10:15-11:15: Defender's Dilemma — Virgil Gligor (JPH)
Advances in computing and communication technologies have posed persistent dilemmas for security defenders over the past half a century, each seemingly more daunting than the previous ones. For example, in the late 1960’s and 1970’s, a dilemma arose in designing processor protection mechanisms, which exhibited significant vulnerabilities in instruction-set architectures (ISAs). That is, given the three key processor design objectives, namely performance, object-code compatibility, and security of new ISAs, any two objectives are easy to meet but meeting all three is very hard. This raised the dilemma of which pair of objectives should one meet? Over the years, new hardware production models relying on outsourced processor fabrication, system-board manufacturing, and distribution posed a new dilemma. Should production be done in-house, where one can retain control of security at a higher cost, or outsourced at a low production cost but face the possibility of deliberate addition of malicious hardware? The past decade also posed a basic dilemma for commodity software markets. Rapid innovation in commodity software, which has been fueled by zero-cost of market entry, zero liability for insecure systems, and zero regulation, has led to low-cost, no-assurance components. This raises the question of whether there will ever be a market case for high-assurance secure products, given that these will undoubtedly have higher cost? Security-unfavorable answers to the above questions suggest a general defender’s dilemma: given that cyber-security is a fundamental problem of secondary importance in the Internet, how can a defender ever win against an attacker? (A similar dilemma seems to be posed by privacy, despite regulatory initiatives taking shape in both Europe and the US.) In this presentation, I will give a new example of a defender’s dilemma in the current Internet and suggest an approach where the defender can win.
Specifically, I will show that non-traditional, large-scale link-flooding attacks, which can cause massive denial of service as recently experienced by Protonmail in Switzerland, are enabled by minimum-cost routing – a fundamentally desirable feature of the Internet. Although minimum cost routing does not degrade end-point host connectivity during ordinary Internet use, it causes routing bottlenecks that can be exploited by an adversary to degrade connectivity substantially. The defender’s dilemma arises because these bottlenecks cannot be removed for the purpose of countering link-flooding attacks since that would also remove a key routing feature that reduces communication cost. The approach one can take is to deter an adversary from exploiting a feature that cannot be removed despite the fact that it causes an exploitable vulnerability. Although current law does not offer effective deterrence against large-scale link-flooding attacks due to lack of uniform marginal enforcement, technical deterrence appears to work. That is, it forces an untenable tradeoff for a cost-sensitive adversary: either the adversary must pay an unaffordable price for the attack or be detected using low-cost countermeasures. This approach requires higher-cost collaborative defenses among ISPs to counter less frequent link-flooding attacks by cost-insensitive adversaries.
Bio: Virgil D. Gligor received his B.Sc., M.Sc., and Ph.D. degrees from the University of California at Berkeley. He taught at the University of Maryland between 1976 and 2007, and is currently a Professor of ECE at Carnegie Mellon University. Between 2007 and 2015 he was the co-Director of CyLab. Over the past forty years, his research interests ranged from access control mechanisms, penetration analysis, and denial-of-service protection, to cryptographic protocols and applied cryptography. Gligor was an editorial board member of several ACM and IEEE journals and the Editor in Chief of the IEEE Transactions on Dependable and Secure Computing. He received the 2006 National Information Systems Security Award jointly given by NIST and NSA, the 2011 Outstanding Innovation Award of the ACM SIG on Security Audit and Control, and the 2013 Technical Achievement Award of the IEEE Computer Society.
11:15-12:15: Machine Learning and Privacy: Friends or Foes? — Vitaly Shmatikov (slides) (BAF)
Machine learning is eating the world. Modern machine learning methods, especially deep learning based on artificial neural networks, rely on the training data collected from millions of users to achieve unprecedented accuracy and enable powerful AI-based services.
In this talk, I will discuss the complex relationship between machine learning and digital privacy. This includes new threats, such as adversarial use of machine learning to recover hidden user data, and new benefits, such as privacy-preserving machine learning that protects the confidentiality of training data while constructing accurate models.
13:30-14:30: Towards Developer-Proof Cryptography — Pascal Junod (slides) (BAF)
Forty years after the publication of Diffie and Hellman’s seminal paper, cryptographic technologies have become ubiquitous and are used by millions of people on a daily basis. However, the quality and security of most cryptographic implementations are often horrifyingly bad. In this talk, we will demonstrate that a vast majority of cryptographic APIs are designed in such a way that they significantly increase the likelihood of misuse by software developers. A list of requirements leading to better crypto APIs will also be discussed.
