I am an associate professor in the Khoury College of Computer
Sciences at Northeastern University, and a member of the Cybersecurity and Privacy Institute.
My research is primarily in the areas of distributed systems and
networking, with a recent focus on privacy, security, transparency, and mobile systems.
My research approach is to combine science and engineering to understand and improve the performance, reliability, and security of Internet systems. With respect to science, I empirically measure computer systems that interact over the Internet to understand how well they match existing models and assumptions, then investigate the root causes for violations of those models/assumptions—often then leading to the design of new models. In many cases, our observations also suggest the design of systems that exploit previously unknown information about how our Internet-enabled systems work, and as an engineer I build and evaluate such systems in a way that other researchers, users, and policy makers can benefit from the result. To date, the software artifacts of my research have more than one million users, and my research teams have produced reports and datasets that informed additional research, policy debates, regulators, and legislators.
- Prospective students! I am currently
looking to admit Ph.D. students starting in the Fall 2020. Please see this page
for more information. I am particularly interested in researchers at the intersection of privacy, security and networking who are interested in projects involving mobile and IoT systems.
Also, I am always on the lookout for Northeastern MS and undergraduate students
who are interested in privacy, security, net neutrality, and building mobile systems.
- 7/19/19 Very excited to report that two papers I coauthored will appear at IMC 2019.
  - In Information Exposure From Consumer IoT Devices: A Multidimensional, Network-Informed Measurement Approach, led by my recently graduated PhD student Dr. Jingjing Ren, we conduct a multidimensional analysis of privacy exposure from 81 devices located in labs in the US and UK, using more than 34,000 automated and manual experiments. We characterize privacy exposure in terms of destinations of Internet traffic, whether the contents of communication are protected by encryption, what are the IoT-device interactions that each destination learns about, and whether there are unexpected exposures of sensitive information (e.g., video surreptitiously transmitted by a recording device). This is joint work with Daniel J. Dubois, Anna Maria Mandalari, Roman Kolcun, and Hamed Haddadi.
  - In RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins, led by former NEU postdoc Taejoong Chung, we study the evolution of the RPKI deployment using a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed. We find that the RPKI has seen a rapid increase in adoption over the past two years, and recently misconfigurations are rare, meaning that the deployment is ready for prime time and ready for ISPs to drop RPKI invalid routes. This is joint work with Emile Aben, Tim Bruijnzeels, Balakrishnan Chandrasekaran, Dave Levin, Bruce Maggs, Alan Mislove, Roland van Rijswijk-Deij, John P. Rula, and Nick Sullivan.
- 6/7/19 Tenure achievement unlocked! I am beyond excited to report that the President and Board of Trustees of Northeastern University have approved my promotion to Associate Professor with tenure. I have so many people to thank, including all of my outstanding collaborators and colleagues, and of course my family for supporting me along this long and fruitful journey.
- 5/3/19 Beyond proud to report that my PhD student's work on analyzing global net neutrality violations using Wehe was accepted to SIGCOMM 2019! This was a multiyear effort with tons of support from the rest of the research team (Arian Niaki and Phillipa Gill from UMass, and Alan Mislove and me at NEU), along with important contributions to app and system development from Kirill Voloshin, Harsh Modi, I-Farn Chen, and more. I'd also like to thank the 100,000+ users who have run tests using our Wehe apps, Arcep for our collaboration on auditing net neutrality violations in France, and our other partners/sponsors (the NSF, Google, Verizon Labs, Measurement-Lab, and Amazon AWS).
- 8/3/18 I will be co-chairing the program committee for the 20th edition of the Passive and Active Measurement (PAM) Conference, to be held in Chilean Patagonia (Puerto Varas)! More details at the PAM 2019 website. Looking forward to seeing great measurement submissions.
