September 24-26, 2017 At the Hyatt Regency, Cambridge, MA

IEEE Secure Development Conference



Posted on: June 30th, 2017 by Yousef Iskander
Sunday, September 24 2017


12:30pm – 7:00pm

Exhibits open

1:30pm – 5:00pm

Tutorial Session A

1:30pm – 3:00pm

Auditing Static Analysis Alerts Using a Lexicon & Rules

Lori Flynn, David Svoboda, William Snavely (SEI)

angr – The Next Generation of Binary Analysis, Part I

Fish (Ruoyu) Wang, Yan Shoshitaishvili, (Arizona State University)


3:00pm – 3:30pm

Tutorial Session B

3:30pm – 5:00pm

Input Handling Done Right: Building Hardened Parsers using Language-theoretic Security

Prashant Anantharaman (Dartmouth College), Michael C. Millian (Dartmouth College), Sergey Bratus (Dartmouth College), Meredith L. Patterson (Upstanding Hackers, Inc.)

angr – The Next Generation of Binary Analysis, Part II

Fish (Ruoyu) Wang, Yan Shoshitaishvili, (Arizona State University)


5:00pm – 7:00pm

Poster session

5:00pm – 7:00pm

Blockchain Technology for Intelligent Vehicles
Madhusudan Singh (Yonsei Institute of Convergence Technology, South Korea), and Shiho Kim (Yonsei University)

Dynamic Flow Isolation
Richard Skowyra (MIT Lincoln Laboratory), Steven Gomez (MIT Lincoln Laboratory), David Bigelow (MIT Lincoln Laboratory) , James Landry (MIT Lincoln Laboratory), and Hamed Okhravi (MIT Lincoln Laboratory)

Semi-Automatic Synthesis of Security Rules
Leo St. Amour and George Baah (MIT Lincoln Laboratory)

Enabling Large-scale Anonymous-yet-Accountable Crowdsensing
Sazzadur Rahaman (Virginia Tech), Long Cheng (Virginia Tech), Danfeng (Daphne) Yao (Virginia Tech), He Li (Virginia Tech), and Jung-Min (Jerry) Park (Virginia Tech)

Identifier Binding Attacks and Defenses in Software-Defined Networks
Samuel Jero (Purdue University), William Koch (Boston University), Richard Skowyra (MIT Lincoln Laboratory), Hamed Okhravi (MIT Lincoln Laboratory), Cristina Nita-Rotaru (Northeastern University), and David Bigelow (MIT Lincoln Laboratory)

Creating Abuse Cases Based on CAPEC Attack Patterns
Imano Williams (North Carolina Agricultural & Technical State University), Xiaohong Yuan (North Carolina Agricultural & Technical State University)

Practical Challenges of Type Checking in Control Flow Integrity
Reza Mirzazade Farkhani (Northeastern University), Sajjad Arshad (Northeastern University), Saman Jafari (Northeastern University)


Monday, September 25 2017


7:00am – 5:00pm


8:00am – 5:00pm


8:00am – 9:00am


9:00am – 9:15am

9:15am – 10:15am

Christoph Kern (Google)

Traditionally, software security assurance has focused largely on discovering bugs after the fact (through (fuzz) testing, static analysis, or code review), with a bit of developer education added in. Our experience at Google shows that in practice, this doesn’t work all that well, especially for certain classes of vulnerabilities such as those related to complex, whole-system flows of untrusted data.A step towards addressing this unsatisfactory state of affairs is to change focus from chasing down instances of implementation-level defects and vulnerabilities, and instead treat the mere potential that a particular type of defect could exist as a design flaw at the application architecture and frameworks level.

Over the past several years we have developed design patterns that, when applied to application architecture, API and framework design, do indeed result in a drastic reduction if not elimination of the potential for certain types of defects to occur in application code.

This talk will briefly summarize our perception of the limitations of traditional approaches to software security. We will then give examples of secure design patterns we have developed, and discuss how we were able to apply them at scale to frameworks and APIs that form the basis of Google flagship products such as GMail, Docs, Search, G+ and many others.


