News

Undergrad Security Course Features Cool Projects

Students in my undergraduate computer security course have done several excellent projects. You can watch video clips of the projects or read their reports.
http://www.youtube.com/view_play_list?p=ABEF30FCC4453A52
I would particularly like to mention the following projects:

Great job, guys!

Lessons learned from studying users’ mental models of security

Over the past three years at LERSSE, we have done several studies that helped us further our understanding of users’ mental models when it comes to security. A mental model is “an abstraction of system’s architecture and software structures that is simple enough for non-technical users to grasp. . . It provides an integrated package of knowledge that allows the user to predict what the system will do if certain commands are executed, to predict the state of the system after the commands have been executed, to plan methods for novel tasks, and to deal with odd error situations” (Card and Moran, 1986). Adequate mental models of security controls are critical if computer users are to avoid dangerous errors. Yet security controls and their interfaces are hard to design in a way that helps users develop and maintain adequate mental models.

Findings from our projects led us to the following lessons:

  • users develop and maintain their mental models (mostly) through UI
  • users’ mental models are quite adaptive, changing sometimes as quickly as the system interface
  • “automating away” security can lead to inadequate mental models and dangerous errors
  • adequacy of mental models, not just UIs, has to be tested
  • security UIs must be consistent and users need to be made aware of the consistency if they are expected to notice inconsistencies
  • combining UIs for existing and new security functions can lead to unexpected mental models

You can find more details in the talk I gave recently at Microsoft Research on the subject of users’ mental models of security. I discussed those projects in which we either intentionally studied users’ mental models of security controls or ended up stumbling upon them (or parts of them) by accident. Specifically, I focused on the studies of the Vista personal firewall, the UAC prompt, and web authentication with OpenID.

Single Sign On on the Web: What’s broken and What can be fixed?

With Ph.D. student San-Tsai Sun, we have been investigating single sign-on for the Web.
We have been looking at the usability, business, and technical aspects of web single sign-on (SSO) solutions:

  • He has analyzed the OpenID protocol and 200 OpenID-enabled web sites and found, among other things, that 50% of OpenID-enabled websites are vulnerable to cross-site request forgery (CSRF) attacks, and 75% of the evaluated websites allow an attacker to force the victim to log in to their websites as the attacker. With additional reasonable capabilities (e.g., tricking users into using a malicious wireless access point or installing a malicious browser extension) that enable an attacker to intercept the authentication response from the identity provider, an adversary can impersonate the victim on 65% of OpenID-enabled websites and re-masquerade as the victim on 6% of the websites by simply replaying the intercepted authentication responses.
  • He (together with LERSSE postdoc (at that time) Kirstie Hawkey and another Ph.D. student, Yazan Boshmaf) has also looked into the business and human aspects of the problem of OpenID’s low acceptance rate. As a result, we propose that Web SSO technology should shift from its current shared-identity paradigm to a true Web single sign-on and sign-out experience in order to function as a platform that motivates RPs’ adoption.
  • On a more technical side, San-Tsai is investigating a browser-based Web SSO solution that requires minimal user interaction and provides relying parties with clear value propositions to motivate their adoption. Our approach builds OpenID support into web browsers, hides OpenID identifiers from users by using their existing email accounts, extends the OpenID protocol to perform authentication directly by browsers, and introduces an OpenIDAuth HTTP access authentication scheme to convey authenticated identities automatically into websites that support OpenID for authentication.
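The three weaknesses San-Tsai's survey found on relying parties (CSRF-forced logins, tampered responses, and replayed intercepted responses) map onto three checks an OpenID 2.0 relying party should make before accepting an `id_res` response. The following is an added example written for this post, not code from LERSSE's prototype or from any OpenID library; it assumes a constructed association secret `ASSOC_SECRET`, a hypothetical `rp_state` token that the RP puts into `return_to` before redirecting, and an in-memory `seen_nonces` set standing in for a persistent nonce store.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed association secret; a real RP gets this from its association with the OP.
ASSOC_SECRET = b"constructed-demo-secret"
NONCE_MAX_AGE = timedelta(minutes=5)
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def kv_form(params):
    """Key-Value form of the fields named in openid.signed, in that order (keys without 'openid.')."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in params["openid.signed"].split(","))

def sign(params, secret=ASSOC_SECRET):
    """HMAC-SHA256 over the Key-Value form, base64-encoded, as for an HMAC-SHA256 association."""
    return base64.b64encode(hmac.new(secret, kv_form(params).encode(), hashlib.sha256).digest()).decode()

def validate_id_res(params, session, seen_nonces, now, secret=ASSOC_SECRET):
    """RP-side acceptance check. session = {'return_to', 'rp_state'} stored before the redirect;
    seen_nonces = store of (op_endpoint, response_nonce) pairs already accepted."""
    if params.get("openid.mode") != "id_res":
        return False, "not an id_res response"
    # Session binding: the rp_state token inside return_to ties the response to the browser that
    # started the login, so a response forged or forwarded by a third party (login CSRF) is refused.
    rt = params.get("openid.return_to", "")
    state = parse_qs(urlsplit(rt).query).get("rp_state", [None])[0]
    if rt != session["return_to"] or state != session["rp_state"]:
        return False, "response not bound to this session"
    # Integrity: every security-relevant field must be covered by the OP's signature.
    if not REQUIRED_SIGNED <= set(params.get("openid.signed", "").split(",")):
        return False, "signature does not cover required fields"
    if not hmac.compare_digest(sign(params, secret), params.get("openid.sig", "")):
        return False, "bad signature"
    # Freshness and single use: an intercepted response replayed later is rejected.
    nonce = params["openid.response_nonce"]
    ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not (now - NONCE_MAX_AGE <= ts <= now + timedelta(minutes=1)):
        return False, "nonce timestamp outside window"
    if (params["openid.op_endpoint"], nonce) in seen_nonces:
        return False, "response_nonce already used (replay)"
    seen_nonces.add((params["openid.op_endpoint"], nonce))
    return True, params["openid.claimed_id"]

def sample_response(return_to, nonce="2010-07-20T10:00:00ZabcD", secret=ASSOC_SECRET):
    """Constructed id_res response, signed the way an OP would sign it (demo data only)."""
    p = {"openid.mode": "id_res", "openid.op_endpoint": "https://op.example/auth",
         "openid.return_to": return_to, "openid.response_nonce": nonce,
         "openid.assoc_handle": "h1", "openid.claimed_id": "https://op.example/alice",
         "openid.identity": "https://op.example/alice",
         "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
    p["openid.sig"] = sign(p, secret)
    return p
```

A real RP would additionally confirm that `openid.op_endpoint` matches the endpoint it discovered for the claimed identifier, and would keep the nonce store across restarts.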

Understanding Wants and Needs of Personal Firewall Users

I presented the results of a user study by my graduate student Fahimeh Raja at SafeConfig. She conducted semi-structured interviews with a diverse set of participants to gain an understanding of their knowledge, requirements, perceptions, and misconceptions of personal firewalls. There are several interesting findings. Through a qualitative analysis of the data, we found that most of our participants were not aware of the functionality of personal firewalls and their role in protecting computers. Most of our participants required different levels of protection from their personal firewalls in different contexts. The most important factors that affect their requirements are their activity, the network settings, and the people in the network. Their requirements and preferences for interacting with a personal firewall varied with their level of security knowledge and expertise. We discuss the implications of our results for the design of personal firewalls. We recommend integrating the personal firewall with other security applications, adjusting its behavior based on users’ levels of security knowledge, and providing different levels of protection based on context. We also provide implications for automating personal firewall decisions and designing better warnings and notices.

SOUPS Features LERSSE Research

LERSSE graduate students presented their research at the Symposium on Usable Privacy and Security (SOUPS). Here is a summary of the presented research: