You know the green lock in the corner of your browser? That symbol represents thousands of lines of code that program developers went through to encrypt your data so an attacker cannot read or modify it. The software used to make your Web communication secure is notoriously hard for developers to use, but a BYU team developed a new system that cuts the thousands of lines of code down to just a few.
Computer science Ph.D. student Mark O’Neill recently presented his work at the USENIX Security Symposium in Baltimore, Md. His project won second place in the 2018 Facebook Internet Defense Prize, which comes with a $60,000 prize for future research at BYU. O’Neill worked with his advisor Daniel Zappala, fellow computer science professor Kent Seamons, and a handful of other undergraduate and graduate students.
In a press release praising the team’s project, Facebook Research wrote, “This work provides a prototype implementation that makes it easier for application developers to make appropriate use of cryptography. We believe safe-by-default libraries and frameworks are an important foundation for more secure software.”
O’Neill, who has long been interested in increasing online privacy and security, said early in his grad-school career he noticed particular problems with the way phones and computers use encryption on the internet. His team’s solution, he said, deals with a number of issues: “First, it allows programs to automatically encrypt their data using the latest greatest standards — even if the programmer doesn't know anything about security. Second, it allows users, IT personnel and companies to control exactly how apps and programs make secure connections on their machines, giving people the freedom to tailor security to their specific needs.”
The work is still in development, but in the long run, Seamons said, “we want it to come built in with your phone or computer system. In the near-term, we plan to release software that developers can download and include with the applications and servers they develop.”
The project is a significant piece of O’Neill’s dissertation, which has focused on moving security into the operating system. His major emphasis has been giving control over security to the people who own and operate their computers, rather than leaving it in the hands of software developers, who may not be aware of security best practices.
“Mark has a real gift for identifying practical security problems, combined with a gift for developing solutions that fit into a broad vision of improving Internet security for everyone,” Zappala said.
The research was funded by the Department of Homeland Security and the National Science Foundation. Other students involved in the project were Scott Heidbrink, Jordan Whitehead, Nick Bonner, Tanner Perdue, Torstein Collett and Luke Dickinson.