CSE News

  • UC San Diego Department Establishes Endowed Chair to Honor Ronald Graham

    The CSE department is honoring one of its own with a special distinction. The department has established the Ronald L. Graham Chair of Computer Science, named after the current CSE professor, distinguished mathematician, and Chief Scientist in the California Institute for Telecommunications and Information Technology (Calit2). (The Qualcomm Institute is the UC San Diego division of Calit2.)

    The Graham Chair is the first named chair from the department’s endowment built up during the fundraising campaign launched five years ago. The chair announcement is timed to coincide with preparations for the celebration of Graham’s 80th birthday this October, and a series of other events honoring the mathematician-turned-computer science professor, which began in June with “Connections in Discrete Mathematics,” a week-long celebration of Graham's work. The speakers at Simon Fraser University in Vancouver included CSE professors C.K. Cheng and Pavel Pevzner. (Class photo of the conference with Ron and Fan Graham in front row pictured below.)

    “Ron Graham has led an exemplary life, first at Bell Labs, and later in academia,” said CSE Chair Rajesh Gupta, noting that the chair was originally funded by the anonymous alumnus who donated $18.5 million to the department in 2013. “The donor recognized the role Ron Graham has played and sought to honor him in this way while Graham is still an active faculty member who is revered by his students and colleagues alike. He has devoted the latter part of his life to passing along his knowledge and inspiration to students and younger faculty members.”

    The inaugural holder of the Graham Chair is expected to be announced in the fall. The chair will support a faculty member’s research and teaching in areas such as big data, computer systems and cyber-physical systems.

    After earning his PhD in Mathematics from UC Berkeley in 1962, Graham began a 37-year career at AT&T Bell Labs, primarily as its director of information sciences. His work on “hard problems” led him to focus on the complexity of routing telephone calls across U.S. time zones for AT&T. Graham was also influential on the development of the Internet, after he explored the creation of a worldwide network of routers with MIT mathematician Tom Leighton. Leighton went on to create Akamai Technologies, which is today believed to be the world's largest, globally-distributed computing platform – and a critical component of the global Internet. (For many years Graham served on Akamai’s board of directors.)

    Following the breakup of AT&T in 1984 and the spinoff of Bell Labs and manufacturing businesses into Lucent Technologies in 1996, Graham became Chief Scientist of the downsized research unit, renamed AT&T Labs. Three years later, in 1999, then-UC San Diego Chancellor Robert Dynes (a former colleague at Bell Labs) invited Graham to join the CSE faculty in the Jacobs School of Engineering. Less than two years later Graham added the title of Chief Scientist in Calit2, the joint UC San Diego-UC Irvine research institute created by the State of California in December 2000.

    Graham’s primary role in Calit2 has been as an advisor to the institute’s long-serving director, Larry Smarr, and its governing and advisory boards.  “I have relied tremendously on Ron Graham for his personal guidance and input on where to take Calit2 next,” said Smarr. “He has played an active role in discussions about the future of Calit2, and he helped us anticipate the massive impact that the Internet and communications technologies would have on many different disciplines and business sectors.”

    Graham’s ability to grasp the big picture and at the same time to break down the components of a problem in order to find a solution made him a born mathematician. At one point the Guinness Book of World Records attributed to Graham the longest number ever used in a mathematical proof (in 1977) – a number so big that there is no known notation – and “Graham’s number” got him featured in Ripley’s Believe It or Not! His long friendship with influential mathematician Paul Erdős also resulted in Graham’s 1979 paper that introduced the concept of an “Erdős number” showing how closely other mathematicians were tied to Erdős based on the number of publications they co-authored with Erdős. Ron Graham’s Erdős number: 1 (reserved for Erdős’s immediate co-authors). The concept later took hold in Hollywood as the basis of the popular “Six Degrees of Separation” game depicting how close an actor got to appearing in a movie with Kevin Bacon.

    Another of Graham’s frequent co-authors is UC San Diego mathematics and computer science professor Fan Chung Graham. They have been married since 1983.

  • UC San Diego Develops Online Software Development Courses for Coursera

    Enrollment now open, classes to start Sept. 15

    Three members of the Computer Science and Engineering faculty at the University of California, San Diego are the brains behind a new online course series to teach intermediate software development to learners around the world, Java Programming: Object-Oriented Design of Data Structures. The four courses and a Capstone Project make up a Specialization mini-degree program commissioned by Coursera, a leading provider of open online courses with 15 million registered learners worldwide.

