2021 schedule
Posted on: September 29th, 2021 by SecDev
Note: The times listed below are in EDT.
Monday October 18
Tutorial Track A
09:00am-12:00pm
Tutorial: The Correctness-by-Construction Approach to Programming.
Technical Assistant: Kaiyuan Li
Ina Schaefer, Tobias Runge (TU Braunschweig); Loek Cleophas (Eindhoven University of Technology); Bruce W. Watson (Stellenbosch University)
Abstract: The Correctness-by-Construction tutorial focuses on a structured programming approach for correct software development. Besides functional correctness, non-functional properties such as security properties can also be guaranteed using the CbC approach. In this tutorial, the participants learn a good practice to develop software that is midway between formal approaches and a “hack into correctness” style.
12:00pm-01:00pm
Break
01:00pm-02:30pm
Tutorial: Investigating Advanced Exploits for System Security Assurance.
Technical Assistant: Zichao Zhang
Salman Ahmed (Virginia Tech); Long Cheng (Clemson University); Hans Liljestrand (University of Waterloo); N. Asokan (University of Waterloo and Aalto University); Danfeng (Daphne) Yao (Virginia Tech)
Abstract: Investigation of existing advanced exploits is crucial for system security assurance. One way to achieve system security assurance is through evaluating defenses using qualitative security metrics and accurate measurement methodologies. Analyzing existing exploit techniques can provide crucial insights about qualitative security metrics and measurement methodologies.
In this tutorial, we investigate existing advanced exploit techniques by dividing the exploits into their constituent components. Our analyses focus on the impact of different defense techniques on the individual exploit components. These impact analyses provide insights for finding security metrics/methodologies as well as improving existing defenses. In this tutorial, we aim to focus on Return-Oriented Programming (ROP), Just-In-Time Return-Oriented Programming (JITROP), and Data-Oriented Attacks (DOAs). We aim to cover defenses such as fine-grained Address Space Layout Randomization (ASLR) and pointer protection techniques. More specifically, we aim to quantify the impact of fine-grained ASLR on different components of advanced ROP attacks. Besides, we will demonstrate a data-oriented exploit, an attack technique that circumvents currently deployed defenses, and explore defense techniques for defending against DOAs.
02:30pm-02:45pm
Break
02:45pm-04:15pm
Tutorial: A Lightweight Web Application for Software Vulnerability Demonstration.
Technical Assistant: Zichao Zhang
Onyeka Ezenwoye, Brandon Steed, David Lee (Augusta University); Yi Liu (UMass Dartmouth)
04:15pm-04:30pm
Break
04:30pm-06:00pm
Tutorial: Hands-on Tutorial: How Exploitable is Insecure C Code?
Technical Assistant: Miles Frantz
David Svoboda (Software Engineering Institute)
Abstract: C is still one of the most widely used programming languages today, yet writing insecure code in C is frighteningly easy, and exploiting insecure code is also too easy. This tutorial aims to teach attendees about C from a security perspective, and includes an exercise in understanding how a simple C program works, and how it can be exploited when written insecurely.
Tutorial Track B
09:00am-12:00pm
Tutorial: LLVM for Security Practitioners.
Technical Assistant: Yiting Sun
John Criswell, Ethan Johnson, Colin Pronovost (University of Rochester)
12:00pm-01:00pm
Break
01:00pm-02:30pm
Tutorial: Using RLBox to sandbox unsafe C code.
Technical Assistant: Miles Frantz
Shravan Narayan, Craig Disselkoen, Deian Stefan (UC San Diego)
Abstract: RLBox is a C++ framework for building secure systems from untrusted libraries. RLBox uses a static type system to (1) abstract isolation mechanisms like WebAssembly, (2) make data and control flow across the application-library boundary explicit and safe, and (3) help developers retrofit their application with sandboxing. In this tutorial, we first give an overview of RLBox and demonstrate how the RLBox framework helps sandbox a (buggy) C library in a simple C++ application. Then, we walk through the process of using RLBox to sandbox libraries in larger C++ codebases like the Firefox Web browser.
02:30pm-02:45pm
Break
02:45pm-06:00pm
Tutorial: Making C Programs Safer with Checked C.
Technical Assistant: Haichuan Ken Xu
Jie Zhou (University of Rochester); Michael Hicks (Correct Computation, Inc.); Yudi Yang, John Criswell (University of Rochester)
Abstract: Despite its well-known lack of memory safety, C is still widely used both to write new code and to maintain legacy software. Extensive efforts to make C safe have not seen wide adoption due to poor performance and a lack of backward compatibility. Checked C is an open-source, safe extension to C that addresses these problems. This hands-on tutorial will introduce attendees to Checked C and provide guidance in the use of 3C, a semi-automatic tool that converts legacy C code to Checked C.
