MSR PhD studentship on improving the usability of SSL/TLS APIs

Fully funded 3 year PhD studentship for UK/EU students to work on the problem of SSL/TLS library usability.

The student would work with Dr Kami Vaniea (Edinburgh) and Dr Antoine Delignat-Lavaud (Microsoft Research Cambridge) on SSL/TLS library usability. The studentship will be at the University of Edinburgh, with the potential of summer internships located at MSR Cambridge.

The overall goal of this studentship is to develop a usable SSL/TLS API by studying how developers with limited security background approach adding encryption to their projects, followed by identifying common sources of error, and then iteratively designing an API that supports adding security as part of the developer's typical work model.

SSL/TLS is used to encrypt communication between devices on the internet, but many developers make errors when attempting to incorporate these libraries into their projects, leading to serious security problems such as data leakage and potential compromise of devices. It is estimated that as many as 88% of Android apps contain at least one cryptographic API usage mistake, e.g., using constants for keys, salt, seeds, or choosing the wrong encryption mode [1].

Just like any other human computer interface, APIs need to be designed to be usable, minimize accidental error, and generally support the workflow of users. When these principles are not taken into account, it becomes easy for even highly skilled developers to make mistakes. Wile several HCI methods exist for exploring API usability and creating new API designs in general there have been few attempts to apply them to security libraries. The PhD studentship would be fully funded for three years which includes tuition and a stipend. Ideally the candidate would start in September of 2017 though this is not strictly required. The research is a collaboration with MSR Cambridge. As part of the studentship there is a possibility of summer internships at MSR Cambridge, but this is not guaranteed.

See the PhD Studies page for details about getting a PhD from the University of Edinburgh's School of Informatics. To apply for this studentship, follow the normal application process for a PhD with the ILCC or LFCS institutes.

If you are interested in the studentship it is recommended that you contact Dr Kami Vaniea in advance of applying.

[1] Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. An empirical study of cryptographic misuse in Android applications. In Proc. ACM CCS’13, pages 73–84. ACM, 2013.