CERIAS Weekly Security Seminar - Purdue University

1,160 episodes - English - Latest episode: about 1 month ago - ★★★★ - 6 ratings

CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, case studies or exploring cyber operational approaches; they are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Episodes

Mitchell Parker, "Lessons Learned From the Retrocomputing Community"

February 21, 2018 21:30 - 196 MB Video

The purpose of this presentation is to show that successful retrocomputing projects and groups which currently exist follow patterns we can use to help low-resource and industrial organizations that need to secure their devices. Can retrocomputing breathe new life into older technology to help secure the enterprise?

Adil Ahmad, OBLIVIATE: A Data Oblivious File System for Intel SGX

February 14, 2018 21:30 - 58 minutes - 212 MB Video

Trusted computing is the key component in achieving confidentiality and integrity in modern cloud environments. Commodity trusted hardware such as Intel SGX and ARM Trustzone allow programs to execute and store sensitive data in secure memory regions. It is envisioned that these systems will enable important applications from trusted data analytics and Private Information Retrieval (PIR) in the cloud to content protection and secure financial services in mobile settings. This talk deals with t...

Adil Ahmad, "OBLIVIATE: A Data Oblivious File System for Intel SGX"

February 14, 2018 21:30 - 212 MB Video

Trusted computing is the key component in achieving confidentiality and integrity in modern cloud environments. Commodity trusted hardware such as Intel SGX and ARM Trustzone allow programs to execute and store sensitive data in secure memory regions. It is envisioned that these systems will enable important applications from trusted data analytics and Private Information Retrieval (PIR) in the cloud to content protection and secure financial services in mobile settings. This talk de...

Brian Lynch, Eli Lilly's Path to a Successful Threat Intelligence Program

February 07, 2018 21:30 - 45 minutes - 330 MB Video

Eli Lilly's Threat Intelligence team (CTI) was officially established in July of 2016 tasked with several key objectives that would need to be met for the overall Security organization to be successful. This talk is going to cover the CTI team's journey over the past year, where they started from, how they got the start, the current state, as well as the future direction of the Threat Intelligence program. This will not be a deep technical talk, but rather a process-based talk covering a wi...

Brian Lynch, "Eli Lilly's Path to a Successful Threat Intelligence Program"

February 07, 2018 21:30 - 330 MB Video

Eli Lilly’s Threat Intelligence team (CTI) was officially established in July of 2016 tasked with several key objectives that would need to be met for the overall Security organization to be successful. This talk is going to cover the CTI team’s journey over the past year, where they started from, how they got the start, the current state, as well as the future direction of the Threat Intelligence program. This will not be a deep technical talk, but rather a process-based talk coverin...

Matt Dimino, State of Cybersecurity in Healthcare

January 31, 2018 21:30 - 1 hour - 395 MB Video

The public health sector cannot deliver efficient and safe patient care without digital interconnectivity among devices. If the healthcare system is connected, but insecure, the interconnectivity could betray patient safety, subjecting patients to uncalculated and unnecessary risks with insurmountable costs, including death. Our nation must realize the dangers imposed on patients due to the reliance on interconnectivity amongst devices and information systems. Healthcare delivery organizatio...

Matt Dimino, "State of Cybersecurity in Healthcare"

January 31, 2018 21:30 - 395 MB Video

The public health sector cannot deliver efficient and safe patient care without digital interconnectivity among devices. If the healthcare system is connected, but insecure, the interconnectivity could betray patient safety, subjecting patients to uncalculated and unnecessary risks with insurmountable costs, including death. Our nation must realize the dangers imposed on patients due to the reliance on interconnectivity amongst devices and information systems. Healthcare delivery orga...

Lotfi ben-Othmane, "What Roles Can Empirical Research Play to Advance Software Security Knowledge?"

January 24, 2018 21:30 - 243 MB Video

Software is an essential component to the operation of business information systems, cyber physical systems, and various personal devices. Despite increased awareness and concern about software security threats, current state of the art of software engineering practices are inadequate: new categories of security weaknesses are commonly reported. Challenges that hinder development of secure software start with difficulty of identifying threats and estimating risks. Practices such as in...

Lotfi ben-Othmane, "What Roles Can Empirical Research Play to Advance Software Security Knowledge?"

