Interview with Daniel Votipka
Professor Daniel Votipka, who is currently completing a cybersecurity-focused doctorate at the University of Maryland, will be joining the Computer Science department for one semester starting this January. JumboSec's Social Media Manager, Madeline McLaughlin '23, interviewed him to learn more about his work.
How did you get interested in security and how do you suggest that students gain experience and knowledge in the field if they are just getting started/interested?
I first got interested in security in high school, but I only had a vague notion of what that meant and I had very little understanding of how to be successful beyond going to a college that had security courses. It wasn't until I did an internship at the National Security Agency (NSA) during college that I really started to have a concrete notion of security challenges. What I learned fascinated me the most is the idea that in security you have an active adversary. This is unlike most programming challenges where you're trying to optimize according to some relatively static benchmark (e.g., time/space complexity, accuracy, etc.). Therefore, you not only have to consider how well your defenses work, but you also have to consider the capabilities of your adversary, how they might think or behave (not always rationally), and how users of your system will respond (also, not necessarily rationally).
Throughout my career, I've had the privilege to talk to many security professionals about how they developed the necessary skills to be effective in this field (check out this paper for more specifics). From these discussions, there have been two main takeaways: 1) get a good understanding of how systems actually work, and 2) expose yourself to examples of how things go wrong.
For the first point, it's important to understand how any system you're trying to protect or exploit actually works under the hood. This means understanding things like the underlying algorithms, how memory management works, assumptions made by APIs, etc. If you just know how something works at the surface level, you won't be able to identify the odd edge cases that can lead to problems. This type of expertise is what you're hopefully learning at Tufts as we teach the underlying computer science theory behind the technology you use and you'll learn even more through practical experience building your own programs.
The second point is much more specific to security. What I've found in talking with and watching security experts is that they've generally got a mental rolodex of vulnerabilities they're checking for as they go through analyzing systems. They try to understand as much as they can about how the system functions and then compare that to similar vulnerable systems they've seen in the past to see if an exploit they've seen before might fit. The more experience they have, the more problems they're able to recognize (and typically the faster they're able to do it). There are several ways you can start to develop this experience. One of the most common is by participating in online hacking exercises like picoCTF, pwn.college, or root-me.org. In addition to the actual challenges they provide, they also give a lot of really good walkthroughs and general security information that should be helpful to people who are new to security. Another useful method for developing experience is reading writeups for publicly disclosed vulnerabilities (here's a list of good writeups of vulnerabilities submitted to Bugcrowd). Once you get a bit of experience, there are plenty of real-world targets you can start to investigate with the growth of public bug bounty programs (Bugcrowd, HackerOne, Synack). Finally, I'd also recommend trying any of these things with others. It can be hard to figure out some of these security challenges the first time or really parse what's going on in a writeup, so it helps to have the support and encouragement of someone else struggling alongside you (i.e., other JumboSec members).
Could you elaborate on the research/work you’ve done in the past relating to reverse engineering and vulnerability discovery?
Prior to starting my PhD, I worked as a reverse engineer at the NSA for three years. During that time, it became very clear that there wasn't much consideration of the people actually doing reverse engineering when RE tools were built. You basically needed to read a textbook on any particular tool before you could use it. Also, integrating any interesting security analysis into your pipeline was a significant challenge. When I started my PhD, I had some familiarity with the growing field of research into usability for end-users, but there wasn't much work considering these challenges faced by security professionals (who are still users, just of a generally more complex tool). So, I set out to better understand the needs of security professionals -- mostly in reverse engineering and vulnerability discovery due to my background, but I also have done some work in network defense. This research has followed two directions. First, I've investigated how practitioners actually look for vulnerabilities and reverse engineer programs, using my findings to develop more usable tools for vulnerability discovery. I've also done work looking at how security is taught (here and here) and thinking about ways we can improve the current model.
What kind of research are you doing at Tufts?
The research I've been doing in vulnerability discovery is still in its early phases, so I plan to continue this work. I'm looking for interesting ways we can apply lessons learned from how professionals find vulnerabilities to integrate advanced program analysis techniques into their workflow. For example, I'm currently working with Dr. Foster to develop program synthesis-based approaches to produce simplified versions of programs to reverse engineers, helping them limit the scope of their search to only relevant program components. I'm also continuing to investigate the educational aspects of vulnerability discovery. This includes both developing and evaluating novel methods for education, but also investigating barriers to entry and retention for some students in the current ecosystem, with an eye toward improving diversity in the vulnerability discovery community.
I'm also interested in expanding my work to consider human factors in other areas of security work. For example, understanding the challenges faced by software developers when trying to write secure code or systems administrators when trying to set up and maintain large systems. One thing I am most interested in here is how team dynamics interact with security.
Finally, I'm generally just interested in studying human factors challenges in security and privacy, so if you have an idea or thought that you're curious about, I'd love to hear it. There might be a really interesting research project in there for us to work on!
What are you most looking forward to at Tufts—what kinds of classes you’ll be teaching or anything else Tufts-related?
I'm most looking forward to getting to work with all the people at Tufts. Everyone I've met so far is excited and thoughtful and that's definitely true of JumboSec. I can't wait to get to hear all your ideas and questions and learn more about security with you.
What course are you teaching in the Spring?
I'm teaching a special topics course on Human Factors in Security and Privacy (COMP 150-4). The course will cover a wide range of problems in usable security (passwords, mobile authentication, secure development, etc.) and teach students the necessary skills to run their own user study.
Madeline McLaughlin '22
November 1, 2020