IEEE Secure Development Conference
& IEEE Digital Privacy Workshop

October 7 - 10, 2024
Carnegie Mellon University Software Engineering Institute
Pittsburgh, PA

Sponsored by the IEEE Computer Society Technical Committee on Security and Privacy

Agenda

Posted on: May 17th, 2018 by Yousef Iskander
SecDev 2018 Agenda

Sunday, September 30, 2018

Registration

12:30pm – 7:00pm

Exhibits open

1:30pm – 5:00pm

Tutorial Session A

1:30pm – 3:00pm

Building Secure and Trustworthy Blockchain Applications. Chengjun Cai, Huayi Duan, and Cong Wang (City University of Hong Kong)

Secure Coding Practices, Automated Assessment Tools and the SWAMP. (Part I) Barton P. Miller and Elisa Heymann (University of Wisconsin-Madison)

Secure Your Things: Secure Development of IoT Software with Frama-C. (Part I) Allan Blanchard (Inria Lille – Nord Europe, France), Nikolai Kosmatov (CEA, Software Reliability and Security Lab, France), Frédéric Loulergue (School of Informatics Computing and Cyber Systems, Northern Arizona University)

Continuous Verification of Critical Software. (Part I) Mike Dodds, Stephen Magill, Aaron Tomb (Galois, Inc.)

DeepState: Bringing Vulnerability Detection Tools into the Development Cycle. (Part I) Peter Goodman, Gustavo Grieco (Trail of Bits, Inc.), Alex Groce (School of Informatics, Computing & Cyber Systems, Northern Arizona University)

Parry and RIPOSTE: Honing Cybersecurity Skills with Challenge-Based Exercises. (Part I) Jan Werner (University of North Carolina at Chapel Hill), Fabian Monrose (University of North Carolina at Chapel Hill)

BREAK

3:00pm – 3:30pm

Tutorial Session B

3:30pm – 5:00pm

Principles and Practices of Secure Coding. Sazzadur Rahaman, Na Meng, Daphne Yao (Virginia Tech)

Secure Coding Practices, Automated Assessment Tools and the SWAMP. (Part II) Barton P. Miller and Elisa Heymann (University of Wisconsin-Madison)

Secure Your Things: Secure Development of IoT Software with Frama-C. (Part II) Allan Blanchard (Inria Lille – Nord Europe, France), Nikolai Kosmatov (CEA, Software Reliability and Security Lab, France), Frédéric Loulergue (School of Informatics Computing and Cyber Systems, Northern Arizona University)

Continuous Verification of Critical Software. (Part II) Mike Dodds, Stephen Magill, Aaron Tomb (Galois, Inc.)

DeepState: Bringing Vulnerability Detection Tools into the Development Cycle. (Part II) Peter Goodman, Gustavo Grieco (Trail of Bits, Inc.), Alex Groce (School of Informatics, Computing & Cyber Systems, Northern Arizona University)

Parry and RIPOSTE: Honing Cybersecurity Skills with Challenge-Based Exercises. (Part II) Jan Werner (University of North Carolina at Chapel Hill), Fabian Monrose (University of North Carolina at Chapel Hill)

Reception

5:00pm – 7:00pm

Poster Session

5:00pm – 7:00pm

List of accepted posters here.

 

Monday, October 1, 2018

Registration

7:00am – 5:00pm

Exhibits

8:00am – 5:00pm

Breakfast

7:30am – 8:30am

Opening Remarks

8:30am – 8:40am

Keynote I: Building and Deploying Secure Systems in Practice: Lessons, Challenges and Future Directions

8:40am – 10:00am

Professor Dawn Song (University of California, Berkeley)

Moderator: Daphne Yaom Virginia Tech

In this talk, I will share the lessons learned during the process of designing and developing technologies for building secure systems and deploying them in practice. I will first give a few examples of our work that has been deployed in practice. Our work (in collaboration with Google) on Context-sensitive Auto-Sanitization of Web Applications helps eliminate XSS vulnerabilities from web applications and has been used to secure many high-profile applications such as GMail and Google Docs. Our work in mobile security has led to a successful startup (Ensighta Security, later acquired by FireEye, Inc). Its mobile security product and features have been deployed worldwide to protect major enterprises and institutions and have detected numerous real-world mobile malware. Our work on new technology for secure browsing has become the core product of Menlo Security that my team has co-founded, winning numerous awards including Information Week’s 10 Innovative Network Security Startups and Forbes’ Hottest Cybersecurity startup.

