Building a solid ground for cybersecurity

Substantial tools and methods to counter the most common vulnerabilities on the web. Efforts to develop a secure internet of things for industrial use. Two new, extensive cybersecurity projects are about to start at the Department of Computer Science and Engineering.
Cybersecurity research at Chalmers has been successful for a long time, and now two framework grants from SSF will further strengthen the area. Two applications, WebSec and Octopi, received funding in last year's major call for cybersecurity. WebSec will be conducted largely within the division for Information Security, while Octopi has extensive collaboration with the division for Functional Programming. Both projects aim to introduce the security aspect early in development, rather than searching for and attempting to correct errors once the systems are already in production.

Trying to prevent as much as possible

"The goal of security research is to ensure that security is not getting in the way of other development, that there are tools and automated methods that make it hard to make mistakes", says Andrei Sabelfeld, Professor in the Information Security division and project leader for the new SSF-funded project WebSec.
One of the most serious threats to web security is cross-site scripting, which means that the attacker is able to inject malicious code into the victim's web browser. Companies pay big money every year to detect and block security holes in the systems they use.

"Web systems are heterogeneous, they are implemented in different programming languages and designed at different levels, so when you connect them, there will be holes. In a typical cross-site scripting attack, the attacker injects code instead of data. With new programming languages and security enhancing mechanisms, such attacks can be prevented. In the project, we will develop new concepts for analyzing web applications for detection, mitigation, and prevention of cross-site scripting attacks", says Andrei Sabelfeld.
For JavaScript, the most common programming language on the web, the project will deliver a platform for analysis that will aid programmers in producing code that is already protected when it goes into production.

"We will also work with system-wide security. We return to the problem that different components are designed in different programming languages, and often we succeed in securing one of the components, perhaps the browser or database, but when they're connected, new errors occur that we didn't think of", says Andrei Sabelfeld.

Here, the researchers will build mechanisms to track the information throughout the system, and ensure that no information is destroyed or leaked.

Internet of things moving towards the industry

"The Internet of Things refers to a wide variety of connected devices - big things like cars, smaller things such as a robot vacuum cleaner, your wristwatch, or anything that has some computational power and is connected to the internet. The idea is that all these devices should be interconnected to simplify and improve your life, but this trend brings major problems when it comes to security", says Alejandro Russo, professor in the division for Information Security, and project leader for Octopi.

Industry is showing increased interest in harnessing the benefits of the internet of things; for example, user data sampling and data from sensor measurements can be used to improve the next generation of products. But the overall security level is too low, and an unsafe internet of things is open to attack. There are frightening examples of how smart refrigerators have been hacked to access password data, and connected cars have been taken over and remotely controlled.

In most programming languages used to program devices for the internet of things today, security is not a factor. Octopi will make the development of embedded systems comfortable while helping to place security at a central point in the developer's mind.
"The project is unique in the way it will apply the advantages of programming in very high level languages; correctness, security, reasoning about software, for developing software for the internet of things. But this vision requires solutions to some tough problems in order to become a reality", says Alejandro Russo.

Project information

WebSec, Säkerhetsdrivna webbsystem
Project leader: Andrei Sabelfeld, Chalmers University of Technology.
Project members: Alejandro Russo and David Sands, Chalmers University of Technology, and Philipp Rümmer, Uppsala University.
The project is funded by the Swedish Foundation for Strategic Research with 30 million SEK.

Octopi, säker programmering för sakernas internet
Project leader: Alejandro Russo, Chalmers University of Technology.
Project members: Mary Sheeran, John Hughes, Koen Lindström Claessen and Carl Seger, division for Functional Programming, Chalmers University of Technology.
Industrial Partners: Pelagicore AB, LumenRadio AB and Ericsson.
The project is funded by the Swedish Foundation for Strategic Research with 31 million SEK.

Published: Tue 27 Feb 2018.