Information Assurance Center

Events


Information Session

Open to Public

Information Assurance Programs and Scholarships

Friday, April 22, 2016
1:30 p.m. to 2:45 p.m.
Brickyard (BYAC), Room 210
699 South Mill Avenue, Tempe, Arizona

Key Points:

  • Information Assurance, and its importance
  • Job market relevant to Information Assurance
  • Information Assurance Educational Programs
  • Information Assurance Research Programs
  • Federal IA Scholarship Programs

Seminars

All open to Public

Believing without Seeing: Cryptographic Integrity Guarantees in Outsourced Computation

Mr. Dimitris Papadopoulos
PhD Candidate
Boston University

Thursday, March 17, 2016
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

An integral component of modern computing is the ability to outsource data and computation to powerful remote servers. But this model of interaction also introduces new security issues, as one's data no longer resides within their "zone of trust". In particular, how can a party be assured that an outsourced computation was performed correctly by the remote server? I will discuss cryptographic protocols that achieve integrity of computation. These protocols accompany each computation with a short and efficiently verifiable proof of correctness. Existing constructions in the literature typically come in two flavors: general-purpose schemes that can verify any computation but entail very high overheads for the server, and function-specific schemes that are more efficient, but only target limited functionalities. My approach takes the best of both worlds: I use function-specific schemes as building blocks, and compose these building blocks by leveraging ideas from the general-purpose approaches. This results in constructions that enjoy the low overheads of function-specific schemes, while providing significantly more expressiveness. Finally, I will show that the problem of securing the domain name system (DNS) is at its core a problem of integrity of outsourced computation, and present our design and implementation of NSEC5, a proposal for augmenting the security of DNS.

Speaker's Bio:

Dimitrios Papadopoulos is a PhD candidate in the Computer Science Department of Boston University, and a member of the BU Security Group. He received his Diploma in Applied Mathematics in 2010 from the National Technical University of Athens, Greece. He has worked as a research intern at IBM Zurich and Verisign Labs. His research interests are in applied cryptography, network security, and secure cloud computing.

Non-traditional DDoS Attacks and Defenses

Mr. Min Suk Kang
PhD Candidate
Carnegie Mellon University

Tuesday, March 15, 2016
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Today's Internet has serious security problems. Of particular concern are distributed denial-of-service (DDoS) attacks, which coordinate large numbers of compromised machines to make a service unavailable to other users. DDoS attacks are a constant security threat with over 20,000 DDoS attacks occurring globally every day. They cause tremendous damage to businesses and have catastrophic consequences for national security. In particular, over the past few years, adversaries have started to turn their attention from traditional targets (e.g., end-point servers) to non-traditional ones (e.g., ISP backbone links) to cause much larger attack impact. In this presentation, I will review recent results regarding non-traditional DDoS attacks and potential defense mechanisms. First, I will review a non-traditional type of link-flooding attack, called the Crossfire attack, which targets and floods a set of network links in core Internet infrastructure, such as backbone links in large ISP networks. Using Internet-scale measurements and simulations, I will show that the attack can cause huge connectivity losses to cities, states, or even countries for hours or even days. Second, I will introduce the notion of routing bottlenecks, or small sets of network links that carry the vast majority of Internet routes, and show that it is a fundamental property of Internet design; i.e., it is a consequence of route-cost minimizations. I will also illustrate the pervasiveness of routing bottlenecks around the world, and measure their susceptibility to the Crossfire attack. Finally, I will explore the possibility of building a practical defense mechanism that effectively removes the advantages of DDoS adversaries and deters them from launching attacks. The proposed defense mechanism utilizes a software-defined networking (SDN) architecture to protect large ISP networks from non-traditional DDoS attacks.

Speaker's Bio:

Min Suk Kang is a Ph.D. candidate in Electrical and Computer Engineering (ECE) at Carnegie Mellon University. He is advised by Virgil D. Gligor in CyLab. Before he joined Carnegie Mellon, he worked as a researcher as part of Korean military duty at the Department of Information Technology at KAIST Institute. He received B.S. and M.S. degrees in Electrical Engineering and Computer Science (EECS) at Korea Advanced Institute of Science and Technology (KAIST) in 2006 and 2008, respectively. His research interests include network and distributed system security, wireless network security, and Internet user privacy.

Automated Privacy Policy Compliance

Dr. Omar Chowdhury
Postdoctoral Research Associate
Purdue University

Thursday, March 3, 2016
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Privacy regulations often govern data sharing and data use practices of organizations that collect personally identifiable information from their clients. For instance, in the US, healthcare organizations must comply with the federally mandated Health Insurance Portability and Accountability Act (HIPAA). Monetary penalties for non-compliance are high. The current practice of manual auditing for privacy violation is error-prone, cumbersome, and it does not scale well. It is thus crucial for the research community to develop automated tools and techniques to aid organizations in checking privacy policy compliance. Within this context, I will first present encryption schemes that enable an organization to outsource the storage of audit logs and the computation of compliance checking to an untrusted cloud without completely giving up on privacy. Next, I will present an efficient compliance checker called precis, which leverages techniques from runtime verification and logic programming. Finally, I will conclude with a discussion of some remaining obstacles to practical deployment.

Speaker's Bio:

Omar Chowdhury is a Post-Doctoral Research Associate in the Department of Computer Science at Purdue University. Before joining Purdue, he was a Post-Doctoral Research Associate in Cylab at Carnegie Mellon University. He received his Ph.D. in Computer Science from the University of Texas at San Antonio. His research interest broadly lies in investigating practically relevant problems of Computer Security and Privacy. His current research focuses on leveraging formal verification and program analysis techniques to check compliance of a system implementation, against well-defined policies and properties. He won the best paper award at the ACM SACMAT'2012. He has also served as a program committee member of ACM SACMAT and ACM CCS.

Effective network security in the golden age of online threats

Mr. Lorenzo de Carli
PhD Candidate
University of Wisconsin-Madison

Wednesday, March 2, 2016
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Intrusion prevention systems (IPSs), which analyze network traffic to detect signs of malicious activity, are a long-standing cornerstone of network security. Nowadays, the combination of advanced, targeted online threats and increasing bandwidth usage is making existing tools increasingly ineffective. In order to cope with the large amounts of data moved by network links, current IPSs limit themselves to simple threat detection strategies which match each network flow against a set of attack signatures. This approach is fragile and limited in expressiveness: signatures can often be evaded by small tweaks in the attack strategy, and fail to capture various classes of attacks altogether. In my talk I will describe the design of a flexible IPS platform which supports complex threat detection strategies, while satisfying the performance requirement through parallelization. In particular, my work proposes a domain-specific concurrency model, in which a work scheduler partitions network traffic into subsets that can be analyzed independently for threat detection purposes. This scheduler drives a multi-threaded IPS in which concurrent threads always process independent slices of network traffic, making synchronization and inter-thread communication unnecessary. The system uses a novel program analysis technique to automatically generate a suitable work scheduler given any user-defined threat detection algorithm. This makes parallelization general and fully transparent to the operator.

