Research

Areas of interest include, but are not limited to, the following:

1. Program analysis (for security): Reducing security risks in code by program analysis, including static analysis, dynamic analysis, type systems, deductive verification, and formal methods in general. Includes new analysis techniques as well as methods to make existing techniques usable, e.g., easier to customize or to scale up to large codebases. Examples of work solicited include, but are not limited to, the following:

• Techniques for building code that is correct by construction or verifiably satisfies security properties
• Techniques for finding security vulnerabilities in source code, especially if applicable to widely used open source libraries
• Techniques to scale up existing program analyses to multicore and distributed architectures
• Techniques to effectively incorporate runtime data to refine the accuracy of static analyses
• Theoretical studies are in scope if the approach has clear applications in mitigating the risk from security bugs
• Methods for efficiently filtering, sorting, or ranking security bug reports to reduce the time to find and fix security vulnerabilities; case studies demonstrating effectiveness
• Tools and libraries for reducing the time and effort required to build new analyses, or to extend existing analyses to new platforms
• Effective methods of education for non-experts in writing static analysis rules, or in otherwise educating non-experts to use security-focused program analysis techniques
• Community data sets or evaluation techniques that reasonably would reduce the time for new analysis techniques to show impact on widely used open source libraries
• Studies of allocating finite budget between competitive techniques or similar approaches to efficiently combining techniques to reduce overall risk

2. System and hardware security: Better ways to build system software and hardware to prevent security issues. Examples of work solicited include, but are not limited to, the following:

• Methods for detection and remediation of side channel attacks in system software or hardware, e.g., Spectre/Meltdown; methods for re-designing hardware to reduce or eliminate such attacks
• New methods for sandboxing malicious code running in a datacenter, or reducing the performance overhead of existing sandbox techniques
• New methods for sandboxing malicious code running on a handset, or reducing the performance overhead of existing sandbox techniques
• Ways to reduce the effort required to retrofit legacy code to take advantage of sandboxing or other techniques to reduce risk from existing security issues
• Novel architectures or architecture extensions that reduce or eliminate risk from a large class of security bugs, e.g., memory safety errors
• Effective methods of education for non-experts in applying this class of techniques

3. Applied cryptography: Approaches to improve the safety of cryptography or to safeguard the correct configuration and use of cryptographic protocols. Examples of work solicited include, but are not limited to, the following:

• Novel attacks on commonly deployed protocols such as TLS or IPSec, including, but not limited to, flaws in the protocol, flaws in use of randomness, or flaws if misconfigured
• Novel methods for verifying correctness of protocols for carrying out cryptographic tasks
• Verification efforts for open source libraries implementing cryptographic protocols
• Program analysis techniques for effectively detecting misconfigurations of libraries implementing cryptographic protocols (see also program analysis above)
• Studies of fundamental limitations or impossibility results (may be subject to precisely stated assumptions) in applied cryptography
• Effective methods of education for non experts in applying this class of techniques

4. Intrusion detection, forensics, and incident response: Techniques that improve the detection of threat actors, or techniques that aid in reliably analyzing or mitigating attacks after the fact. Examples of work solicited include, but are not limited to, the following:

• Malware detection and response, including new methods for evading existing detection approaches
• Novel techniques for post-intrusion forensics
• Methods for evading known forensic techniques
• Case studies and new methods for increasing effectiveness of incident responders
• Effective methods of education for non experts in applying this class of techniques

5. Usable security and human-centered design: Making it easier for end users to do the secure thing and putting people at the center of security design. Examples of work solicited include, but are not limited to, the following:

• Critiques of existing systems for helping people achieve security (whether at Meta or elsewhere), which may include user studies
• Studies of novel techniques for improving usability of security systems, e.g., password recovery or multi-factor authentication
• Observational or experimental studies of attacks that succeed because of poor usability, e.g., phishing attacks
• Critiques of existing designs for achieving security and privacy (whether at Meta or elsewhere)
• Novel approaches for using crowdsourcing to address security challenges
• Novel approaches to design for inclusion in addressing security challenges
• Effective methods of education for non-experts in applying this class of techniques

