CERIAS Weekly Security Seminar - Purdue University

1,160 episodes - English - Latest episode: about 1 month ago - ★★★★ - 6 ratings

CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discoveries, case studies, or cyber operational approaches; the talks are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Technology Education Courses infosec security video seminar cerias purdue information sfs research education

Episodes

Scott Carr, DataShield: Configurable Data Confidentiality and Integrity

March 29, 2017 20:30 - 32 minutes - 140 MB Video

Applications written in C/C++ are prone to memory corruption, which allows attackers to extract secrets or gain control of the system. With the rise of strong control-flow hijacking defenses, non-control data attacks have become the dominant threat. As vulnerabilities like HeartBleed have shown, such attacks are equally devastating. Data Confidentiality and Integrity (DCI) is a low-overhead non-control-data protection mechanism for systems software. DCI augments the C/C++ programming languages...

Tawei (David) Wang, CIO Risk Appetite and Information Security Management

March 22, 2017 20:30 - 49 minutes - 320 MB Video

After a series of recent high-profile information security breach incidents, the role of Chief Information Officers, particularly their role in information security risk management, has been in heated debate among practitioners. However, little is known in the academic literature about how a CIO's risk aversion level affects the effectiveness of information security management. Using reported information security breach incidents during 2003-2015, this study examines how a CIO's risk aversion l...

Stephen Reynolds, The Rise of Cyber-Crime: A Legal Perspective

March 08, 2017 21:30 - 51 minutes - 140 MB Video

Whether it is a spear phishing attack, social engineering, or malware specifically tailored to obtain online banking credentials, hundreds of thousands of dollars are at risk to fund transfer fraud and other cyber-crime. Beyond the financial consequences of these cyber-attacks, entities face an increasingly complex array of legal obligations and issues in the aftermath of one of these events. This presentation will give an overview of trends in cyber-crime, legal issues that may arise from t...

Yonghwi Kwon, A2C: Self Destructing Exploit Executions via Input Perturbation

February 22, 2017 21:30 - 49 minutes - 121 MB Video

Malicious payload injection attacks have been a serious threat to software for decades. Unfortunately, protection against these attacks remains challenging due to the ever-increasing diversity and sophistication of payload injection and triggering mechanisms used by adversaries. In this talk, I will present A2C, a system that provides general protection against payload injection attacks. A2C is based on the observation that payloads are highly fragile and thus any mutation would likely break t...

Ashish Hota, Behavioral and Computational Aspects of Network Security Games

February 15, 2017 21:30 - 47 minutes - 81 MB Video

In this talk, we will leverage the framework of game theory to understand the effects of decentralized decision-making on the robustness and security of large-scale networked systems. In the first part of this talk, we will consider a setting where each node in the network is an independent decision maker who wants to protect itself, and the probability of attack on a node is a function of the security investment by the node and its immediate neighbors in the network. Accordingly, the securit...

Neil Cassidy, Cyber Security in Large Complex Corporations

February 08, 2017 21:30 - 53 minutes - 289 MB Video

Large corporations evolve over time. The technology they produce, the services they provide, the working practices and the IT that supports them are changing at an ever-increasing rate. From its formation in 1906, Rolls-Royce has been synonymous with high-quality engineering and currently develops power systems to propel everything from commercial airliners to luxury yachts. The company strives to maintain its market-leading position through considerable investment in R&D and the Intellectual Property and engine...

Vincent Urias, Network Deception as a Threat Intelligence Platform

February 01, 2017 21:30 - 49 minutes - 242 MB Video

The threat landscape is changing significantly; the complexity and rate of attacks are ever increasing, and the network defender does not have enough resources (people, technology, intelligence, and context) to make informed decisions. The need for network defenders to develop and create proactive threat intelligence is on the rise. Network deception may provide analysts the ability to collect raw intelligence about threat actors as they reveal their Tools, Tactics, and Procedures (TTP). This incr...

Jean Camp, Changing the Economics of the Network

January 25, 2017 21:30 - 47 minutes - 171 MB Video

BGP enables a network of networks, and is also a network of trust. The clearest instantiation of that trust is the updating of router tables based on unsubstantiated announcements. The positive result of this trust is that the network can be extremely responsive to failures, and recover quickly. Yet the very trust that enables resilience creates risks from behavior lacking either technical competence or benevolence. Threats to the control plane have included political interference, misgu...

