Wednesday, November 2


Early Registration 3:00 – 6:00 pm

Thursday, November 3


Registration 7:00 – 8:00 am

Breakfast 8:00 – 9:00 am

General Chair Introduction

IEEE SecDev 20169:00 – 9:15 am
–R. Cunningham

Lorrie Faith Cranor
US Federal Trade Commission's Chief Technologist
Professor, Carnegie Mellon University
Adventures in Usable Privacy and Security: From Empirical Studies to Public Policy9:15 – 10:00 am

Lorrie portraitWhy are usability studies important for security and privacy? How can usable security researchers put study participants in realistic risky situations without actually putting them at risk? Why might it be counterproductive to mandate frequent password changes? How are identity thieves able to hijack mobile phone accounts? Lorrie Cranor will discuss the answers to these and other questions she has been exploring as both a usable security researcher and the Chief Technologist at the Federal Trade Commission.

Jonathan Katz
Director, Maryland Cybersecurity Center
Professor, University of Maryland
How to Think about Cryptography: Common Crypto Flaws and How to Avoid Them10:00 – 10:45 am

UMIACS - Dr. Jonathan KatzCryptography offers strong guarantees, even promising things like provable security. Yet in practice, time and again, systems are deployed with crypto flaws of various types. How can we explain this disconnect? We will discuss what provable security means and how it can be usefully interpreted by developers, cover some common crypto errors, and offers suggestions for how to improve current practice.


Refreshments10:45 – 11:15 am

Jeremy Epstein
DARPA, Information Innovation Office Program Manager
Developing Automated Analysis Tools for Space/Time Sidechannel Detection11:15 – noon

Jeremy Epstein joined DARPA’s Information Innovation Office (I2O) in 2016 as a program manager.  He currently leads the STAC (Space/Time Analysis for Cybersecurity) and Brandeis programs, and is working on defining new programs.  Prior to joining DARPA, he spent four years leading the National Science Foundation’s Secure and Trustworthy Cyberspace (SaTC) program.  His research interests include voting system security and software assurance.  He’s associate editor in chief of IEEE Security & Privacy Magazine, and founder of ACSA’s Scholarships for Women Studying Information Security (SWSIS).  His hobbies include bicycling and chocolate.


Lunchnoon – 1:20 pm

Innovations in Cybersecurity

Research Program Introduction1:20 – 1:40 pm
-Michael Hicks

Towards More Secure Systems
Session Chair: Ulf Lindqvist (SRI International)

You Are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users1:40 – 2:00 pm
–Y. Acar, S. Fahl (CISPA, Saarland University), M. Mazurek (University of Maryland)

Toward Semantic Cryptography APIs2:00 – 2:20 pm
–S. Indela, M. Kulkarni, K. Nayak, T. Dumitras (University of Maryland)

Operational Security Log Analytics for Enterprise Breach Detection2:20 – 2:40 pm
–Z. Li (RSA), A. Oprea (Northeastern University)


Refreshments2:40 – 3:00 pm

Exploring Secure Design
Session Chair: Vineet Mehta (MITRE)

Hints for High-Assurance Cyber-Physical System Design3:00 – 3:20 pm
–L. Pike (Galois, Inc.)

Design Space Exploration for Security3:20 – 3:40 pm
–E. Kang (University of California, Berkeley)

Static Analysis Alert Audits: Formal Lexicon and Rules3:40 – 4:00 pm
–D. Svoboda, L. Flynn, W. Snavely (CERT)

The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them4:00 – 4:20 pm
–F. Momot (Leviathan Security Group), S. Bratus (Dartmouth College), S. Hallberg (TUHH), M. Patterson (Upstanding Hackers, Inc.)

Software Security Investment: The Right Amount of a Good Thing4:20 – 4:40 pm
–C. Heitzenrater (University of Oxford / US Air Force Research Laboratory), A. Simpson (University of Oxford)


Refreshments4:40 – 5:00 pm

Lightning Talks
Session Chair: Summer Fowler (CERT)

5-Minute Position Papers5:00 – 6:00 pm

A Case for Combining Industrial Pragmatics with Formal Methods; Eric McCorkle (Codiscope)

Avoiding insecure C++; Aaron Ballman, David Svoboda (Carnegie Mellon)

Dependency-based Attacks on Node.js; Brian Pfretzschner (Technical University of Darmstadt, Germany), Lotfi ben Othmane (Fraunhofer SIT, Germany)

Maintaining Authorization Hook Placements Across Program Versions; Nirupama Talele (Penn State University); Divya Muthukumaran (Imperial College, London); Trent Jaeger, Gang Tan (Penn State University)

MOSAIC: A Platform for Monitoring and Security Analytics in Public Clouds; Alina Oprea (Northeastern University); Ata Turk (Boston University); Cristina NIta-Rotaru (Northeastern University); Orran Krieger (Boston University)

