IEEE Secure Development Conference

October 18 - 20, 2021
Virtual Conference

Sponsored by the IEEE Computer Society Technical Committee on Security and Privacy


2021 schedule

Posted on: September 29th, 2021 by SecDev

Note: The times listed below are in EDT.

Monday October 18
 Tutorial Track A
09:00am-12:00pm Tutorial: The Correctness-by-Construction Approach to Programming.
Technical Assistant: Kaiyuan Li
Ina Schaefer, Tobias Runge (TU Braunschweig); Loek Cleophas (Eindhoven University of Technology); Bruce W. Watson (Stellenbosch University)
Abstract: The Correctness-by-Construction tutorial focuses on a structured programming approach for correct software development. Besides functional correctness, also non-functional properties such as security properties can be guaranteed using the CbC approach. In this tutorial, the participants learn a good practice to develop software that is midway between formal approaches and a “hack into correctness” style.
12:00pm-01:00pm Break
01:00pm-02:30pm Tutorial: Investigating Advanced Exploits for System Security Assurance.
Technical Assistant: Zichao Zhang
Salman Ahmed (Virginia Tech); Long Cheng (Clemson University); Hans Liljestrand (University of Waterloo); N. Asokan (University of Waterloo and Aalto University); Danfeng (Daphne) Yao (Virginia Tech)
Abstract: Investigation of existing advanced exploits is crucial for system security assurance. One way to achieve system security assurance is through evaluating defenses using qualitative security metrics and accurate measurement methodologies. Analyzing existing exploit techniques can provide crucial insights about qualitative security metrics and measurement methodologies.

In this tutorial, we investigate existing advanced exploit techniques by dividing the exploits into their constituent components. Our analyses focus on the impact of different defense techniques on the individual exploit components. These impact analyses provide insights for finding security metrics/methodologies as well as improving existing defenses. In this tutorial, we aim to focus on Return-Oriented Programming (ROP), Just-In-Time Return-Oriented Programming (JITROP), and Data-Oriented Attacks (DOAs). We aim to cover defenses such as fine-grained Address Space Layout Randomization (ASLR) and pointer protection techniques. More specifically, we aim to quantify the impact of fine-grained ASLR on different components of advanced ROP attacks. Besides, we will demonstrate a data-oriented exploit–an attack technique that circumvents currently deployed defenses– and explore defense techniques for defending against DOAs.

02:30pm-02:45pm Break
02:45pm-04:15pm Tutorial: A Lightweight Web Application for Software Vulnerability Demonstration.
Technical Assistant: Zichao Zhang
Onyeka Ezenwoye, Brandon Steed, David Lee (Augusta University); Yi Liu (UMass Darthmouth)
04:15pm-04:30pm Break
04:30pm-06:00pm Tutorial: Hands-on Tutorial: How Exploitable is Insecure C Code?
Technical Assistant: Miles Frantz
David Svoboda (Software Engineering Institute)
Abstract: C is still one of the most widely-used programming languages today, yet writing insecure code in C is frighteningly easy, and exploiting insecure code is also too easy. This tutorial aims to teach attendees about C from a security perspective, and includes an exercise in understanding how a simple C program works, and can be exploited when written insecurely.


 Tutorial Track B
09:00am-12:00pm Tutorial: LLVM for Security Practitioners.
Technical Assistant: Yiting Sun
John Criswell, Ethan Johnson, Colin Pronovost. (University of Rochester)
12:00pm-01:00pm Break
01:00pm-02:30pm Tutorial: Using RLBox to sandbox unsafe C code.
Technical Assistant: Miles Frantz
Shravan Narayan, Craig Disselkoen, Deian Stefan (UC San Diego)
Abstract: RLBox is a C++ framework for building secure systems from untrusted libraries. RLBox uses a static type system to (1) abstract isolation mechanisms like WebAssembly (2) make data and control flow across the application-library boundary explicit and safe, and (3) help developers retrofit their application with sandboxing. In this tutorial, we first give an overview of RLBox and demonstrate how the RLBox framework helps sandbox a (buggy) C library in a simple C++ application. Then, we walk through the process of using RLBox to sandbox libraries in larger C++ codebases like the Firefox Web browser.
02:30pm-02:45pm Break
02:45pm-06:00pm Tutorial: Making C Programs Safer with Checked C. Preprint
Technical Assistant: Haichuan Ken Xu
Jie Zhou (University of Rochester); Michael Hicks (Correct Computation, Inc.); Yudi Yang, John Criswell (University of Rochester)
Abstract: Despite its well-known lack of memory safety, C is still widely used to write both new code and to maintain legacy software. Extensive efforts to make C safe have not seen wide adoption due to poor performance and a lack of backward compatibility. Checked C is an open-source, safe extension to C that addresses these problems. This hands-on tutorial will introduce attendees to Checked C and provide guidance in the use of 3C, a semi-automatic tool that converts legacy C code to Checked C.
Tuesday October 19
08:50am-09:00am Welcome
09:00am-10:00am Invited Talk I
Session chair: Frank Piessens (KU Leuven)
Technical Assistant: Haichuan Ken Xu

