CROSSING Conference 2017
Invited Speakers

From Tweets to Quantum

Darmstadt, Germany | May 15 – 16, 2017

Ammar Alkassar (Rohde & Schwarz)

Prof. N. Asokan (Aalto University)

Fast client-side phishing detection: a case-study in applying machine learning to solve security/privacy problems

Abstract: Machine learning techniques are being employed to solve a variety of problems in the digital world. Security/privacy problems are no exception. Traditionally, machine learning techniques have been used for detecting anomalies. Recently they are also being deployed to design intuitive and usable security and privacy solutions. In this talk, I will first discuss some recent work done in my group to address the problem of how to steer users away from potential phishing sites effectively without impacting their privacy. I will then discuss some challenges and potential pitfalls in applying machine learning for improving security or privacy.

Bio: N. Asokan is a professor of Computer Science at Aalto University and University of Helsinki. His research interests are in systems security. He is the lead academic PI of Intel Collaborative Research Center in Finland and is the director of Helsinki-Aalto Center for Information Security. More information about him and his research at asokan.org/asokan/

Robert Broberg (CISCO)

L3 Source Attribution: Can trust be built in to internet transport?

Abstract: Robert will give a historical perspective of compute trust chaining and efforts made to secure IP transport since the 1990s, drawing analogies of successes and failures in both. He will then review how trusted computing technologies may be applied to L3 transport.

Bio: Robert Broberg is a member of Cisco's Advanced Security Research and Government group and a Visiting Scholar at the University of Pennsylvania. Robert's research focuses on new approaches to secure the Internet. Trained as a Chemical Engineer, Robert entered the networking field in 1984 working for Ungermann Bass. At UB, Robert worked on one of the first TCP/IP stacks for NICs that enabled IP communications for early PCs. At UB, Robert led a team in Japan that transitioned terminal servers, channel attach gateways, and PC NICs from XNS to TCP/IP. Robert moved to Cisco Systems in 1993 and was a senior technical contributor on many core router projects including the paradigm shifting works of IP Packet over Sonet. Starting in 1998, Robert joined the Physical Science Division of Bell-Labs before returning to industry in 2001. Amongst many projects, Robert led a joint industry and academic team that built the first fault tolerant network operating system for core routers. Robert continues to find innovation and excitement in the Internet and enjoys bringing positive impact working with both industry and academic experts.

Dr. Sunny Consolvo (Google)

Exploratory studies of privacy- & security-related beliefs and practices

Abstract: This talk will present the results of two exploratory studies of people’s privacy- and security-related practices. In the first study, we explore how people living in the same household share their devices and accounts. In the second study, we explore the digital privacy and security motivations, practices, and challenges of survivors of intimate partner abuse.

Bio: Sunny Consolvo leads Google's Security & Privacy User Experience team. Sunny and her team spend most of their time focusing on usable privacy and security. Sunny received her Ph.D. in Information Science from the University of Washington. She is a member of the Editorial Board for IEEE Pervasive Computing and the PACM on Interactive, Mobile, Wearable, and Ubiquitous Technologies (IMWUT). She became a Certified Information Privacy Professional (US) in 2013.

Prof. George Danezis (University College London)

Modern anonymous Communications

Abstract: The field of anonymous communications has been dominated for the past 15 years by onion routing designs, that are performant but susceptible to traffic analysis attacks by adversaries that we know today to be realistic. This has led us to pursue a research program around new generation anonymous communications, that both relax security notions of anonymity aiming to disrupt mass surveillance, as well as revisit the use of mixing and cover traffic to protect against traffic analysis. We also show how anonymous communications primitives may be used to implement more efficient private lookups and ORAM – which are useful both as building blocks for anonymity systems as well as other privacy-preserving protocols. In this talk I will give a tour of those results, and point to new directions for this field of research.

