Protecting Assets Proactively Through Real-Time Assessment
Almost daily, there are reports of attacks on the security of the computing data and interconnected devices that make up the digital nervous system of our society, from the computers critical to the functioning of government and business, to information stored in the cloud, to cellphones more powerful than the systems that helped send Apollo astronauts to the moon.
NJIT’s Cybersecurity Research Center was established in 2015 to develop cybersecurity technologies that will protect data from inception to end use, starting with the production of the software that manages it and extending to its remote storage in the cloud.
Broadly, the center identifies systemic weaknesses that make cyber systems vulnerable to attack, designs systems to make them more secure and hardens cyber infrastructure that has already been deployed. More specifically, its researchers develop and apply new approaches to practical encryption, securing cloud-computing services, improving secure software development techniques, data encoding and communication protocols, and researching human factors relevant to cyber technology.
The center is currently working on methods to improve the security of the entire software supply chain.
“Modern software development has a number of stages involving multiple programmers who create several versions of a product during the development process. At any point in this process bad things can happen. Along the way, malicious code can be inserted, for example,” says Reza Curtmola, a codirector of the center and an associate professor of computer science who focuses on applied cryptography, the security of cloud services, software security and privacy in computing.
Curtmola and colleagues are developing a framework for providing greater developmental transparency that has attracted several major open-source software organizations as potential early adopters. The idea is to collect metadata from the various stages of the software development chain and expose it to the end users.
“At present, end users have little idea as to how secure the product they have downloaded may be,” Curtmola says. “Our goal is to give them a better end-to-end guarantee. Important considerations are knowing how many developers have been involved in reviewing the source code – and at what points, what tools were used for testing and what other organizations the supplier used in creating a product.”
Key funders of their projects include the National Security Agency (NSA), the Defense Advanced Research Projects Agency (DARPA), the National Science Foundation (NSF), and the Intelligence Advanced Research Projects Activity (IARPA) of the Office of the Director of National Intelligence.
Two projects in progress with DARPA funding involve securing intellectual property and protecting proprietary software.
The center’s SafeWare initiative is focused on thwarting the reverse engineering of software that is used, for example, in a particular manufacturer’s cellphones. At present, this is quite easy to do. This multi-year, multi-million-dollar project aims to produce obfuscation technology that would render the intellectual property in software — proprietary algorithms, for instance — incomprehensible to a reverse engineer, but allow the code to otherwise run normally. The SafeWare effort is tackling the main practical obstacles to implementing this technology so that software can run efficiently for users while being safe from reverse engineering.
Collaborations
To take on multi-angled technology problems, the center assembles teams of NJIT colleagues and experts from partner organizations, notes Kurt Rohloff, the center’s codirector and an associate professor of computer science at the Ying Wu College of Computing who specializes in encrypted computing, distributed information management, high-assurance software and digital privacy.
Rohloff, who joined NJIT from Raytheon subsidiary BBN Technologies, where he was a senior scientist in the distributed computing group, draws on his defense industry contacts to foster the center’s collaborations with academia, industry and government. Collaborators include researchers at MIT, New York University, the University of California-San Diego, Raytheon BBN Technologies, Applied Communication Sciences, Lucent and SPAWAR Systems Center Pacific. The productivity of these partnerships is enhanced by the center’s library of open-source code developed for encryption projects, established with the support of the university’s administration.
He recently won a Young Faculty Award from the Defense Advanced Research Projects Agency (DARPA) to improve the utilization of open-source software and ease the automated optimization of open-source software, with specific applications for cryptography and cybersecurity.
“On campus, we are also fortunate to have a number of programmers with industry experience. We follow industry-standard software development practices with some of the best in the world,” Rohloff adds.
Science and Society
The mission of the Cybersecurity Research Center is social and educational, as well as technical. Developing new encryption technology is a major component of the center’s work. “We’re in the business of finding new and better ways to secure and share data,” Rohloff notes. “We want to make the systems used by virtually every type of organization more secure, so that there is greater security for medical files, legal files, financial files — at lower cost for the hosting organization and ultimately their customers.
“But our work also raises questions about the critical balance between practical technical security and personal privacy. I think we also have to do what we can to make sure that policymakers in Trenton or Washington have a more nuanced understanding of the social issues involved, the tradeoffs between public security and privacy, and to help people in general understand those issues.”
Recently, a device as seemingly innocuous as Amazon’s Echo, the speaker and personal assistant that communicates with Amazon servers, ignited legal debate about privacy when police in Arkansas asked Amazon to release a recording that may have been inadvertently made and stored during a crime. In the 21st century, even digital novelties such as Echo add to the critical mass of cybersecurity and privacy issues that reverberate far beyond a request for a favorite song.