January 24, 2018 21:30 - 243 MB Video

Software is an essential component to the operation of business information systems, cyber physical systems, and various personal devices. Despite increased awareness and concern about software security threats, current state of the art of software engineering practices are inadequate: new categories of security weaknesses are commonly reported. Challenges that hinder development of secure software start with difficulty of identifying threats and estimating risks. Practices such as in...

Lotfi ben-Othmane, What Roles Can Empirical Research Play to Advance Software Security Knowledge?

January 24, 2018 21:30 - 57 minutes - 243 MB Video

Software is an essential component to the operation of business information systems, cyber physical systems, and various personal devices. Despite increased awareness and concern about software security threats, current state of the art of software engineering practices are inadequate: new categories of security weaknesses are commonly reported. Challenges that hinder development of secure software start with difficulty of identifying threats and estimating risks. Practices such as incrementa...

Ben Harsha, The Economics of Offline Password Cracking

January 17, 2018 21:30 - 48 minutes - 260 MB Video

Password leaks have become an unfortunately common occurrence, with billions of records leaked in the past few years. In this work we develop an economic model to help predict how many user passwords such an attacker will crack after such a breach. Our analysis indicates that currently deployed key stretching mechanisms such as PBKDF2 and BCRYPT provide insufficient protection for user passwords. In particular, our analysis shows that a rational attacker will crack 100% of passwords chosen f...

Ben Harsha, "The Economics of Offline Password Cracking"

January 17, 2018 21:30 - 260 MB Video

Password leaks have become an unfortunately common occurrence, with billions of records leaked in the past few years. In this work we develop an economic model to help predict how many user passwords such an attacker will crack after such a breach. Our analysis indicates that currently deployed key stretching mechanisms such as PBKDF2 and BCRYPT provide insufficient protection for user passwords. In particular, our analysis shows that a rational attacker will crack 100% of passwords ...

Nat Shere, "Penetration Testing: What? Why? How?"

December 06, 2017 21:30 - 308 MB Video

Penetration testing, or "Ethical Hacking", is the practice of testing systems, environments, and even employees in the manner of a real-world hacker. As news of security breaches and wide-spread hacks increase, companies are increasingly pursuing penetration testing services. This talk will discuss what penetration testing is and different approaches that vendors bring to it, why penetration testing is so important to a security program, and how penetration tests are implemented to si...

Nat Shere, Penetration Testing: What? Why? How?

December 06, 2017 21:30 - 49 minutes - 308 MB Video

Penetration testing, or "Ethical Hacking", is the practice of testing systems, environments, and even employees in the manner of a real-world hacker. As news of security breaches and wide-spread hacks increase, companies are increasingly pursuing penetration testing services. This talk will discuss what penetration testing is and different approaches that vendors bring to it, why penetration testing is so important to a security program, and how penetration tests are implemented to simulate r...

Kirsten Bay, "Securing the Future of Business: Broadening the Role of Security Technology"

November 29, 2017 21:30 - 416 MB Video

Security technology has long been relegated as part of the IT stack, but the consistent stream of attacks on our government, corporations, and individuals alike have shown that the relationship between security technology and the business needs to be reconsidered. As we look at events such as manipulating news on Facebook, Equifax, WannaCry, NotPetya, and Uber, how do we engage a wider audience to be part of the conversation of understanding the challenges and solutions? What are the m...

Kirsten Bay, Securing the Future of Business: Broadening the Role of Security Technology

November 29, 2017 21:30 - 45 minutes - 416 MB Video

Security technology has long been relegated as part of the IT stack, but the consistent stream of attacks on our government, corporations, and individuals alike have shown that the relationship between security technology and the business needs to be reconsidered. As we look at events such as manipulating news on Facebook, Equifax, WannaCry, NotPetya, and Uber, how do we engage a wider audience to be part of the conversation of understanding the challenges and solutions? What are the mechanism...

Abhishek Ray, Ad-Blockers: Extortionists or Digital Age Robin Hoods?

November 15, 2017 21:30 - 36 minutes - 131 MB Video

Intrusive online advertising has given birth to the trend of ad-blockers. Initially dismissed by the online advertising industry as inconsequential, ad-blockers have evolved from a mere plugin tool on browsers to full-fledged platforms that derive benefits from certifying quality of advertisers and reducing disutility of users from intrusive activities such as user tracking. However, are ad-blocking platforms the optimal solution to improving user experience online? There is no clear answer. ...