- 7/31/18 Pleased to report that our work on measuring whether we're ready to move to HTTPS certificate validation via OCSP was accepted to IMC '18. Joint work with Taejoong Chung, Jay Lok, Balakrishnan Chandrasekaran, Dave Levin, Bruce Maggs, Alan Mislove, John Rula, Nick Sullivan (Cloudflare) and Christo Wilson.
- 7/3/18 Coverage of our work on apps that spy on you. TL;DR: We didn't see abuse of microphone or cameras, but we did see how apps are recording your every move and sending images/videos of this to third parties. We responsibly disclosed to Google and others, and they took action to mitigate this privacy risk. More details in our paper.
- 5/4/18 My recently graduated Ph.D. student, Dr. Arash Molavi Kakhki, won the 2018 Northeastern CCIS Excellence in Research Award. Congrats, Arash!
- 5/2/18 Just a few end-of-semester updates:
  - Our paper "Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications" was accepted to PETs 2018. We found some scary stuff and are in the process of responsible disclosure, so stay tuned.
  - Our paper "A First Look at Certification Authority Authorization (CAA)" appeared in SIGCOMM CCR's April issue. This is joint work with TUM, RWTH Aachen, University of Twente, and University of Sydney.
  - I'm co-chairing the IRTF Applied Networking Research Workshop to be held at IETF 102. We received over 40 submissions in this reboot of the workshop, which promises to feature a great program.
  - My PhD student Jingjing Ren presented her NDSS work on privacy leaks over time at the FTC's annual PrivacyCon event.
  - I testified again at the MA state legislature on the topic of net neutrality.
  - We've now received more than a half million tests from our Wehe app. Download it now for iOS and Android, and learn if your ISP is violating net neutrality.
- 2/20/18 Our paper, Automated Attack Discovery in TCP Congestion Control Using a Model-guided Approach, won the Cisco Network Security Best Paper Award at NDSS! Joint work with Samuel Jero, Endadul Hoque, Alan Mislove, and Cristina Nita-Rotaru.
- 2/12/18 First update of the new year. Just a few things happened...
  - Our Wehe app for detecting net neutrality violations got quite a bit of attention, in large part due to Apple rejecting our app and then later reversing its decision. Our work was subsequently covered by dozens of news outlets, and a piece about net neutrality featuring this work appeared on VICE News. Thanks to this publicity we have received over 100,000 tests worldwide, and we will be updating our website with our findings as we process the data.
  - I testified to the Massachusetts State Senate Committee on Net Neutrality and Consumer Protection; you can find coverage here.
  - Arash Molavi Kakhki, my recently graduated PhD student, won the IRTF's Applied Networking Research Prize for his work on QUIC that was published at IMC 2017.
- 12/24/17 Year-end update:
  - Our longitudinal study on app privacy (to appear in NDSS'18) was selected for presentation at FTC PrivacyCon 2018.
  - A first look at in-flight WiFi (joint work with Northwestern) was accepted to WWW'18.
  - I led a panel on tools for data transparency at the DTL'17 conference, featuring Ashkan Soltani, Kashmir Hill, Justin Brookman, Franck Baudot, and Andrea Martens.
  - ReCon was awarded a grant from the Comcast Innovation Fund.
  - Wehe, our tool for detecting net neutrality violations, has been selected by ARCEP (the French telecom regulator) for providing consumers in France the ability to monitor and report ISPs that unlawfully differentiate network traffic.
  - More exciting news to report in 2018!
- 10/30/17 Excited to report that I will have two papers appearing at NDSS 2018! "Bug Fixes, Improvements, ... and Privacy Leaks - A Longitudinal Study of PII Leaks Across Android App Versions" -- joint work with UCSB, U of Helsinki and IMDEA/ICSI -- explores how app privacy leaks change over time. "Automated Attack Discovery in TCP Congestion Control Using a Model-guided Approach" -- joint work with Purdue and FIU -- combines the generality of implementation-agnostic fuzzing with the precision of runtime analysis to find attacks against implementations of TCP congestion control.