10:00am-10:30am Break
10:30am-11:30am Session I: Security/Threat Analysis
Session chair: Hasan Yasar (CMU)
Technical Assistant: Zichao Zhang

  • Analyzing OpenAPI Specifications for Security Design Issues.
    Carmen Cheh, Binbin Chen (Singapore University of Technology and Design)
  • Compressing Network Attack Surfaces for Practical Security Analysis.
    Douglas Everson, Long Cheng (Clemson University)
  • Automated Threat Analysis and Management in a Continuous Integration Pipeline.
    Laurens Sion, Dimitri Van Landuyt, Koen Yskout, Stef Verreydt, Wouter Joosen (imec-DistriNet, KU Leuven)
11:30am-01:00pm Break
01:00pm-02:00pm Panel: Understanding and Mitigating Software Supply Chain Security Risks.
Technical Assistant: Yiting Sun
02:00pm-02:20pm Break
02:20pm-03:20pm Session II: Secure Development
Session chair: Scott Constable (Intel)
Technical Assistant: Miles Frantz

  • Towards Improving Container Security by Preventing Runtime Escapes.
    Michael Reeves (Sandia National Labs); Dave (Jing) Tian, Antonio Bianchi, Z. Berkay Celik (Purdue University)
  • Developers are Neither Enemies Nor Users: They are Collaborators.
    Partha Das Chowdhury, Joseph Hallett, Nikhil Patnaik, Mohammad Tahaei, Awais Rashid (University of Bristol)
  • Shhh!: 12 Practices for Secret Management in Infrastructure as Code.
    Akond Rahman, Farhat Lamia Barsha (Tennessee Tech University); Patrick Morrison (IBM)
03:20pm-03:40pm Break
03:40pm-05:10pm Panel: Challenges and Opportunities in Implementation and Verification of Cryptography.
Technical Assistant: Kaiyuan Li
Wednesday October 20
09:00am-10:00am Session III: Security Focused Designs
Session chair: Tuba Yavuz (UF)
Technical Assistant: Miles Frantz

  • Android Remote Unlocking Service using Synthetic Password: A Hardware Security-preserving Approach.
    Sungmin Lee, Yoonkyo Jung, Jaehyun Lee, Byoungyoung Lee, Ted “Taekyoung” Kwon (Seoul National University)
  • Enclave-Based Secure Programming with JE.
    Aditya Oak (TU Darmstadt); Amir M. Ahmadian, Musard Balliu (KTH Royal Institute of Technology); Guido Salvaneschi (University of St.Gallen)
  • Towards Zero Trust: An Experience Report.
    Jason Lowdermilk, Simha Sethumadhavan (Chip Scan, Inc)
10:00am-10:20am Break
10:20am-11:50am IEEE Cybersecurity Award for Practice Ceremony.
Technical Assistant: Kaiyuan Li

  • For Scaling Advanced Static Analyses to Engineering Practice
    Dino Distefano, Manuel Fähndrich, Francesco Logozzo, and Peter O’Hearn (Facebook)

  • For developing Physical Unclonable Functions for Device Authentication
    Srinivas Devadas (MIT)

  • For Work on Site Isolation for Chrome
    Charles Reis, Nasko Oskov, Daniel Cheng, Alex Moshchuk, and Łukasz Anforowicz (Google)
11:50am-01:00pm Break
01:00pm-02:00pm Invited Talk II
Session chair: Limin Jia (CMU)
Technical Assistant: Haichuan Ken Xu

02:00pm-02:20pm Break
02:20pm-03:00pm Session IV: Formal Verification
Session chair: Marco Patrignani (Standford University)
Technical Assistant: Zichao Zhang

  • Layered Formal Verification of a TCP Stack.
    Guillaume Cluzel (AdaCore & ENS de Lyon); Kyriakos Georgiou (AdaCore & University of Bristol); Yannick Moy (AdaCore); Clément Zeller (Oryx Embedded)
  • Vivienne: Relational Verification of Cryptographic Implementations in WebAssembly.
    Rodothea Myrsini Tsoupidi, Musard Balliu, Benoit Baudry (KTH Royal Institute of Technology)
03:00pm-03:20pm Break
03:20pm-04:20pm BOF (Future of SecDev)
Technical Assistant: Yiting Sun