School of Computer Science
Personal Web Page

Research

My research focuses on computer security, although I'm also interested in distributed systems, security-centric aspects of usability, and natural language processing. I'm a member of the School's Formal Verification & Security Group and, more widely, CryptoForma.

Information leakage

My PhD is based around the concept of information leakage. Programs take inputs, perform some processing on those inputs, and produce outputs. Nearly all programs, by their nature, will leak information about the inputs in their outputs; for example, consider a password-checking program that prints yes if a given password is correct and no if it isn't — the respective output (yes or no) will expose information about the given input (the password). Sometimes a programmer wants the inputs for a program to remain secret, especially if they contain sensitive data (e.g. the passwords in the previous example), and this can become problematic if an attacker can observe the program's outputs — the attacker might notice patterns or other occurrences that can be used to guess what the secret inputs might have been, depending on how the program was written. Clearly information leakage is therefore a large security concern.

My work focuses on measuring the severity of information leaks. With Tom Chothia, Yusuke Kawamoto and Dave Parker, I've developed a model that defines the information leakage from an arbitrary number of secret variable values in a program to the program's observable output, and have applied the model to the semantics of a bespoke probabilistic programming language named CH-IMP. The eventual aim is to produce a similar information leakage-checking tool for a major programming language that is fast, accurate, and informative for the programmer; my current work is focusing on the best way to achieve that in Java.
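
An added illustration, not code from the author or from CH-IMP: the password checker described above, with its leak measured in bits. Shannon mutual information as the measure, the four-value secret space, the fixed guess and the prefix-length variant are all assumptions made for this example.

```python
import math
from collections import defaultdict

def leakage_bits(prior, program):
    """Shannon mutual information I(secret; output) in bits.

    prior:   dict mapping each secret to its probability
    program: callable mapping a secret to a dict {output: probability},
             so both deterministic and probabilistic programs fit.
    """
    joint = {}
    out_marginal = defaultdict(float)
    for secret, p_s in prior.items():
        for out, p_o in program(secret).items():
            joint[(secret, out)] = p_s * p_o
            out_marginal[out] += p_s * p_o
    return sum(p * math.log2(p / (prior[s] * out_marginal[o]))
               for (s, o), p in joint.items() if p > 0)

# Constructed sample data: a 2-bit secret, uniformly distributed,
# and one fixed guess supplied by the observer.
PRIOR = {"00": 0.25, "01": 0.25, "10": 0.25, "11": 0.25}
GUESS = "00"

def yes_no_checker(secret):
    """Prints yes if the guess is correct and no otherwise."""
    return {"yes" if secret == GUESS else "no": 1.0}

def prefix_checker(secret):
    """Hypothetical chattier variant: reports how many leading
    characters of the guess were correct."""
    matched = 0
    for a, b in zip(secret, GUESS):
        if a != b:
            break
        matched += 1
    return {matched: 1.0}

def constant_program(secret):
    """Output independent of the secret: nothing leaks."""
    return {"done": 1.0}

if __name__ == "__main__":
    secret_bits = -sum(p * math.log2(p) for p in PRIOR.values())
    for prog in (constant_program, yes_no_checker, prefix_checker):
        print(f"{prog.__name__:17s} leaks "
              f"{leakage_bits(PRIOR, prog):.4f} of {secret_bits:.0f} bits")
```

Both checkers leak less than the full 2 bits of the secret on a single run, but the prefix-reporting variant leaks almost twice as much as the plain yes/no version.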

Monitoring of peer-to-peer networks

One of my side interests is the monitoring of peer-to-peer networks — particularly BitTorrent — by third parties. It's well known that copyright enforcement agencies gather information about BitTorrent users sharing copyrighted movies and music; usually, they collect information that can be used to indirectly identify infringing users (such as their IP addresses), then subpoena ISPs into revealing the names and addresses of subscribers suspected of committing copyright infringement, and (sometimes very publicly) sue them on behalf of the copyright holders. The technique used to collect the IP addresses, which we call "indirect monitoring", is fraught with false positives; a more reliable alternative — which we name "direct monitoring" — has been proposed, but it isn't clear whether it's in widespread use.

From 2009 to 2011, we studied the behaviour of BitTorrent peers in swarms for torrents indexed by The Pirate Bay, a famous file-sharing web site. We found that copyright enforcement agencies are still engaging in indirect monitoring, and that some of them are now performing a weak form of direct monitoring (the evidence they're collecting hasn't been tested in court yet, but we think it's unlikely to prove conclusively that a user has shared a particular file). We observed the monitors' behaviour and proposed a set of metrics that can be used to help identify which users in a BitTorrent swarm are copyright enforcement agencies performing direct monitoring.