Every 14 seconds, a business falls victim to a cyberattack, according to the 2019 Official Annual Cybercrime Report, which is why the global cost of online crime is expected to reach $6 trillion by 2021. Even as encryption makes data more secure, criminals are finding increasingly clever ways to sidestep cryptographic operations and expose weaknesses in software to access private information.
Tegan Brennan, a fifth-year PhD student in UC Santa Barbara’s Computer Science Department, recently discovered a new class of vulnerabilities that can leak information to anyone who notes changes in program behavior that depend on secret information.
“I discovered that an optimization technique commonly used to improve the performance of programs written in modern programming languages, such as Java and JavaScript, opens the door to information leakage,” said Brennan, who is advised by Professor Tevfik Bultan, an expert on software analysis and computer security and the director of the Verification Lab at UCSB.
Brennan discovered that these vulnerabilities are introduced by Just-In-Time (JIT) compilation, a mechanism that converts source code or bytecode into highly optimized native machine code while the program itself is running. The finding means that cyber criminals using the same software as their victim can gain information without breaking into a computer. Instead, they can extract secret information from changes in the execution time of their own interactions with the software.
“What’s disturbing about her findings is that the mechanism that causes this leakage can impact any Java and JavaScript program. And, almost all online software services these days, from social networking to online banking, use Java or JavaScript languages,” said Bultan. “I cannot emphasize the significance of this discovery enough.”
These types of breaches are known as side-channel attacks (SCAs) because the attacker gains information about a program not by observing its output, such as what it prints on screen, but by observing its other characteristics, such as the time it takes to run. The memory and power consumed during computations can provide other sources of information that hackers can exploit.
Brennan authored a paper titled “JIT Leaks: Inducing Timing Side Channels through Just-In-Time Compilation”, which was accepted for publication by the IEEE Symposium on Security and Privacy, the premier forum for presenting developments in computer security and privacy. Brennan is the first person to write an academic article on this type of SCA.
“I’m incredibly excited to present this work to the research community, and I’m grateful for the support of my lab and collaborators,” stated Brennan, who earned her bachelor’s degree in mathematics from Princeton University.
As a result of her research, Brennan also received an invitation to the 2019 Rising Stars in Electrical Engineering and Computer Science (EECS) Workshop hosted by the University of Illinois at Urbana-Champaign in October. The annual workshop recognizes the brightest and most promising women who are interested in pursuing academic careers in computer science, computer engineering and electrical engineering. Participants will present their research, interact with faculty from top-tier universities, and receive advice for advancing their careers. Among the 70 or so women invited this year are two postdoctoral researchers from UCSB’s Electrical and Computer Engineering Department, Chunfeng Cui and Hongwei Zhao.
“I’m hoping to form relationships with the other women in my field. I expect to come back inspired by the hard work, creativity, and contributions of my peers and ready to tackle my next big challenge,” said Brennan. “The experience I’ve gained as a graduate student at UCSB has positioned me to contribute to the greater community by developing impactful tools and techniques to address security-related issues.”
Bultan nominated Brennan for the workshop and described her as a future leader in computer science.
“Tegan is a brilliant computer scientist. Her solid math background and coding skills, combined with her exceptional intellect and work ethic, enable her to make meaningful contributions to any problem that she decides to work on,” said Bultan. “She is definitely a rising star in computing.”