Abhishek Ray, "Ad-Blockers: Extortionists or Digital Age Robin Hoods?"

November 15, 2017 21:30 - 131 MB Video

Intrusive online advertising has given birth to the trend of ad-blockers. Initially dismissed by the online advertising industry as inconsequential, ad-blockers have evolved from a mere plugin tool on browsers to full-fledged platforms that derive benefits from certifying quality of advertisers and reducing disutility of users from intrusive activities such as user tracking.  However, are ad-blocking platforms the optimal solution to improving user experience online? There is no clea...

Nikita Borisov, "Refraction Networking: Censorship Circumvention in the Core of the Internet"

November 08, 2017 21:30 - 342 MB Video

Internet users around the world are facing censorship. To access blocked websites, they use circumvention services that most commonly consist of VPN-like proxies. The censors, in turn, try to block such proxies, creating a sort of cat-and-mouse game. Refraction networking takes a different approach by placing refracting routers inside ISP networks. By sending a special signal, a user can ask a router to refract *any* connection that transits the ISP to another, blocked destination, in a...

Nikita Borisov, Refraction Networking: Censorship Circumvention in the Core of the Internet

November 08, 2017 21:30 - 1 hour - 342 MB Video

Internet users around the world are facing censorship. To access blocked websites, they use circumvention services that most commonly consist of VPN-like proxies. The censors, in turn, try to block such proxies, creating a sort of cat-and-mouse game. Refraction networking takes a different approach by placing refracting routers inside ISP networks. By sending a special signal, a user can ask a router to refract *any* connection that transits the ISP to another, blocked destination, in a process...

Mikhail J. Atallah, Opportunities and Perils of the Cyber Revolution

November 01, 2017 20:30 - 1 hour - 564 MB Video

Rebroadcast from the original Oct. 30 talk. WEST LAFAYETTE, Ind. — Mikhail Atallah, distinguished professor of computer science and a professor of electrical and computer engineering (courtesy), has been chosen as the 2017 Arden L. Bement Jr. Award recipient. One of Purdue University's top three research honors, the Bement Award is the most prestigious award the university bestows in pure and applied science and engineering. Atallah is being honored for his significant contributions in the desi...

Mikhail J. Atallah, "Opportunities and Perils of the Cyber Revolution"

November 01, 2017 20:30 - 564 MB Video

Rebroadcast from the original Oct. 30 talk. WEST LAFAYETTE, Ind. — Mikhail Atallah, distinguished professor of computer science and a professor of electrical and computer engineering (courtesy), has been chosen as the 2017 Arden L. Bement Jr. Award recipient. One of Purdue University's top three research honors, the Bement Award is the most prestigious award the university bestows in pure and applied science and engineering. Atallah is being honored for his significant contributions i...

Jerome Edge, "Applying commercial best practices to DoD risk management to offer suggestions how to move from risk avoidance to cost effective risk management"

October 25, 2017 20:30 - 152 MB Video

The Department of Defense has mandated a risk management rather than risk avoidance approach in Cybersecurity. All Department of Defense programs are being directed to the Risk Management Framework (RMF) process. No Cyber system can be 100% secure. RMF mandates that we clearly determine the "value" of assets, such as information and intellectual property, and design systems to properly protect those assets. The commercial domain embraces the mantra that an organization should not spen...

Jerome Edge, Applying commercial best practices to DoD risk management to offer suggestions how to move from risk avoidance to cost effective risk management

October 25, 2017 20:30 - 48 minutes - 152 MB Video

The Department of Defense has mandated a risk management rather than risk avoidance approach in Cybersecurity. All Department of Defense programs are being directed to the Risk Management Framework (RMF) process. No Cyber system can be 100% secure. RMF mandates that we clearly determine the "value" of assets, such as information and intellectual property, and design systems to properly protect those assets. The commercial domain embraces the mantra that an organization should not spend more t...

Tianhao Wang, "Locally Differential Private Protocols for Frequency Estimation"

October 18, 2017 20:30 - 106 MB Video

Protocols satisfying Local Differential Privacy (LDP) enable parties to collect aggregate information about a population while protecting each user’s privacy, without relying on a trusted third party. LDP protocols (such as Google’s RAPPOR) have been deployed in real-world scenarios. In these protocols, a user encodes his private information and perturbs the encoded value locally before sending it to an aggregator, who combines values that users contribute to infer statistics about th...