10:15am – 10:40am

Session 1: Helping Developers

10:40am – 12:15pm

Session Chair: Daphne Yao, Virginia Tech

Raghudeep Kannavara, Gilad Gressel, Damilare Fagbemi, Richard Chow (Intel Corp)

Jim Whitmore, Will Tobin (IBM)

Yasemin Acar (Leibniz University Hannover); Christian Stransky, Dominik Wermke (CISPA, Saarland University); Charles Weir (Lancaster University); Michelle Mazurek (University of Maryland, College Park); Sascha Fahl (Leibniz University Hannover)


12:15pm – 1:15pm

Keynote II: Defense-in-depth at Facebook with Static Analysis

1:15pm – 2:15pm


2:15pm – 2:40pm

Session 2: Preventing Vulnerabilities Systematically

2:40pm – 4:45pm

Session Chair: Christian Skalka, University of Vermont

Komail Dharsee, Ethan Johnson, John Criswell (University of Rochester)

Jonathan Ganz, Sean Peisert (University of California, Davis)

Scott Ruoti (MIT Lincoln Laboratory); Kent Seamons, Daniel Zappala (Brigham Young University)

Sam Weber (New York University); Michael Coblenz, Brad Myers, Jonathan Aldrich, Joshua Sunshine (Carnegie Mellon University)

Invited Talk: Enhancing Cybersecurity Education Through Active, Challenge­-Based, Learning Exercises

4:45pm – 5:05pm

Fabian Monrose

It is well accepted that student­-centered learning, and in particular, challenge based learning (CBL) ­­­ which employs a multidisciplinary approach in encouraging students to use their knowledge and technology to solve real­world problems ­­­ can be a very effective teaching strategy. In CBL exercises, learners are challenged to draw on prior learning, acquire new knowledge, and use their creativity to arrive at solutions for a specific active learning exercise. Active learning exercises can be thought of as anything that all students in a class are called upon to do other than simply listening to a lecture and taking notes. Typically, learners participate in some form of competition, and so for the most part, learning accelerates because participants are often motivated by the common goal of winning a big prize afterwards.

For educators, a key challenge lies in designing experiences that invite students to explore creative applications of what they know as a means to solving a semi­-structured, or even unstructured, problem. Passive exercise (e.g., that tell students what to do or provide a series to commands to run) rarely hold learners attention or engage them in ways that promote mastery of the subject, and do not promote independence in learning. On the other hand, for students to become lifelong learners, it is imperative that they take responsibility for their own professional development beyond the classroom. Toward that end, we have embarked on an effort to create an engaging, fun, challenge-­based tournament that provides learners with material that holds their interest and engage them in ways that encourages independent or team­-based learning through an active exercise. The exercise is built on the belief that in order to advance cybersecurity education, we must provide platforms that allow individual learners to perform tasks in ways that are most similar to the real­-world environment for which they are preparing.

Specifically, in this short talk, we introduce a challenge-­based game framework called Riposte1 built to support active learning exercises in protocol and binary reverse engineering. In Riposte, student learners are challenged to find ways to defeat automated clients (that, for example, collude against the learner) in a top-­down multi­-player shooter game. As the learners’ skills improve (e.g., by reaching different levels in the game), the automated clients also adapt their offensive strategies, thereby forcing the learner(s) to enhance their own skills to reach the next level. To stay atop the leaderboard, learners can choose to collaborate to accomplish several tasks, including taking advantage of weak client authentication, abusing weaknesses in data confidentiality to decrypt client-­server messages, leveraging weaknesses in integrity protections (e.g., via bit-­flipping attacks) to unmask new game functionality, mapping network messages to game play, redirecting code paths, etc. For educators, the framework provides mechanisms that allow for a fresh version of the game client to be downloaded every time client connects to the game server, thereby encouraging learners to design automated ways to patch a new client or adapt their existing (modified) client in ways that still abide to the learned protocol specifications. For educators, we also provide a simplified language for writing the automated clients, ways to support formation of teams, hints for learners, game documentation, all within IEEE’s Try-­CybSI web platform. We also report on our experience using Riposte as part of a semester-­long tournament at our home institution.

