Professor Michael Backes
CISPA, Saarland University & MPI-SWS
The Internet has undergone dramatic changes in the last two decades, evolving from a mere communication network to a global multimedia platform in which billions of users not only actively exchange information, but increasingly conduct sizable parts of their daily lives. While this transformation has brought tremendous benefits to society, it has also created new threats to online privacy that existing technology is failing to keep pace with.
In this talk, I will outline a grand research vision for understanding and controlling privacy in open settings at large. I will in particular discuss the feasibility of a concept called privacy advisor, which inspects online communication as well as information about to be published by a user, performs its own inference based on information available online, and warns the user about potential anonymity and privacy leaks. The ultimate, far-reaching goal is to enable users to properly assess the privacy consequences of their online interactions before they have happened, and thereby offer more privacy-friendly alternatives. I will outline concrete research objectives towards achieving this goal, discuss what has been achieved so far, and point out corresponding research opportunities in thus far under-researched areas. This work is supported by the ERC Synergy Grant imPACT.
Short Bio: Michael Backes holds the chair for information security and cryptography at Saarland University. He is the director of the German IT-Security research center CISPA, a Max Planck Fellow of the Max Planck Institute for Software Systems, and the speaker of the Collaborative Research Center on Methods and Tools for Understanding and Controlling Privacy. His research covers various aspects of IT security and privacy and ranges from the design, analysis, and verification of protocols and systems, mechanisms for protecting end-user privacy, and research on new attack vectors, to universal solutions in software and network security. Michael has received many awards for his work, including the ERC Synergy Grant in 2014, Europe's most distinguished research award. He has been the Program Chair of ESORICS 2009, IEEE CSF 2010 and 2011, IEEE S&P 2013 and 2014, and IEEE EuroS&P 2016.
Professor Giovanni Vigna
University of California in Santa Barbara
Despite the rise of interpreted languages and the World Wide Web, binary analysis has remained the focus of much research in computer security. There are several reasons for this. First, interpreted languages are either interpreted by binary programs or Just-In-Time compiled down to binary code. Second, "core" OS constructs and performance-critical applications are still written in languages (usually, C or C++) that compile down to binary code. Third, the rise of the Internet of Things is powered by devices that are, in general, very resource-constrained. Without cycles to waste on interpretation or Just-In-Time compilation, the firmware of these devices tends to be written in languages (again, usually C) that compile to binary.
Unfortunately, many of these languages provide few security guarantees, often leading to vulnerabilities. For example, buffer overflows stubbornly remain one of the most commonly discovered software flaws despite efforts to develop technologies to mitigate such vulnerabilities. Worse, the wider class of "memory corruption vulnerabilities", the vast majority of which also stem from the use of unsafe languages, makes up a substantial portion of the most common vulnerabilities. This problem is not limited to software on general-purpose computing devices: remotely exploitable vulnerabilities have been discovered in devices ranging from smart locks, to pacemakers, to automobiles.
However, finding vulnerabilities in binaries and generating patches that fix exploitable flaws is challenging because of the lack of high-level abstractions, such as type information and control flow constructs. Current approaches provide tools to support the manual analysis of binaries, but are far from being completely automated solutions to the vulnerability analysis of binary programs.
To foster research in automated binary analysis, in October of 2013, DARPA announced the DARPA Cyber Grand Challenge (CGC). Like DARPA Grand Challenges in other fields (such as robotics and autonomous vehicles), the CGC pits teams from around the world against each other in a competition in which the participants are autonomous systems. During the CGC competition, these systems must identify, exploit, and patch vulnerabilities in binary programs, without any human in the loop. Millions of dollars in prize money were announced: the top 7 teams to complete the CGC Qualifying Event (held in June, 2015) received 750,000 USD, and the top 3 teams in the CGC Final Event (held in August, 2016) will receive 2,000,000 USD, 1,000,000, and 750,000, respectively.
The Shellphish hacking team is one of the qualified teams. This talk presents some insights into the field of automated binary analysis, exploitation, and patching, gained through participation in the CGC competition. In addition, the talk provides a discussion of the use of competitions to foster both research and education, based on the experience of designing and running a large-scale live security hacking competition (called the iCTF) for the past 13 years.
