Research OverviewI am a Professor and Canada Research Chair in Secure and Reliable Computer Systems in the Edward S. Rogers Department of Electrical and Computer Engineering and Department of Computer Science at the University of Toronto. I am affiliated with the Computer Group. I received my M.S. and Ph.D from Stanford University and my B.A.Sc from Engineering Science at the University of Toronto.
My research goal is to make computer systems safer and more reliable. With the large degree that computing has permeated our lives, from mobile smartphones to ubiquitous cloud computing, it is crucial that this infrastructure that we rely so heavily on be secure and reliable. I take a variety of approaches to achieving this goal, including techniques using operating systems, computer architecture, formal verification and networking. I like building prototypes with my students to demonstrate our ideas and some projects I am currently working on include:
- Smartphone Security and Reliability: In 2010, there were more Smartphones shipped than desktop PCs and the trend is continuing. For many users, the smart phone will be the main device they use to interact with the Internet. We are in an environment where users will likely own multiple devices that must all interact with each other, including a phone, a tablet, PCs and game consoles. To this end, I am interested in building smart phone operating systems and software that seeks to be secure, reliable and intuitive. We are working on building systems such as Unicorn and Mercury, which leverage the capabilities of smart phones to help protect users against malware and phishing. Most recently, we have explored using smartphones to secure data stored in the cloud in a system called Caelus. In addition, I believe smart phones themselves need to be secure, so we've built a couple of tools such as PScout (source code and datasets here), and IntelliDroid to help understand and secure smartphones.
- Security in Cloud Computing: Cloud computing offers a new exciting form of service to users in need of compute infrastructure. It provides users a pay-as-you go model, and allows users to outsource costs such as management, power and cooling, procurement and provisioning. Unfortunately, cloud computing poses serious security concerns. Users want to ensure the security of their data and code while executing in the cloud. At the same time cloud providers want to protect their infrastructure from being abused. We elaborate on these issues in our HotOS paper, VEE paper, and our paper on location-based SLAs on cloud providers. We have also been exploring the use of trusted computing to protect user data stored in the cloud using a system called Unicorn. More recently we have been working on Unity, an untrusted cloud storage system, and H-One, and IaaS cloud auditing framework. We have built and studied Caelus, a system that uses a smartphone to monitor a cloud for malicious activity. You can also check out our survey on the State of IaaS Cloud Security.
- System reliability: With the complexity of computer systems today, it is all too easy for them to become misconfigured. One our research goals is reducing the pain of system configuration and make misconfiguration repair easier. To that end, our tool Ocasta, uses unsupervised machine learning to infer which configuration settings might be related and uses an automated configuration search and rollback tool to semi-automate the repair of configuration errors. Following on this work, we have also explored the use of automatically software workarounds that can be used to rapidly mitigate security vulnerabilities. These software workarounds for rapid response (SWRRs) are automatically generated by a tool called Talos, and can mitigate more than 2x more vulnerabilities than traditional configuration workarounds.
- January, 2017: I'm really excited to be starting a collaborative project funded by a Connaught Global Challenge Award with my colleagues Lisa Austin in the Faculty of Law and Avi Goldfarb in Rotman looking at digital transparency.
- September, 2016: Congratulations to Wei for getting his LMP paper accepted at ACSAC 2016!
- August, 2016: I'm spending my sabbatical at Google in their Visiting Faculty Program.
- July, 2016: I've been promoted to Full Professor!
- May, 2016: I'm pleased to announce that the source code for our IntelliDroid project has been released here.
- May, 2016: Congratulations to Dhaval for succesfully defending his Master's. We wish him all the best as he starts his job at NVIDIA!
- March, 2016: James (Zhen)'s paper on automatically generated Software Workarounds for Rapid Response (SWRRs) was accepted at Oakland 2016. You can read the paper here! Great work James!
- February, 2016: Michelle just gave an awesome talk on IntelliDroid at NDSS 2016! We plan to share the source code soon so please check back here shortly for more information on where the code will be available.
- February, 2016: Congratulations to Sukwon Oh on completing his Master's thesis. Welcome to the PhD program Sukwon!
- January, 2016: Thanks UBC for hosting me for a great Distinguished Lecture visit! You can see the talk I gave about the great things my students and I been doing in my group on Smartphone Security.
- October, 2015: Michelle's paper on IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware has been accepted at NDSS 2016! Congratulations Michelle!
