourable mention award at the SOUPS 2022 poster session.

Despite all attempts to improve software security, vulnerabilities are still propagated within software. A growing body of research is looking into why developers are unable to develop secure software from the beginning. However, despite this attention, research efforts on developer challenges lack a coherent framework. We present a systematization of existing knowledge on the factors that make secure software development challenging for developers. We evaluated 126 papers to develop a framework of challenges that includes 17 areas of challenges in three dimensions: Human, Organizational, and Technological. These areas appear to influence each other directly and indirectly. Our work highlights the interplay of these areas and their consequences for secure software development. We discuss lessons learned from the framework, shed light on its role in assisting practitioners, and propose directions for future research.

Investigating the Efficacy of User Access-Control Solutions on Smartphones

The incumbent all-or-nothing model of access control on smartphones has been known to dissatisfy users, due to high overhead (both cognitive and physical) and a lack of device-sharing support. Several alternative models have been proposed. However, their efficacy has not been evaluated and compared empirically, due to a lack of detailed quantitative data on users’ authorization needs. In our paper, which we recently presented at the 31st USENIX Security Symposium, we bridge this gap with a 30-day diary study. We probed a near-representative sample (N = 55) of US smartphone users to gather a comprehensive list of tasks they perform on their phones and their authorization needs for each task. Using this data, we quantify, for the first time, the efficacy of the all-or-nothing model, demonstrating frequent unnecessary or missed interventions (false positive rate (FPR) = 90%, false negative rate (FNR) = 21%). In comparison, we show that app- or task-level models can improve the FPR by up to 88% and the FNR by up to 20%, albeit with a modest (up to 15%) increase in required upfront configuration. We also demonstrate that the context in which phone sharing happens is consistent up to 75% of the time, showing promise for context-based solutions.

SoK: The Dual Nature of Technology in Sexual Assault

SoK: The Dual Nature of Technology in Sexual Abuse

This paper systematizes and contextualizes the existing body of knowledge on technology’s dual nature regarding sexual abuse: facilitator of it, and assistant to its prevention, reporting, and restriction. By reviewing 224 research papers, we identified 10 characteristics of technology that facilitate sexual abuse: covertness, publicness, anonymity, evolution, boundlessness, reproducibility, accessibility, indispensability, malleability, and opaqueness. We also analyzed how technology assists victims and other stakeholders in coping with and responding to sexual abuse. Our research questions also examined the challenges of using technology to address sexual abuse; for instance, its use by victims can lead to revictimization. To address technology’s challenges, we offer recommendations and suggest new research directions. These findings about the dual nature of technology can inform research and development toward better support for victims of sexual abuse.

Challenges with Chrome’s Compromised Credential Notification

The widespread availability of usernames and passwords exposed by data breaches remains a major threat to users and organizations. In response, browsers such as Chrome have started alerting users when their credentials appear in breaches. Specifically, whenever a user signs in to or registers on a site, a pop-up notification is triggered if the credentials used have been found in a data breach.