News

Researcher Spotlight: Joshua Garcia

December 20, 2018

Joshua Garcia


Assistant Professor of Informatics at UCI Donald Bren School of Information and Computer Sciences

Ph.D., Computer Science, USC

 

Researcher Spotlight: Joshua Garcia

What brought you to UCI?
UCI is an amazing institution, with top-notch software and security research, which are my two main areas of research interest. This means the researchers at UCI are outstanding. Additionally, Southern California and Irvine are wonderful places to live. I grew up in Southern California and count myself as extremely lucky to have continued to be at such an excellent institution, even in a career that tends to prevent you from having much choice about where I live.

What is your major focus area as a researcher, and why?
I am a software-engineering researcher focusing on software security, testing, analysis, and design. I have been primarily researching mobile security for the last several years.

In one sentence, what is the most important question you want to address?
To what extent can software analysis and design be improved to achieve high accuracy and scalability for software security and other software qualities?

What has been (or will be) the impact of your research?
My research tools and datasets have been used by dozens of researchers, agencies, and companies around the world—including universities in Argentina, Australia, Brazil, Canada, China, Europe, and the United States, and by companies and government agencies such as Boeing, Bosch, Google, IBM, Microsoft, Northrop Grumman, the FBI, the Department of Homeland Security, and NASA.

What is innovative about your research?
In the area of mobile security, my approach, called LetterBomb, is the first automatic exploit-generation approach for Android apps, with the ability to generate over 180 zero-day exploits from a random selection of 10,000 apps, including popular apps with up to 10,000,000 downloads. Types of vulnerabilities for which we utilized automatically generated exploits include privilege escalations, denial of service, and spoofing vulnerabilities. We further created an Android malware-detection and family-identification approach, called RevealDroid, that is highly accurate, scalable, and obfuscation-resilient—with results superior to the top 60 commercial anti-virus tools and state-of-the-research approaches. RevealDroid has the novel ability to analyze unconventional code mechanisms, i.e., reflection (the ability of a program to inspect or modify itself) and native code, using lightweight static program analysis.

What papers do you have coming through in the next year?
We are leveraging LetterBomb and automatic program repair to automatically fix vulnerabilities in Android apps. We will also be presenting the first approach, called Darcy, for detecting and repairing architectural inconsistencies in modern Java programs, which now contain modules that allow engineers to specify exposed interfaces, which has novel security implications. Specifically,  we found 146 instances of inconsistencies among 38 Java applications. By automatically fixing these inconsistencies, we were able to measurably improve various attributes of the subject applications’ architectures, e.g., reducing the attack surface of applications by 61%, producing deployable applications that consume 17% less memory, and improving the encapsulation of applications by 28%.

A Buckeye Bounce? New Ohio Approach Might Just Catch On

October 22, 2018

National Cybersecurity Month 2018 has been, appropriately, an active time in cybersecurity law and regulation. Our state of California has passed a first-of-its-kind law to begin to regulate Internet of Things (IoT) devices – smart thermostats, implantable medical devices, etc. Watch this space for much more on this important development. California is often the first state out of the blocks with landmark innovations in cybersecurity and privacy regulation.

Often, but not always.

On November 2nd 2018, a groundbreaking new cybersecurity law will go into effect in Ohio of all places. Ohio’s new approach hopefully will serve as a bellwether for cybersecurity law and data breach liability legislation across the country.

Ohio Senate Bill 220, grants “safe harbor” to companies taking reasonable measures to implement a standards-based cybersecurity program. Not to be confused with the US-EU data transfer agreement of the same name that was struck down by Europe’s highest court, the Ohio “safe harbor” law provides significant protection from legal liability for companies that implement a reasonable written cybersecurity plan.

(more…)

CPRI Cyber Crisis Simulation: Understanding the Rules and Risks of Cyber Conflicts

CPRI Cyber Crisis Simulation: Understanding the Rules and Risks of Cyber Conflicts

October 11, 2018

UCI’s Cybersecurity Policy & Research Institute (CPRI) recently partnered with the Atlantic Council and the Marine Corps University Foundation (MCUF) to provide a half-day cyber simulation event, approximating adership decision-making during a crisis with cyber actions. Event participants were notified of cyber activity related to an “escalating crisis” with a rival nation. They had to choose between a number of options to de-escalate the crisis, conduct a proportionate response or escalate the situation. They then had to recommend a coordinated response, ranging from “publicly call for third-party mediation” to “use exploit chains to erode rival military navigation.”

