- Cloud and Mobile Security
Cloud computing is becoming a game-changer for academia and industry, which need low-cost and scalable data processing capabilities. However, this new computing paradigm is also fraught with security and privacy risks that need practical solutions. Though many cloud security issues are related to problems that have long been studied, I strongly believe that distinctive features of the cloud actually expand the space of these seemingly old problems, which leads to new challenges and opportunities for security research.
For example, software in the cloud is often built by integrating web APIs provided by different web service providers, and served by delivering part of its components to the user through mobile apps or browsers. Our research in the past few years shows that this Software-as-a-Service (SaaS) model can easily bring in logic flaws during API integrations, due to miscommunication between the API provider and the API user, and is fundamentally vulnerable to side-channel attacks. As evidence of the seriousness of the problems, we found that high-profile web stores integrating payment services (e.g., PayPal Checkout) can be exploited to shop for free, popular social-login services (e.g., Google ID, Facebook Connect) can be easily abused, and leading web services are leaking out such sensitive user information as healthcare data, family incomes, investment secrets and mobile users’ true identities to network eavesdroppers or malicious zero-permission apps running on the victim’s phone. Mitigation of these threats needs new technologies, a demand leading to new research directions that are becoming increasingly interesting to the security community (see the follow-up research including ours here [1, 2]). Our research in these areas has received media attention and won us a Best Practical Paper Award from Oakland’11 and a Runner-up recognition for the PET Award. My other research on SaaS includes in-line mediation of untrusted Flash, and techniques for protecting mash-up web applications. Recently, we have been moving towards mobile cloud security and privacy.
On the IaaS layer, my ongoing research focuses on secure data-intensive computing on hybrid clouds. A hybrid cloud is the typical way that an organization uses the commercial cloud: the public cloud here often acts as the receiving end of the computation “spill-over” from the organization’s internal system. This new computing paradigm, which involves both the public cloud and the private cloud, presents a new opportunity for outsourcing a large-scale computing task, in an efficient and privacy-preserving way, to untrusted environments. Our ongoing research shows that over this platform, new secure computation techniques can be developed to support real-world data-intensive computing.
- Data and Health Informatics Security
I am also interested in data-related security problems, particularly those critical for protecting patient privacy during analysis and dissemination of human genomic data (a typical example of “Big Data”), and for measurement and understanding of emerging illicit online activities.
One of the most important security challenges in health informatics is the privacy issue in human genome study (HGS), as indicated by the recent report from the Presidential Commission for the Study of Bioethical Issues. We have been working on this problem since 2008. Specifically, HGS relies on convenient access to aggregated human DNA data. Prior research, however, shows that public release of such data could lead to disclosure of HGS participants’ identity information. Our research further reveals that test statistics (e.g., p-values, r-squares) calculated from such aggregated data and published in HGS papers could also be used to infer sensitive patient information. These findings point to a disturbing lack of understanding about the privacy implications of releasing DNA data. Our ongoing research aims to address this important issue, towards building a sound security foundation to facilitate data sharing without undermining patients’ privacy. We won the PET Award for Outstanding Research in Privacy Enhancing Technologies in 2011 for our research in this area.
We have also been studying innovative technologies that enable secure analysis of human genomic data on public computing platforms. For example, we developed a novel computation partition technique that outsources sequencing read mapping, a big-data analysis task critical for HGS, to public commercial clouds. This task involves evaluating edit distances for millions upon billions of sequence pairs, which cannot be handled by any prior secure computing techniques.
More recently, we have started working on web data analysis and measurement for understanding new malicious online activities. Examples include our study of malware web advertising (“malvertising”) and the topological structures of the malicious hosts playing critical roles in a large spectrum of malicious web activities (e.g., drive-by downloads, scams, spam). Our discoveries have been used to design new detection techniques, which are shown to outperform existing commercial tools.