    Earlier this year, a UC San Diego team of teaching professors consisting of Christine Alvarado, Mia Minnes and Leo Porter (pictured l-r) was awarded the opportunity to work with Coursera to develop the intermediate level Specialization.  Google is contributing ideas for real-world projects and the involvement of its engineers as guest lecturers to the Specialization. The company is interested in learning how participants use and experience the courses and may benefit from them.  (Coursera is also working with Duke University to develop an introductory level software development Specialization, with similar involvement from Google.)

    Alvarado, Minnes and Porter are popular teachers, but they also share a passion for research about computer-science education. Most of that research has focused on learning in the classroom, and the new courses for Coursera give the lecturers an opportunity to adapt what they have learned about education in the classroom to improve how computer science is taught online.

    “This Specialization is truly a unique offering for computer science learners,” said Porter.  “All the courses feature novel approaches to online-based learning – approaches we have developed by adapting best practices from computer-science education research to this new context.” 

    When the Specialization launches on Sept. 15, it is expected to draw thousands of self-paced learners each month. The instructors recommend that students should already have a basic familiarity with Java programming, but there is no formal prerequisite. The first course in the series goes beyond coding, with students learning to design and build more complex Java software projects.

    “We’ll explore how to divide up a large project into a hierarchy of classes and how to increase the functionality of projects by importing existing libraries,” said Mia Minnes, speaking about the first course in the Specialization. “We’ll also look at some core algorithms for searching for and sorting data. Along the way, learners will develop an exciting, interactive application with a graphical user interface.”

    Given their research backgrounds, the instructional team at UC San Diego will be studying the courses’ impact on learners, and their findings will contribute to the still-nascent knowledge base about effective practices in online learning. 

    Minnes, Porter and Alvarado are sharing the teaching workload, and their topics include object-oriented programming, data structures, and performance analysis. Each course in the series runs approximately four weeks, and projects are an important part of the curriculum.

    “We want learners to be inspired to create,” said Alvarado. “They will dive into a course project right away, with each lesson designed around concepts that are directly applicable to extending the project’s functionality.”

    According to the instructors, the courses go beyond what existing online computer science courses offer by exploring topics that are often at the core of interviews for programming internships and full-time jobs. Indeed, the fourth course in the sequence homes in on problem-solving and interview skills.

    Video modules include lectures with core content as well as testimonials and stories from real-world software engineers (for example, discussing the frontiers of the software development industry), together with help videos to rescue learners who get stuck. The courses also offer recorded conversations between on-campus students who are learning the material (pictured l-r: Jahaziel Aguilera, Julia Kapich and Monica Hung) – leveraging the UC San Diego professors’ previous research findings on the value of ‘peer instruction’, particularly when it comes to learning computer science.

    There is a growing body of research showing that peer instruction can play a critical role in improved learning outcomes in computer science education. Students tend to relate better to other students, and they are also more likely to model their study behaviors on those of learners who appear to have gained a mastery of the subject.

    Each course in the Specialization can be taken independently, or they can be taken in sequence, ultimately culminating in a Capstone Project using intermediate programming and software design skills. Learners who pay for the Specialization and complete the four courses are then invited to undertake the Capstone Project.

  • CSE Lecturer Organizes Conference on Future of Virtual Reality

    Experts from academia and industry will share their insights into the future of virtual-reality technologies and content at the first annual Future of Virtual Reality Conference. The 2015 event takes place Tuesday and Wednesday, Sept. 8-9, in Atkinson Hall, and it is organized by Qualcomm Institute research scientist Jurgen Schulze, a part-time lecturer in the Computer Science and Engineering department.

    In addition to the conference, the Future of Virtual Reality will also showcase the latest technologies – from large-scale 3D displays to personalized VR systems such as the Oculus Rift – in a demonstration room next to the conference venue. The latest products and prototypes of VR gear will be on display and demonstrated during breaks in the conference schedule to give attendees an opportunity to see and use the newest systems and VR software.

    “Most conferences about virtual reality tend to be either focused on the industry, or the more academic side that looks where the technology is going in the medium to long term,” said conference organizer Schulze. “We decided to merge the two interested audiences, because we see that there is a lot that the two sides can learn from each other – especially when it comes to envisaging how far the technology can take us over the next decade.”

