Abstract: Programmable mobile phones and personal digital assistants (PDAs) with microphones permit voice-driven user interfaces in which a user provides input by speaking. In this talk, we summarize our efforts to exploit this capability to generate strong, repeatable cryptographic keys on such devices from a spoken passphrase. Rather than deriving the cryptographic key from merely the passphrase that was spoken---which would constitute little more than an exercise in automatic speech recognition---we strive to generate a substantially stronger cryptographic key with entropy drawn both from the passphrase spoken and how the user speaks it. Moreover, the cryptographic key is designed to resist cryptanalysis even by an attacker who captures and reverse-engineers the device on which this key is generated. We describe some of the hurdles to achieving this on an off-the-shelf PDA bearing a 206 MHz StrongArm CPU and an inexpensive microphone. We also evaluate our approach using multiple data sets, one recorded on the device itself, to clarify the effectiveness of our implementation against various attackers.

This is joint work with Fabian Monrose, Qi Li, Dan Lopresti and Chilin Shi.

Abstract: The Ubiquitous Computing community has been touting the "disappearing computer" for some time now. What they mean is not that there should be no more computers. Rather, they believe that small, unobtrusive computers will be so ubiquitous (think smart wallpaper) that we won't even notice them. In my talk, I will argue that security mechanisms need to "disappear", in the same sense, for two reasons: First, to secure the "disappearing computer" we need to come up with novel, unobtrusive, security mechanisms. Second, "disappearing" security can actually make things more secure, because it gives users less opportunity to get things wrong. I will give some examples of such "disappearing" security mechanisms.

Abstract: This talk is a retrospective on the first couple of years' work on Java security at Sun, focusing on the total overhaul of the Java security architecture that occured during JDK 1.2. The talk covers the most difficult problems encountered, most critical "life-saving" features present, features that should have gotten in (JDK 1.2) but did not, features that should not but did, as well surprises and headaches.

Abstract: IBM Research has a long history in programming languages and analysis. More recently, within the Network Security, Privacy and Cryptography department, we have been developing static analysis tools to enable analysis of middleware libraries, the Java runtime itself, parts of the Linux kernel, as well as other large software products. The goal is to reduce the number of coding defects in our own code, as well as in code written by our customers. This talk will briefly cover two of our projects:

SPADE: Security and Privacy Aware Development Environment – Initially this project was focused on Java, where we used the JaBA (JAva Bytecode Analysis) tool we developed to identify authorization requirements for very large Java applications. The tool also allows us to address other security-related questions, including reachability and accessibility of specific objects, as well as mutability of classes. We have subsequently applied the same analysis framework to the analysis of Linux kernel code (e.g., Linux Security Modules) to identify paths that are missing appropriate authorization calls.

SABER: Smart Analysis-Based Error Reduction – this projects analyzes large Web applications to identify errors that are due to violations of the J2EE specification and/or known "best practices". Some of these violations can result in security and/or privacy problems.

Abstract: I describe how type systems can be used to improve software security in practice.

Abstract: In addition to the traditional security risks, web companies that provide large scale applications to millions of users face new kinds of exploits, which consist of a combination of several legitimate acts that together make up abusive behavior. I will give many examples of such exploits, discuss existing counter measures, and present open problems.

Abstract: Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines, they can provide early warning of and response to new attacks and they allow in-depth examination of adversaries during and after exploitation of a honeypot. However, deploying physical honeypots is often time intensive and expensive as different operating systems require specialized hardware and every honeypot requires its own physical system. This talk presents Honeyd, a framework for virtual honeypots, that simulates virtual computer systems at the network level. To fool network fingerprinting tools, Honeyd simulates the networking stack of different operating systems and can provide arbitrary routing topologies and services for an arbitrary number of virtual systems. The Honeyd framework can help in many areas of system security; examples range from detecting worms and distracting adversaries to preventing the spread of spam email.

Abstract: Longstaff will cover the current software security problems recently reported to the CERT/CC and will cover some of the research projects underway at the CERT Research Center to address a few of the root causes.

Abstract: It has been clear since 1998 that self-propagating code can quickly spread across a network by exploiting the vulnerabilities in a homogeneous infrastructure. However, in the last several the frequency and virulence of such "worm" epidemics has increased dramatically. Outbreaks such as CodeRed have infected hundreds of thousands of hosts in less than a day, while the recent Slammer/Sapphire worm probed an equivalent number of hosts in a matter of minutes. This talk focuses on the research and engineering challenges posed by building defenses against such worms. I will discuss the requirements that we currently understand, the technologies that are being developed to meet them, and the significant open problems left to be solved.

Abstract: I will present an end-point, reactive mechanism to network worms that patches vulnerable software using a number of heuristics, guided by analysis of the worm's infection vector in a software sandbox. A preliminary analysis of the effectiveness of the mechanism indicates a success rate of 82% against 17 known vulnerable applications. Contrary to traditional security measures that typically terminate a targeted application, our approach ensures not only the safety but also the availability of vulnerable services. Furthermore, the performance overhead is minimal, since fixes are localized, "near" the vulnerability itself. Many challenges remain, such as determining the correctness of the patches application and dealing with other classes of software vulnerabilities.

NGSCB: Description, Applications, Security Model and Policy Implications [.ppt]
John Manferdelli

Abstract: I’ll discuss the general design and security model of the Next Generation Secure Computing Base including the hardware changes, software architecture and the important privacy and policy implications which governed its design. In addition, I’ll discuss its suitability as the foundation of a Trusted Computing Base for Credential based security in the style of Lampson, Abadi, Wobber and Rivest. If there’s enough time I’ll try and explain how anyone could change the name of a project from Palladium to NGSCB.

Enabling Trusted Software Integrity [.ppt]
Darko Kirovski

Abstract: Preventing execution of unauthorized software on a given computer plays a pivotal role in system security. The key problem is that although a program at the beginning of its execution can be verified as authentic, while running, its execution flow can be redirected to externally injected malicious code using, for example, a buffer overflow exploit. Existing techniques address this problem by trying to detect the intrusion at run-time or by formally verifying that the software is not prone to a particular attack.

We take a radically different approach to this problem. We aim at intrusion prevention as the core technology for enabling secure computing systems. Intrusion prevention systems force an adversary to solve a computationally hard task in order to create a binary that can be executed on a given machine. In this paper, we present an exemplary system |SPEF| a combination of architectural and compilation techniques that ensure software integrity at run-time. SPEF embeds encrypted, processor-specific constraints into each block of instructions at software installation time and then verifies their existence at run-time. Thus, the processor can execute only properly installed programs, which makes installation the only system gate that needs to be protected.

Originally presented at ASPLOS 2002 based on a paper by Darko Kirovski (Microsoft Research), Milenko Drinic (Microsoft Research), Miodrag Potkonjak (University of California, Los Angeles)

Abstract: In this talk I will discuss three types of attack on the intellectual property contained in software, and three corresponding technical defenses. A defense against malicious reverse engineering is obfuscation, a process that renders software unintelligible but still functional. A defense against software piracy is watermarking, a process that makes it possible to determine the origin of software. A defense against tampering is tamper-proofing, so that unauthorized modifications to software (for example to remove a watermark) will result in non-functional code.

I will also discuss the design of SandMark, our framework for studying the obfuscation, watermarking, and tamper-proofing of Java bytecode.