A Report on CyLab Silicon Valley Briefing (Spring 2011)
By Richard Power
On March 25, 2011, we held our Spring 2011 CyLab Silicon Valley Briefing, at Carnegie Mellon University's Silicon Valley Campus (NASA Research Park, Mountain View, California).
We hold two of these half-day events a year, one in the Spring and one in the Fall.
The attendees are a small group of invitation-only guests who RSVP (no more than 20 or 30), including C-level executives and leading technologists from Bay Area and Silicon Valley companies, as well as select members of the press, board members from security-related professional associations and representatives of Federal law enforcement.
The program is framed around presentations from CyLab researchers, highlighting their work in vital areas of cyber security and privacy, and allows for considerable give and take with the highly engaged attendees.
Here are some glimpses into the content --
In his presentation, Security of Smart Grids: A Cyber-Physical Perspective, CyLab researcher Bruno Sinopoli shared insights from case studies of attacks against control system sensors.
In 2009, Sinopoli recounted, he co-authored a paper modeling an attack in which sensor readings could be recorded and modified, and then malicious content injected, after which the previous sensor readings could be replayed to fool the control system: "like in Ocean's Eleven."
"People were saying, 'So who cares?' Sixteen months later, I got my revenge."
Israeli Test on Worm Called Crucial in Iran Nuclear Delay
The biggest single factor in putting time on the nuclear clock appears to be Stuxnet, the most sophisticated cyberweapon ever deployed ... The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart. New York Times, 1-15-11
Laughingly, Sinopoli added, "I had nothing to do with Stuxnet, but if you know who did, tell me because I want royalties."
In concluding his presentation (which also included a model for making such attacks profitable), Sinopoli stressed four points:
Security of cyber‐physical systems is of paramount importance
Security needs to be integrated with system theory/knowledge
A science of security for CPS systems needs to be developed
Small attacks that run “under the radar” can have serious consequences
CyLab researcher Anupam Datta spoke on "Privacy Protection via Monitoring and Audit: Computer Science + Healthcare + Law."
Datta's presentation highlighted research focused on personal information governance, which is becoming an increasingly complex issue as healthcare, in all aspects, becomes increasingly dependent on IT.
The articulated goal of Datta's research:
Develop methods and tools to help organizations be compliant with privacy regulations and internal policies.
"At a very high level," Datta explained, "the approach we are taking in this work is that we start with privacy laws, which are written out in English, in dense, legal text, and translate it to a computer-readable privacy policy, and then develop techniques to take as input, the audit logs in an organization, and these privacy policies, and detect violations. All of the process will be automated, but we will also require help from human auditors, for other things. The goal is to automate as much of this process as possible, and to guide human auditors in their activities."
Some of the daunting challenges in this area include those related to representing complex privacy laws, e.g., identifying core privacy concepts in long, dense legal text (HIPAA alone has 84 operational clauses about disclosures of protected health information) and understanding how individual clauses should be combined: permitting clauses, denying clauses, cross-references, exceptions.
Results so far?
PrivacyLFP, a first-order logic (language) for representing privacy laws
First complete logical formalization of all disclosure-related clauses in the HIPAA Privacy Rule and the Gramm-Leach-Bliley Act
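The audit step Datta describes (a machine-readable policy plus an audit log in, violations out, with undecidable cases handed to a human auditor) can be sketched as follows. This is an added example, not CyLab's code and not PrivacyLFP: the clauses, field names, sample log, the "needs-review" verdict and the rule for combining permitting and denying clauses are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Disclosure:                  # one audit-log entry (hypothetical schema)
    sender: str                    # role of the sender
    recipient: str                 # role of the recipient
    attribute: str                 # kind of information disclosed
    purpose: Optional[str]         # None: the log does not record a purpose
    authorized: bool = False       # patient authorized this disclosure

def purpose_is(d, wanted):
    # True/False when the log records a purpose, None when it cannot be decided.
    return None if d.purpose is None else d.purpose == wanted

# Constructed clauses (id, kind, predicate); NOT the text of any law.
POLICY = [
    ("P1", "permit", lambda d: purpose_is(d, "treatment")
        if d.sender == "clinician" and d.recipient == "clinician" else False),
    ("P2", "permit", lambda d: purpose_is(d, "payment")
        if d.recipient == "billing" else False),
    # Denying clause with an exception: notes are off limits unless authorized.
    ("D1", "deny", lambda d: d.attribute == "psychotherapy-notes" and not d.authorized),
]

def audit(entry, policy=POLICY):
    """Return (verdict, ids of the clauses that decided it) for one entry."""
    # Assumed combination rule: compliant iff some permitting clause applies
    # and no denying clause applies; undecidable clauses go to a human auditor.
    res = [(cid, kind, pred(entry)) for cid, kind, pred in policy]
    hit = lambda kind, val: [c for c, k, v in res if k == kind and v is val]
    if hit("deny", True):
        return "violation", hit("deny", True)
    if not hit("permit", True) and not hit("permit", None):
        return "violation", []     # no clause allows this flow at all
    unknown = hit("deny", None) + ([] if hit("permit", True) else hit("permit", None))
    if unknown:
        return "needs-review", unknown
    return "compliant", hit("permit", True)

LOG = [  # constructed sample audit log
    Disclosure("clinician", "clinician", "lab-result", "treatment"),
    Disclosure("clinician", "clinician", "psychotherapy-notes", "treatment"),
    Disclosure("clinician", "clinician", "lab-result", None),
    Disclosure("clerk", "marketing", "diagnosis", "advertising"),
]

def audit_log(log=LOG):
    return [audit(e) for e in log]
```

The third sample entry is the case that needs a human: the log records no purpose, so the only clause that could permit the disclosure cannot be evaluated automatically.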
"A lot of research is going into making the sandbox more secure. If you look at existing browsers, a lot of them do use a sandbox with multiple layers of protection. They will design the browser as defense in depth, so that you can not only protect the user's local file system, but also protect one tab from another tab, if there happens to be a vulnerability in the browser. So that is one class of research we do here, is trying to understand how to design the architecture of the browser to mitigate vulnerabilities in the code of the browser itself.
"Another type of research we do is mitigating web vulnerabilities, where the browser is functioning as intended, but the code of the web server has some bug in it that is causing the application to be insecure. And it turns out that it is extremely hard to write a web application securely. So Browserscope.org is a collaboration we have with Google, and we are using it to track the adoption of various web application security proposals that require client-side modification. We are actually checking to see if various browsers have adopted the security proposals we have made; the green squares [in the table] are the browsers that have adopted our proposals, and the red squares are those that haven't adopted yet ... We are making a lot of progress in what it takes to build a secure web site."