Nick Sturgeon, Emerging Cyber Threats

January 18, 2017 21:30 - 1 hour - 347 MB Video

Cybersecurity threats are constantly evolving and becoming more sophisticated. This has been observed through advanced spear phishing campaigns, an increase in ransomware families/variants and the use of IoT devices for DDoS attacks. As well, the tactics, techniques and procedures (TTPs) utilized by bad actors are evolving with the technology and seemingly staying one step ahead of security technologies. This presentation will look at some of the trends from the past year and look at the emerging...

Aniket Kate, Differential Guarantees for Cryptographic Systems

January 11, 2017 21:30 - 53 minutes - 139 MB Video

Differential privacy aims at learning information about the population as a whole, while protecting the privacy of each individual. With its quantifiable privacy and utility guarantees, differential privacy is becoming standard in the field of privacy-preserving data analysis. On the other hand, most cryptographic systems for their privacy properties rely on a stronger notion of indistinguishability, where an adversary should not be able to (non-negligibly) distinguish between two scenarios. ...

Yinqian Zhang, When Side Channel Meets Row Hammer: Cache-Memory Attacks in Clouds and Mobile Devices

December 07, 2016 21:30 - 55 minutes - 168 MB Video

Processor caches and memory chips are hardware components used by all software programs on a computer system. They are designed, and thereafter fine-tuned over the years, for better performance and power efficiency, but not for strong isolation between mutually distrustful software programs. However, the modern computing paradigm has been shifting towards resource sharing without full trust: in multi-tenant public clouds, virtual machines controlled by different customers are scheduled to run on ...

Abhilasha Bhargav-Spantzel, Digital Identity Protection

November 30, 2016 21:30 - 45 minutes - 157 MB Video

Corey Holzer, The Application of Natural Language Processing to Open Source Intelligence for Ontology Development in the Advanced Persistent Threat Domain

November 16, 2016 21:30 - 36 minutes - 246 MB Video

Over the past decade, the Advanced Persistent Threat (APT) has risen to the forefront of cybersecurity threats. APTs are a major contributor to the billions of dollars lost by corporations around the world annually. The threat is significant enough that the Navy Cyber Power 2020 plan identified them as a "must mitigate" threat in order to ensure the security of its warfighting network. This presentation and its related research applies the science of Natural Language Processing Open Source Intelli...

Sanjai Narain, A Science of Cyber Infrastructure Configuration

November 09, 2016 21:30 - 56 minutes - 256 MB Video

Configuration is the glue for logically integrating cyber infrastructure components to satisfy end-to-end requirements on security and functionality. Every component has a finite number of configuration variables that are set to definite values. It is well-documented that configuration errors are responsible for 50%-80% of infrastructure vulnerabilities and downtime and it can take months to set up and adapt infrastructure. This is because the large conceptual gap between requirement and conf...

Victor Raskin, New Research and Resources in NL IAS at Purdue

October 26, 2016 20:30 - 53 minutes - 315 MB Video

The paper will briefly review the achievements of natural language information assurance and security, a Purdue-native innovative strand of research and applications, from NL watermarking and tamperproofing to deception detection, anonymization and now to implicit meaning, conceptual defaults, computational humor, and robotic intelligence and security. I will also briefly show a new acquisition and processing resource at https://engineering.purdue.edu/~ost/. About the speaker: Victor Raskin, C...

Jeremiah Blocki, Usable and Secure Human Authentication

October 19, 2016 20:30 - 54 minutes - 246 MB Video

A typical computer user today manages passwords for many different online accounts. Users struggle with this task -- often forgetting their passwords or adopting insecure practices, such as using the same passwords for multiple accounts and selecting weak passwords. Before we can design good password management schemes it is necessary to address a fundamental question: How can we quantify the usability or security of a password management scheme? In this talk we will introduce quantitative us...