Speaker's Bio:

Lorenzo De Carli is a Ph.D. candidate in Computer Science at the University of Wisconsin-Madison, advised by Somesh Jha. His research interests focus on networking and security, including intrusion prevention and packet processing. His contributions include parallelization strategies for intrusion prevention, hardware accelerator for packet inspection and forwarding, and analysis of malware communications. He has also worked on optimized signature matching and instruction scheduling for novel processor architectures. Lorenzo received a B.Sc. (2004) and a M.Sc. (2007) in Computer Engineering from Politecnico di Torino, Italy, and a M.Sc. in Computer Science (2010) from the University of Wisconsin-Madison.

Protecting Computer Systems by Eliminating Vulnerabilities

Mr. Byoungyoung Lee
PhD Candidate
Georgia Institute of Technology

Tuesday, March 1, 2016
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Much system software is performance critical, and it is typically implemented in unsafe programming languages that are efficient but prone to security vulnerabilities. Existing approaches to address vulnerable software tend to address some specific harmful effects (e.g., detection based on evidence of an exploit), and thus have limited effectiveness. For example, there have been many unfortunate cases where security holes are again uncovered in the supposedly "patched" or protected systems. My research aims to eliminate the root cause of vulnerabilities. In this talk, I will present two tools that I have developed, DangNull and CaVer. These tools protect a system from well-known as well as emerging memory corruption vulnerabilities including use-after-free and bad-casting. Specifically, DangNull relies on the key observation that the root cause of use-after-free is that pointers are not nullified after the target object is freed. Thus, DangNull instruments a program to trace the object's relationships via pointers and automatically nullifies all pointers when the target object is freed. Similarly, CaVer relies on the key observation that the root cause of bad-casting is that casting operations are not properly verified. Thus, CaVer uses a new runtime type tracing mechanism to overcome the limitation of existing approaches, and performs efficient verification on all type casting operations dynamically. We have implemented these protection solutions and successfully applied them to Chrome and Firefox browsers. Our evaluation showed that DangNull and CaVer impose 29% and 7.6% benchmark overheads in Chrome, respectively. We have also tested seven use-after-free and five bad-casting exploits in Chrome, and DangNull and CaVer safely prevented them all.

Speaker's Bio:

Byoungyoung Lee is a Ph.D. candidate in Computer Science at the Georgia Institute of Technology. His research is in the general area of computer security and privacy. In particular, his focus is in systems security, designing and implementing secure systems through analyzing and eliminating vulnerabilities. His research identified and helped to fix more than 100 security critical vulnerabilities in major software including the Linux Kernel, Chrome, Firefox, and Safari. He received the Internet Defense Prize by Facebook and USENIX and the best applied security research paper (the 3rd place) by CSAW. His work has been published in top-tier security conferences (Oakland, USENIX Security, CCS, and NDSS) as well as other top-tier computer science conferences (SOSP, KDD, and WWW).

Protecting Users in the Age of the Social Web

Dr. Jason Polakis
Postdoctoral Research Scientist
Columbia University
New York, NY

Wednesday, February 24, 2016
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

An ever-increasing part of our professional, social and personal life involves the Internet and online services. This has exposed users to significant risk to their private information, as the constant stream of bad news in the media will attest. In this talk I will focus on my research efforts to better understand and protect against such loss. I will start with a focused review on the importance of online privacy, and highlight the privacy risks of location proximity, which has been adopted by major web services and mobile apps. This work demonstrated novel threats that can neutralize existing countermeasures used by the industry and pinpoint a user's location with high accuracy within seconds. To protect users, I developed a practical defense in the form of privacy-preserving proximity that obfuscates the user's location, which has been adopted by Facebook and Foursquare. I will demonstrate how user privacy also affects security mechanisms, and present my analysis of the threat surface of Facebook's social authentication system. I will then present a novel social authentication system that is robust against advanced targeted attacks and prevents adversaries from compromising user accounts, and conclude by sharing my thoughts for future directions.

Speaker's Bio:

Jason Polakis is a postdoctoral research scientist at Columbia University. He earned his PhD in 2014 from the Computer Science Department of the University of Crete, Greece, where he was supported by the Foundation of Research and Technology Hellas (FORTH). He is broadly interested in identifying the security and privacy limitations of Internet technologies, designing robust defenses and privacy-preserving techniques, and enhancing our understanding of the online ecosystem and its threats. His research has revealed significant flaws in popular services, and major vendors such as Google, Facebook and Foursquare have deployed his proposed defenses. His work has been published in top tier security conferences (Oakland, CCS, and NDSS) as well as other top tier computer science conferences (WWW).

Preventing exploits against memory corruption vulnerabilities

Mr. Chengyu Song
PhD Candidate
College of Computing
Georgia Institute of Technology
Atlanta, Georgia

Tuesday, February 16, 2016
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

The most common cyber attack vector is an exploit of a software vulnerability. Despite much effort toward building secure software, software systems of even modest complexity still routinely have serious vulnerabilities. More alarmingly, even the trusted computing base (e.g. OS kernel) still contains vulnerabilities that would allow attackers to subvert security mechanisms such as the application sandbox on smartphones.

Memory corruption is one of the most ancient, prevalent, and devastating vulnerabilities. In this talk, I will discuss my research on mitigating this threat. In particular, there are three general ways to exploit a memory corruption vulnerability---attacking the code (a.k.a. code injection attack), the control data (a.k.a. control-flow hijacking attack), and the non-control data (a.k.a. data-oriented attack). Theoretically, code injection attacks can be prevented with the executable XOR writable policy; but in practice, this policy conflicts with another important technique---dynamic code generation (e.g. JIT engines). In the first half of the talk, I will show why this conflict is non-trivial to resolve, then introduce a new design paradigm to fundamentally solve this problem. In the second half of the talk, I will discuss my work on preventing data-oriented attacks against the operating system kernel. Using privilege escalation attacks as an example, I will (1) demonstrate why data-oriented attacks are realistic threats; (2) discuss two important challenges for preventing such attacks (i.e., completeness and performance); and (3) present how I combined program analysis techniques and system designs to solve these challenges.

Speaker's Bio:

Chengyu Song is a Ph.D. candidate at the College of Computing in Georgia Institute of Technology. His primary research interests are system and software security. He is co-advised by Prof. Wenke Lee and Prof. Taesoo Kim, and has also worked closely with Prof. William R. Harris. He has published 10 papers in top security and system conferences. One of his co-authored papers won the 2015 Internet defense prize ($100k) and another one won the CSAW'15 best applied security research paper. He received his M.Eng. and B.S. from Peking University in 2010 and 2007.

Designing and Leveraging Trustworthy Provenance-Aware Architectures

Mr. Adam Bates
PhD Candidate
Computing Systems and Cybersecurity
University of Florida
Gainesville, Florida

Thursday, February 18, 2016
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

In a provenance-aware system, mechanisms gather and report metadata that describes the history of each object being processed on the system, allowing users to understand how data objects came to exist in their present state. However, little attention has been given to securing provenance-aware systems. Provenance itself is a ripe attack vector, and its authenticity and integrity must be guaranteed before it can be put to use. In this talk, I will detail my efforts to bring trustworthy data provenance to computing systems. These efforts have led to the design and implementation of a provenance-aware operating system anchored in trusted hardware, and a mechanism that leverages the confinement properties provided by Mandatory Access Controls to perform efficient policy-based provenance collection. Using these architectures, I will demonstrate that provenance is an invaluable tool for combating critical security threats including data exfiltration, SQL injection, and even binary exploitation. By addressing key security and performance challenges, this work paves the way for the further proliferation of provenance capabilities.

