Aron Laszka
Bug-Bounty Programs
Ratio of valid vulnerability reports can be very low, even on bug-bounty platforms.

Funded in part by the National Science Foundation Award CNS-1850510

Many organizations and companies have recently chosen to use so-called bug-bounty programs (also known as vulnerability reward programs), which allow outside security experts to evaluate the security of an organization's products and services and to report security vulnerabilities in exchange for rewards. Bug-bounty programs provide unique benefits by allowing organizations to publicly signal their commitment to security and to harness the diverse expertise of thousands of security experts in an affordable way. Despite their rapidly growing popularity, bug-bounty programs are not well understood and can be mismanaged. As a result, bug-bounty programs can waste substantial resources, and they rarely live up to their potential to improve cybersecurity. This project will significantly improve the efficiency of bug-bounty programs by collecting and publishing comprehensive datasets on the bug-bounty ecosystem, by establishing a sound theory of bug-bounty programs, and by providing practical recommendations for organizations and regulators. The project will directly benefit organizations and companies by enabling them to manage bug-bounty programs more efficiently, which will allow them to eliminate security vulnerabilities at a lower cost; and it will also benefit users by improving the security of software products and services.

This project comprises four research thrusts. The first thrust will build a dataset that captures the entire bug-bounty ecosystem by collecting activity data and rule descriptions from public bug-bounty programs, conducting interviews and focus-group studies with experts who regularly participate in programs, collecting social-media posts, and incorporating existing datasets, such as vulnerability databases. The second thrust will analyze this dataset to understand the ecosystem and its actors' incentives and actions, and to characterize processes, such as discovering and reporting vulnerabilities and rewarding reports. To code textual data, the project will first develop a terminology and taxonomy of bug-bounty related concepts. Driven by the results of the data analysis, the third thrust will develop a formal model of the bug-bounty ecosystem, which will incorporate technological processes as well as behavioral and economic incentives. To capture all aspects of such a complex ecosystem, the project will employ models and techniques from multiple disciplines and areas, including economics and cybersecurity. Building on this model, the fourth thrust will propose and evaluate novel approaches for improving the efficiency and scalability of bug-bounty programs. The project will consider policies for individual bug-bounty programs, such as rules for rewarding vulnerability reports, as well as mechanisms for regulating bug-bounty programs and for instigating coordination between them.

An Empirical Study of Android Security Bulletins in Different Vendors
The Web Conference (WWW 2020)
The Rules of Engagement for Bug Bounty Programs
22nd International Conference on Financial Cryptography and Data Security (FC 2018)
Devising Effective Policies for Bug-Bounty Platforms and Security Vulnerability Discovery
Journal of Information Policy, 2017
Banishing Misaligned Incentives for Validating Reports in Bug-Bounty Platforms
21st European Symposium on Research in Computer Security (ESORICS 2016)

Keywords: bug bounty, data science, economics of security, vulnerability discovery, behavioral economics

High-dimensional Data-driven Energy optimization for Multi-Modal transit Agencies (HD-EMMA)
We collect high-resolution datasets from CARTA's fleet of buses, car sharing, and e-bike sharing vehicles, and analyze them using deep learning.

Funded in part by the Department of Energy Award DE-EE0008467

The goal of this project is to develop a high-resolution system-level data capture and analysis framework to revolutionize the operational planning of a regional transportation authority, specifically the Chattanooga Area Regional Transportation Authority (CARTA). There is existing research on improving energy efficiency in transportation networks through analyzing energy consumption data per vehicle type and driving context. However, these studies are based on trip-specific estimation and thus cannot be applied to a regional transportation network. Further, a number of these studies are based on simplified model estimation that is used within a simulation framework for analysis and are therefore difficult to validate during actual driving/road conditions that are not captured in the training dataset (which is typically limited in size and features).

The availability of ubiquitous high-speed networking in Chattanooga provides us with a unique opportunity to change this status quo by providing mechanisms to significantly improve the operational efficiency of fleet operations. Specifically, we collect high-resolution datasets containing all information about engine status, vehicle location, fuel usage, etc. in real-time from CARTA's fleet of buses, car sharing, and e-bike sharing vehicles and send them to a central station for analysis. Additionally, we get state of charge data from the electric vehicles, which can then be used to estimate vehicle health using data-driven prognostic algorithms developed by the team. Combined with the traffic congestion information obtained from external sources, such as HERE, this data can help create high-resolution energy consumption predictors, contextualized with features such as vehicle types and events in the city. These predictors can then be used by agencies like CARTA for operational optimization.

