March 2 - DLS Presents Wenke Lee, Georgia Tech

 

As the first Distinguished Lecture Series (DLS) presenter, the Department of Computer Science is pleased to welcome from Georgia Institute of Technology. On March 2 at 2:30p, Dr. Lee will present Security Overlay: Data Protection via User-Intent Monitoring. The abstract for his talk is presented below. To see the full schedule of speakers for this spring's DLS, click

Talk abstract:
We are increasingly depending on cloud-based services in our daily activities, and inevitably a lot of our sensitive and valuable data is transported through or stored in the cloud. There have been many incidents where the security of user data was compromised because of malicious or vulnerable client-side applications and cloud servers. 

Our research aims to develop a data protection approach that can be widely adopted by the average end-users, and a key challenge we need to overcome is user acceptance. In particular, we need to provide transparent user experience, that is, our data protection approach should not alter the functionality, workflow, and the look-and-feel of an application. Further, we need to provide intuitive, user-intended protection, that is, the default security policy should match a user’s understanding of the expected (good) behaviors of an application. 
The centerpiece of our approach is a new systems mechanism called the security overlay, which can intercept user input and application output and display relevant data on an overlay window right on top of the application’s UI. The overlay window is isolated from the application and its security is dependent on the trusted computing base, or TCB, such as a virtual machine monitor or the OS kernel.

We have developed a prototype of security overlay and applied it to several application scenarios. For example, the security overlay of a web-based email client can ensure that user sees and agrees that the text on the overlay display is really his message, and that the outgoing email payload matches that text. We call this the “what you see is what you send (WYSIWYS)” policy. As another example, the security overlay for WhatsApp can display plaintext input on the overlay window for the user but only send the encrypted input to WhatsApp (and its remote server). In other words, this provides end-to-end message encryption.