Speaker's Bio:

Adam Bates is a PhD candidate at the University of Florida, where he is advised by Professor Kevin Butler in the study of computer systems and cyber security. Adam has conducted research on a variety of security topics, including SSL/TLS, cloud computing, USB attack vectors, financial services, and telephony infrastructure. His dissertation is in the area of data provenance, particularly the construction of secure provenance-aware systems. He received his B.Sc. in Computer Science in 2006 from the University of Maryland, his M.S. in Computer Science in 2012 from the University of Oregon, and will earn his Ph.D in Computer Science from the University of Florida in the Spring of 2016. Adam has participated in graduate internships at MIT Lincoln Laboratory and EMC.


Symposium on Information Assurance Research and Education

Friday, November 13, 2015
Ventana Ballroom, Memorial Union
301 E. Orange Mall, Tempe, Arizona

Information Assurance Center
Arizona State University

This year's Symposium will be focusing on several important IA research and educational issues, including predictive security, mining Big data, intrusion detection and prevention in critical embedded systems, information governance and information propagation, security, privacy and social awareness. The program includes a panel session focusing on the grand challenges in information assurance. Posters on information assurance research will be presented by students and faculty at ASU. The symposium program will cover both research and practical aspects of information assurance.

The IA Symposium program can be downloaded [here]

The list of posters can be downloaded [here]


Information Session

Open to Public

Information Assurance Programs and Scholarships

Friday, October 23, 2015
1:00 p.m. to 2:15 p.m.
Brickyard (BYENG), Room 510
699 South Mill Avenue, Tempe, Arizona

Key Points:

  • What is Information Assurance and its importance?
  • Job market relevant to Information Assurance
  • IA Educational and Research Programs at ASU
  • Information Assurance Center
  • Federal IA Scholarship Programs
  • Other relevant information

Seminars

All open to Public

CSE Faculty Talk Series: Empirical Analysis Meets Security Assessment

Prof. Gail-Joon Ahn
School of Computing, Informatics, Decision Systems Engineering
Arizona State University

Friday, February 27, 2015
3:10 p.m.
Brickyard Artisan Court 150
699 South Mill Avenue, Tempe, Arizona

Abstract:

Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that are heavily relying on multi-touch gestures. In addition, picture gesture authentication has been recently introduced as an alternative login experience to text-based password on such devices. In particular, the new Microsoft Windows 8 operating system adopts such an alternative authentication to complement traditional text-based authentication. In this talk, we discuss an empirical analysis of picture gesture authentication. Based on the findings of our analysis, we propose a security assessment framework that is capable of evaluating passwords on previously unseen pictures in a picture gesture authentication system and measuring the quality of each password. In addition, we share our evaluation results that show the proposed approach could evaluate a considerable portion of collected picture passwords under different settings.

Speaker's Bio:

Gail-Joon Ahn, Ph.D, CISSP is a Professor of Computer Science and Engineering Program in the School of Computing, Informatics and Decision Systems Engineering (CIDSE) and Fulton Entrepreneurial Professor at Arizona State University (ASU). He is also the Director of Laboratory of Security Engineering for Future Computing (SEFCOM) at ASU. His principal research and teaching interests are in information and systems security. His research foci include security analytics and big data driven security intelligence, vulnerability and risk management, access control and security architecture for distributed systems, identity and privacy management, cyber crime analysis, security-enhanced computing platforms, and formal models for computer security. His research has been supported by National Science Foundation (NSF), National Security Agency (NSA), Department of Defense (DoD), Office of Naval Research (ONR), Army Research Office (ARO), Department of Justice (DoJ), Department of Energy (DoE), Bank of America, CISCO, GoDaddy, Hewlett Packard, Freeport McMoRan Copper & Gold, Google, Microsoft and Robert Wood Johnson Foundation. He is a recipient of Department of Energy CAREER Award, the Educator of the Year Award from the Federal Information Systems Security Educators' Association (FISSEA), and Best Researcher Award from CIDSE. Also, he serves as Associate Editor-in-Chief of IEEE Transactions on Dependable and Secure Computing, Associate Editor of ACM Transactions on Information and Systems Security, and Editorial Board of Computers & Security. He is also the Steering Committee Chair of ACM Symposium on Access Control Models and Technologies and was the General Chair of ACM Conference on Computer and Communications Security (CCS 2014). In addition, he has received 5 U.S. patents. Prior to ASU, he was an Associate Professor of College of Computing and Informatics and Founding Director of Center for Digital Identity and Cyber Defense Research (DICyDER) at UNC Charlotte.


Symposium on Information Assurance Research and Education

Thursday, October 16, 2014
Memorial Union
301 E. Orange Mall, Tempe, Arizona

Information Assurance Center
Arizona State University

This year's Symposium focused on several important IA research and educational issues, including secure building management, mining Big data, intrusion detection and prevention in critical embedded systems, information governance and information propagation, security, privacy and social awareness. The program included a panel session focusing on the grand challenges in information assurance. Posters on information assurance research by students and faculty at ASU were also presented. The symposium program will cover both research and practical aspects of information assurance.

The IA Symposium program can be downloaded [here]

The list of posters can be downloaded [here]

Seminars

All open to Public

When SDN Meets Security: New Opportunities and Challenges

Dr. Guofei Gu
Department of Computer Science & Engineering
Texas A&M University

Thursday, November 6, 2014
2:30 p.m.
Goldwater Center 487
Tempe, Arizona

Abstract:

Software Defined Networking (SDN) is a new networking paradigm that decouples the control logic from the closed and proprietary implementations of traditional network data plane infrastructure. SDN enables researchers to more easily design and distribute innovative flow handling and network control algorithms. We believe that SDN can, in time, prove to be one of the more impactful technologies to drive a variety of innovations in network security. However, to date there remains a stark paucity of SDN security research. In this talk, I will discuss some new opportunities as well as challenges in this new research direction, and demonstrate with our recent research results. In the first half of the talk, I will discuss how SDN can enhance network security, e.g., by offering a dramatic simplification to the way we design and integrate complex network security applications/services into large networks. I will introduce our work on FRESCO, a new SDN/OpenFlow security application development framework designed to facilitate the rapid design, and modular composition of SDN-enabled security modules (e.g., for threat detection and mitigation). In the second half of the talk, I will discuss some unique security problems inside SDN, e.g., control plane saturation attacks, and introduce our work on AvantGuard to enhance the robustness and flexibility of SDN.