Bio: George Danezis is a Professor of Security and Privacy Engineering at the Department of Computer Science of University College London, and Head of the Information Security Research Group. He has been working on anonymous communications, privacy enhancing technologies (PET), and traffic analysis since 2000. He has previously been a researcher for Microsoft Research, Cambridge; a visiting fellow at K.U.Leuven (Belgium); and a research associate at the University of Cambridge (UK), where he also completed his doctoral dissertation under the supervision of Prof. R.J. Anderson. His theoretical contributions to the Privacy Technologies field include the established information theoretic and other probabilistic metrics for anonymity and pioneering the study of statistical attacks against anonymity systems. On the practical side he is one of the lead designers of the anonymous mail system Mixminion, as well as Minx, Sphinx, Drac and Hornet; he has worked on the traffic analysis of deployed protocols such as Tor. His current research interests focus around secure communications, high-integrity systems to support privacy, smart grid privacy, peer-to-peer and social network security, as well as the application of machine learning techniques to security problems. He has published over 70 peer-reviewed scientific papers on these topics in international conferences and journals. He was the co-program chair of ACM Computer and Communications Security Conference in 2011 and 2012, IFCA Financial Cryptography and Data Security in 2011, the Privacy Enhancing Technologies Workshop in 2005 and 2006. He sits on the PET Symposium board and ACM CCS Steering committee and he regularly serves in program committees of leading conferences in the field of privacy and security. He is a fellow of the British Computing Society since 2014.

Prof. Lucas Davi (University of Duisburg-Essen)

Dangerous Bit Flips in Memory: Rowhammer Attacks and Defenses

Abstract: The high density of memory cells in modern DRAM chips caused the so-called Rowhammer bug. This bug allows an attacker to induce dangerous bit flips in memory to undermine memory access control mechanisms without requiring any software vulnerability. Recently, the Rowhammer bug has been exploited to circumvent browser sandboxes such as NativeClient, compromise cryptographic material in co-located virtual machines, and launch privilege escalation attacks against the operating system kernel. In this talk, we elaborate on the evolution of Rowhammer attacks and defenses. Specifically, we examine Rowhammer attacks on contemporary architectures such as x86 and ARM, and discuss hardware and software-based mitigation techniques.

Bio: Lucas Davi is assistant professor for system security at University of Duisburg-Essen, Germany and associated researcher at the Intel Collaborative Research Institute for Secure Computing (ICRI-SC) at TU Darmstadt, Germany. He received his PhD from TU Darmstadt in computer science. His research focus includes aspects of system security and trusted computing, particularly software exploitation techniques and defenses. He received best paper awards at DAC, ACM ASIACCS, and IEEE Security & Privacy. His PhD thesis on code-reuse attacks and defenses has been awarded with the ACM SIGSAC Dissertation Award 2016.

Prof. Jens Grossklags (TU München)

Bug Bounty Platforms: Empirical Analysis and Economic Challenges

Abstract: Despite significant progress in software-engineering practices, software utilized for web and mobile computing remains insecure. At the same time, the consumer and business information handled by these programs is growing in its richness and monetization potential, which triggers significant privacy and security concerns.

In response to these challenges, companies are increasingly harvesting the potential of external (ethical) security researchers through bug bounty programs to crowdsource efforts to find and ameliorate security vulnerabilities. More recently, several commercial bug bounty platforms have emerged (e.g., HackerOne, BugCrowd, Cobalt, Wooyun) which successfully facilitate the process of building and maintaining bug bounty programs for organizations. To cite just one success story, on HackerOne, more than 40,000 security vulnerabilities have been reported and fixed for hundreds of organizations.

In this talk, I will discuss our research over the last three years which systematically studies these platforms. In particular, I will present empirical results demonstrating the growing popularity and practical contributions of two of these platforms, HackerOne and Wooyun. Unfortunately, the data also reveals a number of economic challenges which may limit the success of these platforms in the future. To respond to these hurdles, I will discuss different economic policies to improve their efficiency. I will close with a conversation about pressing policy considerations.

The talk is based on joint work with Mingyi Zhao, Aron Laszka, and Thomas Maillart.

Bio: Jens Grossklags is Professor of Cyber Trust in the Department of Informatics at the Technical University of Munich. Previously, he directed the Security, Privacy and Information Economics Lab, and served as the Haile Family Early Career Professor at Penn State. He was a Postdoctoral Research Associate at the Center for Information Technology Policy at Princeton University, and received his Ph.D. from UC Berkeley. He studies security and privacy challenges from the economic and behavioral perspectives with a variety of methodologies.