Our recent work on new techniques to enable practical, privacy-preserving data analytics and machine learning has been deployed at Uber. This is one of the first real-world deployments for general privacy-preserving data analytics with differential privacy. Our most recent work on scalable and confidentiality-preserving smart contracts has led to a new venture, Oasis Labs, aiming to build the next-generation blockchain to enable fundamentally new applications on blockchain that couldn’t be built before.

From the experiences gained from these examples, I will summarize the lessons learned and discuss the challenges and future directions in building and deploying secure systems.

BREAK

10:00am – 10:20am

Session 1: Best Practices of Security

10:20am – 12:00pm

Best Practices of Security Session Chair: Christoph Kern, Google

BP: Formal Proofs, the Fine Print and Side Effects

Toby Murray (University of Melbourne) and Paul van Oorschot (Carleton University)

BP: Integrating Cyber Vulnerability Assessments Earlier into the Systems Development Lifecycle

Sonja Glumich, Juanita Riley, Paul Ratazzi, and Amanda Ozanam (Air Force Research Laboratory Information Directorate)

BP: DECREE: A Platform and Benchmark Corpus for Repeatable and Reproducible Security Experiments.

Lok Yan (Air Force Research Laboratory), Benjamin Price (MIT Lincoln Laboratory), Michael Zhivich (MIT Lincoln Laboratory), Brian Caswell (Lunge Technology), Christopher Eagle (Naval Postgraduate School), Michael Frantzen (Kudu Dynamics), Holt Sorenson (Google Inc.), Michael Thompson (Naval Postgraduate School), Timothy Vidas (Carnegie Mellon University), Jason Wright (Thought Networks), Vernon Rivet (MIT Lincoln Laboratory), Samuel Colt VanWinkle (MIT Lincoln Laboratory), and Clark Wood (MIT Lincoln Laboratory)

BP: Profiling Vulnerabilities on the Attack Surface

Christopher Theisen, Hyunwoo Sohn, Dawson Tripp, and Laurie Williams (North Carolina State University)

Lunch

12:00pm – 1:30pm

Session 2: Data Access Security

1:30pm – 2:45pm

Data Access Security Session Chair: Michael Hicks, University of Maryland, College Park

Tyche: A Risk-Based Permission Model for Smart Homes.

Amir Rahmati (Samsung Research America/Stony Brook University), Earlence Fernandes (University of Washington), Kevin Eykholt (University of Michigan), and Atul Prakash (University of Michigan)

Detecting leaks of sensitive data due to stale reads

Will Snavely, William Klieber, Ryan Steele, David Svoboda, and Andrew Kotov (Software Engineering Institute – Carnegie Mellon University)

Transforming Code to Drop Dead Privileges

Xiaoyu Hu (BitFusion.io Inc.), Jie Zhou (University of Rochester), Spyridoula Gravani (University of Rochester), and John Criswell (University of Rochester)

Break

2:45pm – 3:00pm

Session 3: Secure Coding and Analysis

3:00pm – 4:40pm

Secure Coding and Analysis Session Chair: Toby Murray, University of Melbourne

Checked C: Making C Safe by Extension

Archibald Samuel Elliott (University of Washington), Andrew Ruef (University of Maryland), Michael Hicks (University of Maryland), and David Tarditi (Microsoft Research)

SGL: A domain-specific language for large-scale analysis of open-source code

Darius Foo, Ang Ming Yi, Jason Yeo, and Asankhaya Sharma (SourceClear, Inc.)