1The term for a counterattack or quick retaliatory move in fencing.

Day 1 Wrap-up

5:05pm – 5:15pm

Birds of a Feather Sessions

5:15pm – 6:00pm

Women in Cybersecurity

How are professional developers to find out what they need to know? –led by Charles Weir
Location: Paul Revere room

We tell software developers to create threat models, to use secure environments, and to keep their libraries and frameworks up to date. We tell them to use security code review tools, and maybe even fuzzing test techniques. But how are they best to find out what is currently a threat in their domain, which environments are best and which libraries are out of date. How do they decide which code review tools are best for their needs, or whether specific test techniques are worth the effort to set them up? This BoF will use a ‘goldfish bowl’. The organiser will take notes on a whiteboard, and deliver a write-up afterwards.
Helping Organize SecDev 2018 –led by Ulf Lindqvist & Dinara Doyle

6:00pm – 6:45pm

Dinner on your own


Tuesday 26 September 2017


7:00am – 5:00pm


8:00am – 3:00pm


8:00am – 9:00am

IEEE Awards

9:00am – 9:30am

The IEEE Cybersecurity Award for Practice
The IEEE Cybersecurity Award for Innovation
General Chair Report and Awards (Committees)
PC Chair Report and Awards (Best Paper, Best Reviewer)

Eric Baize (SAFECode, Dell EMC)

For almost two decades, software security practitioners have successfully defined advanced techniques and tools that can effectively be applied to develop secure software. Today, with tens of millions of developers creating code for all kinds of software-enabled devices, mobile apps and cloud services, we need to expand the conversation to how to scale software security. This talk will challenge developers, organizations and technology buyers to change their culture in order to deliver software security at scale. It will lay out a vision for a Software Culture Code ingrained with security. It will also identify the many stakeholders who are shaping today’s software culture. These stakeholders can have a direct or indirect influence over people and organizations creating or using software and change the way we work, leading to the delivery and deployment of more secure software.


10:30am – 10:55am

Session 3: Program Support to Improve Security, Part I

10:55am -12:00pm

Session Chair: Stephen Chong, Harvard University

Gustavo Durand (Harvard University); Michael Bar-Sinai (Ben-Gurion University of the Negev); Mercè Crosas (Harvard University)

Sazzadur Rahaman (Virginia Tech); Danfeng (Daphne) Yao (Virginia Tech)


12:00pm – 12:55pm

Session 4: Program Support to Improve Security, Part II

12:55pm – 2:00pm

Session Chair: Leigh Metcalf, SEI/CERT

Fraser Brown (Stanford); Sunjay Cauligi, Yunlu Huang, Brian Johannesmeyer, Gary Soeller, Ranjit Jhala, Deian Stefan (UC San Diego)

Isis Rose (ICASA/NMT); Nicholas Felts (Praxis Engineering); Alexander George, Emily Miller, Max Planck (ICASA/NMT)

Lightning Talks

2:00pm – 2:50pm

Creating Abuse Cases Based on Attack Patterns: A User Study

Imano Williams and Xiaohong Yuan (North Carolina A&T State University)

Evaluation of Software Vulnerabilities in Vehicle Electronic Control Units

Jesse Edwards, Ameer Kashani, Gopalakrishnan Iyer (DENSO International America Inc.)

Blockchain Based Secure Decentralized Vehicle Communication

Madhusudan Singh and Shiho Kim (Yonsei University)

Complexity: The Silent Cyber Adversary

Robert Gardner (New World Technology Partners) and Isis Rose (New Mexico Institute of Mining and Technology)

Challenges and Solutions for Automated Repair of C Code

William Klieber (Software Engineering Institute-Carnegie Mellon University)

Secure and Trustworthy Cyberspace (SaTC) Program

Sol Greenspan (National Science Foundation)

Proposed College Curriculum Changes for Producing Secure Developers

Christine Fossaceca (MIT Lincoln Laboratory), Leah Goggin (Massachusetts Institute of Technology), and Elitza Neytcheva (University of Massachusetts-Amherst)