Speaker's Bio:

Dr. Guofei Gu is an associate professor in the Department of Computer Science & Engineering at Texas A&M University (TAMU). Before coming to Texas A&M, he received his Ph.D. degree in Computer Science from the College of Computing, Georgia Institute of Technology. His research interests are in network and system security, such as Internet malware analysis/detection/defense, software-defined networking security, web and social network security, mobile and Android security, and intrusion/anomaly detection. Dr. Gu is a recipient of 2010 NSF CAREER Award, 2013 AFOSR Young Investigator Award, 2010 IEEE Symposium on Security & Privacy (S&P'10) Best Student Paper Award, and a Google Faculty Research Award. He is currently directing the SUCCESS (Secure Communication and Computer Systems) Lab at TAMU.

Cyber-I Privacy Model: Towards Approximating and Adapting to Individual Privacy Preferences

Dr. Runhe Huang
Professor, Faculty of Computer and Information Science
Hosei University
Tokyo, Japan

Friday, October 10, 2014
1:30 p.m. to 2:30 p.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Cyber-I (or Cyber-Individual) is a digital clone of a real person (Real-I), which is continuously approximating the Real-I. It was proposed in 2009 and a research team led by Dr. Jianhua Ma has been working on its conceptual definitions and system designs [1]. After a brief introduction of the concept of Cyber-I, this talk will focus on one of the challenging issues: privacy of personal data. In this talk, a Cyber-I privacy model which is a systematic description of a Real-I's privacy preferences and needs will be presented. Our preliminary effort has been on the following three aspects: (1) a generic privacy preference setting based on a Real-I's personal inputs and Cyber-I model; (2) a dynamic awareness mechanism of the Real-I's privacy concerns in using different applications; (3) a semi-automatic adaptation mechanism of the Real-I's personal data access policy and control based on the dynamic awareness of Real-I. The Cyber-I privacy model, as a subset model of Cyber-I, is the key to this research, and the significant advantages of this approach are twofold: it is able to adapt to a Real-I's changing preferences for different applications; and it is able to continuously approximate a Real-I's generic privacy preferences over a lifetime. Finally, I will address some challenging issues and seek some potential collaborations regarding further R&D on Cyber-I.

[1] Jianhua Ma, Jie Wen, Runhe Huang, and Benxiong Huang, "Cyber-Individual Meets Brain Informatics", IEEE Intelligent Systems, Special Issue on Brain Informatics, Vol. 26, No. 5, pp. 30-37, September/October 2011. Introduced in IEEE Computing Now, "Cyber-Individual Meets Brain Informatics with an Open Access", November, 2011.

Speaker's Bio:

Dr. Runhe Huang is currently a professor on the Faculty of Computer and Information Sciences, Hosei University, Tokyo, Japan. She received her B.Sc. in Electronics Technology, National University of Defense Technology, China, in 1982 and Ph.D. in Computer Science and Mathematics, the University of the West of England, UK, in 1993. She worked in the University of Aizu, Japan, during 1993-1999. She has been on the faculty of Hosei University since 2000. Her current research interests include distributed and ubiquitous intelligence computing, big data mining, service computing, cloud computing, and hyper-world modeling and intelligence.

Automated Approaches for Security Testing of Web Applications: Bug Finding in the Ever-Changing Web

Mr. Adam Doupe
PhD Candidate
Department of Computer Science
University of California, Santa Barbara
Santa Barbara, California

Thursday, February 27, 2014
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Web applications are an integral part of our lives and culture. We use web applications to manage our bank accounts, interact with friends, and file our taxes. A single vulnerability in one of these web applications could allow a malicious hacker to steal your money, to impersonate you on Facebook, or to access sensitive information, such as tax returns. It is vital that we develop new approaches to discover and fix these vulnerabilities before the cybercriminals do.

In this talk, I will present my research on securing the web against current threats and future threats. First, I will discuss my work on improving black-box vulnerability scanners, which are tools that can automatically discover vulnerabilities in web applications. Then, I will describe a new type of web application vulnerability: Execution After Redirect, or EAR, and an approach to automatically detect EARs in web applications. These examples show that, in order to secure web applications, we must develop novel approaches to combat current threats while also keeping our focus on developing web applications that are secure by design.

Speaker's Bio:

Adam Doupe is a PhD student in Computer Science at UC Santa Barbara. His main research interests are at the intersection of computer security and program analysis, and he is also interested in situational awareness, educational hacking competitions, and excellent scientific writing.

Making Physical Inferences to Enhance Wireless Security

Dr. Jie Yang
Assistant Professor
Department of Computer Science and Engineering
Oakland University
Rochester, Michigan

Tuesday, February 25, 2014
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

The ubiquity of wireless is redefining security challenges as the increasingly pervasive wireless networks make it easier to conduct attacks for new and rapidly evolving adversaries. There is an urgent need to seek security solutions that can be built into any wireless network stack to defend against attacks across the current heterogeneous mix of wireless technologies, which do not require extensive customization on wireless devices and cannot be undermined easily even when nodes are compromised. In particular, security solutions that are generic across all wireless technologies and can complement conventional security methods must be devised. My research efforts are centered around exploiting physical properties correlated with pervasive wireless environments to enhance wireless security and make inferences for context-aware applications. In this talk, I will present my research work in exploiting spatial correlation as a unique physical property inherited from any wireless device to address identity-based attacks including both spoofing and Sybil. These attacks are especially harmful as the claimed identity of a wireless device is often considered as an important first step in an adversary's attempt to launch a variety of attacks in different network layers. Our proposed techniques address several challenges, including (1) detecting identity-based attacks in challenging mobile environments, (2) determining the number of attackers, and (3) localizing multiple adversaries. I will also present our work in secret key generation for facilitating secure data communication in the increasingly dynamic wireless environments. Our work addressed the problem of collaborative secret key extraction for a group of wireless devices without relying on a key distribution infrastructure. Moreover, in order to provide efficient secret key generation, we exploit fine-grained physical layer information, such as the channel state information made available from OFDM systems, to improve the secret key generation rate and make the secret key extraction approach more practical.

Speaker's Bio:

Jie Yang received his Ph.D. degree in Computer Engineering from Stevens Institute of Technology in 2011. He is currently an assistant professor in the Department of Computer Science and Engineering at Oakland University. His research interests include cyber security and privacy, and mobile and pervasive computing, with an emphasis on network security, smartphone security and applications, security in cognitive radio and smart grid, location systems and vehicular applications. His research is supported by National Science Foundation (NSF) and Army Research Office (ARO). He is the recipient of the Best Paper Runner-up Award from IEEE Conference on Communications and Network Security (CNS) 2013 and the Best Paper Award from ACM MobiCom 2011. His research has received wide press coverage including MIT Technology Review, The Wall Street Journal, NPR, CNET News, and Yahoo News.

