This Science News Wire page contains a press release issued by an organization and is provided to you "as is" with little or no review from Science X staff.

New research is working to prevent digital data leaks

May 20th, 2023 Matt Davenport

With so much of our lives being stored online and in digital databases, it's reassuring to know that there are people out there like Borzoo Bonakdarpour, an associate professor in the Department of Computer Science and Engineering at Michigan State University.

He's working to prevent private information from leaking into public spheres.

"We sort of trust that computer programmers don't make mistakes," Bonakdarpour said. "But they're still human, right? They make mistakes all the time. This can introduce bugs that are accidental, but they can still result in massive security breaches."

Bonakdarpour and his team recently won a grant from the National Science Foundation to develop what he calls "enforcers," programs that can automatically spot and remedy those digital gaffes before they do harm.

The following is an edited Q&A with Bonakdarpour about his work.

Where does your work fit into the big picture of cybersecurity?

My focus is on what's called information-flow security and on developing algorithms that can verify the correctness of computer programs with respect to information flow. Information-flow security is about how secrets can leak into observable public channels.

Where can you find information-flow security concerns?

There are a lot of companies—from very big to small—that are paying attention to the correctness of information flow.

One area it's really important is in cloud services. For example, Amazon is very interested in this. If there's a bad flow of information from user to user on the cloud, that could mean a company disaster.

Another big area is hardware design. Intel learned this the hard way in 1995 when, at the time, there was bug in the Pentium processor code. They had to recall everything.

Then a few years ago, we found out there were different bugs in processor designs. They were called Spectre and Meltdown and they were very famous because virtually any computer could leak information.

Companies started developing software patches for that and the problem isn't bad now, but it just shows how subtle and intricate these problems can be.

Can you give an example of what that subtlety can look like?

For instance, how long it takes for a program to run can depend on a secret value. So, if you run the program twice, I can infer the value of the secret just by how long the program takes to execute each time.

There's an algorithm for encryption, and early implementations could not sense that your private encryption key determined its execution time. So, an attacker could guess your encryption key based on that time. The countermeasure is that the algorithm runs constantly, no matter what the key is, so an attacker cannot guess it.

And attacks can be even more sophisticated, like using the radiation or heat signature from your processor to reveal information.

What is your lab doing to help address these vulnerabilities?

We're developing algorithms to verify the correctness of computer programs with respect to information flow—sort of taking humans, who can introduce bugs, out of the loop. We're working to develop programs that can automatically generate other programs that we know are correct by construction.

With our new NSF grant, we're taking the first step. We're not generating those top-level programs, but we are generating what we call "enforcers." Enforcers look at what goes in and out of your computing system, and if it senses that something is not right, it starts addressing it.

It's kind of like a safety net, but more active. It doesn't just raise a red flag, it also tries to correct it. It doesn't fix the code—that's another cool problem called program repair that I have another pending proposal for—but it can take actions based on inputs and outputs.

I'll give you an analogy as an example. Imagine something goes wrong with the traffic light at an intersection. If there's a problem and both directions have a green light, there can be accidents.

An enforcer would force one or both lights to be red. It doesn't necessarily solve the root problem, but it prevents an accident until somebody can.

Do you have any advice on how those of us who aren't cybersecurity experts can keep our information safe?

This is not necessarily related to security, but my personal view is that we are sharing too much information with companies.

Two years ago, my wife Googled mattresses for our kids and the next day I'm getting Facebook ads for mattresses. We haven't declared that we're married on Facebook, but somehow it knows we're connected.

I'm actually not a secretive person at all, but I think we should share as little as possible with these companies. At the same time, these companies and their services have privacy instructions. They have knobs and settings you can adjust to take care of your information, so be sure you're paying attention to those.

Provided by Michigan State University

Citation: New research is working to prevent digital data leaks (2023, May 20) retrieved 21 August 2025 from https://sciencex.com/wire-news/446016595/new-research-is-working-to-prevent-digital-data-leaks.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.
Back to list