Bio: Pascal holds an MSc in computer science from ETH Zurich and a PhD in cryptography from EPF Lausanne. He is currently a professor of information security at the University of Applied Sciences and Arts Western Switzerland, where he teaches industrial cryptography, software reverse engineering and software protection. He is also a co-founder of the startup strong.codes, which is active in the domain of software protection. Before that, he was employed as an applied cryptographer in the Pay-TV industry, designing and analyzing secure broadcasting systems.
His current research interests are applied cryptography, automated software reverse engineering as well as software protection.
14:30-15:30: Long-term Security — Johannes Buchmann (JPH)
With increasing digitization, the amount of data that require long-term protection increases rapidly. Examples are medical data, electronic land registers, and classified information. However, much of the security technology used today appears to be inappropriate for the task of long-term protection. This is particularly true for cryptography. Keys chosen today will be too short in the future or they may be leaked over time. New attacks may be discovered that threaten cryptographic schemes which are now considered to be secure. In this talk a new framework is presented that allows for long-term integrity and confidentiality protection. It uses a combination of cryptographic techniques with quantum key distribution. We discuss the concept and its security and present a prototype implementation. This is joint work of researchers at TU Darmstadt and NICT, Tokyo.
15:45-16:45: How can Quantum Cryptography Contribute to Cyber Security — Nicolas Gisin (slides) (JPH)
Quantum physics is a natural source of entropy: randomness out of (almost) nothing! Moreover, the same random event can manifest itself at several locations. Hence quantum physics is a natural building block for cryptography, i.e. it offers Quantum Key Distribution.
16:45-17:45: Exploring the Future of Smart Contracts — Ari Juels (slides) (JPH)
Smart contracts are programs that execute autonomously atop a blockchain. Ethereum, for example, is a well known smart contract system based on a decentralized blockchain resembling Bitcoin’s. Smart contracts promise to give rise to a broad range of applications in finance, insurance, and rights management, but their success will require solutions to a number of technical challenges. In this talk I’ll enumerate the most important of these challenges and discuss exploration of solutions and applications in the Initiative for CryptoCurrencies and Contracts (IC3). Among other topics, I’ll present the Town Crier authenticated data feed system, recent work mapping existing elements of contract law onto smart contracts, and applications ranging from flight insurance to bug-bounty marketplaces.
10:15-11:15: Efficient Zero-Knowledge Proofs — Jens Groth (slides) (SV)
Zero-knowledge proofs enable a prover to convince the verifier that a statement is true without revealing anything else. Zero-knowledge proofs are useful to guarantee a party is following a protocol honestly, yet at the same time protecting the confidentiality of the party's private data. Applications include voting, mix-nets, verifiable outsourced computation, ring and group signatures, virtual currencies, and multi-party computation. In the first part of the talk we will introduce zero-knowledge proofs and applications. In the second part we will put the emphasis on non-interactive zero-knowledge proofs and present a new construction from EUROCRYPT 2016 with very small proofs consisting of only 3 group elements each.
11:15-12:15: Secure Positioning: From GPS to IoT — Srdjan Capkun (JPH)
In this talk I will review security issues in today’s navigation and close-range positioning systems. I will discuss why GNS systems like GPS are hard to fully secure and will present novel solutions that can be used to improve the robustness of GNS systems to attacks. I will then show how a different design of a positioning system can enable secure positioning, but also that this requires solving a set of relevant physical- and logical-layer challenges. Finally, I will present a fully integrated IR UWB secure distance measurement (distance bounding) system that solves these challenges and enables secure distance measurement and secure positioning in IoT applications.
13:30-14:30: Foundations of Blockchain Protocols — Aggelos Kiayias (SV)
The rise of bitcoin and other cryptocurrencies puts forth a wealth of interesting problems in distributed systems and cryptography that relate to building decentralized systems. In this talk, we discuss what is the exact problem that the bitcoin protocol solves and then go on to investigate whether and in what ways the protocol can be improved. The protocol itself will be abstracted in a simple algorithmic form, termed as the bitcoin backbone, and subsequently provable properties like chain quality, common prefix and chain growth will be detailed. The concept of a robust transaction ledger will be defined, as captured by two basic properties, persistence and liveness. Alternatives to the main protocol such as GHOST will be overviewed as well as the relation of the defined properties and protocols to the consensus problem.
14:30-15:30: Cryptographically Secure Mix-Nets — Helger Lipmaa (SV)
TBA.
