mupuf.org // we are octopi

Steve Dodier-Lazaro

Research

I’m currently a PhD student at University College London. I work across the boundaries of several disciplines, and belong to the UCL Centre for Research on Evolution, Search and Testing, the Human-Centered Systems and the Information Security groups. My PhD research is supervised by Jens Krinke and Angela Sasse, and funded by a UCL Computer Science Department Excellence studentship.

My research primarily focuses on bridging the gap between research methods in Human-Computer Interaction and Computer Security on the one hand, and real-world interaction and software design on the other. I draw on theories and methods inspired by Ethnomethodology, particularly Suchman’s Situated Action, and Dourish’s writings on context and appropriation. I’m also interested in the application of Actor-Network Theory, controversy mapping and Phronetic social science to problems of deploying (security) technologies at scale.

Current work

My PhD thesis focuses on the appropriateness and appropriation of confinement technologies. Specifically, I’m interested in confining desktop applications on the typical computer of the typical information worker or productive computer user. Digital creators of all sorts have security needs just like the average netizen but often have far more complex expectations from their applications, which can rarely be met when sandboxes and access control mechanisms are introduced. For instance, applications commonly manipulate user files in automated ways, either to implement the retrieval of resources related to a user’s task at hand (office macros, movie subtitles and metadata, etc.) or to build bulk processing features (useful e.g. in photo editors, programming apps, etc.). Finding a middle ground between such complex needs and file access over-entitlement is not trivial, and yet needed for such users.

Besides, advanced models like activity-based confinement or content-based confinement, just as much as policy-based confinement systems, rely on the specification of legitimate contexts of use to enforce access to user resources and device capabilities. It is often said that context is an important source of information for understanding users’ activities and needs, yet context as a physical environment for computation relates to users’ behaviour and goals only to a limited extent. My opinion is that security mechanisms should be entirely agnostic to the environment in which they are deployed, especially when sensing one’s environment is yet another channel for attackers to tamper with a system. My approach, based on Dourish’s contextuality relationship, is to attempt to capture the relationships between the computing resources of users, exposing contextual relationships to end users and letting users manipulate them in ways meaningful to them. I am currently evaluating the feasibility of adversarial unsupervised recurrent activity learning, in order to progress towards this goal.

I’m currently investigating the driving forces of confinement research, and shedding light on the open problems often left aside that may be the key to deploying confinement for productive users. I’m doing so by comparing confinement research to theories of human action and by collecting evidence in the wild of what is actually going on on desktop systems. This evidence will allow me to provide a basis for evaluating classic and alternative models of process confinement and a list of requirements that confinement technologies must hold on to. My research is performed exclusively in the wild, and I place a strong emphasis on not priming users’ motivations, investigating meaningful and realistic interactions and not influencing how they express their security needs and expectations. My data collection system, once complete, will provide the evidence needed to progress towards all of the above questions, and more.

I also develop and maintain a series of tools for in-the-wild data collection along with many awesome UCL students and our head of group Angela Sasse. We’re currently building tools to capture passwords on Google Chrome, to capture multitasking and application behaviour metrics on Linux, and generic websites for supporting the ethical and logistic requirements of field studies.

The password collection tool is the starting point of two side projects, led by UCL students whom I supervise: a project to build tools for password reuse calculation, and risk metrics based on the quantity and type of password reuse; and a cross-cultural study of password habits across languages, types of keyboard layouts and cultural sites. If you’re a UCL undergraduate student or MSc (HCI-E or IS) student and interested in doing a project, or if you’re a researcher outside the US and UK and would like to collaborate with us, do contact me!

Why focus on people?

My tools and methods allow me to go in the wild, and to take a truly person-centric stance on information security. Rather than sterile discussions on the technical details of security, we aim to understand what it’s like for lay citizens to juggle with the security requirements of the services they use, and to design products that solve their problems rather than ours. In my PhD research, I’m not interested in how easy it is for researchers to hook system calls and enforce an arbitrary policy, but in why their default policy allows users to be productive and how easily users can tame abusing applications (for instance, I’m abashed that Android prevents me from revoking permissions from misbehavers).