Integrated Security, Performance, and Control of Networked Cyber-Physical Systems

Mr. Andrew Clark
PhD Candidate
Network Security Lab
Department of Electrical Engineering
University of Washington - Seattle
Seattle, Washington

Monday, February 17, 2014
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Cyber-physical systems (CPS) consist of physical systems tightly integrated with networked cyber devices in applications including energy, transportation, health, and manufacturing. Preventing attacks on CPS while preserving characteristics such as availability, robustness, and safety requires an integrated, scientific approach at the intersection of security, control, and networking. In this talk, I will describe such an approach for two areas of CPS control and security. First, I will consider the problem of selecting a set of leader nodes to steer a networked CPS towards a desired operating point. The choice of leader nodes impacts design metrics such as robustness to environmental and adversarial noise, convergence rate of the dynamics, and controllability. I show that these metrics have a common mathematical structure that enables efficient leader selection with provable optimality, and describe connections to related problems in biological networks. Second, I will consider modeling and design of deception and moving target cyber defenses, which prevent an adversary from gathering information of the targeted system and hence reduce the effectiveness of attacks. I will present a control-theoretic methodology for achieving a desired trade-off between the security of the system and the performance, as measured by service disruptions to real users.

Speaker's Bio:

Andrew Clark is currently a Ph.D. candidate in the Network Security Lab, Department of Electrical Engineering, at the University of Washington - Seattle. He received the BS degree in Electrical Engineering and the MS degree in Mathematics from the University of Michigan - Ann Arbor in 2007 and 2008, respectively. His research interests include performance and security of cyber-physical systems, modeling and design of adaptive and proactive network defenses, lightweight cryptography, and vulnerability metrics. He was co-author of the IEEE/IFIP William C. Carter award paper (2010) and the WiOpt Best Paper (2012), and was a finalist for the IEEE CDC 2012 Best Student Paper Award. He holds a patent on privacy-preserving constant-time identification in RFID systems.

"SCADA Singularity & Discovery", Case Studies of Intrusion Detection Theories & Methods for Cyber-Physical Systems

Dr. Bonnie Zhu
R & D Engineer/Scientist
Department of Electrical Engineering and Computer Science
University of California at Berkeley
Berkeley, California

Thursday, February 13, 2014
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

From Slammer to Stuxnet to Shamoon, is securing SCADA an odd crush or Strangelove? And how should we nip the odds in the bud? To answer these questions, we look into intrusion detection theories and methods for SCADA systems, some of which can be extended to securing dynamical cyber-physical systems in general. Specifically, in the first half of the talk, I will present Robust General Likelihood Ratio Test (RGLRT), an early detection algorithm based on robust statistics, including its advantages, applications & generalization. Additionally, Xware, an overall architecture for intrusion detection and resilient control for SCADA systems, will be introduced. In the second half of the talk, in a broader sense, the problem of network intrusion detection will be studied as games against attackers of different capacity classes, particularly those stealth attacks that generate less than salient traces apart from the nominal traffic; furthermore, I will leverage behavioral game theory to investigate human irrationality, e.g. the influence of immediate past experience, to predict attack strategies and rend pragmatic resource projections in security responses & risk countermeasures.

Speaker's Bio:

Dr. Bonnie Zhu works on providing an integrated SCADA-specific cyber-physical security solution and reliable delivery of clean energy in smart grids. She holds a PhD in Electrical Engineering and Computer Science from Berkeley and a Certificate in Management of Technology from Haas Business School, among several graduate degrees. Her work on securing SCADA systems has won Dr. Zhu, inter alia, multiple fellowships from National Science Foundation and the Sustainability Consortium. Dr. Zhu has also done research on cross-layer optimization for wireless sensor networks in addition to her prior EDA industry experience as a software developer for telecommunication equipment.

The Cyberspace Battle for Information: Combating Internet Censorship

Dr. Amir Houmansadr
Postdoctoral Scholar
Department of Computer Science
University of Texas at Austin
Austin, Texas

Wednesday, February 12, 2014
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

The Internet has become ubiquitous, bringing many benefits to people across the globe. Unfortunately, Internet users face threats to their security and privacy: repressive regimes deprive them of freedom of speech and open access to information, governments and corporations monitor their online behavior, advertisers collect and sell their private data, and cybercriminals hurt them financially through security breaches.

My research aims to make Internet communications more secure and privacy-preserving. In this talk, I will focus on the design, implementation, and analysis of tools that help users bypass Internet censorship. I will discuss the major challenges in building robust censorship circumvention tools, introduce two novel classes of systems that we have developed to overcome these challenges, and conclude with several directions for future research.

Speaker's Bio:

Amir Houmansadr is a postdoctoral scholar at the University of Texas at Austin. He received his Ph.D. from the University of Illinois at Urbana-Champaign in August 2012. Amir's research revolves around various network security and privacy problems, including Internet censorship circumvention, network traffic analysis, and anonymous communications. He has received several awards for his research, including the Best Practical Paper Award at the IEEE Symposium on Security & Privacy (Oakland) 2013.

Exploring New Security Vulnerabilities inside the Cloud

Dr. Haining Wang
Wilson & Martha Stephens Distinguished Associate Professor
Department of Computer Science
College of William and Mary
Williamsburg, Virginia

Tuesday, February 11, 2014
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

As a new paradigm of "pay-as-you-go", cloud computing has been widely used for providing low-cost, scalable, and utility-based IT services to end-users. In general, a public/private cloud consists of multiple large-scale data centers and each data center contains hundreds of thousands of virtualized servers. Thus, data center and virtualization are the two fundamental underpinnings beneath the cloud, in which data centers provide the physical computing infrastructure for accommodating servers while virtualization is the key technique for hosting computing services. In this talk, we explore the new security vulnerabilities from the data center and virtualization perspectives, respectively. In particular, we investigate the energy vulnerability inside a data center and data exfiltration in a virtualized system. We will introduce new security attacks, demonstrate their feasibilities and damages, and discuss potential countermeasures.

Speaker's Bio:

Haining Wang is the Wilson and Martha Stephens Distinguished Associate Professor of Computer Science at the College of William and Mary, Williamsburg VA, USA. He received his Ph.D. in Computer Science and Engineering from the University of Michigan at Ann Arbor in 2003 and has been with the College of William and Mary since then. His research interests lie in the areas of security, networking systems, cloud computing, and mobile computing. He is a senior member of IEEE.

Batch Zero-Knowledge Proofs with Applications to Privacy Enhancing Technologies

Mr. Ryan Henry
PhD Candidate
Cheriton School of Computer Science
University of Waterloo
Waterloo, Canada

Thursday, January 30, 2014
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

The Internet can be a dangerous place to visit. Every online action exposes data about us to unseen and unknowable third parties: fraudsters and identity thieves, intrusive advertising companies, oppressive governments, and countless unknown others. The implications for privacy are huge: massive data breaches and revelations about dragnet Internet surveillance by the NSA and others have dominated news headlines since the summer of 2013. Privacy Enhancing Technologies (PETs) seek to mitigate online threats to privacy in a variety of ways, often involving sophisticated cryptographic techniques. One such technique is zero-knowledge proofs (ZKPs) --- protocols with the seemingly magical ability to "prove" statements without conveying any information beyond their veracity. ZKPs underlie many promising PET systems in the literature. Alas, zero-knowledge does not come free; the ZKPs in such constructions often exhibit poor scalability that hinders their deployability. In this talk, I will present new "batch" techniques from my thesis, which can help speed up a wide range of common ZKPs. I will also sketch novel PET constructions for four important applications: 1) anonymous blacklisting and reputation systems, 2) privacy-preserving e-commerce, 3) privacy-preserving computation, and 4) coercion-resistant Internet voting. The efficiency and security of each construction is due in part to the aforementioned batch techniques.

