By Catherine Probst
From a small room inside Mason’s Center for Secure Information Systems (CSIS), an ever-present buzzing noise emanates throughout the building. On closer inspection, one realizes that this sound is being generated by nearly 30 Android smartphones that are connected to a gigantic server.
These smartphones are working overtime running mobile phone applications through countless rigorous tests. These tests determine everything from how much energy an app consumes to information about the user to whether the app is safe to install.
This is just one aspect of Mason researcher Angelos Stavrou’s work. At any given time, he has his hands in a variety of areas including security of mobile devices, cloud computing, and software reliability for desktops and laptops. Stavrou, associate professor of computer science in Mason’s Volgenau School of Engineering, works mainly on projects of importance to national security, but the results can be applied to consumer products.
For his most recent project, funded by the National Institute of Standards and Technology (NIST) and the Defense Advanced Research Projects Agency (DARPA), Stavrou has been working with a team of researchers to help alleviate one of the military’s greatest fears about the use of smartphones and tablets—that hackers or rogue apps could tap into the Android system and spill secrets to foreign governments.
According to Stavrou, who is also associate director of CSIS, there are dozens of apps that can help military personnel operate more efficiently including digital maps, flashlights, and communication and translation software.
“When you download an app on your phone, you’re not really aware of what is happening behind the scenes and what kind of information the app is collecting,” says Stavrou. “Most of the time, this is harmless, but for military and government personnel, the issue of security can be a matter of life and death.”
Since the project began in 2011, Stavrou and his colleagues have run tests on more than 600,000 apps. They discovered that many of the most popular smartphone apps gain access to personal information such as a user’s location and address book data. App developers will typically use this demographic information for marketing purposes, but if it falls into the wrong hands the result could be disastrous.
“These days, most of our lives are online. Whether it is communicating through e-mail, checking our bank account, or making a purchase, our information is all over cyberspace,” says Stavrou. “It’s a growing issue that is gaining more and more attention and which consumer protection agencies are looking into.”
With this information in hand, the researchers, as part of a larger team that involved NIST and local companies including Kryptowire and Invincea Labs, developed smartphone software that can be used specifically by the military and is capable of handling classified government information on off-the-shelf smartphones and tablets. The researchers have already made considerable progress on the project; the first batch of phones was deployed overseas last year and is currently being used by more than 1,200 military personnel and soldiers.
Working with Mason computer scientist Fei Li, Stavrou is also working on a project that focuses on the resilience of cloud systems. Funded by a $6.6 million grant from DARPA and partnering with Columbia University, the Maintaining Enterprise Resiliency via Kaleidoscopic Adaptation and Transformation of Software Services (MEERKATS) project looks at problems that can arise when a cloud system is maliciously attacked, preventing users from accessing information stored in the cloud.
Cloud computing syncs users’ computers to their mobile devices, allowing access to all their personal data—photos, movies, contacts, e-mail, documents, and so forth—at any given moment. Since it is used extensively by government and military personnel to share and store classified information, security is a top priority.
“Because data stored in the cloud system can be accessed from a variety of devices, it becomes a security issue that involves an ecosystem of providers,” says Stavrou. “Through the MEERKATS project, we hope to develop a vast array of methods in which an attack can be thwarted, thus protecting the entire cloud system.”
In a unique approach to data security, Stavrou and his team are working to create a cloud environment that is constantly changing, therefore creating an unpredictable target for a potential attacker. This method, says Stavrou, will more effectively hinder an attacker from accessing personal and confidential information in the cloud if someone loses a mobile device or tablet.
Another project that is similar to MEERKATS—Securely Taking on New Executable Software of Uncertain Provenance (STONESOUP)—focuses on securing information stored on the servers of desktop and laptop computers. Partnering with Stanford University and Columbia University, this four-year project is funded by a $7.5 million grant—$2.2 million was awarded to Mason—from the Intelligence Advanced Research Projects Activity.
For the STONESOUP project, Stavrou’s work involves testing the vulnerabilities of
software that run on computer servers, as well as on desktops and laptops. After identifying any weak spots in the software, Stavrou and his team work to create a variety of techniques that will help mitigate or render an attack on the server ineffective.
Some of these methods include tactics of diversion that keep adversaries from knowing what they are attacking; mitigation techniques that contain the effects of an attack to a particular area of the server; and software isolation and replication where portions of the system are isolated from others and replicated across different machines to boost resilience when they become compromised.
“If an assailant is successful at taking down an entire server and infiltrating the software programs of desktops and laptops, it has the potential to be devastating for an organization,” says Stavrou. “We want to make sure that the software programs that operate these systems can recover quickly and effectively without exposing any data.”