Secure Coding for Real-Time Embedded Systems: Cert Run-Time Profile for Ada; Mable Benjamin (Georgia Tech Research Institute)

Secure MPC for Analytics as a Web Application; Andrei Lapets, Nikolaj Volgushev, Azer Bestavros, Frederick Jansen, Mayank Varia (Boston University)

Secure Multiparty Computation for Cooperative Cyber Risk Assessment; Kyle Hogan, Noah Luther, Nabil Schear, Emily Shen, David Stott, Sophia Yakoubov, Arkady Yerukhimovich (MIT Lincoln Laboratory)

Towards building practical secure multi-party databases; Yuzhe Tang, Wenqing Zhuang (Syracuse University)


Ballroom6:00 – 8:00 pm

Friday, November 4


Breakfast 8:00 – 9:00 am

Security Enforcement Techniques
Session Chair: Sam Weber (NYU)

Security Guarantees for the Execution Infrastructure of Software Applications9:00 – 9:20 am
–F Piessens, D. Devriese, J. Tobias Muehlberg, R. Strackx (KU Leuven)

Applying the Opacified Computation Model to Enforce Information Flow Policies in IoT Applications9:20 – 9:40 am
–A. Rahmati, E. Fernandes, A. Prakash (U. of Michigan)

Certified Lightweight Contextual Policies for Android9:40 – 10:00 am
–N. Seghir, D. Aspinall, L. Marekova (U. of Edinburgh)

Enforcing Content Security by Default within Web Browsers10:00 – 10:20 am
–C. Kerschbaumer (Mozilla Corporation)

Leveraging Data Provenance to Enhance Cyber Resilience10:20 – 10:40 pm
–T. Moyer, P. Cable, K. Chadha, R. Cunningham, N. Schear, Warren Smith (MIT Lincoln Laboratory)


Refreshments10:40 – 11:00 am

Secure Defenses
Session Chair: Stelios Sidiroglou-Douskos (MIT)

Self-Verifying Execution11:00 – 11:20 am
–M. McCutchen (MIT), D. Song (Rice), S. Chen, S. Qadeer (Microsoft Research)

Code Randomization: Haven’t We Solved This Problem Yet?11:20 – 11:40 am
–S. Crane, A. Homescu, P. Larsen (Immunant, Inc.)

Automated Code Repair Based on Inferred Specifications11:40 – noon
–W. Klieber (SEI | CMU)

Building Robust Distributed Systems and Network Protocols by Using Adversarial Testing and Behavioral Analysisnoon – 12:20 pm
–E. Hoque, C. Nita-Rotaru (Northeastern University)


Tutorial Announcement12:20 – 12:30 pm
–Stelios Sidiroglou-Douskos

SecDev 201712:30 pm
–Summer Fowler


Registration for student guests and discussions with donors12:30 – 1:30 pm

Full tutorial descriptions are found here

Tutorials, Session 1

Security of Web Design Adopting Strict Content Security Policy for XSS Protection
1:30 – 3:00 pm
-Lukas Weichselbaum, Michele Spagnuolo, Artur Janc (Google)

Static Analysis Techniques How to Find and Fix Software Vulnerabilities with Coverity Static Analysis1:30 – 3:00 pm
-Bill Baloglu (Coverity)

Dynamic Testing Techniques Continuous fuzzing with libFuzzer and AddressSanitizer1:30 – 3:00 pm
-Kostya Serebryany (Google)

Security Engineering Beyond errno: Error Handling in “C”1:30 – 3:00 pm
-David Svoboda (SEI | CMU)

Secure Development Operations Software Vulnerabilities, Defects, and Design Flaws: A Technical Debt Perspective1:30 – 3:00 pm
-Robert L Nord, Ipek Ozkaya (SEI | CMU)


Refreshments3:00 – 3:30 pm

Tutorials, Session 2

Security of Web Design Safe Client/Server Web Development with Haskell3:30 – 5:00 pm
-Mark Mazumder, Timothy Braje (MIT Lincoln Laboratory)

Static Analysis Techniques Auditing Code for Security Vulnerabilities with CodeSonar3:30 – 5:00 pm
-David Vitek (GrammaTech, Inc)

Dynamic Testing Techniques Using Dr. Fuzz, Dr. Memory, and Custom Dynamic Tools for Secure Development3:30 – 5:00 pm
-Derek Bruening, Qin Zhao (Google)

Security Engineering Codiscope SecureAssist™ – The Developer’s Security Assistant3:30 – 5:00 pm
-Nivedita Murthy (Cigital Inc)

Secure Development Operations Secure DevOps Process and Implementation3:30 – 5:00 pm
-Hasan Yasar, Kiriakos Kontostathis (SEI | CMU)