“Having participated in a number of actual national security crisis meetings,” said CPRI Executive Director Bryan Cunningham, welcoming everyone to the event, “I can tell you that the [scenario] is pretty accurate.” The former White House lawyer and adviser warned the participants prior to the exercise, “You will find that you have not anywhere near enough information and not anywhere near enough time, and that is how reality works in many crisis situations.”

(more…)

UCI CPRI & Atlantic Council:<br>Invitation to Participate

UCI CPRI & Atlantic Council:
Invitation to Participate

September 17, 2018

Crisis Dynamics and Cyber Statecraft: Simulating Cross-National Perspectives

September 25, 2018
Donald Bren Hall, UCI Campus
9:00am-12:00pm
Space is limited for this event.*

The UC Irvine Cybersecurity Policy & Research Institute (CPRI) is proud to announce – in partnership with the Atlantic Council and the Marine Corps University Foundation – a 1/2-day crisis simulation exercise critical to increase understanding, by governments, police forces, and businesses, of how states use offensive cyber capabilities, alongside more traditional instruments of statecraft, to manage crises and further their national interests. For businesses, this exercise will enhance understanding of how nation-state cyberwarfare may affect them. All attendees will be able to participate – through scenario focus groups – in the decision-making process and outcome.

(more…)

Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses

July 12, 2018

by Shauhin A. Talesh

While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft.

Read More > Talesh-2018-Law_Social_Inquiry Cyber

INSURANCE COMPANIES AS CORPORATE REGULATORS: THE GOOD, THE BAD, AND THE UGLY

July 12, 2018

by Shauhin A. Talesh

Political scientists, economists, and legal scholars have been debating corporate social responsibility for decades. To that end, the financial crisis, fraud relating to Enron and Worldcom, Occupy Wall Street, and even the 2016 presidential primary debates all raise attention and concern about what corporate social responsibility is and should be in the United States.

Read More > Talesh DePaul Cyber Insurance

ICS Researchers Introduce Thermanator, Revealing a New Threat to Using Keyboards to Enter Passwords and Other Sensitive Information

June 29, 2018

A thermal image of “iloveyou” 20 seconds after entry.

After entering a password, your regular computer keyboard might appear to look the same as always, but a new approach harvesting thermal energy can illuminate the recently pressed keys, revealing that keyboard-based password entry is even less secure than previously thought. Computer Science Ph.D. students Tyler Kaczmarek and Ercan Ozturk in the Donald Bren School of Information and Computer Sciences (ICS), working with Chancellor’s Professor of Computer Science Gene Tsudik, have exploited thermal residue from human fingertips to introduce a new insider attack — the Thermanator.

(more…)

Gene Tsudik, Two Computer Science Ph.D. Students Develop Novel De-Authentication Prototype

June 25, 2018

Chancellor’s Professor of Computer Science Gene Tsudik and two of his Ph.D. students, Tyler Kaczmarek and Ercan Ozturk, have developed a novel technique aimed at mitigating “Lunchtime Attacks.” Such attacks occur when an insider adversary takes over an authenticated state of a careless user who has left his or her computer unattended. Tsudik, Kaczmarek and Ozturk have come up with an unobtrusive and continuous biometic-based “de-authentication,” i.e., a means of quickly terminating the secure session of a previously authenticated user after detecting that user’s absence. They introduce the new biometric, called Assentication, in a paper appearing at the 2018 International Conference on Applied Cryptography and Network Security (ACNS).

(more…)

Gene Tsudik, ICS Exchange Students on International Team Studying Information Leakage

June 25, 2018

In a paper to appear at the 2018 European Symposium on Research in Computer Security (ESORICS), a team of researchers from UC Irvine, New York Institute of Technology and University of Padova (Italy) reveal a new attack: Secret Information Leakage from Keystroke Timing Videos (SILK-TV). The UCI researchers include Chancellor’s Professor of Computer Science Gene Tsudik and undergrad exchange students Martin Georgiev and Nikita Samarian.

(more…)

Page 6of 9: 1 ... 4 5 6 7 8 9