Stephen Magill of Galois Inc. was all grins as his name was called to approach the stage and accept his award for a verification toolchain for C++ cryptographic libraries. Alex Stamos, Facebook’s CSO, and I presented the Secure the Internet Grants award, a $100,000 grant to pursue the project.

Magill was one of the 10 winners of our Secure the Internet Grants program, which awarded more than $800,000. Last year during the Black Hat USA conference keynote, we announced that we would fund up to $1 million toward defense-based security research in 2018. We will be awarding another $200,000 through the Internet Defense Prize later this month at the USENIX Security Symposium, as we have done since 2014.

The Secure the Internet Grants call for submissions last year invited university researchers and faculty, non-profit organizations, and NGOs to send research proposals to improve the security, privacy, and safety of internet users. The goal was to spur development of technology that may be applied in practice, rather than pure research, in a wide range of topics. A committee of Facebook security engineers reviewed the submissions and hand-picked the set of winners below (listed in order of grant payout, along with brief submission abstracts):

$100,000 to Stephen Magill, Mike Dodds, Joey Dodds, and Aaron Tomb of Galois Inc. for “Verified C++ Cryptography with SAW and Cryptol” — “In this project, we will build a verification toolchain for C++ cryptographic libraries. C++ is widely used in industry but poorly supported by current tools – our project will help remedy this situation. We will verify the HKDF key derivation algorithm from two C++ implementations of TLS1.3: the open-source Botan library and Facebook’s internal implementation. The key outcomes of our project will be: 1) a C++ version of our SAW verification tool, along with public-facing documentation of its new capabilities; 2) proofs of two verified HKDF implementations to serve as examples of use; and 3) CI-ready verification scripts for our proofs.”

$100,000 to Jessica Dheere of Social Media Exchange Association for “Enhancing Online & Offline Safety During Internet Disruptions in Times of War” — “With this qualitative research project, we aim to 1) obtain a more comprehensive understanding of the effects of internet disruptions on people’s physical safety and security in times of war in a variety of contexts; 2) document the services people need during these times, as well as the workarounds they employ; and 3) using this information recommend features that Facebook, and its subsidiary applications, could develop to improve consistency of access to online services, and in turn user safety and security, during armed conflict.”

$92,000 to Gianluca Stringhini of University College London for “Understanding the Use of Hijacked Facebook Accounts in the Wild” — “In this proposal we aim to perform a data-driven study on the factors that influence the malicious activity performed by a criminal on a hijacked Facebook account after they get access to it … Our aim is to provide Facebook, the research community, and the wider public with a better understanding of how account hijackers operate, with the goal of identifying better mitigation techniques against the problem.”

$80,045 to Nicola Dell of Cornell University for “Advancing Digital Privacy and Security for Novice Internet Users in the Global South” — “The goal of my proposed research is to understand and mitigate the privacy challenges faced by novice internet users in the Global South, focusing on Bangladesh as a first case study … My work addresses these challenges by: 1) collecting empirical data to understand novice internet users’ patterns and privacy concerns; 2) distilling privacy threat models and assessing the relevance, severity, and likelihood of attacks; and 3) using the new threat models to design and deploy novel interventions that improve digital privacy by supporting alternative usage models and increasing awareness of privacy.”

$80,000 to Thomas Ristenpart of Cornell Tech and Yevgeniy Dodis of New York University for “Improving Encrypted Messaging” — “The goal of the proposed research is to consider two natural extensions of the basic Signal functionality: 1) “asynchronous group messaging” where more than two peers can securely communicate in a fully asynchronous environment, while enjoying the strongest possible correctness and security guarantees; and 2) “message franking”, which is a mechanism to provide abuse reporting to the service provider, despite the fact that the latter cannot read any of the ‘normal’, unreported messages.”

$75,000 to Mahesh Banavar, Daqing Hou, and Stephanie Schuckers of Clarkson University for “Behavioral Biometrics for Post-password Authentication” — “To supplement existing Facebook authentication and detect imposters after initial log-in, we propose to develop behavior-based authentication, where user profiles consist of identifiers derived from user interactions with desktop and mobile devices (e.g. keystrokes, mouse, swipes). We will extract higher-order activity such as widget interaction, Likes, and Shares from Facebook and combine these with basic identifiers to create stronger authentication, with shorter detect time.”

$75,000 to Stefan Savage and Geoff Voelker of University of California, San Diego for “Evaluating Security Outcomes: Applying Evidence-based Security to Improve Cybersecurity Risk” — “The goal of our proposed work is to provide the data and analyses to bring large portions of cybersecurity under an evidence-based umbrella. Our approach is to correlate concrete cybersecurity outcomes (e.g., whether a particular machine is compromised or a credential is stolen) with concrete security behaviors (e.g., is the software patched, does the user of the machine visit file sharing sites, etc.). We hope to use this approach to both empirically evaluate particular hypotheses (i.e., a correlation between the use of file-sharing sites and host compromise might be explained by the poisoning of the file sharing ecosystem with malware). We will develop network measurement tools to extract a broad array of security-relevant behaviors as well as indicators of outcomes, using the machines connected to UCSD’s network as the basis of study.”

$75,000 to Rosario Gennaro of The City College of New York for “Public Evaluation of Private Perceptual Hash Algorithms” — “The open research question is the design of adversarially robust perceptual hashing where the algorithm can be publicly evaluated [without the adversary manipulating the image to bypass the algorithm]. This proposal puts forward some possible approaches to this problem from many different angles.”

$67,000 to Marshini Chetty of Princeton University and Susan Wyche of Michigan State University for “Understanding How Mobile Users Understand and Manage Privacy On Social Media in South Africa” — “We are applying to understand how mobile users, particularly low income users, understand and manage privacy on social media platforms in a developing world context. Our research will inform the design of improved privacy settings, controls, and ways of handling user data for Facebook platforms geared towards “unconnected” users in marginalized settings.”

$60,000 to Alan Mislove of Northeastern University and Krishna Gummadi of Max Planck Institute for Software Systems for “Towards privacy-protecting aggregate statistics in PII-based targeted advertising” — “We propose to develop techniques for revealing advertising statistics that provide hard guarantees of user privacy, based on a (principles-first) approach. Our goal is to develop a differential privacy-like approach that can be applied to existing advertising systems.”

We gave out the awards at a ceremony last night in Las Vegas, where other Facebook security leaders and I had a chance to meet and talk with the winners about their projects. It was really interesting to hear from these researchers about the work they’re doing to help secure the internet.

While this is the first time we have offered the Secure the Internet Grants, we are continuing to award the Internet Defense Prize, which will provide an additional $200,000 to researchers on August 15 at the USENIX Security Symposium. We are considering other investments in the future.

This program has been a great success, and it’s encouraging to see so much research being directed toward defense-based security to help better secure the internet.