Three Systems Security group members complete DPhils
Posted: 11th July 2011
Three members of the System Security group have all passed (or, as it’s technically known, “been granted leave to supplicate for”) their DPhils – the Oxford equivalent to a PhD – at the same time. Completing a PhD is a huge achievement; but with the relatively small size of the group, three people completing at the same time is unusual. Many congratulations to John Lyle, Ronald Kainda and Shamal Faily.
John's thesis investigates how we can gain confidence in the security and trustworthiness of web servers hosted on the internet. For example: how can you be sure that your online bank is free from viruses, or that your online travel agent is not going to steal your credit card details? One solution is to use computers which can securely report the identity of the software they are currently using. This process is known as ‘attestation’. For example, a server might attest that it is running Microsoft Windows Vista and has been fully updated. Attestation uses a hardware chip called a Trusted Platform Module to make sure that the server cannot lie about the result. However, there are many challenges with using a Trusted Platform Module, and this thesis investigates how these problems can be solved to make attestation significantly more practical.
Ronald’s research involved analysing the technical requirements of mobile device security protocols and developing ways through which users can interact with these protocols with minimum effort without compromising security. In the course of this research he developed a framework for reasoning about human factors in relation to technical security requirements. In addition, he developed a methodology for analysing security and usability of a system and a process for evaluating them. The theme surrounding this research is that users have needs and that, to design systems that are usably secure, designers must take these needs into account. His research was particularly interesting because it interfaces between what are currently considered two different areas of research (security and human factors).
Shamal's doctoral research explored how design techniques and tools from security, usability, and software engineering can be synthesised when specifying requirements for software systems. This research led to the development of the IRIS (Integrating Requirements and Information Security) framework that software designers can use to guide security and usability design activities, as well as the CAIRIS (Computer Aided Integration of Requirements and Information Security) software tool which supports this framework; CAIRIS is freely downloadable from http://www.cs.ox.ac.uk/cairis.