    Funding for the Future of Virtual Reality Conference is provided, in part, by a grant from the Calit2 Strategic Research Opportunities (CSRO) program.

    The institute is uniquely positioned to be a partner for companies wanting to enter the virtual-reality marketplace because of its cutting-edge visualization and virtual reality laboratories, and its world-class research activities in real-time graphics and 3D user interaction. The Qualcomm Institute houses a variety of unique, gold-standard 3D visualization systems, such as the StarCAVE, NexCAVE, TourCAVE, and WAVE (pictured), all of which are equipped with 3D tracking systems to allow for the prototyping of immersive VR software applications.

    The CSRO grant also provided funds to further develop applications around VR head-mounted displays and see-through augmented-reality displays. Much of the research at UC San Diego in this area involves user control and 3D interaction as researchers develop strategies for how to best run applications on head-mounted consumer displays such as the Oculus Rift and Sony Morpheus.

    The conference sessions reflect the breadth of open topics in the VR field, including display hardware, panoramic cameras, content generation, spatialized audio, user interaction, social applications of VR, and so on. For university researchers one of the underlying issues is that VR applications can be very hardware dependent because they depend on the existence of specific types of input devices or display devices. Although VR applications are designed at the Qualcomm Institute to run on a variety of graphics cluster-based systems, including the StarCAVE, WAVE and even head-mounted devices such as Oculus Rift, they do not run on mobile devices.

    “There are obstacles to deploying our applications on mobile devices, in terms of the operating system, programming language and middleware software,” noted Schulze. “But we believe these obstacles can be overcome so that VR applications can run on the entire range of VR-capable devices, from mobile phones to large, immersive walk-in systems.”

    Indeed, Schulze and his colleagues in the Immersive Visualization Laboratory have already created a batch of software applications bringing traditional elements of virtual reality to mobile devices, including a viewer for archaeological dig sites, a 3D sketching tool, and a cell phone-based data viewer that works in conjunction with a large tiled display wall.

    One of the keynote presentations at the conference will be given by scientist, futurist, author and UC San Diego alumnus David Brin, an acclaimed author of science fiction works that have explored themes of virtual reality. Other speakers at the conference will include academics (Ruth West from the University of North Texas, Sheldon Brown from UC San Diego, and others) as well as industry experts, including Jared Sandrew of Legend 3D, Amir Rubin of Sixense, and Jeffrey Johnson from Aero Glass.

  • Howard University Alumnus Awarded Sloan Ph.D. Fellowship in Computer Science at UC San Diego

    Jeremy Blackstone is the first graduate student selected to receive a fellowship from the Alfred P. Sloan Foundation Minority Ph.D. Program to do a doctorate in Computer Science and Engineering at the University of California, San Diego. He graduated magna cum laude in computer science from Howard University, where he also earned his M.S. degree, but Blackstone is not a newcomer to the UC San Diego campus. For the past two summers, he worked in the lab of CSE Professor Ryan Kastner in an eight-week program for Master’s and undergraduate students.

    The fellowship follows the Sloan Foundation’s naming of UC San Diego, MIT and the University of Illinois at Urbana-Champaign as University Centers for Exemplary Mentoring in the foundation program started in 2014. They join five previous universities selected for the Sloan Scholars program: Pennsylvania State, University of Iowa, Georgia Tech, and the University of South Florida. Cornell University was selected in 2013.

    At UC San Diego, the program provides support for 12 incoming Ph.D. scholars in the Jacobs School of Engineering or the Division of Physical Sciences. Each scholar is awarded $40,000 over four years in addition to other financial support typically provided to each student.

    The Sloan Minority Ph.D. Program is a three-year, multi-million-dollar initiative to support underrepresented minority graduate students in STEM fields. According to the Computing Research Association, African Americans represent only 1.2% of Ph.D.’s awarded annually in computer science nationwide.  Sloan Scholars will participate in professional development activities and attend the Institute for Teaching and Mentoring at least twice during their graduate program at UC San Diego.

    Combining foundation and university funds, 122 minority graduate students will receive tuition, stipends, and professional development support at UC San Diego, MIT and UIUC over the next three years. “Increasing the diversity of graduate education in the sciences, mathematics, and engineering means getting talented minority candidates into quality Ph.D. programs and helping them succeed once they get there,” says Elizabeth S. Boylan, Director of the STEM Higher Education program at the Sloan Foundation. “These universities really stand out for the depth of their commitment to minority Ph.D. students in the sciences and engineering.”

