Our research seeks to empower individuals and organizations to control how their data is used. We use techniques from cryptography, programming languages, machine learning, and other areas to both understand and improve the security of computing as practiced today, and as envisioned in the future.

Security Research Group (19 January 2016)
Jack Doerner, Samee Zahur, Mahnush Movahedi, Mohammad Etemad, Haina Li, Weilin Xu, Karen Pan


Secure Multi-Party Computation
Obliv-C · MightBeEvil
Practical Secure Computation
Web and Mobile Security
ScriptInspector · SSOScan
Side-Channel Analysis · Social Networking APIs
Adversarial Machine Learning
Program Analysis
Perracotta · N-Variant Systems · Physicrypt · Splint


Private Multi‑Party Machine Learning

August 18th, 2016 by David Evans

I’m co-organizing a workshop to be held in conjunction with NIPS on Private Multi‑Party Machine Learning, along with Borja Balle, Aurélien Bellet, Adrià Gascón. The one-day workshop will be held Dec 9 or Dec 10 in Barcelona.

NIPS workshops are different from typical workshops attached to computer security conferences, with lots of invited talks (and we have some great speakers lined up for PMPML16), but there is also an opportunity for researchers to submit short papers to be presented at the workshop either as short talks or posters.

Insecure by Default? Authentication Services in Popular Web Frameworks

August 15th, 2016 by David Evans

Hannah Li presented a poster at USENIX Security Symposium on how popular web frameworks perform authentication:

Insecure by Default?
Authentication Services in Popular Web Frameworks

The work studies how different design choices made by web frameworks impact the security of web applications built by typical developers using those frameworks, with a goal of understanding the usability and performance trade-offs that lead frameworks to adopt insecure defaults, and develop alternatives that lead to better security without sacrificing the needs of easy initial development and deployment.

Open Source Echo

July 3rd, 2016 by David Evans

Kevin Zhao is working on building an open source “Amazon echo” personal voice assistant (using Jasper).

His first post about it is here: Building The Open Source Amazon Echo-Jasper.

ShanghaiTech Symposium

June 25th, 2016 by David Evans

I went to Shanghai for the ShanghaiTech Symposium on Information Science and Technology. ShanghaiTech was only founded three years ago, but has made tremendous progress and recruited a talented group of faculty and students.

Zheng Zhang and Haibo Chen

Hao Bai

For the Symposium, I presented a tutorial introduction to secure multi-party computation (focused towards systems researchers), and an invited talk on Memory for Data-Oblivious Computation. Was a special honor to be able to speak about MPC applications build using Yao’s protocol following Andrew Yao’s opening keynote.

Thanks a bunch to Hao Chen for inviting me to the Symposium!

Aarhus Workshop on Theory and Practice of Secure Multiparty Computation

June 5th, 2016 by David Evans

I’m back from the Workshop on Theory and Practice of Secure Multiparty Computation are Aarhus University in Denmark. Aarhus is a great city for biking – you can rent bikes (with trailers for children), and bike down the coast from the old city, past the beach, and to the countryside, all on a bikes-only roadway.

Highlight of the workshop was unquestionably the musical performance by Ivan Damgård, Claudio Orlandi, and Marcel Keller:

I gave a talk on circuit structures and Square-Root ORAM:

abhi shelat also presented on Jack Doerner’s work on private stable matching.

After the workshop, we had a family visit to Legoland (about an hour by train and bus from Aarhus). Photo albums: Aarhus, Legoland.

SRG at Oakland 2016

May 25th, 2016 by David Evans

At the IEEE Symposium on Security and Privacy in San Jose, CA, Samee Zahur presented on Square-Root ORAM and Anant, Jack, and Sam presented posters.

Anant Kharkar
Evading Web Malware Classifiers using Genetic Programming

Jack Doerner
Secure Gale-Shapley: Efficient Stable Matching for Multi-Party Computation

Samuel Havron
Secure Multi-Party Computation as a Tool for Privacy-Preserving Data Analysis

Summer School at Notre Dame

May 13th, 2016 by David Evans

I presented two tutorials on oblivious computation at Notre Dame’s Summer School on Secure and Oblivious Computation and Outsourcing. SRG PhD Yan Huang, now at Indiana University, was one of the other tutorial presenters. I also learned a lot about verifiable computation and argument systems from Justin Thaler. Thanks to Marina Blanton for organizing a great summer school!