Dr. Krishna Gummadi (Max Planck Institute for Software Systems)

Privacy and Fairness Concerns with PII-based Targeted Advertising on Social Media

Abstract: All popular social media sites like Facebook, Twitter, and Pinterest are funded by advertising, and the detailed user data that these sites collect make them attractive platforms for advertisers. Historically, these advertising platforms allowed advertisers to target users with certain attributes, but not to target users directly. Recently, most advertising platforms have begun allowing advertisers to target users directly by uploading the personal information of the users who they wish to advertise to (e.g., their names, email addresses, phone numbers, etc). Such targeting is referred to as custom audience targeting.

In this talk, I will discuss numerous privacy and fairness concerns that arise with such custom audience targeting on the Facebook ad platform. I will show how custom audience targeting would allow malicious advertisers to leverage existing public records (e.g., voter records) for discriminatory advertising (i.e., excluding people of a certain race), and how this type of discrimination is significantly more difficult for Facebook to detect automatically. We also find that the custom audiences can be abused by malicious advertisers to learn about hundreds of demographic, behavioral, and interest attributes of a Facebook user even with limited knowledge about their PII like their email addresses or phone numbers. Finally, we find that users generally have no control over their data that is used to create custom audiences. Overall, our results indicate that advertising platforms need to more carefully consider the privacy and fairness concerns that arise out of custom audience targeting.

Bio: Krishna Gummadi is a tenured faculty member and head of the Networked Systems research group at the Max Planck Institute for Software Systems (MPI-SWS) in Germany. Krishna's research interests are in the measurement, analysis, design, and evaluation of complex Internet-scale systems. His current projects focus on understanding and building social computing systems. Specifically, they tackle the challenges associated with (i) assessing the credibility of information shared by anonymous online crowds, (ii) understanding and controlling privacy risks for users sharing data on online forums, (iii) understanding, predicting and influencing human behaviors on social media sites (e.g., viral information diffusion), and (iv) enhancing fairness and transparency of machine (data-driven) decision making in social computing systems. Krishna's work on online social networks, Internet access networks, and peer-to-peer systems has led to a number of widely cited papers and award papers at IW3C2's WWW, NIPS's ML & Law Symposium, ACM's COSN, ACM/Usenix's SOUPS, AAAI's ICWSM, Usenix's OSDI, ACM's SIGCOMM IMC, and SPIE's MMCN conferences. He has also co-chaired AAAI's ICWSM 2016, IW3C2 WWW 2015, ACM COSN 2014, and ACM IMC 2013 conferences.

J. Trevor Hughes (President & CEO of IAPP)

Three Apples: The History of Privacy and Technology

Abstract: The tension between technological innovation and privacy is well covered as a topic. This session will look further back, and examine the relationship between advances in technology and our understanding of privacy. Specific focus will be placed on the normative and policy reactions to the introduction of disruptive technologies.

Bio: J. Trevor Hughes is the President and CEO of the International Association of Privacy Professionals (IAPP), the world’s largest association of privacy professionals. Hughes is an experienced attorney in privacy, technology and marketing law. He has provided testimony on privacy issues before several committees within the U.S. Congress, British Parliament and EU Parliament. Hughes previously served as the executive director of the Network Advertising Initiative and the Email Sender and Provider Coalition. He is an adjunct professor of law at the University of Maine School of Law and frequently speaks about privacy issues at conferences around the world.

Sridhar Iyengar (Intel)

Securing the Autonomous Automobile

Abstract: Autonomous driving has come a long way since the 2004 DARPA grand challenge where cars navigated obstacles in the Mojave Desert for about 12 miles. Today, autonomous driving has reached the top of the hype curve with car manufacturers, hardware and software companies making huge investments. While safety remains priority #1, the auto ecosystem has largely ignored security. The large number of computers in an automobile, remote wireless access, combined with physical access to the automobiles make them particularly vulnerable to malicious attacks. This talk addresses the challenges and opportunities of securing the autonomous automobiles, including securing the automobile platform, wireless communication and the analytics.