Tuesday October 19
08:50am-09:00am
Welcome
09:00am-10:00am
Invited Talk I
Session chair: Frank Piessens (KU Leuven)
Technical Assistant: Haichuan Ken Xu
10:00am-10:30am
Break
10:30am-11:30am
Session I: Security/Threat Analysis
Session chair: Hasan Yasar (CMU)
Technical Assistant: Zichao Zhang
- Analyzing OpenAPI Specifications for Security Design Issues.
Carmen Cheh, Binbin Chen (Singapore University of Technology and Design)
- Compressing Network Attack Surfaces for Practical Security Analysis.
Douglas Everson, Long Cheng (Clemson University)
- Automated Threat Analysis and Management in a Continuous Integration Pipeline.
Laurens Sion, Dimitri Van Landuyt, Koen Yskout, Stef Verreydt, Wouter Joosen (imec-DistriNet, KU Leuven)
11:30am-01:00pm
Break
01:00pm-02:00pm
Panel: Understanding and Mitigating Software Supply Chain Security Risks.
Technical Assistant: Yiting Sun
02:00pm-02:20pm
Break
02:20pm-03:20pm
Session II: Secure Development
Session chair: Scott Constable (Intel)
Technical Assistant: Miles Frantz
- Towards Improving Container Security by Preventing Runtime Escapes.
Michael Reeves (Sandia National Labs); Dave (Jing) Tian, Antonio Bianchi, Z. Berkay Celik (Purdue University)
- Developers are Neither Enemies Nor Users: They are Collaborators.
Partha Das Chowdhury, Joseph Hallett, Nikhil Patnaik, Mohammad Tahaei, Awais Rashid (University of Bristol)
- Shhh!: 12 Practices for Secret Management in Infrastructure as Code.
Akond Rahman, Farhat Lamia Barsha (Tennessee Tech University); Patrick Morrison (IBM)
03:20pm-03:40pm
Break
03:40pm-05:10pm
Panel: Challenges and Opportunities in Implementation and Verification of Cryptography.
Technical Assistant: Kaiyuan Li
Wednesday October 20
09:00am-10:00am
Session III: Security Focused Designs
Session chair: Tuba Yavuz (UF)
Technical Assistant: Miles Frantz
- Android Remote Unlocking Service using Synthetic Password: A Hardware Security-preserving Approach.
Sungmin Lee, Yoonkyo Jung, Jaehyun Lee, Byoungyoung Lee, Ted “Taekyoung” Kwon (Seoul National University)
- Enclave-Based Secure Programming with JE.
Aditya Oak (TU Darmstadt); Amir M. Ahmadian, Musard Balliu (KTH Royal Institute of Technology); Guido Salvaneschi (University of St.Gallen)
- Towards Zero Trust: An Experience Report.
Jason Lowdermilk, Simha Sethumadhavan (Chip Scan, Inc)
10:00am-10:20am
Break
10:20am-11:50am
IEEE Cybersecurity Award for Practice Ceremony.
Technical Assistant: Kaiyuan Li
- For Scaling Advanced Static Analyses to Engineering Practice
Dino Distefano, Manuel Fähndrich, Francesco Logozzo, and Peter O’Hearn (Facebook)
- For Developing Physical Unclonable Functions for Device Authentication
Srinivas Devadas (MIT)
- For Work on Site Isolation for Chrome
Charles Reis, Nasko Oskov, Daniel Cheng, Alex Moshchuk, and Łukasz Anforowicz (Google)
11:50am-01:00pm
Break
01:00pm-02:00pm
Invited Talk II
Session chair: Limin Jia (CMU)
Technical Assistant: Haichuan Ken Xu
02:00pm-02:20pm
Break
02:20pm-03:00pm
Session IV: Formal Verification
Session chair: Marco Patrignani (Stanford University)
Technical Assistant: Zichao Zhang
- Layered Formal Verification of a TCP Stack.
Guillaume Cluzel (AdaCore & ENS de Lyon); Kyriakos Georgiou (AdaCore & University of Bristol); Yannick Moy (AdaCore); Clément Zeller (Oryx Embedded)
- Vivienne: Relational Verification of Cryptographic Implementations in WebAssembly.
Rodothea Myrsini Tsoupidi, Musard Balliu, Benoit Baudry (KTH Royal Institute of Technology)
03:00pm-03:20pm
Break
03:20pm-04:20pm
BOF (Future of SecDev)
Technical Assistant: Yiting Sun