- Sept, 2015: Welcome Peter and Diego, new MASc students in our group!
- June, 2015: Our survey on The State of Public Infrastructure-as-a-Service Cloud Security has been published in the Journal of ACM Computing Surveys. Congrats to Wei for putting this together!
- April, 2015: I'm the PC co-chair for the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) this year. Please consider submitting a paper!
- March, 2015: Congratulations to Ben Kim, whose paper on Caelus: Verifying the Consistency of Cloud Services with Battery-Powered Devices will appear at Oakland Security 2015! Well done Ben!
- January, 2015: Congratulations to Michelle Wong for succesfully defending her MASc Thesis!
- September, 2014: Welcome Mariana D'Angelo and Dhaval Miyani to our group!
- September, 2014: Zheng's paper LazyTainter: Memory-Efficient Taint Tracking in Managed Runtimes was accepted at SPSM 2014.
- February, 2014: James' paper Ocasta: Clustering Configuration Settings For Error Recovery was accepted at DSN 2014! See the video demo here! Congratulations James!
- September, 2013: Please welcome Sukwon Oh, who just joined our group.
- June, 2013: I gave an invited talk this year at the Trusted Infrastructure Workshop in Penn State about virtualization and trusted computing.
- March 15, 2013: I have been awarded the Canada Research Chair in Secure and Reliable Computer Systems.
- January, 2013: I will have one or two summer undergraduate research positions open through the NSERC USRA program. 2nd and 3rd year students will be given preference. Please send me a copy of your transcript and a resume/CV if interested
- November, 2012: Kathy Au just successfully defended her MASc thesis and will be joining Google next year. Congratulations Kathy!
- September 26, 2012: We've made the PScout source code and permission maps available here. Hope you find them useful!
- August 15, 2012: We have two workshop papers at CCS this year. A paper on Unity, a system that provides secure cloud storage by Ben Kim and Wei Huang at CCSW 2012, and a paper on H-One, a IaaS cloud auditing proposal by Afshar Ganjali.
- July 20, 2012: Kathy's paper on Android permission analysis using PScout was accepted at CCS 2012! You can read about the tool and the analysis here.
- May, 2012: Phillipa Gill will be joining Stony Brook University as an assistant professor in 2013 after a post-doc in the Citizen Lab here at U of T. Congratulations Phillipa!
- March 1, 2012: I'm starting at 2.5 year stint as the Associate Chair of Graduate Studies for ECE at U of T. Wish me luck!
- February 6, 2012: The folks at UT Austin were nice enough to write a news article about Unicorn after my recent visit there.
- August 21, 2011: Our position paper on how and why one should build tools to automatically populate permission lists for smartphone operating systems will appears at SPSM 2011.
- August 12, 2011: We have a cool paper at CCS this year introducing a novel technique, called two-factor attestation, which raises the bar against attacks that use malware or phishing to get at personal data. Read about Unicorn, our prototype system that demonstrates this idea.
- December 20, 2010: Lionel's paper on Patch Auditing in public clouds was accepted at VEE 2011! You can read the paper here.
- December 17,
2010: Mannan's paper on Mercury,
a system for secure
password recovery will appear at FC
In this paper, we describe a cool way to recover your password simply
and easily using a mobile phone.
- June 1, 2010: Phillipa's paper on subverting measurement-based IP geolocation was accepted at USENIX Security 2010! It turns out that they can be subverted, and that surprisingly, the more advanced and precise the technique, the more susceptible it is.
- February 8, 2010: Lee's paper on Kivati was accepted in EuroSys 2010! Kivati describes a system that leverages hardware watchpoints to quickly detect and prevent atomicity violations at run time.
- June 22, 2009: David Lie has been promoted to Associate Professor with tenure.
- March 20, 2009: Our paper on cloud computing security was accepted at HotOS 2009.
- March 19, 2009: I'm the Software Security Theme leader and member of the Scientific Advisor Board for the national ISSNet Strategic Network. See the official announcement for the NSERC Strategic Networks.
- Click here for older news.
- Wei Huang, Zhen Huang, Dhaval Miyani and David Lie. LMP: Light-Weighted Memory Protection with Hardware Assistance To appear in the 2016 Annual Computer Security Applications Conference (ACSAC 2016), December 2016.
- Zhen Huang, Mariana D'Angelo, Dhaval Miyani and David Lie. Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response To appear in the 37th IEEE Symposium on Security and Privacy (Oakland 2016), May 2016.
