Professor N. Asokan has joined the David R. Cheriton School of Computer Science as a Professor and Cheriton Chair in Software Systems, effective September 2019. This position is supported by the David R. Cheriton Endowment for Excellence in Computer Science, which was established in 2005 to support faculty, fellowship, and graduate scholarships.
Asokan has been a Professor of Computer Science at Aalto University since 2013. He was a Professor of Computer Science at the University of Helsinki from 2012 to 2017. Between 1995 and 2012, he worked in industrial research laboratories, designing and building secure systems, first at the IBM Zurich Research Laboratory as a Research Staff Member and then at Nokia Research Center, most recently as Distinguished Researcher.
Asokan’s primary research theme is systems security broadly, including topics like the development and use of novel platform security features, applying cryptographic techniques to design secure protocols for distributed systems, applying machine learning techniques to security and privacy problems, and understanding and addressing the security and privacy of machine learning applications themselves.
Asokan received his doctorate in Computer Science from the University of Waterloo, an MS in Computer and Information Science from Syracuse University, and a BTech (Honours) in Computer Science and Engineering from the Indian Institute of Technology at Kharagpur. He became an ACM Fellow in 2018, an IEEE Fellow in 2017 and an ACM Distinguished Scientist in 2015.
Tell us a bit about yourself.
I spent the bulk of my career as a practitioner, first at the University of Waterloo working for MFCF as a software specialist, and later in industrial research labs at IBM and Nokia. My approach to research was shaped by this experience. I want to address real-world security and privacy problems. Even after becoming an academic, I consider transferring technology to practice as the most satisfying impact of research.
My parents were both teachers. Growing up, I saw the extent to which students appreciate the impact of their teachers in their lives. I guess that experience also influenced my choosing an academic career after my stint in industry.
What attracted you to the Cheriton School of Computer Science?
As an alumnus and former staff member, I had first-hand experience not only of computer science at the University of Waterloo but also of living and working at Waterloo. Additionally, the Cheriton School attracts top students at all levels. That is a very compelling attraction and I look forward to instructing and advising these exceptional young scholars.
Tell us about your research in systems security.
My main interest has been in platform security — designing security mechanisms for computing platforms as well as using already deployed platform security mechanisms in novel ways to secure applications and services. I became interested in this topic about 15 years ago, when my former colleagues at Nokia were designing hardware support for trusted execution environments or TEEs in mobile devices.
TEEs allow sensitive computations to be carried out so that they are strongly isolated from all the other computations on the same device. We developed a platform called “On-board Credentials,” which allowed ordinary mobile app developers to safely use this TEE functionality to protect their apps and services. This was deployed on several Nokia device models. There were even some trials of some applications — Nokia with New York’s Long Island Rail Road conducted a trial on mobile transport ticketing using near field communication. Ultimately, it turned out that the technology was somewhat ahead of its time. We also had difficulty publishing our work in academic conferences, perhaps for the same reason. Now the situation has changed dramatically. Pretty much every mobile device has TEEs and research papers on TEEs are now common.
Recently, we have also started looking at other platform security mechanisms. For example, a major current concern for software written in C/C++ is the so-called “run-time attacks,” where the attacker attempts to change the behaviour of a program at run-time without having to change the program code itself. ARM recently introduced a mechanism called “pointer authentication” or PA — a new processor feature that allows data and code pointers to be augmented by an authenticator. My students and I have been exploring how ARM PA can be used to defend against run-time attacks. We will be presenting this work at the Usenix Security Conference this fall.
Beyond platform security, I am broadly interested understanding how to design, build, analyze and sometimes break the security of computing systems. Perhaps the most important lesson I have learned over the long years I spent as a practitioner is that in order to be successful, secure systems need to be not only secure, but also easy-to-use and inexpensive to deploy.
Recently, I have also become interested in the security and privacy of systems based on machine learning. Given the incredible pace with which machine learning–based systems are being designed and deployed, I think their security and privacy is not only interesting but also likely to be very important.
Do you see opportunities for new, collaborative research, given the breadth and depth of research conducted at the school?
Certainly. I am particularly looking forward to working with machine learning experts at the School on understanding security and privacy issues with machine learning. CrySP is already well-known as a world-class centre of excellence for security, privacy, and cryptography. I am looking forward to strengthening CrySP work on systems security.
What do you consider your most significant scientific contribution or accomplishment?
The cellular communication infrastructure is a global-scale infrastructure that can authenticate a user pretty much anywhere in the world. When I first went to work in the mobile communication industry, I wanted to design a protocol to bootstrap a general purpose authentication-as-a-service mechanism from this infrastructure. This involved composing the cellular authentication protocol for user authentication with a protocol like transport layer security or TLS for server authentication.
The first version of our protocol was vulnerable to a “man-in-the-middle attack.” To our surprise, we noticed there were many other instances of the same type of vulnerability in protocols being standardized at that time. Our work resulted in more widespread recognition of the need for “channel binding” when composing protocol instances. Years later, I noticed that the work continues to impact practitioners, for example in Internet Engineering Task Force’s standard specification RFC 6813.
Although I consider this work an accomplishment because it had impact in the technology industry, it is not a significant scientific contribution. This is a common pattern in systems security research: significant scientific contributions and impact on real-world systems do not always coincide.
Were you aware at the time that this research would have such a big impact?
Not at all. Our discovery came about because we made a mistake. It helped me understand why studying failures in security and privacy is as important as studying successes.
Who has inspired you most in your life?
Arthur C. Clarke. As a teenager learning to read in English, I read all his books I could lay my hands on.
What’s one thing no one would guess about you?
I have worked in six different countries in three continents. Perhaps some may find this a little unusual — but in this age of ubiquitous large-scale data collection, and the ease of accessing such data, we would be hard put to find something about anyone that we can confidently assert as being unguessable!