Speaker's Bio:

Ryan Henry is a PhD candidate in the Cheriton School of Computer Science at the University of Waterloo, advised by Ian Goldberg. He obtained his MMath from Waterloo and his B.Sc. from Brandon University. Ryan holds a Vanier Canada Graduate Scholarship, Canada's most prestigious graduate scholarship. His research focuses on the systems challenges of applied cryptography, with a particular emphasis on using cryptography to build secure systems that preserve the privacy of their users.

Secure Isolation and Switch between Trusted and Untrusted Computing Environments

Dr. Kun Sun
Research Scientist
Center for Secure Information Systems (CSIS)
George Mason University
Washington, D.C.

Tuesday, January 28, 2014
10:30 a.m. to 11:30 a.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Protecting commodity systems with commercial Operating Systems without significantly degrading performance or usability still remains an open problem. Recent research has shown the need for context-dependent trustworthy environments where the user can segregate different activities to lower risk of cross-contamination after an infection and safeguard private information. We introduce a novel BIOS-assisted mechanism to enable secure instantiation and management of trusted execution environments, tailored to separate security-sensitive activities from untrusted ones on x86 architecture. A key characteristic of our system is usability: the capability to quickly and securely switch between operating environments in a single physical machine without requiring any specialized hardware or OS and application code modifications. Our goal is to eliminate any mutable, non-BIOS code sharing while securely reusing existing hardware. We demonstrate that, even if the untrusted OS becomes compromised, there is no potential for exfiltration or inference attack against data in the trusted OS. Using our prototype implementation, we measured the switching process to be approximately six seconds on average. This quick and user-friendly switching process empowers the user to frequently and seamlessly alternate between trusted and untrusted environments. Recently, we have been developing a TrustZone-based framework on ARM architecture to provide trusted execution environments with minimal trusted computing base (TCB) for smart phones. Our prototype on a Freescale i.MX53 board shows that the switching time is less than 20 ms.

Speaker's Bio:

Dr. Kun Sun is a Research Scientist in the Center for Secure Information Systems (CSIS) at George Mason University. He received his Ph.D. in Computer Science from North Carolina State University in 2006. Dr. Sun was a Research Scientist in Intelligent Automation Inc. between 2006 and 2010. This industrial experience made him realize that his true interests were in academia. In 2010, Dr. Sun joined George Mason University to restart his academic career. Since then, he has published 24 research papers/book chapters and won a number of research grants from DoD. His current research focuses on trustworthy computing environment, adaptive cyber defense, cloud security, smart phone security, and wireless security.

Scalable Attack and Defence Modeling for Security Assessment

Dr. DongSeong Kim
Lecturer (equivalent to an assistant professor in US ranking system)
Computer Science and Software Engineering
University of Canterbury, New Zealand

Tuesday, January 14, 2014
2:00 p.m. to 3:00 p.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

How secure is your network? It is not easy to measure security. To assess the network security, attack and defense models (a.k.a., Attack Representation Model (ARM)) can be used. Purely graph based ARM (e.g., Attack Graph) has a state-space explosion problem. Moreover, the complex relationship between the host and the vulnerability information in attack models creates difficulty in adjusting to changes in the network, which is impractical for modern dynamic network systems. Generating ARM and evaluating the security suffer from a scalability problem when the size of the networked system is very large (e.g., 10,000 computer hosts in the network with a complex network topology). In this talk, to deal with the above-mentioned issues, we propose hierarchical attack representation models (HARM). The main idea is to separate the network topology information (in the upper level) from the vulnerability information of each host (in the lower level). We propose to use HARM in the different phases of the lifecycle of the ARMs. [1] We compare HARMs with existing attack models, in particular attack graph, and compare their performance in the phase of construction and evaluation, respectively. [2] We propose to use k-importance measures to generate a two-layer HARM, which can improve the scalability of an ARM model generation and security evaluation. [3] We propose centrality based network security analysis by ranking important hosts based on network centrality measures, and vulnerabilities based on security metric values. Finally, research avenues in security assessment will be briefly introduced.

Speaker's Bio:

Dong-Seong Kim has been a lecturer (tenured and continuing academic staff, equivalent to an assistant professor in the US ranking system) in the computer science and software engineering department at the University of Canterbury, Christchurch, New Zealand since August 2011. He received his Ph.D. degree in Computer Engineering from Korea Aerospace University (KAU), South Korea in February 2008. He was a visiting researcher at University of Maryland at College Park, MD, USA during 2007 in Virgil D. Gligor (Former ACM SIGSAC chair) Group. From June 2008 to July 2011, he was a post doctoral researcher at Duke University, Durham, NC, USA in Kishor S. Trivedi's DHAAL (Duke High Availability Assurance Lab) research group. His research interests are in dependability and security modeling and analysis for systems and networks; in particular, intrusion detection using data mining, security and survivability for wireless ad hoc and sensor networks, virtualization, and cloud computing system, and quantitative security and resilience modeling and analysis.

Private Matching for Proximity-based Mobile Social Networking

Dr. Yanchao Zhang
Associate Professor
School of Electrical, Computer and Energy Engineering
Arizona State University

Friday, October 25, 2013
3:00 p.m. to 4:00 p.m.
BYENG, Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Proximity-based mobile social networking (PMSN) is becoming increasingly popular due to the explosive growth of smartphones and tablets. It refers to the social interaction among physically proximate mobile users directly through the Bluetooth/WiFi interfaces on their smartphones or other mobile devices. As a valuable complement to web-based online social networking, PMSN enables more tangible face-to-face social interactions in public places, such as bars, airports, trains, and stadiums. Profile matching means two users comparing their personal profiles before real social interaction and is often the first step towards effective PMSN. It, however, conflicts with users' growing privacy concerns about disclosing their personal profiles to complete strangers before deciding to interact with them. In this talk, I will discuss how to break the circular dependency between profile exchanging and social interaction via private matching, which allows two users to compare their personal profiles without disclosing their profiles to each other. Specifically, I will first introduce a private matching protocol based on homomorphic encryption, which is effective but computationally expensive. I will then discuss how to significantly reduce the computation overhead using a Bloom filter at the expense of moderate sacrifice in matching accuracy and privacy. Finally, I will discuss how to realize fine-grained private matching at different privacy levels.

Speaker's Bio:

Yanchao Zhang received the B.E. in Computer Science & Technology from Nanjing University of Posts & Telecom, China, in 1999, the M.E. in Computer Science & Technology from Beijing University of Posts & Telecom, China, in 2002, and the Ph.D. in Electrical and Computer Engineering from the University of Florida, Gainesville in 2006. He joined Arizona State University in 2010 as an Associate Professor in the School of Electrical, Computer, and Energy Engineering. Before ASU, he was an Assistant Professor of Electrical and Computer Engineering at New Jersey Institute of Technology from 2006 to 2010. His research focuses on security and privacy issues in wireless/mobile networks and systems, wireless/mobile health, social networks, smart grids, and cloud computing. He is also interested in networking issues in emerging wireless/mobile systems. He is an editor of IEEE Transactions on Vehicular Technology and a technical editor of IEEE Wireless Communications. He received the NSF CAREER Award in 2009.

