Team for Research in
Ubiquitous Secure Technology

2012 TRUST Research Experiences for Undergraduates

PROGRAM OVERVIEW

The Team for Research in Ubiquitous Secure Technology sponsored 15 undergraduate students to participate in the summer 2012 TRUST REU program. Below are descriptions of the 2012 TRUST-REU research projects and links to each student's or team's research report and poster presentation.

RESEARCH PROJECTS


Christopher Balcells
University of California, Berkeley

Electroadhesion Minimizes Motion Artifacts in EEG (or "for minimizing")
New alternatives to wet electrodes have introduced affordable, portable EEG systems. These systems can accommodate previously unrealizable applications, such as ambulatory monitoring. However, artifacts, particularly those produced by motion between the electrode and the skin, limit the accuracy of these systems in the everyday environment. At this point, signal processing solutions are not robust enough for high noise environments with high accuracy demands. Electroadhesion may offer a mechanical solution to this problem. It uses electrodes with a large potential difference to create a holding force between the sensor and the skin. In order to determine if electroadhesion is a feasible solution, accelerations were measured during daily activities and compared to forces produced by an electroadhesive device. Leakage currents were also measured to evaluate the safety of this device. The results presented demonstrate that an electroadhesive device is (or "not") capable of resisting forces from daily activities.

Hen Su Choi
Santa Monica College

Using Brain-Computer Interfaces to Analyze EEG Data for Safety Improvement
Brain-computer interfaces (BCIs) deliver commands using electroencephalographic (EEG) activity or other electro-physiological measures of brain function. In this paper, we use EEG signals to collect important information about the states of a subject. Vigilance states are particularly important in this project. Drowsiness is a well-known safety issue for operators who must stay alert consistently for long periods of time. The objective of the present work was to record EEG data of individuals using a single-channel active dry electrode system. The hardware used in this work consists of the NeuroSky Mindwave, Mindset and Myndplay, three commercially available noninvasive BCI headsets. Raw data are presented and compared among the devices.

James Coakley
University of South Florida

An Evaluation of Bug Finding Approaches
Bugs in software, such as buffer overflows, can often become entry points for breaches in software security. These bugs are often difficult to find manually. They can also be extremely costly to fix after software is released. To alleviate this, there are automated bug-finding tools. Several different bug-finding methods have been developed from existing approaches. We test several implementations of these methods using automated tools, including bounded model checking (CBMC) and static analysis (Coverity) with BugBench, and compare and evaluate the results.

Anne Edmundson
Cornell University

Analysis of Security Code Review Effectiveness
With the rise of the web as a dominant application platform, web security vulnerabilities are of increasing concern. Ideally, the web application development process would detect and correct these vulnerabilities before they are released to the public. This research aims to quantify the effectiveness of software developers at security code review as well as determine the variation in effectiveness among web developers. We hired 30 developers to conduct a manual code review of a small web application. The web application supplied to developers had seven known vulnerabilities, including three different types: Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection. Our findings include: (1) none of the subjects found all confirmed vulnerabilities, (2) more experience does not necessarily mean that the reviewer will be more accurate or effective, and (3) reports of false vulnerabilities were significantly correlated with reports of valid vulnerabilities.

Ronald Fenelus
Florida International University

An Evaluation of Bug Finding Approaches
Bugs in software, such as buffer overflows, can often become entry points for breaches in software security. These bugs are often difficult to find manually. They can also be extremely costly to fix after software is released. To alleviate this, there are automated bug-finding tools. Several different bug-finding methods have been developed from existing approaches. We test several implementations of these methods using automated tools, including bounded model checking (CBMC) and static analysis (Coverity) with BugBench, and compare and evaluate the results.

Maurice Grant
Ithaca College

RuzenaFit: Exercising the Limitations of Privacy
This paper focuses on studying how people view their privacy and finding out how people react to issues of privacy. We also aim to find out how much privacy users are willing to give up for an incentive. We use the medium of exercise and a calorie tracking program built for Android to test this. The user will be able to work out and track their calories burned, as well as compete with their friends. Users choose their privacy setting, which determines how much information they share and how sensitive it is, and log in with their Facebook account to register with the program. They wear the phones attached to a waistband during their day, and the program tracks how many calories they burn and the points gained from it. Points were determined by calories burned combined with a multiplier of a value determined by the user's privacy setting. We were able to find that users were willing to sacrifice more of their privacy in order to gain more points because of the competitive nature of the game.