Light-touch Interventions to Improve Software Development Security

Charles Weir (Lancaster University, UK), Lynne Blair (Lancaster University, UK), Ingolf Becker (University College London, UK), Angela Sasse (University College London, UK), and James Noble (Victoria University of Wellington, NZ)

A Lingua Franca for Security by Design

Alexander van den Berghe (imec-DistriNet, KU Leuven), Koen Yskout (imec-DistriNet, KU Leuven), Riccardo Scandariato (Software Engineering Division, University of Gothenburg), and Wouter Joosen (imec-DistriNet, KU Leuven).

Break

4:40pm – 5:00pm

Birds of a Feather Sessions

5:00pm – 6:00pm

Women in Cybersecurity –led by Leslie Weiner Alger

Leslie Weiner Alger Is the founder of Creative Edge Leadership, an executive coaching and leadership development firm with a focus on transforming technical managers and experts into outstanding leaders. As an executive coach Leslie has extensive experience working with leaders in fields such as engineering, information technology, science, and finance; helping them to make their leadership skills as outstanding as their technical skills. Leslie draws upon her extensive leadership experience to infuse her coaching and workshops with real-world examples and strategies. With an academic background in Electrical Engineering from MIT, Leslie has 20 years experience leading large groups of engineers, IT professionals and financial analysts in a fast paced R&D environment at MIT Lincoln Laboratory (MIT LL). She also has over 15 years experience leading diverse teams in an international nonprofit organization.

Moving Target: Where to Next? – led by Hamed Okhravi, MITLL; Marco Carvalho, FIT; Andrew Gearhart, JHU APL; Rosalie McQuaid, MITRE

The static nature of current computing systems has made them easy to attack and hard to defend. Adversaries have an asymmetric advantage in that they have the time to study a system, identify its vulnerabilities, and choose the time and place of attack to gain the maximum benefit. The idea of moving-target defense (MTD) is to impose the same asymmetric disadvantage on attackers by making systems dynamic and therefore harder to explore and predict. MTD techniques refer to those that enhance the resilience of a system through diversification, randomization, and dynamism. There has been a large body of literature in the area of MTD. This Birds of a Feather session focuses on the outlook of the field, the research questions that need to be answered, and the way forward in research and practices of MTD.

Helping Organize SecDev 2019 -led by Lee Lerner

Dinner on your own

 

Tuesday October 2, 2018

Registration

7:00am – 5:00pm

Exhibits

8:00am – 5:00pm

Breakfast

7:30am – 8:30am

IEEE Awards

8:30am – 9:45am

General Chair Report and Awards

Best Papers and Best Reviewer Awards

The IEEE Cybersecurity Award for Practice

Lujo Bauer, Nicolas Christin, Lorrie Cranor, Saranga Komanduri, Michelle Mazurek, William Melicher, Sean Segreti, Rich Shay, and Blase Ur
Title: TBA

The IEEE Cybersecurity Award for Innovation

Alessandro Acquisti, Carnegie Mellon University
Title: The Economics and Behavioral Economics of Privacy

BREAK

9:45am – 10:00am

Keynote II: Provably Eliminating Exploitable Bugs

10:00am – 11:20am

Kathleen Fisher (Tufts University, Former Program Manager of DARPA’s HACMS Program)

Moderator: Stephen Chong, Harvard University
For decades, formal methods have offered the promise of software that doesn’t have exploitable bugs. Until recently, however, it hasn’t been possible to verify software of sufficient complexity to be useful. Recently, that situation has changed. SeL4 is an open-source operating system microkernel efficient enough to be used in a wide range of practical applications. It has been proven to be fully functionally correct, ensuring the absence of buffer overflows, null pointer exceptions, use-after-free errors, etc., and to enforce integrity and confidentiality properties. The CompCert Verifying C Compiler maps source C programs to provably equivalent assembly language, ensuring the absence of exploitable bugs in the compiler. A number of factors have enabled this revolution in the formal methods community, including increased processor speed, better infrastructure like the Isabelle/HOL and Coq theorem provers, specialized logics for reasoning about low-level code, increasing levels of automation afforded by tactic languages and SAT/SMT solvers, and the decision to move away from trying to verify existing artifacts and instead focus on co-developing the code and the correctness proof.