Tianhao Wang, Locally Differential Private Protocols for Frequency Estimation

October 18, 2017 20:30 - 47 minutes - 106 MB Video

Protocols satisfying Local Differential Privacy (LDP) enable parties to collect aggregate information about a population while protecting each user's privacy, without relying on a trusted third party. LDP protocols (such as Google's RAPPOR) have been deployed in real-world scenarios. In these protocols, a user encodes his private information and perturbs the encoded value locally before sending it to an aggregator, who combines values that users contribute to infer statistics about the popula...

Tianhao Wang, "Locally Differential Private Protocols for Frequency Estimation"

October 18, 2017 19:30 - 106 MB Video

Protocols satisfying Local Differential Privacy (LDP) enable parties to collect aggregate information about a population while protecting each user’s privacy, without relying on a trusted third party. LDP protocols (such as Google’s RAPPOR) have been deployed in real-world scenarios. In these protocols, a user encodes his private information and perturbs the encoded value locally before sending it to an aggregator, who combines values that users contribute to infer statistics about th...

Jeremiah Blocki, Memory Hard Functions and Password Hashing

October 11, 2017 20:30 - 54 minutes - 147 MB Video

In the last few years breaches at organizations like Yahoo!, Dropbox, Lastpass, AshleyMadison and Adult FriendFinder have exposed billions of user passwords to offline brute-force attacks. Password hashing algorithms are a critical last line of defense against an offline attacker who has stolen password hash values from an authentication server. An attacker who has stolen a user's password hash value can attempt to crack each user's password offline by comparing the hashes of likely password ...

Jeremiah Blocki, "Memory Hard Functions and Password Hashing"

October 11, 2017 20:30 - 147 MB Video

In the last few years breaches at organizations like Yahoo!, Dropbox, Lastpass, AshleyMadison and Adult FriendFinder have exposed billions of user passwords to offline brute-force attacks. Password hashing algorithms are a critical last line of defense against an offline attacker who has stolen password hash values from an authentication server. An attacker who has stolen a user's password hash value can attempt to crack each user's password offline by comparing the hashes of likely p...

Xiaonan Guo, Friend or Foe? Your Wearable Devices Reveal Your Personal PIN

October 04, 2017 20:30 - 40 minutes - 132 MB Video

The proliferation of wearable devices, e.g., smartwatches and activity trackers, with embedded sensors has already shown its great potential on monitoring and inferring human daily activities. In this talk, I will present a serious security breach of wearable devices in the context of divulging secret information (i.e., key entries) while people are accessing key-based security systems. Existing methods of obtaining such secret information rely on installations of dedicated hardware (e.g., vide...

Xiaonan Guo, "Friend or Foe? Your Wearable Devices Reveal Your Personal PIN"

October 04, 2017 20:30 - 132 MB Video

The proliferation of wearable devices, e.g., smartwatches and activity trackers, with embedded sensors has already shown its great potential on monitoring and inferring human daily activities. In this talk, I will present a serious security breach of wearable devices in the context of divulging secret information (i.e., key entries) while people are accessing key-based security systems. Existing methods of obtaining such secret information rely on installations of dedicated hardware (e....

Tony Huffman, "Vulnerability Scanning, how it works and why"

September 27, 2017 20:30 - 94 MB Video

A vulnerability comes out and you need to know if you are vulnerable so you open up your vulnerability scanner and scan your systems to understand what you need to patch but what is that scanner doing to determine you are vulnerable. This talk will describe what that vulnerability scanner is doing and how we at Tenable write local, remote, and malware checks.

Tony Huffman, Vulnerability Scanning, how it works and why

September 27, 2017 20:30 - 39 minutes - 94 MB Video

A vulnerability comes out and you need to know if you are vulnerable so you open up your vulnerability scanner and scan your systems to understand what you need to patch but what is that scanner doing to determine you are vulnerable. This talk will describe what that vulnerability scanner is doing and how we at Tenable write local, remote, and malware checks. About the speaker: My name is Tony Huffman, I work at Tenable Network Security as a Sr. Reverse Engineer on the Threat Automation team. I hav...