Terry Ching-Hsiang Hsu, Enforcing Least Privilege Memory Views for Multithreaded Applications

October 12, 2016 20:30 - 27 minutes - 39 MB Video

Failing to properly isolate components in the same address space has resulted in a substantial amount of vulnerabilities. Enforcing the least privilege principle for memory accesses can selectively isolate software components to restrict attack surface and prevent unintended cross-component memory corruption. However, the boundaries and interactions between software components are hard to reason about and existing approaches have failed to stop attackers from exploiting vulnerabilities caused...

Tony Sager, Growing Up In Cyber, But Is Cyber Growing Up?

October 05, 2016 20:30 - 58 minutes - 367 MB Video

Communications Security, Computer Security, Information Security, Information Assurance, Information Operations, Cyber Security: through a 35-year career at the National Security Agency, and now with the non-profit Center for Internet Security, Tony has been a participant, observer, and shaper of the world we now call Cyber Security. Since he's never had another job (or some might say, never had a real job), through the lens of his career he will share his observations about the evolution o...

Nicholas Reuhs, The role of cyber insurance in security and risk management

September 28, 2016 20:30 - 53 minutes - 440 MB Video

Cyber-liability insurance has grown from a niche product into a multi-billion-dollar market in less than a decade. It has also become a negotiating point in technology-related contracts and a buzzword for corporate boards. In this seminar, we will discuss how this new insurance market has developed -- surveying the spectrum of "cyber" insurance products and outlining what events these products are (and are not) intended to cover. We will also discuss underwriting problems (information asym...

Aniket Kate, The Internet of Value: Privacy and Applications

September 21, 2016 20:30 - 58 minutes - 221 MB Video

Over the last seven years we have been observing a tremendous growth of crypto-currencies such as Bitcoin and IOU credit networks such as Ripple. Their decentralized and pseudonymous nature, ability to perform transactions across the globe in a matter of seconds, and potential to monetize everything regardless of jurisdiction have been pivotal to their success so far. Despite some major hiccups, their market capitalization is increasing steadily over the years. It is now believed that, in the...

Di Jin, General Motors Product Cybersecurity Overview

September 14, 2016 20:30 - 56 minutes - 402 MB Video

In this presentation the speaker will give an introduction to the GM product cybersecurity organization and the efforts that are being undertaken by this organization to drive a better product cybersecurity posture. Many interesting aspects will be discussed in the presentation, e.g., the vehicle cybersecurity ecosystem, connected vehicle attack surfaces, external industry/academia collaborations, the security vulnerability disclosure program, challenges for the automotive industry, future res...

Maria Andrews, Improving Outcomes with Services

September 07, 2016 20:30 - 43 minutes - 274 MB Video

I will be discussing Improving Outcomes with Services, including a deep dive into Advanced Threat Analytics and how Cisco Active Threat Analytics (ATA) integrates deep expertise with cutting-edge technology, leading intelligence, and advanced analytics to detect and investigate threats with great speed, accuracy, and focus. There will be talks and examples of Proactive Threat Hunting: activities involving seeking out malicious activity not identified by traditional alerting mechanisms. Hunti...

Srivatsan Ravi, Towards Safe In-memory Transactions

August 31, 2016 20:30 - 54 minutes - 198 MB Video

Current general-purpose CPUs are multicores, offering multiple computing units within a single chip. The performance of programs on these architectures, however, does not necessarily increase proportionally with the number of cores. Designing concurrent programs to exploit these multicores emphasizes the need for achieving efficient synchronization among threads of computation. When there are several threads that conflict on the same data, the threads will need to coordinate their actions for...

Michael Taylor, Secure Coding - Patterns and anti-patterns in the design & architecture of secure applications

August 24, 2016 20:30 - 1 hour - 238 MB Video

Applications are only as secure as the network architecture and operating systems in which they operate. It is only a matter of time before services, networks, or applications are targeted by bad actors even if they are not directly exposed to the public Internet. In this seminar we will discuss some of the patterns seen in secure application development and the anti-patterns that should be avoided. Then we will examine how to best implement these practices both as an individual and within o...

Christopher N. Gutierrez, ErsatzPasswords - Ending Password Cracking

April 27, 2016 20:30 - 32 minutes - 130 MB Video

In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site password discovery as well as a deception mechanism to alert administrators of such attempts. Our scheme can be easily integrated wi...
