
Other Research
In our lab, we are open to conducting a range of research that doesn’t fit into our otherwise broad portfolio. Here you will find information about publications from these projects.
Blockchain
Bitcoin’s success has led to significant interest in its underlying components, particularly blockchain technology. Over 10 years after Bitcoin’s initial release, the community still suffers from a lack of clarity regarding what properties defines blockchain technology, its relationship to similar technologies, and which of its proposed use-cases are tenable and which are little more than hype. In our research,1 we have answered four common questions regarding blockchain technology:
- What exactly is blockchain technology?
- What capabilities does it provide?
- What are good applications for blockchain technology?
- How does it relate to other distributed technologies (e.g., distributed databases)?
Our finding show that Blockchain technology is most appropriate under three conditions: (a) a need for shared governance and operation (i.e., not trusted central parties can conduct any of these responsibilities), (b) auditable state, and (c) resilience to data loss.
We are currently exploring applications for blockchain technology in two areas. First, distributed document management for health care. Second, supporting multi-organizational humanitarian aid and disaster relief. In both these situations, there is no central authority to handle governance and operation, but there is a need for organizations to work with each other. Our research aims to build tools that will support both of these use cases, including in situations with limited Internet connectivity—situations which are critical for both applications, but which are not currently well-supported by existing blockchain techniques.
Secure Software Development
Many of today’s software products are insecure. Often, security is ignored as companies race to be first-to-market. Subsequent attempts to bolt security onto existing products face many challenges, frequently leaving residual vulnerabilities. The current paradigm for developing secure software is failing, and it is essential to explore alternatives.
To make progress, it is important to first understand the drawbacks of the current secure software development paradigm—i.e., implementing security on an application-by-application basis. In this model, each application needs to be architected with security in mind, and many—if not most—application developers must then correctly implement the relevant security features. Unfortunately, there is a significant lack of developers trained in cybersecurity, meaning that the architecture and implementation are both likely to have security flaws. Moreover, there is no indication that the number of cybersecurity-trained developers will ever scale up sufficiently to support the ever-increasing need for new applications.
Regardless of the specific reason, the result of the current paradigm is thousands, if not tens-of-thousands, of applications with broken and outdated security. To address these issues, we are researching alternative software development paradigms. For example, we are exploring a paradigm where instead of explicitly implementing security primitives into individual applications, they are instead implemented at global control points that are then responsible for layering security on top of all (unmodified) applications. We have successfully used this paradigm to improve the security of TLS (TrustBase2) and secure Email (MessageGuard3).
-
Ruoti et al. 2019. SoK: Blockchain technology and its potential use cases. In arXiv, arXiv:1909.12454. ↩
-
O’Neill et al. 2017. TrustBase: An architecture to repair and strengthen certificate-based authentication. In Proceedings of the 27th USENIX Security Symposium. USENIX. ↩
-
Ruoti et al. 2018. A comparative usability study of key management in secure email. In Proceedings of the 14th Symposium on Usable Privacy and Security. USENIX. ↩