Bio: Sridhar R. Iyengar is a vice president at Intel Labs and the director of security and privacy research at Intel Corporation. He is responsible for innovations in security and privacy that differentiate Intel products and establish trustworthiness as a fundamental value on all Intel platforms. His areas of research include new security architectures and software solutions to protect confidentiality, integrity, identity and privacy. Iyengar joined Intel in 1983 and has focused much of his career on advanced research. As director of the Security Research Lab since 2008, his work has led to breakthroughs in areas such as anti-malware, cryptography and data protection. His team has won three Intel Achievement Awards for significant security advances, including anti-malware CPU features, McAfee’s DeepSAFE solution and Intel Software Guard Extensions. As director of the Platform Software Lab, Iyengar led advances in virtualization, scalable operating systems and partitioning that influenced new architectures such as Intel Virtualization Technology. Before joining Intel Labs, Iyengar focused on the engineering side, including work on products such as Intel ProShare, Intel debuggers and the Ada compiler for the Intel 960XA architecture. Iyengar earned his bachelor’s degree in electrical engineering from the Indian Institute of Technology Madras in India, and his master’s degree in computer science from the University of Wisconsin, Madison. He holds five patents in collaborative computing and audio processing.

Prof. Ramesh Karri (New York University Polytechnic School of Engineering)

Bio Chip Security

Abstract: This presentation will explore the security implications of biochips that are envisioned for use in lab-on-chips. We will discuss how attackers in the bio-chip supply chain can undermine proprietary biochemical protocols or alter their results, with serious consequences for laboratory analysis, healthcare, and biotechnology innovation.

Bio: Ramesh Karri is a Professor of Electrical and Computer Engineering at New York University Tandon School of Engineering and is a co-founder of NYU Center for Cybersecurity. Professor Karri's research interests include trustworthy hardware (integrated circuits to processor architectures); electronics supply chain security; VLSI Design and Test; and interactions between security and reliability. A recipient of the Humboldt Fellowship and the National Science Foundation CAREER Award, he has authored over 190 journal and conference publications. In addition, Professor Karri is the co-founder of the Trust-HUB and organizes the annual red team/blue team event at NYU, the Embedded Systems Security Challenge. He received a PhD and MS degree at the University of California at San Diego, a Master of Technology degree at the University of Hyderabad, and Bachelor of Engineering at Andhra University.

Prof. Norbert Lütkenhaus (University of Waterloo)

Protecting Privacy using Optical Quantum Communication

Abstract: Quantum Physics gives rise to qualitative advantages over classical communication, as demonstrated in Quantum Key Distribution. It also offers quantitative advantages, for example, saving communication cost in comparing classical data in the simultaneous message passing model and other multi-party computations. This is explored in the area of quantum communication complexity. More recently, also the field of quantum information complexity has been established, asking the question how much information can be learned by parties during multi-party computation protocols. In this presentation I will show the status of translating abstract protocols of these quantitative and qualitative advantages into practical protocols, using technology available in today’s optical telecommunication industry.

Bio: Norbert Lütkenhaus is Professor at the University of Waterloo, Canada, and a member of the Institute for Quantum Computing, and an affiliate member of the Perimeter Institute. He is working in the overlap area of Quantum Communication Theory and Quantum Optics, reaching from fundamental abstract questions to applications. He is well known for bringing theory and practise of quantum communication protocols together, thus enabling emerging quantum technology to become practical. The scientific career included stages in Glasgow, Innsbruck, Helsinki and Erlangen (Emmy Noether Research Group) before moving to Waterloo. His career also includes industrial elements, such as a position with MagiQ Technologies to develop the first commercial Quantum Key Distribution device. He is also co-founder and CTO of evolutionQ, a company centered around services and products in quantum-safe technologies.

Prof. Christof Paar (Ruhr-Universität Bochum)

How to Attack the IoT with hardware Trojans

Abstract: Countless systems ranging from consumer electronics to military equipment are dependent on integrated circuits (ICs). A surprisingly large number of such systems are already security-critical, e.g., automotive electronics, medical devices, or SCADA systems. If the underlying ICs in such applications are maliciously manipulated through hardware Trojans, the security of the entire system can be compromised. In recent years, hardware Trojans have drawn the attention of the scientific community and government. Initially, the primary attacker model was a malicious foundry that could alter the design, i.e., introduce hardware Trojans which could interfere with the functionality of a chip. Many other attacker models exist too. For instance, a legitimate IC manufacturer, such as a consumer electronics company, might be in cohort with a national intelligence agency and could alter its products in a way that compromises their security.