    UC San Diego itself is implementing ambitious campus-wide reforms aimed at ensuring that one of every five applications, offers, and acceptances to their graduate programs in engineering and physical sciences comes from a minority scholar. In addition to significant fellowship and tuition support, UC San Diego is aggressively recruiting and providing a host of services to entering students, including guest lectures, networking mixers, a one-month orientation for newly admitted students, and a peer-mentoring program that matches new students with more-advanced colleagues.

    Jeremy Blackstone is originally from Annapolis, MD, and the Sloan Foundation was impressed with his credentials as a mentor to other minority students. “I became interested in mentoring during my experience as a teaching assistant at Howard University, which I began as a freshman,” recalled Blackstone. “It helped me realize that some of the most powerful ways I can affect change in people’s lives is through education and service.”

    According to Blackstone, as the computer science curriculum at Howard became more challenging, he helped fellow students understand difficult concepts and assisted them in debugging their code. He volunteered to help new computer science students during their lab, and even tutored his friends in math and taught them basic programming skills.

    “I like that by helping others overcome their obstacles they can be afforded similar opportunities as I have been given,” he added. “My parents and community sacrificed to ensure that I had a proper foundation for my education and I want to help provide that same foundation for others.”

    While at Howard, Blackstone became a team leader in Alternative Spring Break, a program that sent him to New Orleans for spring break, where the students cleared fields so that displaced victims of Hurricane Katrina could return to their homes. The following year he was a team leader in Atlanta, mentoring elementary school students and encouraging them to achieve higher academic goals. During the school year, Blackstone worked for Project Dream Big and DC Metropolitan High School, an alternative school where he tutored students struggling in math and science.

    Blackstone’s desire to give back was amplified after a heart attack as a high school senior, when he was declared dead for 20 minutes. He had been misdiagnosed with asthma, but doctors discovered a rare heart condition that was later reversed with open-heart surgery. He missed some school, but went on to graduate in the top one percent of his class. That same year his dream of going to college became a reality, after receiving a full scholarship to Howard. “I was ecstatic about this because my parents’ level of income would not have been sufficient to pay for tuition, fees, room and board, especially with my younger brother about to graduate high school after me,” explained Blackstone. “The scholarship lifted a huge burden and allowed me to focus on my studies and continue with my academic success.”

    “Overcoming these challenges has allowed me to be an example of hope for other African-American students who may have similar financial or health backgrounds,” said Blackstone. “I seek to foster a community of students by openly sharing what I have experienced and encouraging others to do the same. I hope this will empower them to believe that they can achieve as well.”

    While still at Howard, Blackstone was accepted into the UC San Diego-Howard University Partnership for Graduate Success program, which leverages the Summer Training Academy for Research in the Sciences (STARS) program to provide a mentored summer research experience for up to 10 Howard students for eight weeks each summer.

    In 2013 and 2014, Blackstone was mentored by CSE Prof. Ryan Kastner on two of his key projects. The first year, he worked in the Engineers for Exploration program, co-directed by Kastner, to develop an “intelligent camera trap” to automatically detect and classify the behaviors of captive animals (first deployed in the tiger enclosure at the San Diego Zoo). Blackstone developed an infrared tiger detector as well as an automated computer-vision algorithm based on Haar features (using OpenCV) for detecting the tiger. Then in summer 2014, Blackstone helped a team in Kastner’s lab developing the Reusable Integration Framework for FPGA Accelerators (RIFFA). The RIFFA system is a framework for communicating data from a host computer processor to an FPGA via a PCI Express bus. Blackstone created interfaces to a variety of external memories that sit on the RIFFA board (involving programming of device drivers and hardware).

  • Faculty Startup Highlighted on Front Page of San Diego Business Journal

    The growing popularity of the networking app Whova, particularly with conference and other event organizers, is focusing new attention on the small startup founded by CSE Prof. Yuanyuan Zhou and a few of her postdoctoral researchers. They made the front page of the San Diego Business Journal (pictured l-r: Soyeon Park, Weiwei Xiong, YY Zhou, and Tianwei Sheng), which is a lot of publicity for a team of computer scientists who tend to be shy. Indeed, their app aims to help students and any conference-goer "to get out of their shells and mingle with strangers," as Zhou told the Journal's technology reporter, Brad Graves. He goes on to note that Zhou considers networking "a career skill that will be just as necessary as knowing the fine points of computer code. Zhou's third startup business, in fact, is kind of a technological work-around for introverted people who find themselves thrown together at conferences."

