- On Adversarial Testing of Cellular Network Protocols
Omar Chowdhury, Assistant Professor, Department of Computer Science
The University of Iowa
Abstract: Cellular networks are an indispensable part of a nation's critical infrastructure enabling global-scale communication and a wide range of novel applications and services, including earthquake and tsunami warning system (ETWS), telemedicine, and smart-grid electricity distribution. Cellular networks thus have been an attractive target of adversaries ranging from rogue individuals to more resourceful adversaries such as foreign intelligence agencies. Unfortunately, security- and privacy-enhancing considerations have often played second fiddle to quality-of-service, interoperability, and bandwidth concerns during cellular protocol design. As a consequence, cellular protocols, including the most recent generation, have often been plagued with debilitating attacks due to design weaknesses and deployment slip-ups. In this talk, I will start by discussing an automated analysis approach to reason about the security and privacy properties of cellular network protocols. Next, I will discuss several side-channel attacks that can give away a victim's geographical location as well as its persistent identifier, when the adversary only knows the victim's phone number. I will conclude the talk by discussing several low-cost defense mechanisms whose inclusion can raise the bar for the attackers.
Bio: Dr. Omar Haider Chowdhury is an Assistant Professor of Computer Science at the University of Iowa where he currently co-directs the Computational Logic Center (CLC). He received his Ph.D. from the University of Texas at San Antonio and was a post-doctoral research associate at Carnegie Mellon University and Purdue University before joining Iowa. His research focuses on applying techniques from computational logic and automated reasoning to solve practically-relevant computer security and privacy problems. His work has received distinguished paper awards at ACM SACMAT, ACSAC, and ACNS. He was inducted into the GSMA Mobile Security Hall of Fame for his work on cellular network security. In addition, his research has received funding from NSF and DARPA, including a DARPA Young Faculty Award.
- Formalizing Data Deletion in the Context of the Right to be Forgotten
Sanjam Garg, Assistant Professor, Computer Science Division
University of California, Berkeley
Abstract: The right of an individual to request the deletion of their personal data by an entity that might be storing it -- referred to as the right to be forgotten -- has been explicitly recognized, legislated, and exercised in several jurisdictions across the world, including the European Union, Argentina, and California. However, much of the discussion surrounding this right offers only an intuitive notion of what it means for it to be fulfilled -- of what it means for such personal data to be deleted. In this work, we provide a formal definitional framework for the right to be forgotten using tools and paradigms from cryptography. In particular, we provide a precise definition of what could be (or should be) expected from an entity that collects individuals' data when a request is made of it to delete some of this data. Our framework captures several, though not all, relevant aspects of typical systems involved in data processing. While it cannot be viewed as expressing the statements of current laws (especially since these are rather vague in this respect), our work offers technically precise definitions that represent possibilities for what the law could reasonably expect, and alternatives for what future versions of the law could explicitly require. Finally, with the goal of demonstrating the applicability of our framework and definitions, we consider various natural and simple scenarios where the right to be forgotten comes up. For each of these scenarios, we highlight the pitfalls that arise even in genuine attempts at implementing systems offering deletion guarantees, and also describe technological solutions that provably satisfy our definitions. These solutions bring together techniques built by various communities.
(Based on joint work with Shafi Goldwasser and Prashant Nalini Vasudevan)
Bio: Sanjam Garg is an Assistant Professor at the University of California, Berkeley. Previously, he was a Josef Raviv Memorial Postdoctoral Fellow at IBM Research T.J. Watson. His research interests are in cryptography and security. He obtained his Ph.D. from the University of California, Los Angeles in 2013 and his undergraduate degree from the Indian Institute of Technology, Delhi in 2008. He is the recipient of various honors such as the 2013 ACM Doctoral Dissertation Award, the 2020 Sloan Research Fellowship and the best paper awards at EUROCRYPT 2013, CRYPTO 2017 and EUROCRYPT 2018.
- Insecurity Analysis of the IoT Platforms and Systems
Peng Liu, Raymond G. Tronzo, M.D. Professor of Cybersecurity
Pennsylvania State University
Abstract: In this talk, I present our findings of two new families of security vulnerabilities associated with IoT platforms and systems. (Family 1) state out-of-sync vulnerabilities; and (Family 2) privilege separation vulnerabilities. In addition, I will provide a systematic classification of the recently identified security-related logic bugs in IoT platforms and systems. Our study shows that new kinds of security vulnerabilities indeed exist in emerging IoT applications and platforms. I also comment on the difficulties of removing these vulnerabilities.
Bio: Peng Liu received his BS and MS degrees from the University of Science and Technology of China, and his PhD from George Mason University in 1999. Dr. Liu is the Raymond G. Tronzo, M.D. Professor of Cybersecurity, founding Director of the Center for Cyber-Security, Information Privacy, and Trust, and founding Director of the Cyber Security Lab at Penn State University. His research interests are in all areas of computer security. He has published numerous papers in top conferences and journals. His research has been sponsored by NSF, ARO, AFOSR, DARPA, DHS, DOE, AFRL, NSA, TTC, CISCO, and HP. He has served as a program (co-)chair or general (co-)chair for over 10 international conferences (e.g., Asia CCS 2010) and workshops (e.g., MTD 2016). He will serve as the PC Co-Chair for IEEE/IFIP DSN 2022. He chaired the Steering Committee of SECURECOMM during 2008-14. He has served on over 100 program committees and reviewed papers for numerous journals. He is the Editor in Chief of Journal of Computer Security. He was an associate editor for IEEE TDSC. He is a recipient of the DOE Early Career Principal Investigator Award. He has co-led the effort to make Penn State an NSA-certified National Center of Excellence in Information Assurance Education and Research. He has advised or co-advised over 35 PhD dissertations to completion.
