- Keynote 1: Virgil Gligor
- Title: Establishing and Maintaining Root of Trust on Commodity Computer Systems
- Date : July 9th, 2019
Abstract:
Suppose that a trustworthy program must be booted on a commodity system that may contain persistent malware. Establishing root of trust (RoT) assures the system has all and only the content chosen by a trusted verifier or the verifier discovers unaccounted content, with high probability. Hence, RoT establishment assures that verifiable boot takes place in a malware-free state, whp. Obtaining such an assurance is challenging because malware can survive in system states across repeated secure- and trusted-boot operations and act on behalf of a powerful remote adversary; e.g., anti-malware tools do not have malware-unmediated access to device controllers’ processors and memories nor prevent remote malware connections over the internet. I this presentation, I will illustrate both the theoretical and practical challenges of RoT establishment unconditionally; i.e., without secrets, privileged modules (e.g., TPMs, RoMs, HSMs), or adversary computation bounds. I will also illustrate the only unconditional solution to these challenges known in security or cryptography known to date.
Establishing root of trust is important because makes all persistent malware ephemeral and forces the adversary to repeat the malware-insertion attack, perhaps at some added cost. Nevertheless, some malware-controlled software can always be assumed to exist in commodity operating systems and applications. The inherent size and complexity of their components (aka the “giants”) render them vulnerable to successful attacks. In contrast, small and simple software components with rather limited function and high-assurance layered security properties (aka the “wimps”) can, in principle, be resistant to all attacks. Maintaining root of trust assures a user that a commodity computer’s wimps are isolated from, and safely co-exist with, adversary-controlled giants. However, regardless how secure program isolation may be (e.g., based on Intel’s SGX), I/O channel isolation must also be achieved despite the pitfalls of commodity architectures that encourage I/O hardware sharing, not isolation. In this presentation, I will also illustrate the challenges of I/O channel isolation and present and approach that enables the co-existence secure wimps with insecure giants, via an example of an experimental system; i.e., on-demand isolated I/O channels, which were designed and implemented at CMU’s CyLab.
Biography:
Virgil D. Gligor received his B.Sc., M.Sc., and Ph.D. degrees from the University of California at Berkeley. He taught at the University of Maryland between 1976 and 2007, and is currently a Professor of ECE at Carnegie Mellon University. Between 2007 and 2015 he was the co-Director of CyLab. Over the past forty-five years, his research interests ranged from access control mechanisms, penetration analysis, and denial-of-service protection, to cryptographic protocols and applied cryptography. Gligor was an Associate Editor of several ACM and IEEE journals and the Editor in Chief of the IEEE Transactions on Dependable and Secure Computing. He received the 2006 National Information Systems Security Award jointly given by NIST and NSA, the 2011 Outstanding Innovation Award of the ACM SIG on Security Audit and Control, and the 2013 Technical Achievement Award of the IEEE Computer Society. In 2019 he was inducted to the National Cyber Security Hall of Fame.
- Keynote 2: Surya Nepal
- Title: Security is the Weakest Link: Prevalent Culture of Victim Blaming in Cyberattacks
- Date : July 10th, 2019
Abstract:
The effectiveness of cybersecurity measures is often questioned in the wake of hard-hitting security events. Despite much work being done in the field of cybersecurity and general cybersecurity awareness, cyber-attacks and data breaches are on the rise every year. Humans are considered the weakest link in the information security chain. However, most of the blame is put on the end users and their awareness of security and safe use of the cyber systems. It is often forgotten that these systems are also built by humans and they should also bear some responsibilities for introducing bugs and vulnerabilities that can be easily exploited by cyber attackers. This talk aims to highlight the current culture of blaming the victims prevalent in the cybersecurity research community, present the current research initiatives in human centric cybersecurity, and outline the potential future research areas.
Biography:
Dr Surya Nepal is a Senior Principal Research Scientist at CSIRO Data61. He currently leads the distributed systems security group consisting of 15 staff and 57 PhD students. His main research focus is in the development and implementation of technologies in the area of distributed systems (including cloud, IoT and edge computing) and social networks, with a specific focus on security, privacy and trust. He has more than 200 peer-reviewed publications to his credit. He has co-edited three books including security, privacy and trust in cloud systems by Springer, and co-invented 3 patents. He has successfully supervised a number of PhD students. He is a member of the editorial boards of IEEE Transactions on Service Computing, ACM Transactions on Internet Technology and Frontiers of Big Data- Security Privacy, and Trust. He is currently a theme leader of Cybersecurity Cooperative Research Centre (CRC), a national initiative in Australia. He holds conjoint faculty position at UNSW and an honorary professor position at Macquarie University.
- Keynote 3: Heiko Mantel
- Title: From Attacker Models to Reliable Security
- Date : July 11th, 2019
Abstract:
Attack trees are a popular graphical notation for capturing threats to IT systems. They can be used to describe attacks in terms of attacker goals and attacker actions. By focusing on the viewpoint of a single attacker and on a particular attacker goal in the creation of an attack tree, one reduces the conceptual complexity of threat modeling substantially. Aspects not covered by attack trees, like the behavior of the system under attack, can then be described using other models to enable a security analysis based on a combination of the models.
Despite the high popularity of attack trees in security engineering for many years, some pitfalls in their use were identified only recently. In this talk, I will point out such difficulties, outline how attack trees can be used in combination with system models, and clarify the consequences of different combinations for security analysis results. After a security analysis of an abstract model, the insights gained need to be mapped to reality. I will introduce an automata-based model of run-time monitors and will show how defenses in this model can be realized at runtime with the CliSeAu system.
Biography:
Heiko Mantel is a full professor for Computer Science at TU Darmstadt. His research interests in IT security include language-based security, security engineering, information-flow security, and side-channel analysis. From 2010 to 2017, he was the spokesman of the national research initiative Reliably Secure Software Systems, funded by the German Science Foundation. Since 2018, he leads the Software-Factory 4.0 project, which aims for efficient, flexible and reliable solutions to software re-engineering, funded by the state of Hesse. He is and has been involved in many other research projects as principal investigator, including CASED, CRISP, CROSSING, and EC-SPRIDE.
Before joining TU Darmstadt in 2007, Heiko Mantel was an assistant professor at RWTH Aachen, a postdoc at ETH Zurich, and a researcher at the German Research Center for Artificial Intelligence in Saarbrucken. He received his Ph.D. from Saarland University in 2003.