    The Whova app briefs the user on fellow conference attendees, especially information that could be a conversation starter (e.g., if they went to the same school). There is even a one-touch utility to say "hi" to someone else using the app in the vicinity. Whova recently completed its first six months of offering the service commercially, and customers have included TEDx, MIT, and a number of conferences held at UC San Diego (including CSE's 25th anniversary celebration). In those first six months, the app was deployed at more than 1,000 conferences. The article notes that Zhou learned her lesson after launching her second company, Pattern Insight, in the Bay Area -- and then having to commute back and forth from San Diego since moving here from the University of Illinois at Urbana-Champaign in 2009. Much of Pattern Insight's assets were eventually sold to VMware, but when she decided to launch Whova, she opted to locate it on Sorrento Mesa, an easy reach from campus, where she holds the Qualcomm Endowed Chair in Mobile Computing.

    Read the full article (subscription required)

  • Bioinformatics Pioneers Launch First Online Bioinformatics Specialization on Coursera

    Next week, learners around the world will have the opportunity to enroll in a series of courses designed for biologists eager to gain computational skills and for computer scientists who want to explore the frontier of bioinformatics. UC San Diego will launch its six-course Specialization in Bioinformatics on Coursera, which culminates in a Capstone Project using software tools and big data provided by Illumina, a leading company in genome sequencing and the emerging field of personalized medicine.

    The new Bioinformatics Specialization will allow learners to earn a Specialization Certificate that serves as a mini-degree in this fast-growing, cutting-edge field. “Our online courses are identical to a core class in the Bioinformatics and Systems Biology Program at the University of California, San Diego, one of the top programs in the world. Actually, they have even more content,” said Pavel Pevzner, a professor of computer science and engineering at UC San Diego, who co-developed the Specialization with longtime colleague Phillip Compeau (far right with Pevzner), who this month joined the computational biology faculty at Carnegie Mellon University. “In fact, the Specialization will cover twice as much material as we teach in our UC San Diego course, so online learners can acquire world-class skills, even if they don’t know anything yet about biology – or computer programming.”

    The Bioinformatics Specialization gives learners the option of participating in one of two separate tracks: one for students who already have programming skills, the other designed largely for biologists who don’t code but do want to learn how to use popular bioinformatics tools to solve practical problems.

    “Biologists use bioinformatics tools such as BLAST in their daily lives,” said Compeau. “BLAST is like the Google of biology: everybody uses it, even if they don’t know how it works. But it’s important for a biologist to know how BLAST works to avoid pitfalls, so we explain how these tools work even if the learner doesn’t know how to program.” Learners who already know how to program will take a “hacker track” that will automatically test their programming skills using over 100 algorithmic puzzles motivated by modern biology.

    Each of the Bioinformatics courses will run for four weeks, and the starter course in the series, Finding Hidden Messages in DNA, will begin August 31 and replay every six weeks. Subsequent courses include: Genome Sequencing; Comparing Genes, Proteins, and Genomes; Deciphering Molecular Evolution; Genomic Data Science and Clustering; and Finding Mutations in DNA and Proteins. These courses are followed by a Capstone Project, Big Data in Biology, which includes challenges in bioinformatics and personalized medicine developed jointly with scientists at Illumina. “In the Capstone, students will face the same kind of challenges that researchers in the biotech and pharmaceutical industry face,” said Compeau. Pevzner added, “Each section of the Capstone will include a motivating example illustrating how the emerging field of personalized medicine has contributed to decoding the causes of mysterious diseases that traditional approaches failed to diagnose.”

    All sections of the Capstone have been developed jointly with scientists led by Semyon Kruglyak, the Senior Director of Informatics Research at Illumina. “Illumina cares about education.  We offer continued education to our own scientists, and we have the BaseSpace cloud platform that thousands of biologists around the world use.  We are making our data sets and analysis on BaseSpace available to people taking these courses,” said Kruglyak. “Illumina is most interested in educating biologists in bioinformatics because bioinformatics plays an important role in experimental design and data interpretation, but the subject is largely missing from even some of the best biology programs.  This course seems like an ideal way to close that gap quickly.”