- A defence against trojan attacks on deep neural networks
Surya Nepal, Principal Research Scientist
Data61, CSIRO, Australia
Abstract: Backdoor attacks insert hidden associations or triggers into deep learning models to override correct inference such as classification and make the system perform maliciously according to the attacker-chosen target while behaving normally in the absence of the trigger. As a new and rapidly evolving realistic attack, it could result in dire consequences, especially considering that the backdoor attack surfaces are broad. This talk first provides a brief overview of backdoor attacks, and then presents a countermeasure, STRong Intentional Perturbation (STRIP). STRIP intentionally perturbs the incoming input, for instance by superimposing various image patterns, and observes the randomness of predicted classes for perturbed inputs from a given deployed model - malicious or benign. A low entropy in predicted classes violates the input-dependence property of a benign model and implies the presence of a malicious input.
Bio: Dr Surya Nepal is a Senior Principal Research Scientist at CSIRO Data61. He currently leads the distributed systems security group comprising 30+ research staff and 50+ postgraduate students. His main research focus is in the development and implementation of technologies in the area of cybersecurity and privacy, and AI and Cybersecurity. He has more than 250 peer-reviewed publications to his credit. He is a member of the editorial boards of IEEE Transactions on Service Computing, ACM Transactions on Internet Technology, IEEE Transactions on Dependable and Secure Computing, and Frontiers of Big Data- Security Privacy, and Trust. He is currently a theme leader of the Cybersecurity Cooperative Research Centre (CRC), a national initiative in Australia.
- Access Control Convergence: Challenges and Opportunities
Ravi Sandhu, Professor of Computer Science and Executive Director, Institute for Cyber Security (ICS)
University of Texas at San Antonio
Abstract: There have been a handful of ground-breaking concepts in access control over the past half century which have received significant traction in practical deployments. These include the fundamental policy-mechanism and operational-administrative distinctions, along with the authorization models of discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), attribute-based access control (ABAC) and relationship-based access control (ReBAC). In this talk we will argue that modern cyber systems require an effective convergence of these concepts, in that they must coexist in mutually supportive synergy. We will highlight some challenges and opportunities in making this vision a practical reality.
Bio: Ravi Sandhu is Professor of Computer Science, Executive Director of the Institute for Cyber Security and Lead PI of the NSF Center for Security and Privacy Enhanced Cloud Computing at the University of Texas at San Antonio, where he holds the Lutcher Brown Endowed Chair in Cyber Security. Previously he served on the faculty at George Mason University (1989-2007) and Ohio State University (1982-1989). He holds BTech and MTech degrees from IIT Bombay and Delhi, and MS and PhD degrees from Rutgers University. He is a Fellow of IEEE, ACM and AAAS, and has received numerous awards from IEEE, ACM, NSA, NIST and IFIP, including the 2018 IEEE Innovation in Societal Infrastructure award for seminal work on role-based access control (RBAC). A prolific and highly cited author, his research has been funded by NSF, NSA, NIST, DARPA, AFOSR, ONR, AFRL, ARO and private industry. His seminal papers on role-based access control established it as the dominant form of access control in practical systems. His numerous other models and mechanisms have also had considerable real-world impact. He served as Editor-in-Chief of the IEEE Transactions on Dependable and Secure Computing, and previously as founding Editor-in-Chief of ACM Transactions on Information and System Security. He was Chairman of ACM SIGSAC, and founded the ACM Conference on Computer and Communications Security, the ACM Symposium on Access Control Models and Technologies and the ACM Conference on Data and Application Security and Privacy. He has served as General Chair, Steering Committee Chair, Program Chair and Committee Member for numerous security conferences. He has consulted for leading industry and government organizations, and has lectured all over the world. He is an inventor on 31 security technology patents and has accumulated over 39,000 Google Scholar citations for his papers. 
At UTSA his team seeks to pursue world-leading research in both the scientific foundations of cyber security and their applications in diverse 21st century cyber technology domains, including cloud computing, internet of things, autonomous vehicles, big data and blockchain. Particular focus is on foundations and technology of attribute-based access control (ABAC) as a successor to RBAC in these contexts. His web site is at www.profsandhu.com.
Timed Data Release Mechanisms using Smart Contracts
Balaji Palanisamy, University of Pittsburgh, and
Chao Li, Beijing Jiaotong University.
This tutorial will first introduce key concepts and fundamentals behind the design of blockchains. The first part of the tutorial will introduce the Ethereum framework and its key components including accounts, data structures and consensus protocols. We will discuss the concept of transactions in Ethereum and their structure and categories. We will then introduce the notion of smart contracts and illustrate how a smart contract works in Ethereum. We will discuss the basics of Solidity, a widely-used programming language for creating Ethereum smart contracts.
The second part of the tutorial will discuss our recent research on developing timed data release mechanisms using smart contracts. Timed data release refers to protecting data until a prescribed release time and automatically releasing the data at the release time. Blockchain technologies provide significant support for decentralized implementation of timed data release mechanisms through the use of smart contracts. We will discuss our recent efforts on developing credible and enforceable smart contracts for timed data release in Ethereum. We will demonstrate that by employing a set of Ethereum peers to jointly follow the timed-release service protocol, the smart contract allows the participating peers to earn a remuneration paid by the service users. We will also demonstrate that through a careful design of the smart contract based on game theory, we can ensure that the best choice of any rational Ethereum peer in such techniques is to always honestly follow the correct protocol.
Finally, this tutorial will introduce the development environment, Remix + MetaMask + EtherScan + Kovan/Rinkeby, for creating smart contracts and provide a step-by-step illustration of how to create a new smart contract. We will discuss how to deploy the contract to the Ethereum test network and ways to interact with the contract.