Vince D'Angelo, "Counter UAS Challenges and Technology"

September 20, 2017 20:30 - 123 MB Video

Unmanned airborne systems (UAS) provide a wide range of capabilities in areas such as agriculture, environmental monitoring, disaster relief, delivery of goods, media & communications and surveillance. While these systems are producing numerous benefits today they also can be used in manners that enable a broad range of security concerns. This talk will introduce some of the technical challenges concerning the use of UAS, and approaches for counter UAS (C-UAS). SRC’s Silent Archer...

Vince D'Angelo, Counter UAS Challenges and Technology

September 20, 2017 20:30 - 24 minutes - 123 MB Video

Unmanned airborne systems (UAS) provide a wide range of capabilities in areas such as agriculture, environmental monitoring, disaster relief, delivery of goods, media & communications and surveillance. While these systems are producing numerous benefits today they also can be used in manners that enable a broad range of security concerns. This talk will introduce some of the technical challenges concerning the use of UAS, and approaches for counter UAS (C-UAS). SRC's Silent Archer™ syst...

Vince D'Angelo, "Counter UAS Challenges and Technology"

September 20, 2017 19:30 - 123 MB Video

Unmanned airborne systems (UAS) provide a wide range of capabilities in areas such as agriculture, environmental monitoring, disaster relief, delivery of goods, media & communications and surveillance. While these systems are producing numerous benefits today they also can be used in manners that enable a broad range of security concerns. This talk will introduce some of the technical challenges concerning the use of UAS, and approaches for counter UAS (C-UAS). SRC’s Silent Archer...

Bob Cheripka, "Advanced Testing Assessments in the Power & Utilities Industry"

September 13, 2017 20:30 - 135 MB Video

This first portion of the presentation will explore the emerging cyber threats facing the industrial control systems network environments with a focused look at the Power & Utility industry. It will then discuss the challenges facing advanced technical testing (i.e., Attack & Penetration Testing and Red Teaming) within this environment. The first section concludes with a discussion of current testing approaches and in the face of the above challenges, why testing remains an important c...

Bob Cheripka, Advanced Testing Assessments in the Power & Utilities Industry

September 13, 2017 20:30 - 47 minutes - 135 MB Video

This first portion of the presentation will explore the emerging cyber threats facing the industrial control systems network environments with a focused look at the Power & Utility industry. It will then discuss the challenges facing advanced technical testing (i.e., Attack & Penetration Testing and Red Teaming) within this environment. The first section concludes with a discussion of current testing approaches and in the face of the above challenges, why testing remains an important capabil...

Doug Smith, Secure Code Development

September 06, 2017 20:30 - 46 minutes - 153 MB Video

Current and recent events make it clear that cybersecurity requires defense in depth. Software development is both an early opportunity to begin the defense, and the source of many commonly exploited security vulnerabilities. Preventing coding errors and eliminating security flaws during development is an effective way to reduce security risks. This presentation promotes awareness among software practitioners of the how and why to do secure code development and software assurance, coverin...

Doug Smith, "Secure Code Development"

September 06, 2017 20:30 - 153 MB Video

Current and recent events make it clear that cybersecurity requires defense in depth. Software development is both an early opportunity to begin the defense, and the source of many commonly exploited security vulnerabilities. Preventing coding errors and eliminating security flaws during development is an effective way to reduce security risks. This presentation promotes awareness among software practitioners of the how and why to do secure code development and software assurance, cov...

Chris Roberts, The Stark Reality of Red vs. Blue and Why it's Not Working

August 30, 2017 20:30 - 58 minutes - 149 MB Video

We have spent so much time focusing on Red and the images of security ninjas leaping off tall walls with laptops and grappling tools that the role of "blue" has been left in the dark…it's underrated, nobody wants to do the job and typically it's under appreciated and the unloved discipline…it's time to change that. The focus on red has done nothing to help the industry protect our charges, we are still failing to protect those around us and we're still watching helplessly while companies los...