Even though hardware Trojans have been studied for a decade or so in the literature, little is known about how they might look, especially those that are particularly designed to avoid detection. In this talk we introduce several low-level manipulation attacks against embedded systems, targeting two popular types of hardware platforms, ASICs and FPGAs.

Bio: Christof Paar has the Chair for Embedded Security at Ruhr University Bochum and is affiliated professor at the University of Massachusetts Amherst. He co-founded CHES (Cryptographic Hardware and Embedded Systems), the leading international conference on applied cryptography. Christof’s research interests include efficient crypto implementations, hardware security, and security analysis of real-world systems. He also works on applications of embedded security, e.g., in cars or consumer devices. He holds an ERC Advanced Grant in hardware security and is spokesperson for the doctoral research school SecHuman. Christof has over 180 peer-reviewed publications and he is co-author of the textbook Understanding Cryptography. He is Fellow of the IEEE and was recipient of an NSF CAREER Award, the German IT Security Award and the Innovation Prize NRW. He has given numerous invited talks, including presentations at MIT, Yale, Stanford, IBM Research and Intel.

Prof. Bart Preneel (University of Leuven)

The Future of Security

Abstract: This talk looks at the major trends in information technology and their impact on security: these include the Internet of Things, Big Data, and the shift towards cloud architectures. While society is becoming more and more critically dependent on these technologies, governments are exploiting them for mass surveillance and are escalating a cyber war with a major risk for proliferation of powerful tools. At the same time, the crypto wars of the 1990s are returning to center stage. This talk will reflect on how these new threat models affect future research in cryptology and information security.

Bio: Bart Preneel is a full professor at the KU Leuven, where he heads the imec-COSIC research group, that has 80 members. He has authored numerous scientific publications and is inventor of five patents. His research interests are cryptography, cybersecurity and privacy. He is president of LSEC and has been president of the IACR. He has been invited speaker at more than 120 conferences in more than 40 countries. In 2014 he received the RSA Award for Excellence in the Field of Mathematics and in 2016 he received the Kristian Beckman Award from IFIP TC11. He is a fellow of the IACR and a member of the Academia Europaea. He frequently consults for the technology and financial sectors and is involved with several start-ups in the area of e-security.

Gang Qu (University of Maryland)

Hardware Security: A Battle of Information

Abstract: Hardware is the root of computing and communication and should also be the root for security and trust. In this talk, we will discuss the problems that the hardware security research community has been facing and the solutions we have provided in the past two decades from the angle of information battle between attackers and defenders. The topics will include intellectual property protection (watermarking, fingerprinting, logic obfuscation), side channel analysis, physical unclonable function, and hardware Trojan.

Bio: Gang Qu received his B.S. in mathematics from the University of Science and Technology of China and Ph.D. in computer science from the University of California, Los Angeles. He is currently a professor in the Department of Electrical and Computer Engineering and Institute for Systems Research at the University of Maryland at College Park, where he is also a member of the Maryland Cybersecurity Center and the Maryland Energy Research Center. Dr. Qu is the director of Maryland Embedded Systems and Hardware Security (MeshSec) Lab and the Wireless Sensors Laboratory. His primary research interests are in the area of embedded systems and VLSI CAD with focus on low power system design and hardware related security and trust. He is known for his contributions to dynamic voltage scaling and VLSI intellectual property protection with digital watermark and fingerprint, as well as silicon physical unclonable functions, trusted integrated circuit design, and hardware assisted IoT security. He has served as general chair and program chair for ACM GLSVLSI, IEEE HOST, IEEE AsianHOST and more than a half dozen workshops related to cybersecurity. He teaches a popular Coursera MOOC on “Hardware Security”.

Prof. Peter Ryan (Universität Luxemburg)

Securing the Foundations of Democracy

Abstract: Democracy is under threat. This has been highlighted by the recent US presidential election which was fraught with suspicions of hacking of voting technologies, the campaign processes, media bias and fake news, information bubbles in social media etc. Many of these problems arise from insecurities in digital technologies. The partial recounts conducted, against fierce legal opposition, in Pennsylvania, Michigan and Wisconsin did not produce evidence of vote manipulation, but they did serve to expose the serious vulnerabilities in many US voting technologies, in particular the pure electronic, paperless (DRE) devices.