Overall, this project will enable the development and evaluation of tools to promote energy efficiency within a mobility-as-a-service transportation model in a mid-sized city. In addition to energy efficiency within each specific mode of operation, such as electric bus and electric car, this project will identify network mobility and energy efficiency associated with movement throughout the continuum of transportation choice present within Chattanooga. Further, the proposed project can complement the DoE national labs' effort on vehicle energy consumption models by exploiting new data to investigate impacts of road/driver factors on vehicle energy consumption. In addition, the project can supplement the DoE national labs' efforts by providing more data on electric bus operations under various driving conditions for model validation.

Data-Driven Prediction of Route-Level Energy Use for Mixed-Vehicle Transit Fleets
6th IEEE International Conference on Smart Computing (SMARTCOMP 2020)

Keywords: artificial intelligence, transportation, machine learning, cyber-physical system, Internet of Things

Blockchains for Transactive Energy
Power grids are undergoing major changes due to rapid growth in renewable energy resources, such as wind and solar power.

Funded in part by Siemens Corporate Technology

Due to rapid growth in renewable energy resources and improvements in battery technology, power grids are undergoing major changes, which create significant management and control challenges. To tackle these challenges, decentralized solutions are needed, which can support the evolution of electrical power distribution systems. Transactive energy is a decentralized solution for dynamically balancing demand and supply, in which consumers, prosumers (i.e., consumers with energy storage or generation capabilities), providers, etc. can trade energy in an open market.

However, transactive energy solutions must also satisfy security, safety, and privacy requirements, which often seem to contradict each other. For example, to provide safety, detailed energy consumption and production information might need to be disseminated, but this threatens the privacy of prosumers. As another example, the complex and computationally expensive solutions required to provide security might not abide by the real-time constraints of power systems.

In this project, we create a transactive energy system based on blockchain technology, using the distributed ledger provided by a blockchain to implement an energy trading platform. We develop protocols, smart contracts, middleware, and control algorithms to provide security, safety, and privacy for transactive energy.

Blockchains for Transactive Energy Systems: Opportunities, Challenges, and Approaches
IEEE Computer
Safe and Private Forward-Trading Platform for Transactive Microgrids
ACM Transactions on Cyber-Physical Systems
Cyber-Attacks and Mitigation in Blockchain Based Transactive Energy Systems
3rd IEEE International Conference on Industrial Cyber-Physical Systems (ICPS 2020)
Cyber-Physical Simulation Platform for Security Assessment of the Transactive Energy Systems
7th Workshop on Modeling and Simulation of Cyber-Physical Energy Systems (MSCPES 2019)
TRANSAX: A Blockchain-based Decentralized Forward-Trading Energy Exchange for Transactive Microgrids
24th IEEE International Conference on Parallel and Distributed Systems (ICPADS 2018)
SolidWorx: A Resilient and Trustworthy Transactive Platform for Smart and Connected Communities
2018 IEEE International Conference on Blockchain (Blockchain-2018 2018)
Providing Privacy, Safety, and Security in IoT-Based Transactive Energy Systems using Distributed Ledgers
7th International Conference on the Internet of Things (IoT 2017)
PlaTIBART: A Platform for Transactive IoT Blockchain Applications with Repeatable Testing
4th Workshop on Middleware and Applications for the IoT (M4IoT 2017)
On the Design of Communication and Transaction Anonymity in Blockchain-Based Transactive Microgrids
1st Workshop on Scalable and Resilient Infrastructures for Distributed Ledgers (SERIAL 2017)

Keywords: blockchain, transactive energy, smart contract, privacy, applied cryptography

Secure and Resilient Cyber-Physical Systems
The 2015 and 2016 cyberattacks against the Ukrainian power grid have demonstrated that remote attackers can cause significant physical impact.

As cyber-physical systems become more prevalent, ensuring that they are resilient to cyber-attacks becomes a critical issue. For instance, cyber-physical attacks against smart water and transportation networks can pose a serious threat to public health and safety. Owing to the severity of these threats, a variety of techniques have been proposed for improving the resilience of a cyber-physical system, such as deploying redundant components and intrusion detection systems.

