Agenda
Registration
12:30pm – 7:00pm
Exhibits open
1:30pm – 5:00pm
Tutorial Session A
1:30pm – 3:00pm
Java Deserialization Vulnerabilities and Mitigations
Robert Seacord (NCC Group)
Auditing Static Analysis Alerts Using a Lexicon & Rules
Lori Flynn, David Svoboda, William Snavely (SEI)
angr – The Next Generation of Binary Analysis, Part I
Fish (Ruoyu) Wang, Yan Shoshitaishvili (Arizona State University)
BREAK
3:00pm – 3:30pm
Tutorial Session B
3:30pm – 5:00pm
Input Handling Done Right: Building Hardened Parsers using Language-theoretic Security
Prashant Anantharaman (Dartmouth College), Michael C. Millian (Dartmouth College), Sergey Bratus (Dartmouth College), Meredith L. Patterson (Upstanding Hackers, Inc.)
Automated Assessment Tools and the Software Assurance Marketplace (SWAMP)
James A. Kupsch (University of Wisconsin)
angr – The Next Generation of Binary Analysis, Part II
Fish (Ruoyu) Wang, Yan Shoshitaishvili (Arizona State University)
Reception
5:00pm – 7:00pm
Poster session
5:00pm – 7:00pm
Blockchain Technology for Intelligent Vehicles
Madhusudan Singh (Yonsei Institute of Convergence Technology, South Korea), and Shiho Kim (Yonsei University)
Dynamic Flow Isolation
Richard Skowyra (MIT Lincoln Laboratory), Steven Gomez (MIT Lincoln Laboratory), David Bigelow (MIT Lincoln Laboratory), James Landry (MIT Lincoln Laboratory), and Hamed Okhravi (MIT Lincoln Laboratory)
Semi-Automatic Synthesis of Security Rules
Leo St. Amour and George Baah (MIT Lincoln Laboratory)
Enabling Large-scale Anonymous-yet-Accountable Crowdsensing
Sazzadur Rahaman (Virginia Tech), Long Cheng (Virginia Tech), Danfeng (Daphne) Yao (Virginia Tech), He Li (Virginia Tech), and Jung-Min (Jerry) Park (Virginia Tech)
Identifier Binding Attacks and Defenses in Software-Defined Networks
Samuel Jero (Purdue University), William Koch (Boston University), Richard Skowyra (MIT Lincoln Laboratory), Hamed Okhravi (MIT Lincoln Laboratory), Cristina Nita-Rotaru (Northeastern University), and David Bigelow (MIT Lincoln Laboratory)
Creating Abuse Cases Based on CAPEC Attack Patterns
Imano Williams (North Carolina Agricultural & Technical State University), Xiaohong Yuan (North Carolina Agricultural & Technical State University)
Practical Challenges of Type Checking in Control Flow Integrity
Reza Mirzazade Farkhani (Northeastern University), Sajjad Arshad (Northeastern University), Saman Jafari (Northeastern University)
Registration
7:00am – 5:00pm
Exhibits
8:00am – 5:00pm
Breakfast
8:00am – 9:00am
Welcome
9:00am – 9:15am
Keynote I: Secure Design: A Better Bug Repellent
9:15am – 10:15am
Over the past several years we have developed design patterns that, when applied to application architecture, API and framework design, do indeed result in a drastic reduction if not elimination of the potential for certain types of defects to occur in application code.
This talk will briefly summarize our perception of the limitations of traditional approaches to software security. We will then give examples of secure design patterns we have developed, and discuss how we were able to apply them at scale to frameworks and APIs that form the basis of Google flagship products such as GMail, Docs, Search, G+ and many others.
BREAK
10:15am – 10:40am
Session 1: Helping Developers
10:40am – 12:15pm
Session Chair: Daphne Yao, Virginia Tech
10:45am – 11:15am
Raghudeep Kannavara, Gilad Gressel, Damilare Fagbemi, Richard Chow (Intel Corp)
11:15am – 11:45am
Jim Whitmore, Will Tobin (IBM)
Yasemin Acar (Leibniz University Hannover); Christian Stransky, Dominik Wermke (CISPA, Saarland University); Charles Weir (Lancaster University); Michelle Mazurek (University of Maryland, College Park); Sascha Fahl (Leibniz University Hannover)
Lunch
12:15pm – 1:15pm
Keynote II: Defense-in-depth at Facebook with Static Analysis
1:15pm – 2:15pm
BREAK
2:15pm – 2:40pm
Session 2: Preventing Vulnerabilities Systematically
2:40pm – 4:45pm
Session Chair: Christian Skalka, University of Vermont
2:45pm – 3:15pm
Komail Dharsee, Ethan Johnson, John Criswell (University of Rochester)
3:15pm – 3:45pm
Jonathan Ganz, Sean Peisert (University of California, Davis)
Scott Ruoti (MIT Lincoln Laboratory); Kent Seamons, Daniel Zappala (Brigham Young University)
Sam Weber (New York University); Michael Coblenz, Brad Myers, Jonathan Aldrich, Joshua Sunshine (Carnegie Mellon University)
Invited Talk: Enhancing Cybersecurity Education Through Active, Challenge-Based, Learning Exercises
4:45pm – 5:05pm
For educators, a key challenge lies in designing experiences that invite students to explore creative applications of what they know as a means to solving a semi-structured, or even unstructured, problem. Passive exercises (e.g., those that tell students what to do or provide a series of commands to run) rarely hold learners' attention or engage them in ways that promote mastery of the subject, and do not promote independence in learning. On the other hand, for students to become lifelong learners, it is imperative that they take responsibility for their own professional development beyond the classroom. Toward that end, we have embarked on an effort to create an engaging, fun, challenge-based tournament that provides learners with material that holds their interest and engages them in ways that encourage independent or team-based learning through an active exercise. The exercise is built on the belief that in order to advance cybersecurity education, we must provide platforms that allow individual learners to perform tasks in ways that are most similar to the real-world environment for which they are preparing.
Specifically, in this short talk, we introduce a challenge-based game framework called Riposte1 built to support active learning exercises in protocol and binary reverse engineering. In Riposte, student learners are challenged to find ways to defeat automated clients (that, for example, collude against the learner) in a top-down multi-player shooter game. As the learners' skills improve (e.g., by reaching different levels in the game), the automated clients also adapt their offensive strategies, thereby forcing the learner(s) to enhance their own skills to reach the next level. To stay atop the leaderboard, learners can choose to collaborate to accomplish several tasks, including taking advantage of weak client authentication, abusing weaknesses in data confidentiality to decrypt client-server messages, leveraging weaknesses in integrity protections (e.g., via bit-flipping attacks) to unmask new game functionality, mapping network messages to game play, redirecting code paths, etc. For educators, the framework provides mechanisms that allow a fresh version of the game client to be downloaded every time a client connects to the game server, thereby encouraging learners to design automated ways to patch a new client or adapt their existing (modified) client in ways that still abide by the learned protocol specifications. For educators, we also provide a simplified language for writing the automated clients, ways to support the formation of teams, hints for learners, and game documentation, all within IEEE's Try-CybSI web platform. We also report on our experience using Riposte as part of a semester-long tournament at our home institution.
________
1The term for a counterattack or quick retaliatory move in fencing.
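The abstract above lists "bit-flipping attacks" against weak integrity protection as one of the learner tasks. The following is an added, self-contained illustration of that class of weakness and its standard fix; it is not Riposte code and makes no claim about Riposte's actual protocol. It uses a constructed toy stream cipher (keystream from SHA-256 over key, nonce and counter, standing in for any unauthenticated mode such as CTR, where ciphertext bits map one-to-one onto plaintext bits) and a constructed game message; the message format, field names and key sizes are all assumptions for the demo.

```python
import hashlib
import hmac
import os

TAG_LEN = 32    # HMAC-SHA256 output length
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), concatenated.
    Constructed for the demo only; it models the malleability of a real
    unauthenticated stream/CTR mode, not its security."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Unauthenticated encryption/decryption (same operation both ways)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def flip_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker step: with no key, rewrite plaintext bytes the attacker already
    knows (e.g. from the protocol spec) into chosen bytes. Because
    ct = pt XOR ks, XORing ct with (known XOR wanted) yields wanted on decrypt."""
    if len(known) != len(wanted):
        raise ValueError("replacement must have the same length as the known bytes")
    ct = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= k ^ w
    return bytes(ct)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Hardened form: encrypt-then-MAC over nonce and ciphertext (separate keys)."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_verified(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Reject any ciphertext whose tag does not verify before touching the plaintext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed")
    return xor_crypt(enc_key, nonce, ct)


def demo(enc_key: bytes, mac_key: bytes, nonce: bytes):
    """Run the attack against both designs. Returns (forged_plaintext, rejected)."""
    # Constructed game message; the attacker knows the layout, not the key.
    msg = b"action=MOVE;player=42;team=BLUE"
    offset = msg.index(b"BLUE")

    # 1. Unauthenticated: the server decrypts a team switch it never sent.
    ct = xor_crypt(enc_key, nonce, msg)
    forged = xor_crypt(enc_key, nonce, flip_field(ct, offset, b"BLUE", b"RED!"))

    # 2. Encrypt-then-MAC: the same flip is detected and dropped.
    blob = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    body = flip_field(blob[NONCE_LEN:-TAG_LEN], offset, b"BLUE", b"RED!")
    tampered = blob[:NONCE_LEN] + body + blob[-TAG_LEN:]
    try:
        decrypt_verified(enc_key, mac_key, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return forged, rejected


if __name__ == "__main__":
    forged, rejected = demo(os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN))
    print("unauthenticated server sees:", forged)
    print("encrypt-then-MAC rejected tampering:", rejected)
```

The attacker never learns the key: the flip only requires knowing (or guessing) the plaintext bytes at a given offset, which a protocol reverse engineer recovers from message structure. The fix is not a stronger cipher but authentication of the ciphertext with an independent key, checked before decryption; a real implementation would use an AEAD mode rather than the toy keystream here.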
Day 1 Wrap-up
5:05pm – 5:15pm
Birds of a Feather Sessions
5:15pm – 6:00pm
Women in Cybersecurity
Location: Paul Revere room
6:00pm – 6:45pm
Dinner on your own
Registration
7:00am – 5:00pm
Exhibits
8:00am – 3:00pm
Breakfast
8:00am – 9:00am
IEEE Awards
9:00am – 9:30am
The IEEE Cybersecurity Award for Practice
The IEEE Cybersecurity Award for Innovation
General Chair Report and Awards (Committees)
PC Chair Report and Awards (Best Paper, Best Reviewer)
9:30am – 10:30am
Eric Baize (SAFECode, Dell EMC)
BREAK
10:30am – 10:55am
Session 3: Program Support to Improve Security, Part I
10:55am – 12:00pm
Session Chair: Stephen Chong, Harvard University
11:00am – 11:30am
Gustavo Durand (Harvard University); Michael Bar-Sinai (Ben-Gurion University of the Negev); Mercè Crosas (Harvard University)
Sazzadur Rahaman (Virginia Tech); Danfeng (Daphne) Yao (Virginia Tech)
Lunch
12:00pm – 12:55pm
Session 4: Program Support to Improve Security, Part II
12:55pm – 2:00pm
Session Chair: Leigh Metcalf, SEI/CERT
1:00pm – 1:30pm
Fraser Brown (Stanford); Sunjay Cauligi, Yunlu Huang, Brian Johannesmeyer, Gary Soeller, Ranjit Jhala, Deian Stefan (UC San Diego)
1:30pm – 2:00pm
Isis Rose (ICASA/NMT); Nicholas Felts (Praxis Engineering); Alexander George, Emily Miller, Max Planck (ICASA/NMT)
Lightning Talks
2:00pm – 2:50pm
Creating Abuse Cases Based on Attack Patterns: A User Study
Imano Williams and Xiaohong Yuan (North Carolina A&T State University)
Evaluation of Software Vulnerabilities in Vehicle Electronic Control Units
Jesse Edwards, Ameer Kashani, Gopalakrishnan Iyer (DENSO International America Inc.)
Blockchain Based Secure Decentralized Vehicle Communication
Madhusudan Singh and Shiho Kim (Yonsei University)
Complexity: The Silent Cyber Adversary
Robert Gardner (New World Technology Partners) and Isis Rose (New Mexico Institute of Mining and Technology)
Secure Systems Require System Engineering
Dan Lyon (Synopsys)
Challenges and Solutions for Automated Repair of C Code
William Klieber (Software Engineering Institute-Carnegie Mellon University)
Secure and Trustworthy Cyberspace (SaTC) Program
Sol Greenspan (National Science Foundation)
Cyber Security for Intelligent Autonomous Vehicles
Shiho Kim (Yonsei University)
Proposed College Curriculum Changes for Producing Secure Developers
Christine Fossaceca (MIT Lincoln Laboratory), Leah Goggin (Massachusetts Institute of Technology), and Elitza Neytcheva (University of Massachusetts-Amherst)
Break
2:50pm – 3:15pm
Panel: Building a Business Around Secure Development
3:15pm – 4:45pm
Dr. Nadia Carlsten, Reed Sturtevant, Chris Wysopal, John Steven, and Stephen Boyer
Moderator: Robert Cunningham
Dr. Nadia Carlsten is the program manager for the Transition to Practice (TTP) program in the Cyber Security Division (CSD) of the Homeland Security Advanced Research Projects Agency in DHS S&T. The TTP program identifies promising federally funded cybersecurity research and accelerates its transition from the laboratory to the marketplace through partnerships and commercialization. Prior to her position in CSD, Dr. Carlsten led projects to improve Intellectual Property (IP) management and enterprise innovation, drive research and industrial partnerships, and promote technology transfer and commercialization at Accenture and the U.S. Department of Energy. She is also the founder of Carlsten Innovation LLC, a consultancy that specializes in providing services and solutions for implementing Open Innovation, leveraging IP, and quantifying innovation. She completed the Management of Technology Program at the Haas School of Business and earned degrees in physics and chemistry from the University of Virginia and a doctorate in engineering from the University of California, Berkeley.
Reed Sturtevant is a General Partner at The Engine, a technology venture fund launched by MIT. Reed was a Managing Director at seed venture fund Project 11 and Techstars Boston. He attended MIT and has a background in software. He ran Microsoft Startup Labs in Cambridge and was VP of Technology at Idealab, Boston. Early in his career he created Freelance Graphics which was acquired by Lotus Development Corp. He has been a lecturer at MIT Sloan and is a frequent speaker in MIT entrepreneurship courses and programs.
Chris Wysopal is Co-Founder and Chief Technology Officer at Veracode, which he co-founded in 2006. He oversees technology strategy and information security. Prior to Veracode, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on the subjects of government security and how vulnerabilities are discovered in software. Chris received a BS in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.
John Steven is the Senior Director of Security Technology and Applied Research at Synopsys, with two decades of hands-on experience in software security. Mr. Steven’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, Mr. Steven has provided strategic direction as a trusted adviser to many multinational corporations. Mr. Steven’s keen interest in automation keeps Synopsys technology at the cutting edge. Prior to acquisition by Synopsys, he was CTO and founder of Codiscope, a startup where he led the research and development of next-generation eLearning and static analysis products for developers. He also served as internal CTO of Cigital, the largest independent software security consulting firm prior to its acquisition. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and as the leader of the Northern Virginia OWASP chapter. He speaks with regularity at conferences and trade shows. Mr. Steven holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.
Stephen Boyer is the cofounder and CTO of BitSight Technologies. BitSight provides evidence-based ratings of security effectiveness to help organizations manage their security risk. Previously, Stephen was President and Cofounder of Saperix. He also led R&D programs at MIT Lincoln Laboratory, and he designed, developed, and tested products at Caldera Systems. He holds a bachelor's degree in Computer Science from BYU and a Master of Science in Engineering and Management from MIT.
The panel will be moderated by Dr. Robert Cunningham of MIT Lincoln Laboratory. Dr. Cunningham is the leader of the Secure Resilient Systems and Technology Group and is responsible for initiating and managing research and development programs in cyber resilience and computer security. He also chairs the IEEE Cybersecurity Initiative.
Send advance questions to the Panel through twitter by referencing #IEEESecDev.
Wrap-up and see you at SecDev 2018!
4:45pm – 5:00pm