In this talk I focus on the technologies surrounding the conduct of elections, a small but important element in the problem, but one in which significant progress has been made in recent years. I argue that elections should be “evidence based”, that is to say they should be conducted in such a way as to produce sufficient evidence to convince even sceptics, e.g. the losers, that the announced result is a true reflection of the legitimately cast votes. But we must of course balance such transparency against requirements of ballot privacy and coercion resistance. I will overview recent advances in “end-to-end verifiable” schemes and risk-limiting audits.

Bio: Peter Ryan is full Professor of Applied Security at the University of Luxembourg. He has over 20 years of experience in cryptography, information assurance and formal verification. He pioneered the application of process algebras to modelling and analysis of secure systems. Ryan has published extensively on cryptography, cryptographic protocols, mathematical models of computer security and, most recently, high assurance voting systems. He is the creator of Prêt à Voter, Pretty Good Democracy (with Vanessa Teague) and OpenVote (with Feng Hao) and Selene (with P Roenne and V Iovino) verifiable voting schemes. With Feng Hao he proposed the Password Authenticated Key Establishment Protocol J-PAKE. Peter Ryan has been on program committees of numerous prestigious security conferences, notably: IEEE Security and Privacy, IEEE Computer Security Foundations Workshop, the European Symposium On Research In Computer Security (ESORICS), WITS (Workshop on Issues in Security). He was Chair of WITS’04 (Workshop on Issues in the Theory of Security) and Co-chair of ESORICS in 2004 and 2015, co-chair of Frontiers of Electronic Elections FEE 2005, Chair WOTE 2007 (Workshop On Trustworthy Elections). From 1999 to 2007 he was the Chair of the ESORICS Steering Committee. He founded and co-chaired the new workshop series Voting’16 and Voting’17 in association with Financial Crypto. He is a Visiting Professor at the University of Surrey and the ENS Paris.

Prof. Moti Yung (Snapchat)

Live and Let Die: Stalking-Free Tracking of Your Internet Things

Abstract: The Internet of Things (IoT) is expected to connect together a huge number of physical objects over the global Internet. BLE beacons are a typical case of relatively small devices which can compute and broadcast their location so as to allow tracking of objects/locations (physical things) they are attached to. An example of this is a suitcase which includes a beacon and can broadcast its location so it can be found locally (in an airport) or found globally (in case it is lost in another airport). This global utility application allows tracking and prevents loss, however at the same time it seems to inherently allow stalking (i.e., a stalking adversary can follow the suitcase and imply with high certainty the location of its owner). A system overhaul seems to be needed to cut the above Gordian knot, so as to allow efficient active tracking to live over the globe, while killing attempts of stalkers to violate the privacy of suitcase owners.

In this talk we describe such a solution which involves cryptography, side-channel mitigations, and a collaborative communications effort among beacons, mobile devices, a global cloud, and dedicated trusted parties, to all work together to allow functionality, security, and privacy. I will cover the process by which the system was designed in principle, reduced to practice to allow it to perform efficiently, and was implemented, tested, and adopted as an industry standard.

The work demonstrates a design principle of the IoT: A mere transfer of things to the Internet (just adding remote control and communication) opens new attack vectors, due to the new context of global connectivity (and such naive attempts have been shown to fail miserably). In fact, a thing which is made globally connected over the Internet strongly requires the consideration of new adversaries and a completely fresh design from a security and privacy perspective.

Bio: Moti Yung is a computer scientist whose main interests are in cryptography, security, and privacy. He is currently with Snap Inc, and has been holding adjunct faculty appointments at Columbia University where he has co-advised several Ph.D. students over the years. He is a Fellow of ACM, IEEE, IACR, and EATCS. Previously, over a 30-year career, he was with IBM Research, CertCo, RSA Lab, and Google Inc. Dr. Yung made extensive contributions to the foundation of modern cryptography and to basic cryptographic and security technology mechanisms, as well as to innovative secure industrial technology within actual large scale systems, including the Greek National Lottery system, the security and privacy aspects of Google's global systems such as the Ad Exchange (ADX) and the ephemeral ID efforts for Google’s BLE beacons, and Snap’s “my eyes only memories” cloud security. His invention of the notion of “Cryptovirology” over 20 years ago predicted “ransomware attacks” as well as “algorithm substitution attacks on crypto systems and standards” such as the Dual_EC_DRBG subversion.