Hummingbird: Privacy at the time of Twitter

Dr. Gene Tsudik
Professor, Computer Science Department
University of California Irvine

Friday, April 5, 2013
2:00 p.m.
Urban Systems Engineering Building, Room 104
651 E. University Dr, Tempe, Arizona

Abstract:

In the last several years, micro-blogging Online Social Networks (OSNs), such as Twitter, have taken the world by storm, now boasting over 100 million subscribers. As an unparalleled stage for an enormous audience, they offer fast and reliable centralized diffusion of pithy tweets to great multitudes of information-hungry and always-connected followers. At the same time, this information gathering and dissemination paradigm prompts some important privacy concerns about relationships between tweeters, followers and interests of the latter. In this talk, we assess privacy in today's Twitter-like OSNs and describe an architecture and a trial implementation of a privacy-preserving service called Hummingbird. It is essentially a variant of Twitter that protects tweet contents, hashtags and follower interests from the (potentially) prying eyes of the centralized server. We argue that, although inherently limited by Twitter's mission of scalable information sharing, this degree of privacy is valuable and viable. We demonstrate, via a working prototype, that Hummingbird's additional costs are tolerably low. We also sketch out some enhancements that might offer better privacy in the long term. NOTE: joint work with Emiliano De Cristofaro (PARC) and Claudio Soriente (ETH Zurich)

Speaker's Bio:

Gene Tsudik is a professor of Computer Science at the University of California, Irvine (UCI). He obtained his PhD in Computer Science from University of Southern California (USC) in 1991. Before coming to UCI in 2000, he was at IBM Zurich Research Laboratory (1991-1996) and USC/Information Sciences Institute (ISI) (1996-2000). Over the years, his research interests have included numerous topics in security, privacy and applied cryptography. Since 2009, he has served as the Editor-in-Chief of ACM Transactions on Information and Systems Security (TISSEC).

General-purpose Privacy-preserving Computation in a Real(ish) World

Dr. Yan Huang
Research Associate
University of Maryland
College Park

Wednesday, February 27, 2013
10:30 to 11:30 a.m.
Brickyard Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

"Collaboration" and "privacy" are often two basic but conflicting concerns in designing cyber-systems. For example, designers for a network intrusion detection system might want to scan the traffic of all users but are also motivated to respect legitimate users' privacy on network usage. Other examples of privacy-aware collaborative computing systems include (but are not limited to) voting, auction, personal genomics and data analytics. (Intuitive solutions require establishing a trusted third party.) Ambitious cryptographers aim to find more elegant solutions that don't require a trusted third party while still being capable of accomplishing arbitrary "collaboration" (or computation, in essence). Nonetheless, general secure computation techniques were notoriously expensive and unscalable.

In this talk, I will present my software framework and a set of optimization techniques (including pipelining, circuit width reduction, library-based construction, program partitioning, layered execution, dual execution and symmetric cut-and-choose) that dramatically improve its performance and scalability. We will also examine how effective circuits can be carefully built for example applications such as private set intersection (PSI). I will conclude the talk with speculations on future research projects along the line

Speaker's Bio:

Dr. Yan Huang is a research associate at University of Maryland, College Park. He has worked on a wide range of cyber-security research projects and originated a strain of efforts in leveraging cryptographic primitives effectively to encourage collaboration (for the goodness) between untrusted entities (with individual privacy guaranteed by cryptographic hardness assumptions). Yan earned his Ph.D. in computer science at University of Virginia in Charlottesville, where he enjoyed the beauty of Virginia's country yards and got his mind nurtured by the open, friendly and thoughtful atmosphere around the lovely university town. He runs, swims, plays ping-pong, and gets especially excited on making fun out of risks (skating, rock-climbing, and riding roller-coasters, for example).

Tackling Cyber Security Challenges from A Holistic Perspective

Dr. Guanhua Yan
Research Scientist
Information Sciences Group
Los Alamos Laboratory

Wednesday, February 20, 2013
10:30 to 11:30 a.m.
Brickyard Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

The cyberspace is a large complex system. An effective cyber security strategy calls for a holistic approach to addressing existing and emerging cyber threats. Starting with a summary of key challenges facing cyber security, this talk will present techniques on how to improve cyber security along three lines: cyber infrastructure protection, modeling and simulation for cyber security, and data analytics for cyber security. I will further discuss the difficulties involved in defending against DDoS (Distributed Denial of Service) attacks, a simple yet dangerous type of cyber threat that has been haunting the cyberspace for more than a decade, and present a new framework for reasoning about the optimal strategy for attack (from the attacker's perspective) or defense (from the defender's perspective) in a typical DDoS attack and defense scenario.

Speaker's Bio:

Guanhua Yan is a Research Scientist in the Information Sciences Group at Los Alamos National Laboratory. He obtained his Ph.D. in Computer Science from Dartmouth College in 2005. From 2003 to 2005, he was a visiting graduate student in the Coordinated Science Laboratory at the University of Illinois at Urbana-Champaign. His Ph.D. dissertation work won the best paper award at PADS'05, a premier conference/workshop on advanced modeling and simulation techniques. His current research interests span various areas of cyber security, particularly cyber genome, anomaly detection in cyberspace, modeling and simulation for cyber security, and cyber infrastructure protection. He is the principal investigator of a project that aims to develop phylogenetic methods for malware analysis.

Homepage: http://ghyan.weebly.com

Architectural Support for Securing Virtual Machines

Mr. Jakub Szefer
PhD Candidate
Princeton University

Monday, February 11, 2013
10:30 to 11:30 a.m.
Brickyard Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

Cloud computing is becoming a dominant computing paradigm. However, most cloud computing services are built using commodity systems not designed to handle the variety of threats present in this utility-like computing model. In particular, hypervisor vulnerabilities have led many users to become concerned about computing in the remote data centers where they have no control over the servers or the system software such as the hypervisor, which is responsible for creating the abstraction of virtual machines (VMs). The users' concerns and surveys of hypervisor vulnerabilities have motivated our research on protecting VMs from attackers, including a malicious hypervisor. We defined the new concepts of "hypervisor-free virtualization" and "hypervisor-secure virtualization", and proposed a new architecture for each.

Speaker's Bio:

Jakub Szefer's research interests are at the intersection of computer architecture and computer security. His recent work focuses on securing cloud computing, even if the hypervisor running on the cloud servers is compromised. He received a B.S. degree with highest honors in Electrical and Computer Engineering from University of Illinois at Urbana-Champaign in 2006, an M.A. in Electrical Engineering from Princeton University in 2009, and expects his Ph.D. also in Electrical Engineering from Princeton University in early 2013. He is part of the Princeton Architectural Lab for Multimedia and Security (PALMS) led by Prof. Ruby B. Lee. In addition to research, he enjoys teaching and has won two outstanding TA awards and the Wu Prize for Excellence.