Brian Holtkamp
University of Houston, Downtown

Analysis of Security Code Review Effectiveness
With the rise of the web as a dominant application platform, web security vulnerabilities are of increasing concern. Ideally, the web application development process would detect and correct these vulnerabilities before they are released to the public. This research aims to quantify the effectiveness of software developers at security code review as well as determine the variation in effectiveness among web developers. We hired 30 developers to conduct a manual code review of a small web application. The web application supplied to developers had seven known vulnerabilities, including three different types: Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection. Our findings include: (1) none of the subjects found all confirmed vulnerabilities, (2) more experience does not necessarily mean that the reviewer will be more accurate or effective, and (3) reports of false vulnerabilities were significantly correlated with reports of valid vulnerabilities.

Girum Ibssa
California Polytechnic State University

RuzenaFit: Exercising the Limitations of Privacy
This paper focuses on studying how people view their privacy and finding out how people react to issues of privacy. We also aim to find out how much privacy users are willing to give up for an incentive. We use the medium of exercise and a calorie tracking program built for Android to test this. The user will be able to work out and track their calories burned, as well as compete with their friends. Users choose their privacy setting, which determines how much information they share and how sensitive it is, and log in with their Facebook account to register with the program. They wear the phones attached to a waistband during their day, and the program tracks how many calories they burn and the points gained from it. Points were determined by calories burned combined with a multiplier of a value determined by the user's privacy setting. We were able to find that users were willing to sacrifice more of their privacy in order to gain more points because of the competitive nature of the game.

Ashley Jones
Spelman University

Using Brain-Computer Interfaces to Analyze EEG Data for Safety Improvement
Brain-computer interfaces (BCIs) deliver commands using electroencephalographic (EEG) activity or other electro-physiological measures of brain function. In this paper, we use EEG signals to collect important information about the states of a subject. Vigilance states are particularly important in this project. Drowsiness is a well-known safety issue for operators who must stay alert consistently for long periods of time. The objective of the present work was to record EEG data of individuals using a single-channel active dry electrode system. The hardware used in this work consists of the NeuroSky Mindwave, Mindset and Myndplay, three commercially available noninvasive BCI headsets. Raw data are presented and compared among the devices.

Jodessa Lanzaderas
Mills College


  • Final Project Paper
  • Final Project Poster


Jose Martinez-Rivera
University of Puerto Rico, Mayaguez

Approaches of Managing IPv4 Exhaustion
We're running out of IPv4 addresses, and we still have a lot of use for them even with the deployment of IPv6. To manage the remaining IPv4 resources, there are 2 main structures discussed: hierarchical and market models. Reading proposals and discussions in the ARIN (American Registry for Internet Numbers) community showed that the community rejects market models as a way to manage resources. Instead, the community prefers the current hierarchical model because of its more administrative aspects. The decisions that the community makes play an important part in how the Internet number resources will be managed in the future.

Emanuel Rivera-Castro
Polytechnic University of Puerto Rico

Analysis of Security Code Review Effectiveness
With the rise of the web as a dominant application platform, web security vulnerabilities are of increasing concern. Ideally, the web application development process would detect and correct these vulnerabilities before they are released to the public. This research aims to quantify the effectiveness of software developers at security code review as well as determine the variation in effectiveness among web developers. We hired 30 developers to conduct a manual code review of a small web application. The web application supplied to developers had seven known vulnerabilities, including three different types: Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection. Our findings include: (1) none of the subjects found all confirmed vulnerabilities, (2) more experience does not necessarily mean that the reviewer will be more accurate or effective, and (3) reports of false vulnerabilities were significantly correlated with reports of valid vulnerabilities.

Kehontas Rowe
Mills College

An Evaluation of Bug Finding Approaches
Bugs in software, such as buffer overflows, can often become entry points for breaches in software security. These bugs are often difficult to find manually. They can also be extremely costly to fix after software is released. To alleviate this, there are automated bug-finding tools. Several different bug-finding methods have been developed from existing approaches. We test several implementations of these methods using automated tools, including bounded model checking (CBMC) and static analysis (Coverity) with BugBench, and compare and evaluate the results.

Ashley Tolbert
Auburn University

Modeling State Privacy Laws: Analyzing Alabama and Alaska
The complexity of regulations in healthcare, financial services, and other industries makes it difficult for enterprises to design and deploy effective compliance systems. We believe that in some applications, it may be practical to support compliance by using formalized portions of applicable laws to regulate business processes that use information systems. In order to explore this possibility, we use a stratified fragment of Prolog with limited use of negation to formalize a portion of the US Health Insurance Portability and Accountability Act (HIPAA). As part of our study, we also explore the deployment of our formalization in a prototype hospital Web portal messaging system.

Ching Yu
Mills College


  • Final Project Paper
  • Final Project Poster