Similarly, our password collection plugin focuses on password reuse. This problem of credential reuse is well-known, but is truly not a concern of either application developers or security researchers who provide alternatives to passwords. IT actors focus on what it costs them to deploy and how much they are to blame in case of security breaches, rather than how much their requirements will add to the strain their users face. Yet, users have to deal with tens of authentication methods and security rituals, and need coping mechanisms. Many researchers who develop alternatives to passwords ignore this reality and never study how the accumulation of security interactions would impact users and what coping mechanisms would emerge. By qualifying and quantifying reuse, we can help users be strategic about how they cope to reduce risk without increasing effort. This is only possible with a focus on people rather than technology, and by going in the wild.

In warning research for instance, a great deal of focus is put on forcing users to pay attention (by all stretches of the mind, including forcing users to retype the content of warning boxes), even though field evidence shows users won’t waste more than two seconds on warnings in daily use. A person-centric approach would look at quantifying the warnings users are exposed to and prioritising them or designing them away from every-day interactions. I’m happy to provide consultancy on this topic or collaborate on warning design studies.

This ‘focus on people’ mentality, along with a couple of other study design principles we rely on in my group, will be the object of a publication in the future. Until then, feel free to write to me if you’re interested in discussing research methods on your topic!

Teaching

I’m the teaching assistant of a variety of courses in UCL’s MSc in Information Security, including Language-Based Security and Information Security I. I’ve also helped out with running courses on Robotics Programming and Privacy-Enhancing Technologies.

In Language-Based Security, I run labs for introductory courses on dynamic and static analysis as well as formal reasoning about information flows in programs. I am generally interested in hearing about research involving information flow control, control-flow integrity, access control, and program analysis. The lecture and labs take the students through a variety of analysis and testing methods (data flow analysis, dependency analysis, fuzz testing, binary instrumentation, information flow analysis and non-interference, information flow quantification, decentralised label models and secure multi-execution).

In the labs, we learn the ropes of each approach by doing, and by openly and interactively discussing their advantages and limits. We connect methods to one another by seeing how they complement each other’s weaknesses. I particularly insist on how the methods only reflect the analysis problems at hand, and can be freely deconstructed, reconstructed and combined together to tackle larger issues.

FOSS

I’ve been contributing to free and open-source software since 2009, starting as a developer for the Xubuntu Linux distribution, as well as several pieces of software (Exaile and Xfce, mostly bug fixing). Unfortunately, I can’t seem to find the time to do it any more, so I merely contribute some patches to the bugs in my own pieces of software. I still occasionally pop up on FOSS projects’ IRCs to discuss usability and to report bugs. These days, I help the Xfce Design Special Interest Group, mentor newcomers to Xfce and help promote and speak for the project. I’m one of the people behind the Xfce Twitter feed.

I’m also loosely involved in security discussions around the Wayland display protocol. We’re working with Martin Peres from X.org/Intel on setting up Libwsm, an infrastructure for applications and compositors to negotiate permissions. We gave a talk about Libwsm at the X.Org Developer Conference 2014 (slides here). I place focus on allowing each individual actor (app developers, compositor developers, distributors, sysadmins and then end users) to decide by themselves what policies should apply, rather than having a single actor force a policy onto users. In particular, my Libwsm backend loads policy from a single file per application, in order to ensure full visibility on applied policies to whomever edits them. I also distinguish between actively written policy (hard permissions) and generally desirable rules (soft permissions) which can be modified in situation with mechanisms such as Trusted UIs. I partially ported GTK+’s File Chooser dialog to act as a Trusted UI, re-integrating features commonly needed by desktop app developers such as [automatic file type changing (code in a separate branch)](https://github.com/Sidnioulz/SandboxGtk/). Part of my PhD research’s data collection is dedicated to evaluating the feasibility of more complex Trusted UIs than the traditional file chooser dialogue deployed in Windows 8 and OS X.