Short Bio: Giovanni Vigna is a Professor in the Department of Computer Science at the University of California in Santa Barbara and the CTO of Lastline, Inc. His current research interests include malware analysis, web security, the underground economy, vulnerability assessment, and mobile phone security. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. In his free time, he leads Shellphish, the longest-running hacking team playing at the DefCon CTF competition.
Professor Yang Xiang
Today's online social networks have pervaded all aspects of our daily lives. With their unparalleled popularity, online social networks have evolved from platforms for social communication and news dissemination into indispensable tools for professional networking, social recommendations, marketing, and online content distribution. Their evolution has influenced every technological, societal, and cultural aspect of human life, and they are receiving more and more attention in research communities.
It has been widely recognized that security and privacy are critical issues in online social networks. On one hand, online social networks have become an effective platform for attackers to launch attacks and distribute malicious information. On the other hand, privacy leakage through online social networks has become common practice. New methods and tools, consequently, must follow in order to adapt to this emerging security paradigm. In this talk, we will discuss the security and privacy issues in social networks and how we can turn challenges into opportunities to build a more secure cyberspace.
Short Bio: Professor Yang Xiang received his PhD in Computer Science from Deakin University, Australia. He is currently the Director of the Centre for Cyber Security Research at Deakin University. His research interests include network and system security, distributed systems, and data analytics. He has published more than 200 research papers in international journals and conferences, such as IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Information Security and Forensics, and IEEE Transactions on Dependable and Secure Computing. He serves as an Associate Editor of IEEE Transactions on Computers and of Security and Communication Networks (Wiley), and as an Editor of the Journal of Network and Computer Applications (Elsevier). He is a Senior Member of the IEEE.
Dr Feng Bao
This talk aims to provide an overview of IoT security threats, challenges, research opportunities, and industrial ecosystems. It is anticipated that trillions of IoT devices will be deployed in the next decade. IoT devices are typically low-cost (resource-constrained), massively deployed, automatically connected, and possibly operate without monitoring, while they are expected to collect, process, and control large amounts of sensitive information. Thus we first review recent security incidents involving early-adopted IoT devices to illustrate the seriousness of the security threats faced by IoT devices in different scenarios. Next, we will see how the diversity of IoT devices poses a number of security and privacy challenges. Lastly, we talk about IoT standardization efforts and industrial alliances, where traditional ICT companies and vertical (cross-industry) enterprises are competing intensively. We explore the strategies and approaches deployed to tackle the security challenges, and hopefully shed light on building a secure IoT architecture.
Short Bio: Dr. Feng Bao is currently the Director of the Shield Lab at Huawei. He received his BS in Mathematics and MS in Computer Science from Beijing University, and his PhD in Computer Science from Gunma University, Japan. He was a researcher with the Chinese Academy of Science and a Visiting Scientist with Hamburg University. From 1996 to 2012, he was with the Institute for Infocomm Research, A*STAR of Singapore, where he held the position of Principal Scientist and Head of the Cryptography and Security Dept. His research interests are mainly in cryptography and information security. He has published over 200 papers in international conferences and journals, which have over 5000 citations. He has 16 patents and has been involved in the management of dozens of industry projects and international collaborations. He is a member of the Asiacrypt Steering Committee and an Editorial Member of 2 international journals. He has chaired over 20 international conferences in security.
Mr Peiyuan Zhao
This talk addresses two time intervals: the gap between when a vulnerability is discovered by users and when it is discovered by hackers, and the gap between when a vulnerability is fixed by the user and when it is exploited by hackers. The research and application of a community-based distributed risk-award model is proposed. BugFeel (Full-time Vulnerabilities Perceive Platform), supported by a large vulnerability plug-in library, monitors vulnerabilities in real time and responds immediately. The aim is to find vulnerabilities before hackers do, so that they are repaired before they can be used and attacks are avoided. BugFeel opens the era of active security defense!
Short Bio: Peiyuan Zhao is the CTO of Xi'an clover Information Technology Co., Ltd. His research focuses on how to help customers quickly find and solve security issues. At present, he leads the company's R&D team and security team, which developed the first plug-in vulnerability community and the first distributed vulnerability detection platform in China.