- 9/8/17 I gave a talk about DPI middleboxes and their implications for policymakers at TPRC 45. Read my paper on the topic here.
- 8/21/17 The Harvest documentary film, which is based on data gathered from the ReCon Project, is now available online for free! This short film (11 minutes) appeared at several prestigious film festivals, including Aspen Shortsfest, HotDocs, Seattle International Film Festival, and Rooftop Films summer series.
- 8/16/17 Our paper on studying DNSSEC and its improper deployments won the Distinguished Paper award at USENIX Security '17! Congratulations to the lead author, Taejoong Chung, and all the rest of our coauthors!
- 7/28/17 Northeastern continues its strong presence in IMC, with four papers appearing in the conference! I am involved in all four of them:
  - "Taking a Long Look at QUIC: An Approach for Rigorous Evaluation of Rapidly Evolving Transport Protocols"
  - "lib·erate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently" (with UMass-Amherst)
  - "Understanding the Role of Registrars in DNSSEC Deployment" (with Maryland, Duke/Akamai, University of Twente)
  - "The Record Route Option is an Option!" (with Rutgers/USC/Columbia/Microsoft and Waikato)

  More details to come after camera-ready versions are prepared.
- 6/23/17 Many updates after a long hiatus.
  - Harvest will appear at Rooftop Films in NYC, where we will be running an interactive event using ReCon. It's a free event, register here.
  - Our paper on studying DNSSEC and its improper deployments was accepted to USENIX Security. This completes my first-ever "cycle" for top security conferences (CCS, NDSS, Oakland, USENIX). Wouldn't have been able to do it without my ridiculously talented collaborators.
  - Our poster on studying the DNSSEC root key rollover event was accepted to the SIGCOMM poster session.
  - Our traffic differentiation work was covered in the ARCEP (French national telecom regulator) annual report (page 73).
  - ReCon was in the news (again)! A great article by Fast Company and a TV story by NBC News Boston.
- 5/4/17 Harvest continues its film festival appearances, with announcements today that it will appear at BAMcinemaFest in NYC and the Seattle International Film Festival.
- 4/26/17 After a successful world premiere in Aspen, the Harvest documentary film will have its international premiere at the HotDocs Film Festival in Toronto this weekend!
- 3/14/17 Thrilled to announce that Harvest, a documentary film that used our ReCon project to identify and highlight privacy risks when using mobile apps, will be premiering at the Aspen Film Festival in April!
- 3/10/17 ReCon was mentioned in the Danish news site Version2.
- 2/15/17 Our ReCon project was mentioned in a Boston Globe article about mobile privacy.
- 2/14/17 Renata Teixeira (Inria) and I were awarded a Google Faculty Research Award for our proposal on diagnosing and improving QoE. Thanks, Google!
- Older news...
For those who don't know me, the following passage has become a theme
that runs through my life. In short, I "push the rock," just like Sisyphus from Greek
mythology. But Camus tells it better:
As for this myth, one
sees merely the whole effort of a body straining to raise the huge
stone, to roll it and push it up a slope a hundred times over; one sees
the face screwed up, the cheek tight against the stone, the shoulder
bracing the clay-covered mass, the foot wedging it, the fresh start
with arms outstretched, the wholly human security of two earth-clotted
hands. At the very end of his long effort measured by skyless space and
time without depth, the purpose is achieved. Then Sisyphus watches the
stone rush down in a few moments toward that lower world whence he will
have to push it up again toward the summit. He goes back down to the
plain. It is during that return, that pause, that Sisyphus interests
me. A face that toils so close to stones is already stone itself! I see
that man going back down with a heavy yet measured step toward the
torment of which he will never know the end. That hour like a
breathing-space which returns as surely as his suffering, that is the
hour of consciousness. At each of those moments when he leaves the
heights and gradually sinks toward the lairs of the gods, he is
superior to his fate. He is stronger than his rock.
-- Albert Camus, The Myth of Sisyphus