I provide one-off security and usability consultancy for FOSS projects on demand, but I don’t have time for sustained support. Feel free to get in touch in any case. I can provide consultancy for businesses if you can fund internships / projects for UCL students aligned with my research interests, or if you can remunerate me as you would an industry consultant.

Software Development

I have contributed to the following projects in the past:

  • Xfce, a Linux desktop environment, as a member of the Xfce Design SIG, but also by providing security expertise, bug triaging, public relations, programmer mentoring, and occasionally by patching Xfce software
  • Xubuntu, an Xfce-based GNU/Linux distribution, contributing in various ways, by reviewing applications for use in Xubuntu, writing software meant to improve user experience, translating apps and documentation, and mostly by pissing the Xubuntu developers off all day long with my opinions.
  • Exaile, a Python music player, as an external developer proposing feature and bugfix patches as a consequence of its use in Xubuntu – I’m very likely to keep working on Exaile when I find time for it

I also wrote (and am meant to maintain) the following software:

  • RezTorrent, a CLI BitTorrent client with very few dependencies, as its lead developer. RZ was meant to evolve as the most interesting choice for seeding servers, but is currently not maintained since neither I nor the other developer can find the time to do the code refactoring it requires.
  • Xfce4 Volume Daemon, as its developer and maintainer. XVD is used to control the volume keys and show synchronous volume notifications in Xubuntu. Nothing extraordinary here, though…
  • Context-Editor, an application for editing, visualizing and checking basic properties on the security properties used by Contextd - the application firewall written by Martin Peres, for the research team Security and Distributed Systems of the Laboratoire d’Informatique Fondamentale d’Orléans (LIFO). Both pieces of software are part of the PIGA-SYSTRANS software suite.
  • SODA CD, a prototype of VR physics simulation that runs collision detection in a fully distributed way. This prototype was written with Free software (Bullet Physics, Ogre 3D and Qt). My work led to a publication on the feasibility of collision detection on distributed systems. My former supervisor Valérie Gouranton is looking for students with an interest in distributed systems and constraint solving to continue this project and implement fully distributed collision handling.

I have co-founded the Shimmer Project with Pasi Lallinaho. It relates to design and artwork for desktop environments and applications. As I have for now retired from FOSS development, Pasi is now managing Shimmer on his own with help from Simon Steinbeiß. Shimmer mostly produces artwork for GTK+ systems, but has know-how on UI design as well.

Short Bio / Education

Before joining UCL, I worked at Inria Rennes as a research engineer where I built the first steps towards fully-distributed VR physics simulations. I obtained an MRes in computer science in Rennes, with a specialisation in distributed systems. I also worked on natural language processing for a short time whilst visiting FBK in Trento, Italy. There, I worked on the disambiguation and classification of named entities.

Prior to that, I trained as a computer security engineer at ENSIB (now INSA-CVL). I have a Diplôme d’ingénieur (equivalent to an MSc in engineering) in computer security. While at ENSIB, I completed a few projects aimed at simplifying system administration and policy authoring for PIGA OS, a Linux desktop OS running a strengthened version of SELinux capable of enforcing policies on sequences of system calls. One of my projects aimed at proving that static MAC systems like SELinux are unable to provide the protection needed on desktop systems because they cannot reason about the context in which a system call occurs.

In more ancient times, I obtained my Bachelor’s degree in Computer Science from the University of Montpellier II with what’d be First Honours in the UK. I wrote RezTorrent, a low-memory CLI BitTorrent client, alongside Boris Albar as part of my undergrad work. I was born and raised in Breizh, France, and grew up in a Franco-Spanish family. I speak French, English and Spanish fluently (albeit my Spanish vocabulary is terribly rusty).