15:45-16:45: Forward Secrecy in TLS: A Systematic Study — Nick Sullivan (slides) (BAF)
Perfect Forward Secrecy (PFS) was a concept first introduced by Günther in 1990 to describe a property of key exchange protocols like Diffie-Hellman: past key exchanges are secure against future attackers. In the Transport Layer Security protocol (TLS), the ciphersuites for which certificate private key compromise does not allow an attacker to retroactively decrypt previously recorded connections are said to be PFS. However, a close examination of how keys are managed in real-world TLS deployments shows that PFS is not a strong enough guarantee to ensure secrecy of past (or future) communications in all scenarios. In this talk we describe a more specific set of security guarantees afforded to TLS during both stateful and stateless session resumption in TLS 1.2, and explore the improvements to forward security in the upcoming TLS 1.3.
Bio: Nick Sullivan is a leading cryptography and security technologist. At CloudFlare, a top Internet performance and security company, Nick is responsible for overseeing all cryptographic products and strategy. Prior to joining CloudFlare, he was a digital rights management pioneer, helping build and secure Apple’s multi-billion dollar iTunes store. He is the author of more than a dozen computer security patents and holds an MSc in Cryptography.
16:45-17:45: Cryptography for Privacy — Jan Camenisch (slides) (BAF)
The amount of personal information that is collected, stored, and processed continues to increase daily, making our lives ever easier. At the same time, it becomes increasingly hard to protect personal information, putting ourselves at risk. In this talk we discuss a number of cryptographic mechanisms that can provide all the benefits of a digital world while providing strong cryptographic protection.
10:15-11:15: Tracking Your Every Move - Today and Tomorrow — Jakob Eriksson (slides) (BAF)
Not too long ago, tracking the movements of individuals was an obscure activity largely reserved for detective novels and the occasional creepy stalker. Lately, however, massive-scale continuous location surveillance has quietly become a fact of life, pursued by organizations as diverse as Google, Amazon, the Drug Enforcement Agency, and the Department of Transportation, not to mention cyber-criminals, jealous spouses and helicopter parents. An equally wide range of technologies is used for this virtual stakeout job, including spyware on your laptop and mobile devices, roadside radio receivers (Wi-Fi, Bluetooth and more), license plate reading devices, face-recognizing surveillance cameras, RFID tags and readers, and more.
In this talk, we will review some of the more pervasive people-tracking methods in use today, together with some of their more (or less) well-known uses. We'll then put on a pair of decidedly rose-colored glasses, and try to see what good our Orwellian future may bring, and what challenges lie ahead, beyond the quaint notion of protecting your location privacy.
Bio: Jakob Eriksson is an Associate Professor of Computer Science at the University of Illinois at Chicago. Prior to that, he did a two year stint at MIT CSAIL as a postdoc, received his Ph.D. at UC Riverside, and his undergraduate degree at the Royal Institute of Technology (KTH) in Stockholm, Sweden. His research interests include mobile computing, operating systems, and computer vision.
11:15-12:15: How to Compute with Secrets and not Die Trying — Jean-Philippe Aumasson & Luis Merino (BAF)
In this presentation we give an introduction to a recent trusted computing implementation, followed by our assessment of the cryptographic mechanisms behind it.
13:30-14:30: Haystack: A Multi-Purpose Mobile Vantage Point in User Space — Christian Kreibich (slides) (KA)
Despite our growing reliance on mobile phones for a wide range of daily tasks, their operation remains largely opaque. In this talk I will introduce Haystack, a platform that leverages the VPN API on mobile devices to create a mobile measurement platform that operates exclusively on the device, providing full access to the device’s network traffic and local context without requiring root access. I will present the design of Haystack and its implementation in an Android app available in the Google Play store. Using data collected from 450 users of the app, I will exemplify Haystack’s ability to provide meaningful insights about protocol usage, its ability to identify security and privacy concerns of mobile apps, and to characterize mobile traffic performance. I will conclude with an outlook on our plans for Haystack's future and potential avenues for collaboration.
11:15-12:15: Blockchain, Cryptography, and Consensus — Christian Cachin (BAF)
A blockchain is a public ledger for recording transactions, maintained by many nodes without central authority through a distributed cryptographic protocol. All nodes validate the information to be appended to the blockchain, and a consensus protocol ensures that the nodes agree on a unique order in which entries are appended. Distributed protocols tolerating faults and adversarial attacks, coupled with cryptographic tools are needed for this. The recent interest in blockchains has revived research on consensus protocols, ranging from the proof-of-work method in Bitcoin's “mining” protocol to classical Byzantine agreement.