2:50pm – 3:15pm

Panel: Building a Business Around Secure Development

3:15pm – 4:45pm

Dr. Nadia Carlsten, Reed Sturtevant, Chris Wysopal, John Steven, and Stephen Boyer
Moderator: Robert Cunningham

In the wake of on-going cyber-attacks against users (WannaCry), companies (Dyn), and countries (Petya), secure development is becoming increasingly important. Although these attacks are all recent, members of this panel are pioneers who anticipated these attacks. In some cases they are seeking to bring new tools and technologies to defend against these attacks, and in others they have already brought some of the best available tools to market. This panel will explore the process of finding a great idea that will matter, getting some seed funding to build a product, getting help from an incubator, and bringing that product to market.

Dr. Nadia Carlsten is the program manager for the Transition to Practice (TTP) program in the Cyber Security Division (CSD) of the Homeland Security Advanced Research Projects Agency in the DHS S&T. The TTP program identifies promising federally funded cybersecurity research and accelerates transition from the laboratory to the marketplace through partnerships and commercialization. Prior to her position in CSD, Dr. Carlsten led projects to improve Intellectual Property (IP) management and enterprise innovation, drive research and industrial partnerships, and promote technology transfer and commercialization at Accenture and the U.S. Department of Energy. She also is the founder of Carlsten Innovation LLC, a consultancy that specializes in providing services and solutions for implementing Open Innovation, leveraging IP, and quantifying innovation. She completed the Management of Technology Program at the Haas School of Business and earned degrees in physics and chemistry from the University of Virginia and a doctorate in engineering from the University of California, Berkeley.

Reed Sturtevant is a General Partner at The Engine, a technology venture fund launched by MIT. Reed was a Managing Director at seed venture fund Project 11 and Techstars Boston. He attended MIT and has a background in software. He ran Microsoft Startup Labs in Cambridge and was VP of Technology at Idealab, Boston. Early in his career he created Freelance Graphics which was acquired by Lotus Development Corp. He has been a lecturer at MIT Sloan and is a frequent speaker in MIT entrepreneurship courses and programs.

Chris Wysopal is Co-Founder, Chief Technology Officer at Veracode, which he co-founded in 2006. He oversees technology strategy and information security. Prior to Veracode, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. In the 1990’s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on the subjects of government security and how vulnerabilities are discovered in software. Chris received a BS in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.

John Steven is the Senior Director of Security Technology and Applied Research at Synopsys, with two decades of hands-on experience in software security. Mr. Steven’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, Mr. Steven has provided strategic direction as a trusted adviser to many multinational corporations. Mr. Steven’s keen interest in automation keeps Synopsys technology at the cutting edge. Prior to acquisition by Synopsys, he was CTO and founder of Codiscope, a startup where he led the research and development of next-generation eLearning and static analysis products for developers. He also served as internal CTO of Cigital, the largest independent software security consulting firm prior to its acquisition. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and as the leader of the Northern Virginia OWASP chapter. He speaks with regularity at conferences and trade shows. Mr. Steven holds a B.S. in Computer Engineering and an M.S. in Computer Science both from Case Western Reserve University.

Stephen Boyer is the cofounder and CTO of BitSight Technologies. BitSight provides evidence-based ratings of security effectiveness to help organizations manage their security risk. Previously, Stephen was President & Cofounder of Saperix. He also led R&D programs at MIT Lincoln Laboratory, and he designed, developed, and tested products at Caldera Systems. He holds a Bachelors in Computer Science from BYU and Master of Science in Engineering and Management from MIT.

The panel will be moderated by Dr. Robert Cunningham of MIT Lincoln Laboratory. Dr. Cunningham is the leader of the Secure Resilient Systems and Technology Group and is responsible for initiating and managing research and development programs in cyber resilience and computer security. He also chairs the IEEE Cybersecurity Initiative.

Send advance questions to the Panel through twitter by referencing #IEEESecDev.

Wrap up and see you at SecDev 2018!

4:45pm – 5:00pm