Chris Roberts, "The Stark Reality of Red vs. Blue and Why it's Not Working"

August 30, 2017 20:30 - 149 MB Video

We have spent so much time focusing on Red and the images of security ninjas leaping off tall walls with laptops and grappling tools that the role of “blue” has been left in the dark…it’s underrated, nobody wants to do the job and typically it’s under appreciated and the unloved discipline…it’s time to change that. The focus on red has done nothing to help the industry protect our charges, we are still failing to protect those around us and we’re still watching helplessly while compan...

Shiqing Ma, "MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning"

August 23, 2017 20:30 - 4 MB Video

Operating system level auditing is one of the most important forensics techniques. With operating system level audit systems, e.g., the Linux audit system, investigators can generate attack causal graphs by analyzing the causal relationships between the logged events. However, traditional techniques usually generate large and inaccurate causal graphs. This is because applications are not aware of the existence of the OS level audit systems, and cannot provide their own context informati...

Shiqing Ma, MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning

August 23, 2017 20:30 - 49 minutes - 4 MB Video

Operating system level auditing is one of the most important forensics techniques. With operating system level audit systems, e.g., the Linux audit system, investigators can generate attack causal graphs by analyzing the causal relationships between the logged events. However, traditional techniques usually generate large and inaccurate causal graphs. This is because applications are not aware of the existence of the OS level audit systems, and cannot provide their own context information. To s...

Adam Bates, Enabling Trust and Efficiency in Provenance-Aware Systems

April 26, 2017 20:30 - 56 minutes - 575 MB Video

In a provenance-aware system, mechanisms gather and report metadata that describes the history of each object being processed on the system, allowing users to understand how data objects came to exist in their present state. However, little attention has been given to securing provenance-aware systems. Provenance itself is a ripe attack vector, and its authenticity and integrity must be guaranteed before it can be put to use. In this talk, I will detail our efforts to bring trustworthy data p...

Adam Bates, "Enabling Trust and Efficiency in Provenance-Aware Systems"

April 26, 2017 20:30 - 575 MB Video

In a provenance-aware system, mechanisms gather and report metadata that describes the history of each object being processed on the system, allowing users to understand how data objects came to exist in their present state. However, little attention has been given to securing provenance-aware systems. Provenance itself is a ripe attack vector, and its authenticity and integrity must be guaranteed before it can be put to use. In this talk, I will detail our efforts to bring trustworth...

Ron Ross, "Pushing Computers to the Edge: Next Generation Security and Privacy Controls for Systems and IoT Devices"

April 19, 2017 20:30 - 624 MB Video

As we push computers to “the edge” building an increasingly complex world of interconnected systems and devices, security and privacy continue to dominate the national conversation. The Defense Science Board in its 2017 report, Task Force on Cyber Defense, provides a sobering assessment of the current vulnerabilities in the U.S. critical infrastructure and the systems that support the mission essential operations and assets in the public and private sectors. “…The Task Force notes th...

Ron Ross, Pushing Computers to the Edge: Next Generation Security and Privacy Controls for Systems and IoT Devices

April 19, 2017 20:30 - 1 hour - 624 MB Video

As we push computers to "the edge" building an increasingly complex world of interconnected systems and devices, security and privacy continue to dominate the national conversation. The Defense Science Board in its 2017 report, Task Force on Cyber Defense, provides a sobering assessment of the current vulnerabilities in the U.S. critical infrastructure and the systems that support the mission essential operations and assets in the public and private sectors. "…The Task Force notes that the cyb...

Limin Jia, "Information Flow Security in Practical Systems"

April 12, 2017 20:30 - 372 MB Video

Users routinely type sensitive data such as passwords, credit card numbers, and even SSN into their mobile phone apps and browsers. Rich functionality combined with weak security mechanisms makes protecting users’ data challenging. In this talk, I will present a few case studies of applying information flow security to protecting users’ data in Android, the Chromium browser, and the IFTTT framework. For these systems, we show that dynamic coarse-grained taint tracking, even though i...

Limin Jia, Information Flow Security in Practical Systems

April 12, 2017 20:30 - 58 minutes - 372 MB Video

Users routinely type sensitive data such as passwords, credit card numbers, and even SSN into their mobile phone apps and browsers. Rich functionality combined with weak security mechanisms makes protecting users' data challenging. In this talk, I will present a few case studies of applying information flow security to protecting users' data in Android, the Chromium browser, and the IFTTT framework. For these systems, we show that dynamic coarse-grained taint tracking, even though it allows...