- Michelle Wong and David Lie. IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware In Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS), Feb 2016.
- Wei Huang, Afshar Ganjali, Beom Heyn Kim, Sukwon Oh and David Lie. The State of Public Infrastructure-as-a-Service Cloud Security ACM Computing Surveys 47, 4, Article 68 (June 2015), 31 pages.
- Beom Heyn Kim and David Lie. Caelus: Verifying the Consistency of Cloud Services with Battery-Powered Devices.In Proceedings of the 36th IEEE Symposium on Security and Privacy (Oakland 2015). May 2015.
- Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang and David Lie. PScout: Analyzing the Android Permission Specification. In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012). October 2012.[Download Source Code and Permission Maps]
- Lionel Litty, H. Andrés Lagar-Cavilla and David Lie. Hypervisor Support for Identifying Covertly Executing Binaries. In Proceedings of the 17th USENIX Security Symposium. Pages 243-258. July 2008.
- A complete list of publications can be found here.
I am currently not teaching as I am on sabbatical this year.
- ECE1776: Computer Security, Cryptography and Privacy
- ECE568: Computer Security
- ECE344: Operating Systems
- ECE353: Systems Software (Engineering Science)
- ECE341F: Computer Organization
- ECE352: Computer Organization
- ECE1776: Computer Security, Cryptography and Privacy (2015S)
- ECE1724: Industry Perspectives on Practical Problems in Computer Security, Co-taught with Prof. Reiner (Spring 2009)
Graduate Students: I have several open positions this year for graduate students who enjoy building software/hardware systems. I am looking for students to work on projects in:
- Cloud computing and network security
- Mobile security
- Malware and vulnerability detection
- Vulnerability mitigation and patch generation
- Applications of machine learning for security
If you are interested in applying for graduate studies in ECE, please go here for the application procedure. I supervise students from ECE and CS, if you are not sure which department to apply to, please send me an e-mail. You can find information on my current students here.
Undergradaute Students: I'm looking for strong undergraduate students with interests in security, mobile computing and cloud computing who are interested in summer research positions through the USRA program. 2nd and 3rd year students will be given preference. Please send me a copy of your transcript and a resume/CV if interested.
I have a post-doctoral fellowship position open. The main criteria is
a strong publication record, fit with my group and evidence
of the ability to independently conduct research. Prospective
candidates should e-mail me a CV along with a brief description of relevant
Professional ActivitiesI am currently on the program committee for:
- Mobile Security Technologies (MOST) 2016
- 37th IEEE Symposium on Security and Privacy
- 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI '16)
- 24th USENIX Security Symposium (2015)
- 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM) (PC co-chair)
- The 2016 Network and Distributed System Security Symposium (NDSS)
- The 36th IEEE Symposium on Security and Privacy (Oakland 2015)
- CCSW 2014: The ACM Cloud Computing Security Workshop
- The 35th IEEE Symposium on Security and Privacy (Oakland 2014)
- The 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2014)
- The 23rd USENIX Security Symposium (2014)
- 7th The ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2014)
- The 23rd International Conference on Parallel Architectures and Compilation Techniques (PACT 2014)
- The Eighteenth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2014)
- CCSW 2013: The ACM Cloud Computing Security Workshop
- The 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013)
- The 22nd International World Wide Web Conference (WWW 2013)
- The 2012 Symposium on Cloud Computing (SOCC 2012)
- The 45th Annual IEEE/ACM International Symposium on Microarchitecture (Micro 2012) (External Review Committee)
- 21st USENIX Security Symposium (2012)
- 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2012)
- 4th International Conference on Trust and Trustworthy Computing
- ACM SIGMETRICS 2011 International Conference on Measurement and Modeling of Computer Systems
- 16th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2011)
- 19th USENIX Security Symposium (2010)
- The International Conference on Virtual Execution Environments 2010 (VEE'10)
- 15th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2010)
- 4th USENIX Workshop on Hot Topics in Security (HotSec '09)
- 18th USENIX Security Symposium (2009)
- IEEE Symposium on Security and Privacy (Oakland 2009)
- Symposium on Operating Systems Design and Implementation (OSDI 2008)
- 17th USENIX Security Symposium (2008)
- 1st Workshop on Architectural and System Support for Improving Software Dependability (ASID 2006)
- Workshop on Architectural Support for Security and Anti-Virus (WASSA 2004)