In this project, we explore a synergistic approach that combines multiple techniques in order to provide resilience against cyber-attacks. We study and model how the impact and feasibility of cyber-attacks depend on both the physical and cyber aspects of a system. Based on these models, we provide novel results on how to combine multiple techniques for improving resilience, considering static, dynamic, and adaptive defenses.

Integrating Redundancy, Diversity, and Hardening to Improve Security of Industrial Internet of Things
Cyber-Physical Systems, 2020
Detection and Mitigation of Attacks on Transportation Networks as a Multi-Stage Security Game
Computers & Security, 2019
A Game-Theoretic Approach for Selecting Optimal Time-Dependent Thresholds for Anomaly Detection
Autonomous Agents and Multi-Agent Systems, 2019
Synergistic Security for the Industrial Internet of Things: Integrating Redundancy, Diversity, and Hardening
2018 IEEE International Conference on Industrial Internet (ICII 2018)
Application-Aware Anomaly Detection of Sensor Measurements in Cyber-Physical Systems
Sensors, 2018
Improving Network Connectivity and Robustness Using Trusted Nodes with Application to Resilient Consensus
IEEE Transactions on Control of Network Systems, 2018
A Game-Theoretic Approach for Integrity Assurance in Resource-Bounded Systems
International Journal of Information Security, 2018
Synergic Security for Smart Water Networks: Redundancy, Diversity, and Hardening
3rd International Workshop on Cyber-Physical Systems for Smart Water Networks (CySWater 2017)
Resilient Wireless Sensor Networks for Cyber-Physical Systems
Cyber-Physical System Design with Sensor Networking Technologies
Improving Network Connectivity Using Trusted Nodes and Edges
2017 American Control Conference (ACC 2017)
Optimal Thresholds for Anomaly-Based Intrusion Detection in Dynamical Environments
7th Conference on Decision and Game Theory for Security (GameSec 2016)
Optimal Thresholds for Intrusion Detection Systems
3rd Annual Symposium and Bootcamp on the Science of Security (HotSoS 2016)
Scheduling Intrusion Detection Systems in Resource-Bounded Cyber-Physical Systems
1st ACM Workshop on Cyber-Physical Systems Security and Privacy, in conjunction with ACM CCS 2015 (CPS-SPC 2015)

Keywords: cyber-physical system, security, survivable architecture, game theory, critical infrastructure

Correct-by-Design Blockchain-based Smart Contracts
Smart contract design and verification workflow.

The adoption of blockchain-based distributed ledgers is growing fast due to their ability to provide reliability, integrity, and auditability without trusted entities. One of the key capabilities of these emerging platforms is the ability to create self-enforcing smart contracts. However, the development of smart contracts has proven to be error-prone in practice, and as a result, contracts deployed on public platforms are often riddled with security vulnerabilities. This issue is exacerbated by the design of these platforms, which forbids updating contract code and rolling back malicious transactions. In light of this, it is crucial to ensure that a smart contract is secure before deploying it and trusting it with significant amounts of cryptocurrency.

This project introduces a framework for the formal verification of contracts that are specified using a transition-system based model with rigorous operational semantics. Our model-based approach allows developers to reason about and verify contract behavior at a high level of abstraction. Our framework allows the generation of smart-contract code from the verified models, which enables the correct-by-design development of smart contracts.

Verified Development and Deployment of Multiple Interacting Smart Contracts with VeriSolid
2nd IEEE International Conference on Blockchain and Cryptocurrency (ICBC 2020)
Vyper: A Security Comparison with Solidity Based on Common Vulnerabilities
2nd Conference on Blockchain Research & Applications for Innovative Networks and Services (BRAINS 2020)
Smart Contract Development from the Perspective of Developers: Topics and Issues Discussed on Social Media
4th Workshop on Trusted Smart Contracts (WTSC 2020)
VeriSolid: Correct-by-Design Smart Contracts for Ethereum
23rd International Conference on Financial Cryptography and Data Security (FC 2019)
Tool Demonstration: FSolidM for Designing Secure Ethereum Smart Contracts
7th International Conference on Principles of Security and Trust (POST 2018)
Designing Secure Ethereum Smart Contracts: A Finite State Machine Based Approach
22nd International Conference on Financial Cryptography and Data Security (FC 2018)

Keywords: smart contract, security, correct-by-design, formal verification, blockchain