In this talk I will explore the promise and limitations of current formal methods techniques for producing useful software that provably does not contain exploitable bugs. I will discuss these issues in the context of DARPA’s HACMS program, which had as its goal the creation of high-assurance software for vehicles, including quad-copters, helicopters, and automobiles.

BREAK

11:20am – 11:30am

Practitioners Session A: Enterprise Threat Modeling

11:30am -12:30pm

Practitioners Session A: Enterprise Threat Modeling Session Chair: Richard Chow, Intel

Scalable Static Analysis to Detect Security Vulnerabilities: Challenges and Solutions

Francois Gauthier, Nathan Keynes, Nicholas Allen, Diane Corney, and Padmanabhan Krishnan (Oracle Labs, Australia)

Applied Threat Driven Security Verification

Danny Dhillon and Vishal Mishra (Dell)

Rethinking Secure DevOps Threat Modeling: The Need for a Dual Velocity Approach

Altaz Valani (Security Compass)

Automating Threat Intelligence for SDL

Raghudeep Kannavara (Intel Corp), Jacob Vangore (Olivet Nazarene University), William Roberts (Olivet Nazarene University), Marcus Lindholm (Intel Corp), and Priti Shrivastav (Intel Corp)

Lunch

12:30pm – 2:00pm

Session 4: Vulnerability Assessment

2:00pm – 3:15pm

Session 4: Vulnerability Assessment Chair: Sonja Glumich, Air Force Research Laboratory

Towards Understanding the Adoption of Anti-Spoofing Protocols in Email Systems

Hang Hu, Peng Peng, and Gang Wang (Virginia Tech)

There’s a Hole in the Bottom of the C: On the Effectiveness of Allocation Protection

Ronald Gil (MIT CSAIL), Hamed Okhravi (MIT Lincoln Laboratory), and Howard Shrobe (MIT CSAIL).

BP: Security Concerns and Best Practices for Automation of Software Deployment Processes – An Industrial Case Study

Vaishnavi Mohan (Deloitte Analytics Institute), Lotfi ben Othmane (Iowa State University), and Andre Kres (IBM)

BREAK

3:15pm – 3:45pm

Practitioners Session B: New Security Needs and Approaches

3:45pm – 5:15pm

Practitioners Session B: New Security Needs and Approaches Session Chair: Sarah Chmielewski, MIT Lincoln Laboratories

Reducing Attack Surface via Executable Transformation

Sukarno Mertoguno, Ryan Craven, Daniel Koller, and Matthew Mickelson (ONR)

Designing Secure and Resilient Embedded Avionics Systems

Jason H. Li (Intelligent Automation Inc.), Douglas Schafer (Air Force Research Laboratories), David Whelihan (MIT Lincoln Laboratories), Stefano Lassini (GE Aviation Systems), Nicholas Evancich (Intelligent Automation Inc.), Kyung Joon Kwak (Intelligent Automation Inc.), Mike Vai (MIT Lincoln Laboratories), and Haley Whitman (MIT Lincoln Laboratories)

Data Integrity: Recovering from Ransomware and Other Destructive Events

Timothy McBride (NIST), Anne Townsend (MITRE), Michael Ekstrom (MITRE), Lauren Lusty (MITRE), and Julian Sexton (MITRE)

Securing Wireless Infusion Pumps

Andrea Arbelaez (NIST), Sue Wang (MITRE), Sallie Edwards (MITRE), Kevin Littlefield (MITRE), and Kangmin Zheng (MITRE)

Best Practice for Developing Secure and Trusted Enterprise Storage & Computing Products

Xuan Tang (Dell)

Experiment: Sizing Exposed Credentials in GitHub Public Repositories for CI/CD

Hasan Yasar (Software Engineering Institute, CMU)

Wrap up and see you at SecDev 2019!