TULIPS: Projects

Technology Usability Lab In Privacy and Security

Usability of Security APIs

The overall goal of this project is to develop a usable SSL/TLS API by studying how developers with limited security background approach adding encryption to their projects, followed by identifying common sources of error, and then iteratively designing an API that supports adding security as part of the developer's typical work model.

SSL/TLS is used to encrypt communication between devices on the internet, but many developers make errors when attempting to incorporate these libraries into their projects, leading to serious security problems such as data leakage and potential compromise of devices. It is estimated that as many as 88% of Android apps contain at least one cryptographic API usage mistake, e.g., using constants for keys, salt, seeds, or choosing the wrong encryption mode [1].

Just like any other human computer interface, APIs need to be designed to be usable, minimize accidental error, and generally support the workflow of users. When these principles are not taken into account, it becomes easy for even highly skilled developers to make mistakes. While several HCI methods exist for exploring API usability and creating new API designs, in general there have been few attempts to apply them to security libraries.

[1] Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. An empirical study of cryptographic misuse in Android applications. In Proc. ACM CCS’13, pages 73–84. ACM, 2013.

People

Funding

Research and projects here are partially funded by the following groups:

Related Student Projects

The following are projects completed by interns, undergraduate, and masters students related to the Software Update project.
Project screenshot.

Usability Analysis and Improvement of Two Cryptographic Prototyping Frameworks

Ma Qing Gao (2017-2018, Masters Thesis)

Supervisor: Markulf Kohlweiss

Cryptography schemes can be the core solution for ensuring computer security. This project focuses on conducting two usability lab study to evaluate the usability of two existing. This project focuses on conducting two usability lab study to evaluate the usability of two existing cryptographic prototyping frameworks, which are the three existing Python cryptography programming libraries: Charm, Petlib and Bplib. The final outcomes of this thesis were: (1) giving the weakness and improvement suggestion of the documentation and error respond of these libraries. (2) identify the syntax of which library is more acceptable and understandable by cryptographers.

Project screenshot.

Putting the 'S' in HTTPS: Automatically Fixing Insecure HTTP and Flawed HTTPS Connections in Android

Vesko Stefanov (2017-2018, Undergraduate Thesis)

Supervisor: Kami Vaniea

Cryptographic solutions like HTTPS protect information in transit, but only if they are used correctly by developers. In this project, I develop an early prototype of an Android application which checks all outgoing connections from the device and where possible auto-upgrades them to HTTPS connections. I also test how feasible it is to auto-upgrade HTTP connections in terms of the ability of remote servers to accept the upgraded connections.

Project screenshot.

Encrypt me if you can: Helping developers add Transport Layer Security to Android applications

Dimple Gulrajani (2016-2017, Undergraduate Thesis)

Supervisor: Kami Vaniea

An alarming number of mobile applications on the Google Play store do not encrypt their communications leaving them open to Man In The Middle attacks. This thesis analyzes why this is the case and presents a new tutorial to help developers correctly use TLS.