Research Directions (T. Kohno)
My goal is to help protect the security, privacy, and safety of users of future computer technologies.
I structure my research around four broad themes, which I briefly summarize below. A complete list of my publications is available here.
Computer security is a very broad field, and I also have a number of past and present projects that do not fall squarely under the above themes. For example, I recently did some work on "seeing through" obscure glass, I am involved with the integrity preservation of records from the International Criminal Tribunal for Rwanda, I conduct research at the intersection between applied and theoretical cryptography, e.g., [45, 46, 47, 48, 49, 50], and I am a member of the Skein hash function design team. Please see my publications for additional information about these and other projects.
Emerging Technologies, Security, and Privacy. I am deeply drawn to overcoming the computer security and privacy challenges associated with emerging, embedded, pervasive technologies and applications. I try to stay one step ahead of the "bad guys" by identifying emerging technologies that might have significant security and privacy risks and then developing solutions for mitigating those risks before real threats manifest. I have focused on a number of different technologies over the years, including electronic voting machines [1, 2, 3, 4, 5], RFIDs [6, 7], wireless robots and toys, and other personal ubicomp devices. Today, most of my active research is focused on computer security and privacy for wireless medical devices [10, 11, 12, 13, 14, 15, 16, 17] and automobiles [18, 19], though I have also recently done some work on privacy and home powerline measurements, home device security in general, and privacy controls for sensed data [22, 23].
The Cloud, The Network, Security, and Privacy. I am committed to helping protect the security and privacy of our information as we become increasingly reliant on networks and the cloud. There are three key inter-related strands to this work. First, I identify and assess new weaknesses within the Internet, e.g., our work on remotely fingerprinting physical machines based on their clock skews. Second, I measure properties of the Internet at a large scale, e.g., our measurement study of ISP modifications to Web traffic between Web servers and users, our study of the practices with which recording studios send DMCA takedown notices, and our study of the Web tracking ecosystem. Third, I design and build new systems with strong security and privacy properties, e.g., our design and analysis of new anonymous wireless networks, wired networks that offer both user anonymity and forensic capabilities [29, 30], privacy-respecting systems for tracking lost or stolen mobile devices, methods for auditing accesses to files on lost or stolen devices, systems for controlling the lifetimes of data on the Web [33, 34], new methods for avoiding certain types of Web tracking, new methods for authentication, methods for user-driven access control, and a user-interface toolkit designed for security.
Humans and Computer Security. Third, I believe that technologies should not be designed nor evaluated in isolation; rather, technologies should be considered in the broader milieu of users, other people in the users' environments, manufacturers, government bodies, public interest groups, and so on. This perspective permeates my research. Usability is part of this broader consideration, e.g., our study of graphical password usability. But usability is only one part. My current work is focused on understanding the interactions and trade-offs between security/privacy and other critical human values [15, 40]. For example, we interviewed cardiac device patients, found that some of the proposed security solutions for wireless implantable medical devices may interact with a person's self-image, sense of dignity, or psychological comfort, and then proposed defensive directions that account for these human values.
Education. I am very interested in developing techniques to help increase the overall awareness and understanding of key computer security concepts amongst broad collections of individuals, including students (both those enrolled in computer security courses and those enrolled in general, introductory computing courses, including at the high school level), industry professionals (both technical and non-technical), and the general public. I introduced security reviews, current events reports, and science fiction prototyping into my undergraduate computer security course. Variants of these approaches have now been used at a number of universities, and my course's use of "security reviews" was discussed in Wired. In 2012 we introduced Control-Alt-Hack(TM), a computer security-themed card game designed to not only be fun to play, but to also help address our educational goals.
Additional information can be found at the UW Security and Privacy Research Lab home page. If you are interested in supporting UW CSE, please visit this URL (for general departmental support) or this URL (and search for "computer security").