    Plus, noted Kruglyak, “success in this Specialization could lead to Illumina job opportunities, because the company is looking for employees who can tackle biological Big Data.”

  • Computer Science at UC San Diego #14 in Global Ranking

    Computer science at UC San Diego is ranked #14 in the world, and #13 in the United States, according to the 2015 Academic Ranking of World Universities (ARWU). For the third year in a row, UC San Diego overall was also ranked the #14 best university in the world (#12 in the U.S.), while the engineering program in general also ranked #14. The rankings are released by the Center for World-Class Universities at Shanghai Jiao Tong University. 

    In addition to broad subject fields such as life sciences and engineering, ARWU ranks schools in five specific fields. Among those, UC San Diego's best performance was in computer science (#14), trailed by chemistry (#18), economics (#19), mathematics (#30), and physics (which ranked below #51).

    “It is an honor for UC San Diego to be recognized as a world-class university with strengths across multiple disciplines,” said Chancellor Pradeep K. Khosla. “This recognition can be attributed to our stellar faculty and outstanding students who are dedicated to producing research that changes lives, solves critical problems and benefits society.”

    The Academic Ranking of World Universities uses five indicators to evaluate world universities in the computer science field: the number of alumni and staff winning Turing Awards; the number of highly-cited researchers in computer science; the number of articles indexed in the Science Citation Index - Expanded in Computer Science fields; and the percentage of papers published in the top 20% of computer science journals compared to total publications in all computer science journals.

    Given that UC San Diego is a relatively young campus and that CSE boasts no alumni nor current staff winners of the prestigious Turing Award (the highest in computer science), the university gets zero points on the first two scores that make up 25% of the total field score. On the other hand, CSE has a strong track record publishing in top journals and getting cited by other academics, which largely accounts for the score that qualified the department to be ranked #14 in the world.

  • Alumnus, Postdoc Offer Way to Make Embedded Systems More Secure

    CSE postdoctoral researcher Karl Koscher (near left) was the first author on another paper presented at the Workshop on Offensive Technologies, jointly with Microsoft’s David Molnar and CSE alumnus Tadayoshi Kohno (PhD ’06) (far left), who was Koscher’s advisor at the University of Washington. They presented a system called SURROGATES to emulate and instrument embedded systems in near-real time, enabling a variety of dynamic analysis techniques. To do so, the researchers used a custom, low-latency FPGA bridge between the host’s PCI Express bus and the system being tested, giving the emulator full access to the system’s peripherals. Koscher and his co-authors built and evaluated a system that enables dynamic analysis of embedded systems at an unprecedented scale. “This will ultimately enable embedded systems developers to take advantage of several dynamic analysis techniques that were previously available only to traditional software developers,” they noted in the paper’s conclusions, “allowing them to deliver safer and more secure embedded systems.” The findings could ultimately offset some of the security concerns related to the Internet of Things, which is effectively a massive network of embedded systems.

    In a related story, a former CSE postdoc, Damon McCoy (right), also had a paper on the WOOT 2015 program. McCoy, who recently moved from George Mason University to the International Computer Science Institute in Berkeley, is the senior author on “Fuzzing E-mail Filters with Generative Grammars and N-Gram Analysis.”  Email filtering is the primary defense against email phishing attacks, and McCoy proposes a system that uses generative grammars to create large sets of unique phishing emails, which are then used for ‘fuzzing’ input against email filters. As the authors concluded, “this approach can be used to ensure the delivery of emails without the need to white-list” email from reliable sources.

    Read the full paper “SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems”.
    Read the full paper “Fuzzing E-mail Filters with Generative Grammars and N-Gram Analysis”.

  • Pinpointing a Security Vulnerability in How Computers Use Memory

    At the Workshop on Offensive Technologies (WOOT), where the paper on automotive hacking was presented (see stories above), another former member of CSE’s Security and Cryptography group had new research to present.

