Xing, Liao earn Privacy-Enhancing Technologies Research Award from Facebook

Luyi Xing and Xiaojing Liao, both assistant professors of computer science at the Luddy School of Informatics, Computing, and Engineering, have been granted a Privacy-Enhancing Technologies Research Award from Facebook.

The award, which sought proposals from academics conducting research in applied cryptography, data polices and compliance, differential privacy, and privacy in artificial intelligence, attracted nearly 160 proposals from more than 100 universities around the world. Liao and Xing’s proposal, “Safeguarding user data against cross-library data harvesting,” was one of just 10 projects honored.

“Xiaojing and I are excited to receive this award, which shows high, real-world impact of our research on the IT industry and normal users,” Xing said. “The award will help hire a new Ph.D. student passionate about security and privacy and continue to strengthen our already stellar security program at IU.”

The project stems from a previous award given to Xing as part of Facebook’s Bug Bounty program, which helps the technology giant detect and fix vulnerabilities while spotting new security trends. In that instance, Xing and his colleagues discovered a new type of real-world privacy-harvesting activities, namely illicit software-development kits (SDK) that had been actively harvesting the data of other third-party SDKs that co-locate in mobile applications. These activities went undetected by anti-virus engines, vetting efforts for Google Play and the Apple Store, and previous academic approaches for privacy leakage detection.

That prior research included the development of XFinder, an approach which combines static program analysis and natural language processing to systematically study cross-library data harvesting threats. The new project aims to gain better insights into data harvesting cybercrime in the wild, the techniques favored by the cyber attackers, and the system design weaknesses that most likely lead to privacy damages to mobile users.

“The new insights will help us effectively find and defeat real-world privacy-harvesting cybercrime and urge system security researchers and practitioners to harden modern operating systems for those most high-impact weaknesses,” Xing said. “Modern operating systems, although designed and patched with security in mind, still come with design weaknesses, as we have continuously discovered, and have a lot of trade-offs in favor of performance and usability, which can give attackers tremendous opportunities to impose damages to user privacy.”

The group plans on developing innovative techniques tailored to detect cross-library data harvesting, including privacy-sensitive application programming interface identification—precisely connecting the return value of a software development toolkit’s API to the data item protected by data access and sharing policy of the SDK vendor—and a policy compliance check, which will use policies to determine whether a privacy-sensitive API poses a threat.

“The researchers at the Luddy School are known around the world for their innovative thinking and identify not only the problems that exist but anticipate issues before they become widespread,” said Kay Connelly, associate dean for research at the Luddy School. “Being recognized by a tech giant such as Facebook only reinforces the well-deserved reputation of our secure computing program, and this award will allow Luyi, Xiaojing, and their colleagues to play a pivotal role in improving the security of critical data.”