illustration of lock, four asterisks and a shield with a fingerprint on it on a green gradient background

Security, privacy, and cryptography

lock icon on green background

Leveraging Large Language Models for Automated Proof Synthesis in Rust

photos of PhD students Anunay Kulshrestha and Karan Newatia with a photo of Senior Cryptographer Josh Benaloh in the middle with a microphone icon on a blue and purple gradient background

Intern Insights: Dr. Josh Benaloh with Anunay Kulshrestha and Karan Newatia

Bayes Security (β*, higher better) of DP-SGD against membership and attribute inference on the Adult and Purchase datasets as a function of the number of training steps. The green dashed line shows the corresponding DP budget (ε). Membership and attribute inference curves decrease monotonically as the model is trained for longer and the accuracy and DP budget grow.

Closed-Form Bounds for DP-SGD against Record-level Inference

MSR Systems Networking Graphic

ProvCam: A Camera Module with Self-Contained TCB for Producing Verifiable Videos

Current selections

Sort by: Most recent

Clear selections

Video

When LLMs Go Online: The Emerging Threat of Web-Enabled LLMs

September 24, 2025 | Hanna Kim

Recent advancements in Large Language Models (LLMs) have established them as agentic systems capable of planning and interacting with various tools. These LLM agents are often paired with web-based tools, enabling access to diverse sources…

graphical user interface, website

Video

A Formal Analysis of Apple’s iMessage PQ3 Protocol

September 24, 2025 | Felix Linker

We present the formal verification of Apple’s iMessage PQ3, a highly performant, device-to-device messaging protocol offering strong security guarantees even against an adversary with quantum computing capabilities. PQ3 leverages Apple’s identity services together with a…

Video

Email Spoofing with SMTP Smuggling: How the Shared Email Infrastructures Magnify this Vulnerability

September 24, 2025 | Gang Wang

Email spoofing is a critical technique used in phishing attacks to impersonate a trusted sender. SMTP smuggling is a new vulnerability that allows adversaries to perform email spoofing while bypassing existing authentication protocols such as…

graphical user interface, application

Video

A Framework for Abusability Analysis: The Case of Passkeys in Interpersonal Threat Models

September 24, 2025 | Alaa Daffalla

The recent rollout of passkeys by hundreds of web services online is the largest attempt yet to achieve the goal of passwordless authentication. However, new authentication mechanisms can often overlook the unique threats faced by…

Video

‘Hey mum, I dropped my phone down the toilet’: Investigating Hi Mum and Dad SMS Scams in the UK

September 24, 2025 | Sharad Agarwal

SMS fraud has surged in recent years. Detection techniques have improved along with the fraud, necessitating harder-to-detect fraud techniques. We study one of these where scammers send an SMS to the victim addressing mum or…

Video

zk-promises: Anonymous Moderation, Reputation, & Blocking from Anonymous Credentials with Callbacks

September 22, 2025 | Maurice Shih

Anonymity is essential for free speech and expressing dissent, but platform moderators need ways to police bad actors. For anonymous clients, this may involve banning their accounts, docking their reputation, or updating their state in…

Video

More is Less: Extra Features in Contactless Payments Break Security

September 22, 2025 | Tom Chothia, George Pavlides

The EMV contactless payment system has many independent parties: payment providers, terminal companies, smartphone companies, banks and regulators. EMVCo publishes a 15 book specification that these companies use to operate together. However, many of these…

graphical user interface, website

Publication

Ordered Consensus with Equal Opportunity

Yunhao Zhang, Haobin Ni, Soumya Basu, Shir Cohen, Maofan Yin, Lorenzo Alvisi, R. V. Renesse, Qi Chen, Lidong Zhou

September 2025

Video

Six Years of Rowhammer: Breakthroughs and Future Directions

August 28, 2025 | Stefan Saroiu

This talk presents the work done over the past six years as part of Project STEMA at Microsoft. STEMA stands for Secure, Trusted, and Enhanced Memory for Azure. We discuss our journey in understanding Rowhammer…

chart

Microsoft Research Blog

Crescent library brings privacy to digital identity systems

August 26, 2025 | Christian Paquin, Greg Zaverucha

Crescent helps make digital IDs private by preventing tracking across uses while letting users only disclose what’s necessary from their credentials.