    CSE alumnus Stephen Checkoway (PhD ’12) presented a paper with the eye-catching title, “Run-DMA”. Checkoway (pictured as a CSE grad student), who recently moved from Johns Hopkins University to the University of Illinois at Chicago, was referring to the direct memory access (DMA) hardware engines used by computers to transfer data into and out of main memory. DMA engines are designed to free up CPU cycles to perform more challenging computations. In the paper, co-authored with Johns Hopkins PhD student Michael Rushanan, Checkoway showed that “the ability to chain together such memory transfers, as provided by commodity hardware, is sufficient to perform arbitrary computation.” This opens up the DMA engine to “malicious behavior”, and the researchers built a proof-of-concept DMA rootkit that modifies kernel objects in memory to perform “privilege escalation for target processes.” The researchers were the first to build malware entirely out of DMA data transfers, and they considered a variety of countermeasures that could be helpful in containing the security risk associated with DMA engines – up to a point. “Given the current lack of strong defenses against DMA abuse and the ability of DMA to do both Turing-complete and resource-complete computation,” concluded Checkoway and Rushanan, “it is clear that more work on secure defenses is needed.”

  • Fast and Vulnerable

    A recent alumnus of CSE’s BS/MS program, Ian Foster (MS ’15), gave a high-profile talk this week at the Aug. 10-11 USENIX Workshop on Offensive Technologies (WOOT 2015) in Washington, D.C., on the eve of the much larger USENIX Security conference. Foster (who is now at Salesforce), CSE Prof. Stefan Savage, Qualcomm Institute programmer-analyst Andrew Prudhomme (who worked on the project in Savage’s CSE 227 class), and CSE postdoctoral researcher Karl Koscher made international headlines with their paper, "Fast and Vulnerable: A Story of Telematic Failures." The researchers examined a popular aftermarket telematics control unit (TCU), which connects to a vehicle via the standard On Board Diagnostics (OBD-II) port, usually below the steering wheel. TCUs are often provided free of charge by auto insurance companies such as Progressive (with its Snapshot dongle) in return for the promise of lower rates, because TCUs can keep track of every time the driver pumps the brakes or presses the accelerator, etc. Indeed, virtually all computerized functions of a car, including lighting and HVAC, can be accessed through the OBD-II port, and the danger is enhanced because TCUs have built-in external networking -- which makes it easier for a hacker to get access to the car's computerized controls.

    "We show that these devices can be discovered, targeted, and compromised by a remote attacker and we demonstrate that such a compromise allows arbitrary remote control of the vehicle," according to the paper’s authors. "This problem is particularly challenging because, since this is aftermarket equipment, it cannot be well addressed by automobile manufacturers themselves." Indeed, a hack can be as easy as sending a text message to disable the car's brakes (as long as the auto is not going over five miles an hour).

    With funding from NSF and UC San Diego's Center for Networked Systems (CNS), the researchers looked specifically at one TCU built by Mobile Devices and distributed by insurance company Metromile, one of many companies that use the device. Metromile provides discounted per-mile insurance to Uber drivers willing to hook the TCU dongle into their car’s dashboard. For the study, a Corvette was used, but any late-model automobile would probably have had similar issues. Pictured in the Corvette: co-authors Karl Koscher (left) and Ian Foster. (Photo courtesy Wired magazine) The researchers were able to demonstrate both local and remote vulnerabilities, resulting from a combination of bad architectural decisions (e.g., the design of the update protocol) and particular configuration options (e.g., the use of text messaging and debugging features in production deployments and the use of identical keys and passwords among such devices). In their experiments with the Mobile Devices TCU, the researchers documented a number of vulnerabilities, including a complete remote compromise via text message. In their paper, the researchers showed how, once compromised, the TCU makes it possible "to remotely control safety-critical automobile features", e.g., the brakes.

    Savage told reporters that Mobile Devices subsequently issued a software update to prevent some of the security flaws. "We take these devices far too lightly," Savage told CNN. "This is a class of device that should be considered the same way we consider a medical device. It's a dangerous object that needs to be designed with care."

    The researchers offered some tips on improving the safety of TCUs, such as firewalls at the controller area network (CAN) bus that allows automotive devices to communicate with each other. However, they warned that in the long run, the auto industry "will require stronger mechanisms for code signing, authentication, and for limiting what kinds of communications a particular device can engage in." CSE’s Savage says that Metromile has been “super responsive” to the researchers’ security findings. Said Savage: “They tell us that they’ve updated all of their units over the air, and that they are no longer vulnerable.” Other companies that make or offer TCUs for fleet management, tracking, insurance and other industries will hopefully follow suit, although there is no proof yet that a completely secure TCU is even possible.

    Read the full paper, "Fast and Vulnerable: A Story of Telematic Failures".
