Cybersecurity research at Chalmers has been successful for a long time, and now two framework grants from SSF will further strengthen the area. Two applications, WebSec and Octopi, received funding in last year's major call for cybersecurity. WebSec will be conducted largely within the division for Information Security, while Octopi has extensive collaboration with the division for Functional Programming. Both projects aim at introducing the security aspect early in development, rather than searching for and attempting to correct errors once the systems are already in production.
Trying to prevent as much as possible
"The goal of security research is to ensure that security is not getting in the way of other development, that there are tools and automated methods that make it hard to make mistakes" says Andrei Sabelfeld, Professor in the Information Security division and project leader for the new SSF-funded project WebSec.
One of the most serious threats to web security is cross-site scripting, which means that the attacker is able to inject malicious code into the victim's web browser. Companies pay big money every year to detect and block security holes in the systems they use.
"Web systems are heterogeneous, they are implemented in different programming languages and designed at different levels, so when you connect them, there will be holes. In a typical cross-site scripting attack, the attacker injects code instead of data. With new programming languages and security enhancing mechanisms, such attacks can be prevented. In the project, we will develop new concepts for analyzing web applications for detection, mitigation, and prevention of cross-site scripting attacks", says Andrei Sabelfeld.
"We will also work with system-wide security. We return to the problem that different components are designed in different programming languages, and often we succeed in securing one of the components, perhaps the browser or database, but when they're connected, new errors occur that we didn't think of", says Andrei Sabelfeld.
Here, the researchers will build mechanisms to track the information throughout the system, and ensure that no information is destroyed or leaked.
Internet of things moving towards the industry
"The Internet of Things refers to a wide variety of connected devices - big things like cars, smaller things as a robot vacuum cleaner, your wrist watch, or anything that has some computational power and is connected to the internet. The idea is that all these devices should be interconnected to simplify and improve your life, but this trend brings major problems when it comes to security", says Alejandro Russo, professor in the division for Information Security, and project leader for Octopi.
Industry is showing increased interest in harnessing the benefits of the internet of things. For example, user data sampling and data from sensor measurements can be used to improve the next generation of products. But the overall security level is too low, and an unsafe internet of things is open to attack. There are frightening examples of how smart refrigerators have been hacked to access password data, and connected cars have been taken over and remotely controlled.
In most programming languages used to program devices for the internet of things today, security is not a factor. Octopi will make the development of embedded systems comfortable while helping to place security at the center of the developer's mind.
"The project is unique in the way it will apply the advantages of programming in very high level languages; correctness, security, reasoning about software, for developing software for the internet of things. But this vision requires solutions to some tough problems in order to become a reality", says Alejandro Russo.
Project members: Mary Sheeran, John Hughes, Koen Lindström Claessen and Carl Seger, division for Functional Programming, Chalmers University of Technology.
Industrial Partners: Pelagicore AB, LumenRadio AB and Ericsson.
The project is funded by the Swedish Foundation for Strategic Research with 31 million SEK.