Slides for my tutorials on garbling techniques and memory for data oblivious computation are below.

SRG Graduates Lunch

May 1st, 2016 by David Evans

Top row: Anant Kharkar, Glenn Field, Ethan Robertson, David Evans, Hao Bai (BSCS 2016), Wenjiang Fan (honorary), Mohammad Etemad, Samee Zahur (PhD 2016), Jack Doerner, Weilin Xu, Longze Chen (MCS 2015), Kevin Zhao.
Front row: Mahnush Movahedi, Ziqi Liu (BACS DMP 2016), Hannah Li

Congratulations to our 2016 SRG Graduates:

Dr. Samee Zahur, PhD 2016
Dissertation: Demystifying Secure Computation: Familiar Abstractions for Efficient Protocols
Dr. Zahur will be joining Google, and working in the group that works on secure computation (broadly) led by SRG alumnus Jonathan McCune.

Hao Bai, BSCS 2016
Thesis project: Mitigating Memory Trace Side-Channels through Cache Loading
Hao will be starting graduate school at Harvard University in the fall.

Ziqi Liu, Distinguished Major with High Distinction in Computer Science (BACS) 2016
DMP project: A Proxy for Mitigating Threats from Embedded Third-party Scripts
Ziqi will be joining Microsoft (Redmond).

Tracking Congressional Phones

April 18th, 2016 by David Evans

Karsten Nohl (SRG CpE PhD 2009) was on CBS’ 60 Minutes (April 17) as their “Moment of the Week”: Hacking into a congressman’s phone.

We heard we could find some of the world’s best hackers in Germany. So we headed for Berlin. Just off a trendy street and through this alley we rang the bell at the door of a former factory. That’s where we met Karsten Nohl, a German hacker, with a doctorate in computer engineering from the University of Virginia.


Karsten demonstrated to the reporter how to track a Congressman’s location and listen in on phone conversations using SS7 vulnerabilities (for a real Congressman, Ted Liu of California, who actually has a CS degree). With permission, of course!

We wanted to see whether Nohl’s group could actually do what they claimed — so we sent an off-the-shelf iPhone from 60 Minutes in New York to Representative Ted Lieu, a congressman from California. He has a computer science degree from Stanford and is a member of the House committee that oversees information technology. He agreed to use our phone to talk to his staff knowing they would be hacked and they were. All we gave Nohl, was the number of the 60 Minutes iPhone that we lent the congressman.

An excerpt from the show was also the 60 Minutes Moment of the Week.

An exercise in password security went terribly wrong, security experts say

April 1st, 2016 by David Evans

PCWord has a story about CNBC’s attempt to “help” people measure their password security: CNBC just collected your password and shared it with marketers: An exercise in password security went terribly wrong, security experts say, 29 March 2016.

Adrienne Porter Felt, a software engineer with Google’s Chrome security team, spotted that the article wasn’t delivered using SSL/TLS (Secure Socket Layer/Transport Layer Security) encryption.

SSL/TLS encrypts the connection between a user and a website, scrambling the data that is sent back and forth. Without SSL/TLS, someone one the same network can see data in clear text and, in this case, any password sent to CNBC.

“Worried about security? Enter your password into this @CNBC website (over HTTP, natch). What could go wrong,” Felt wrote on Twitter. “Alternately, feel free to tweet your password @ me and have the whole security community inspect it for you.”

The form also sent passwords to advertising networks and other parties with trackers on CNBC’s page, according to Ashkan Soltani, a privacy and security researcher, who posted a screenshot.

Despite saying the tool would not store passwords, traffic analysis showed it was actually storing them in a Google Docs spreadsheet, according to Kane York, who works on the Let’s Encrypt project.

(Posted on April 1, but this is actually a real story, as hard as that might be to believe.)