Homepage: www.princeton.edu/~szefer

Taking Cryptography Further: The Case of Tampering and Non-malleable Encryption

Dr. Dana Dachman-Soled
Postdoc at Microsoft Research
New England

Monday, January 14, 2013
10:00 to 11:00 a.m.
Brickyard Room 210
699 South Mill Avenue, Tempe, Arizona

Abstract:

We consider achieving security in strong adversarial models that capture complex, realistic computing environments. In particular, we consider two settings that go beyond the scope of traditional cryptography.

In the first setting, we consider adversaries who gain physical control of a device with a secret stored on it (such as a smartcard or an iPhone) and continuously tamper with the wires of the device, while observing the outputs. We would like to ensure that the secret state of the circuit is protected even in the face of such an attack. We present a compiler that converts any circuit into one that remains secure even if a constant fraction of its wires are continuously tampered with. We consider adversaries who may choose an arbitrary set of wires to corrupt, and may set each wire to 0 or to 1, or toggle with the wire. We prove that such adversaries can learn at most logarithmically many bits of secret information.

In the second setting, we continue the study of non-malleable cryptography, initiated by Dolev et al. (SIAM J. Comput., 2000). Here, we consider active adversaries who control and manipulate network traffic. We study non-malleable encryption schemes, which, in addition to traditional security against eavesdropping adversaries (called semantic security), guarantee that an active adversary cannot maul a ciphertext to create a new ciphertext encrypting a related message. We present the first black-box construction of a non-malleable encryption scheme from any semantically secure one. We thus resolve a complexity-theoretic question while achieving a more efficient construction that avoids the inherent inefficiencies of non-black-box techniques.

Speaker's Bio:

Dana Dachman-Soled is currently a postdoc at Microsoft Research New England. Before that, she completed her PhD in Computer Science at Columbia University, where she was a recipient of the FF SEAS Presidential Fellowship. Dana's main research interests are in the foundations of cryptography. She is also interested in computational learning theory and property testing of Boolean functions.

Cloud-Assisted Mobile Health Systems: Security and Privacy

Yuguang "Michael" Fang, Professor
Department of Electrical and Computer Engineering
University of Florida, Gainesville, Florida

Thursday, November 8, 2012
3:00 to 4:15 p.m.
Brickyard Room 510
699 South Mill Avenue, Tempe, Arizona

With widely deployed wireless telecommunications systems and the surge of popularity of smart mobile devices (e.g., smart phones), modern healthcare systems have revolutionized the way we are living and have steadily improved our quality of life. Mobile health (m-Health) represents one of the important developments along this line, which targets managing the healthcare of people on the move by using smart devices to collect and process needed medical information and provide timely care. Unfortunately, the major stumbling block in the wide deployment of m-Health systems is security and privacy. In this talk, we will focus on the design of a diagnostic m-Health system to articulate how we effectively address security and privacy issues by utilizing a few emerging cryptographic tools. Moreover, we will demonstrate how we shift the computational complexity to the cloud without compromising the security and privacy of medical data, diagnostic program, and participants (including patients and healthcare service providers).

Speaker's Bio:

Yuguang "Michael" Fang (2008) received a Ph.D. degree in the Department of Systems, Control and Industrial Engineering from Case Western Reserve University in January 1994 and a Ph.D. degree in the Department of Electrical and Computer Systems from Boston University in May 1997. He was an assistant professor in the Department of Electrical and Computer Engineering at New Jersey Institute of Technology from July 1998 to May 2000. He then joined the Department of Electrical and Computer Engineering at University of Florida in May 2000 as an assistant professor, got an early promotion to an associate professor with tenure in August 2003 and to a full professor in August 2005. He holds a University of Florida Research Foundation (UFRF) Professorship from 2006 to 2009, a Changjiang Scholar Chair Professorship with Xidian University, China, from 2008 to 2011, and a Guest Chair Professorship with Tsinghua University, China, from 2009 to 2012. He has published over 300 papers in refereed professional journals and conferences. Dr. Fang received the NSF Career Award in 2001 and the ONR Young Investigator Award in 2002, and is the recipient of the Best Paper Award in IEEE International Conference on Network Protocols (ICNP) in 2006 and the recipient of the Best Paper Award at the IEEE Globecom in 2011 and 2002. He has also received a 2010-2011 UF Doctoral Dissertation Advisor/Mentoring Award, 2011 Florida Blue Key/UF Homecoming Distinguished Faculty Award and the 2009 UF College of Engineering Faculty Mentoring Award.

Dr. Fang is also active in professional activities. He is a Fellow of IEEE. He served as the Editor-in-Chief for IEEE Wireless Communications (2009-2012) and serves/served on several editorial boards of technical journals including IEEE Transactions on Mobile Computing (2003-2008, 2011-present), IEEE Transactions on Communications (2000-present), IEEE Transactions on Wireless Communications (2002-2009), IEEE Journal on Selected Areas in Communications (1999-2001), IEEE Wireless Communications Magazine (2003-2009), IEEE Network Magazine (2012-present) and ACM Wireless Networks (2001-present). He served on the Steering Committee for IEEE Transactions on Mobile Computing (2008-2010). He has been actively participating in professional conference organizations such as serving as the Technical Program Co-Chair for IEEE INFOCOM 2014, the Steering Committee Co-Chair for QShine (2004-2008), the Technical Program Vice-Chair for IEEE INFOCOM'2005, the Technical Program Area Chair for IEEE INFOCOM (2009-2013), Technical Program Symposium Co-Chair for IEEE Globecom'2004, and a member of Technical Program Committee for IEEE INFOCOM (1998, 2000, 2003-2008).


Information Session

All open to Public

Information Assurance Programs and Scholarships

Friday, January 31, 2014
1:30 p.m. to 3:00 p.m.
Brickyard Artisan Court, Room 110
699 South Mill Avenue, Tempe, Arizona

Key Points:

  • What is Information Assurance and its importance?
  • Job market relevant to Information Assurance
  • Information Assurance Programs at ASU
  • Information Assurance Center
  • Federal IA Scholarship Programs
  • Other relevant information

Information Assurance Programs and Scholarships

Friday, September 6, 2013
1:30 p.m. to 3:00 p.m.
Brickyard Artisan Court, Room 110
699 South Mill Avenue, Tempe, Arizona

Key Points:

  • What is Information Assurance and its importance?
  • Job market relevant to Information Assurance
  • Information Assurance Programs at ASU
  • Information Assurance Center
  • Federal IA Scholarship Programs
  • Other relevant information

Workshops

Sixth Annual Workshop on Information Assurance Research and Education

Information Assurance Center
Arizona State University

Wednesday, May 1, 2013
Artisan Court
699 South Mill Avenue, Tempe, Arizona

This year's workshop focused on several important IA research and educational issues, including the application vetting workflow process, mining big data, detection and prevention of DDoS attacks, and detection and isolation of malware on websites. The program included a panel session focusing on the grand challenges in information assurance. Posters on information assurance research activities by students and faculty at ASU were also presented.

The workshop program can be downloaded [here]

The list of posters can be downloaded [here]

Speaker session at the workshop

Panel Session at the workshop

Posters and demonstrations at the workshop

Past Workshops

2012 Workshop on Information Assurance Research and Education