6. App attestation: Preventing user harm from unofficial clients and other malicious Apps on Android play store. We observe cases where people use phones with unofficial/custom Android OS and unofficial clients for Meta services are pre-installed. Unfortunately, in some cases, these clients can steal auth cookies/keys/credentials and sell them to make money. This results in user account compromise, which breaks user experience and trust. Examples of work solicited include, but are not limited to, the following:

• Detect unofficial app usage on custom Android or third-party OS
• Detect unofficial apps that read user credentials and upload it to a third-party server
• Detect malicious apps on genuine Android OS that read data from an official client

Proposals should include

• A summary of the project (one to two pages), in English, explaining the area of focus, a description of techniques, any relevant prior work, and a timeline with milestones and expected outcomes
• A draft budget description (one page) including an approximate cost of the award and explanation of how funds would be spent
• Curriculum Vitae for all project participants
• Organization details; this will include tax information and administrative contact details

Eligibility

• The proposal must comply with applicable U.S. and international laws, regulations, and policies.
• Applicants must be current full-time faculty at an accredited academic institution that awards research degrees to PhD students or an employee of a non-profit organization.
• Applicants must be the Principal Investigator on any resulting award.
• Meta cannot consider proposals submitted, prepared, or to be carried out by individuals residing in or affiliated with an academic institution located in a country or territory subject to comprehensive U.S. trade sanctions.
• Government officials (excluding faculty and staff of public universities, to the extent they may be considered government officials), political figures, and politically affiliated businesses (all as determined by Meta in its sole discretion) are not eligible.

Meta’s decisions will be final in all matters relating to Meta RFP solicitations, including whether or not to grant an award and the interpretation of Meta RFP Terms and Conditions. By submitting a proposal, applicants affirm that they have read and agree to these Terms and Conditions.

• Meta is authorized to evaluate proposals submitted under its RFPs, to consult with outside experts, as needed, in evaluating proposals, and to grant or deny awards using criteria determined by Meta to be appropriate and at Meta sole discretion. Meta’s decisions will be final in all matters relating to its RFPs, and applicants agree not to challenge any such decisions.
• Meta will not be required to treat any part of a proposal as confidential or protected by copyright, and may use, edit, modify, copy, reproduce and distribute all or a portion of the proposal in any manner for the sole purposes of administering the Meta RFP website and evaluating the contents of the proposal.
• Personal data submitted with a proposal, including name, mailing address, phone number, and email address of the applicant and other named researchers in the proposal may be collected, processed, stored and otherwise used by Meta for the purposes of administering Meta’s RFP website, evaluating the contents of the proposal, and as otherwise provided under Meta’s Privacy Policy.
• Neither Meta nor the applicant is obligated to enter into a business transaction as a result of the proposal submission. Meta is under no obligation to review or consider the proposal.
• Feedback provided in a proposal regarding Meta products or services will not be treated as confidential or protected by copyright, and Meta is free to use such feedback on an unrestricted basis with no compensation to the applicant. The submission of a proposal will not result in the transfer of ownership of any IP rights.
• Applicants represent and warrant that they have authority to submit a proposal in connection with a Meta RFP and to grant the rights set forth herein on behalf of their organization. All awards provided by Meta in connection with this RFP shall be used only in accordance with applicable laws and shall not be used in any way, directly or indirectly, to facilitate any act that would constitute bribery or an illegal kickback, an illegal campaign contribution, or would otherwise violate any applicable anti-corruption or political activities law.
• Funding for winning-RFP proposals will be provided to the academic institution with which the primary investigator/applicant is affiliated pursuant to a gift or other funding model as specified in the RFP call. Applicants understand and acknowledge that their affiliated academic institution will need to agree to the terms and conditions of such gift or other agreement to receive funding.
• Applicants acknowledge and agree that by submitting an application they are consenting to their name, university / organization’s name and proposal title being made public on Meta’s blog on the research.facebook.com website if they are chosen as an RFP winner or finalist. If an applicant is selected as a winner or finalist, they will then have the opportunity to provide written notification that they do not consent to the research.facebook.com blog inclusion.