IBM is actively involved in the development of a blockchain for the enterprise. In this context an industry-wide collaborative effort, the Hyperledger Project, was established in early 2016 to develop an open-source blockchain. Being one of the key partners in Hyperledger, IBM has already contributed code for running an enterprise blockchain fabric.
This talk will present an overview of blockchain concepts, the cryptographic building blocks and consensus mechanisms, and discuss current efforts in the Hyperledger Project.
13:30-14:30: The Quest for Scalable Blockchain — Marko Vukolic (slides) (RG)
Bitcoin cryptocurrency demonstrated the utility of global consensus across thousands of nodes, changing the world of digital transactions forever. In the early days of Bitcoin, the performance of its probabilistic proof-of-work (PoW) based consensus fabric, also known as blockchain, was not a major issue.
The situation today is radically different and the poor performance scalability of early PoW blockchains no longer makes sense. Specifically, the trend of modern cryptocurrency platforms, such as Ethereum, is to support execution of arbitrary distributed applications on blockchain fabric, needing much better performance. This approach, however, makes cryptocurrency platforms step away from their original purpose and enter the domain of the classical state-machine replication, and in particular its Byzantine fault-tolerant (BFT) variants.
In this talk, we contrast PoW-based blockchains to those based on BFT state-machine replication, focusing on their scalability limits. We also discuss recent proposals for overcoming these scalability limits and outline key outstanding open problems in the quest for the “ultimate” blockchain fabric(s). We further reflect on our practical experiences in building the Hyperledger open-source blockchain fabric.
Bio: Dr. Marko Vukolic is a Research Staff Member at IBM Research - Zurich. Previously, he was a faculty member at EURECOM and a visiting faculty member at ETH Zurich. He received his PhD in distributed systems from EPFL in 2008 and his engineering degree in telecommunications from University of Belgrade in 2001. Dr. Vukolic is currently a steering committee member of Eurosys, was a PC co-chair of the SOFSEM 2011 conference, and a member of numerous program committees of major conferences. His research was awarded the Eurosys 2010 Best Paper Award and the IBM Outstanding Technical Achievement Award. His research interests lie in the broad area of distributed algorithms and systems, including fault-tolerance, blockchain and distributed ledgers, cloud computing security and distributed storage.
14:30-15:30: Hardware Trojans: An Emerging Threat for the Internet of Things — Ilia Polian (slides) (BAF)
Historically, IT security concentrated on attack scenarios targeting software and communication networks, but more recently, the system hardware moved into the focus of attackers. Hardware-related threats are relevant even for extremely software-dominated systems, which still contain some amount of hardware on which the software runs; compromising this hardware makes the entire system vulnerable. Even worse, many software-centric security solutions rely on a hardware-based root of trust which stores secret keys and provides essential security functions; successful attacks on such root-of-trust blocks render the entire security concept ineffective. With the emergence of paradigms like cyberphysical systems, internet of things, or Industrie 4.0 that connect the physical world, IT systems and global connectivity, hardware blocks are at risk of becoming the Achilles’ heel of entire infrastructures.
The presentation will focus on one emerging attack scenario: Hardware Trojans. These are malicious modifications of system hardware with the purpose to gain control over its functionality and, e.g., be able to deactivate the affected block at the attacker’s will (“kill switch”), or establish a side-channel to access confidential data processed by the device (“backdoor”). Hardware Trojans may be planted by an external foundry who manufactures the integrated circuit, by a rogue in-house designer, by an external provider of intellectual property blocks integrated into the design, or even by an electronic design automation tool. Even though hard evidence of their occurrence in actual systems is largely lacking, hardware Trojans are receiving substantial attention by academia and by governmental agencies. The presentation will discuss the feasibility of such attacks, recapitulate early proof-of-concept demonstrations, and explain novel, more sophisticated Trojans on all levels. It will also discuss the capability of various kinds of countermeasures, from silicon measurements and runtime monitoring to formal methods, to detect the presence of Trojans and/or prevent the attacks when they happen.
15:45-16:45: Data Analytic in Anonymized Networks: Is There Hope for Privacy? — Negar Kiyavash (slides) (JPH)
The proliferation of online social networks has helped in generating large amounts of graph data which has immense value for data analytics. Network operators, like Facebook, often share this data with researchers or third party organizations, which helps both the entities generate revenues and improve their services. As this data is shared with third party organizations, the concern of user privacy becomes pertinent. Hence, it becomes essential to balance utility and privacy while releasing such data. Advances in graph matching and the resulting recent attacks on graph datasets paint a grim picture. We discuss the feasibility of privacy preserving data analytics in anonymized networks and provide an answer to the question “Does there exist a regime where the network cannot be deanonymized, yet data analytics can be performed?”
Bio: Negar Kiyavash is Willett Faculty Scholar and an Associate of Center for Advanced Study at the University of Illinois at Urbana-Champaign. She is a joint Associate Professor of Industrial and Enterprise Engineering and Electrical and Computer Engineering. She is also affiliated with the Coordinated Science Laboratory (CSL) and the Information Trust Institute. She received her Ph.D. degree in electrical and computer engineering from the University of Illinois at Urbana-Champaign in 2006. Her research interests are in design and analysis of algorithms for network inference and security. She is a recipient of National Science Foundation's CAREER and The Air Force Office of Scientific Research Young Investigator awards, and the Illinois College of Engineering Dean's Award for Excellence in Research.
16:45-17:45: Privacy in Epigenetics: Temporal Linkability of MicroRNA Expression Profiles — Mathias Humbert (slides) (JPH)
The decreasing cost of molecular profiling tests, such as DNA sequencing, and the consequent increasing availability of biological data are revolutionizing medicine, but at the same time create novel privacy risks. The research community has already proposed a plethora of methods for protecting genomic data against these risks. However, the privacy risks stemming from epigenetics, which bridges the gap between the genome and our health characteristics, have been largely overlooked so far, even though epigenetic data is no less privacy sensitive. In this talk, I will first provide some background on epigenetics, notably how it relates to the human health ecosystem. I will then show how personal miRNA expression data, despite their variability, can be successfully tracked over time. I will also present two mechanisms for mitigating the linkability threat: (i) hiding a subset of disease-irrelevant miRNA expressions, and (ii) probabilistically sanitizing the miRNA expression profiles. I will conclude by presenting open challenges related to miRNA expression data and, more generally, epigenetic privacy.
10:15-11:15: Practical Examples of Physical Layer Security Schemes — Arsenia Chorti (slides) (SV)
The security and integrity of communication systems, and especially wireless networks, is a matter of increasing importance, affecting government, industry, commerce and the privacy and financial security of us all. In next generation wireless systems (5G) the overhead and latency imposed by cryptography is expected to increase, while at the same time requiring simpler and less energy-intensive wireless nodes. On the other hand, it was shown by Shannon, in 1949 (and further developed by Wyner in 1975), that unconditionally secure communication is possible. Specifically Wyner showed that for the wiretap channel, in which the eavesdropper (“Eve”) has a poorer channel than the legitimate receiver (“Bob”), the sender (“Alice”) can transmit confidential data to Bob irrespective of Eve’s computational power. This concept, known as physical layer security (PLS), has attracted significant attention in recent years. However the concept has until now very largely been information theoretic, and work in the area has not adequately addressed practical issues which could give users sufficient confidence to put the methods into operation. In this talk we discuss two practical PLS schemes that could find use in future generations of heterogeneous wireless networks (5G and beyond). In particular, we will first discuss an explicit encoder construction with guaranteed secrecy for wireless network coding schemes with untrusted relays. The proposed encoder is built around simple M-QAM modulators and could find use in secure device-to-device communications. Secondly, we will review a simple scheme for the generation of symmetric keys of guaranteed entropy from shared randomness and we will discuss the robustness of such schemes to denial of service attacks in the form of jamming.
Bio: Dr Arsenia Chorti joined the School of Computer Science and Electronic Engineering of the University of Essex in October 2013 as a Lecturer. She obtained her PhD from Imperial College London and has served as a Senior Lecturer at Middlesex University between 2008 and 2010. From 2010 to 2013 she was a Marie Curie International Outgoing Fellow (MC-IOF) at Princeton University where she currently holds a Visiting Researcher status. Her research interests include, among others, physical layer security, physical layer network coding, signal processing for communications. She is a member of the IEEE and of the IEEE ComSoc Signal Processing, Communications and Electronics Technical Committee (SPCE TC).
11:15-12:15: Traffic Analysis - When Encryption is not Enough to Protect Privacy — Carmela Troncoso (slides) (JPH)
Intuitively, privacy is associated with the confidentiality of content. Yet, the meta data associated with this content, e.g., the sender, the receiver, the time and length of messages, in itself may reveal private information. Using anonymous communication systems as a running example, this talk will provide an overview of traffic analysis approaches. We will show how these techniques can be used to extract information from secure systems in which information is encrypted.