Thursday, May 22, 2014

IEEE Security and Privacy Symposium 2014: Another Challenging Year, Another Compelling IEEE SSP, and Another Significant Contribution from CMU CyLab

Giovanni Domenico Tiepolo - Procession of the Trojan Horse in Troy (1773)
Another challenging year in cyber security and privacy means another compelling IEEE Security and Privacy Symposium, and another compelling IEEE Security and Privacy Symposium means another significant contribution from Carnegie Mellon University CyLab.

This year, three hundred and thirty three papers were submitted. After a rigorous review process (which included ninety nine "intensive discussions," one thousand two hundred eighteen reviews and a rebuttal phase), forty four papers were selected to be published as part of the Symposium.

Of these forty four worthy contributions, four were singled out for IEEE Security and Privacy Symposium 2014 Best Papers Awards:

Best Paper

Secure Multiparty Computations on BitCoin by Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Łukasz Mazurek (University of Warsaw)

Best Practical Paper

Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations by Chad Brubaker and Suman Jana (University of Texas at Austin), Baishakhi Ray (University of California Davis), and Sarfraz Khurshid and Vitaly Shmatikov (University of Texas at Austin)

Best Student Papers

Framing Signals — A Return to Portable Shellcode by Erik Bosman and Herbert Bos (Vrije Universiteit Amsterdam)

Bootstrapping Privacy Compliance in Big Data Systems by Shayak Sen (Carnegie Mellon University), Saikat Guha (Microsoft Research, India), Anupam Datta (Carnegie Mellon University), Sriram Rajamani (Microsoft Research, India), Janice Tsai (Microsoft Research, Redmond), and Jeannette Wing (Microsoft Research)

CMU CyLab researcher Shayak Sen presented the award-winning paper, co-authored by members of the CyLab and Microsoft Research teams:

In this paper, we demonstrate a collection of techniques to transition to automated privacy compliance checking in big data systems. To this end we designed the LEGALEASE language, instantiated for stating privacy policies as a form of restrictions on information flows, and the GROK data inventory that maps low-level data types in code to high-level policy concepts. We show that LEGALEASE is usable by non-technical privacy champions through a user study. We show that LEGALEASE is expressive enough to capture real-world privacy policies with purpose, role, and storage restrictions with some limited temporal properties, in particular those of Bing and Google. To build the GROK data flow graph we leveraged past work in program analysis and data flow analysis. We demonstrate how to bootstrap labeling the graph with LEGALEASE policy datatypes at massive scale. We note that the structure of the graph allows a small number of annotations to cover a large fraction of the graph. We report on our experiences and learnings from operating the system for over a year in Bing. -- Shayak Sen (Carnegie Mellon University), Saikat Guha (Microsoft Research, India), Anupam Datta (Carnegie Mellon University), Sriram Rajamani (Microsoft Research, India), Janice Tsai (Microsoft Research, Redmond), and Jeannette Wing (Microsoft Research), Bootstrapping Privacy Compliance in Big Data Systems, IEEE Security and Privacy Symposium 2014, Best Student Paper (1 of 2)

But, of course, the Bootstrapping Privacy Compliance paper was not the only CyLab contribution to the Symposium program. For example, CMU CyLab researcher Zongwei Zhou spoke on Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O, a paper co-authored with Miao Yu and Virgil Gligor:

Trustworthy applications are unlikely to survive in the marketplace without the ability to use a variety of basic services securely, such as on-demand isolated I/O channels to peripheral devices. This paper presents a security architecture based on a wimpy kernel that provides these services without bloating the underlying trusted computing base. It also presents a concrete implementation of the wimpy kernel for a major I/O subsystem, namely the USB subsystem, and a variety of device drivers. Experimental measurements show that the desired minimality and efficiency goals for the trusted base are achieved. -- Zongwei Zhou, Miao Yu, Virgil Gligor, Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O, IEEE Security and Privacy Symposium 2014

Other CMU papers selected and presented at IEEE SSP 2014 included:

All Your Screens Are Belong to Us: Attacks Exploiting the HTML5 Screen Sharing API by Lin-Shung Huang, Yuan Tian, Patrick Tague and others, CMU SV and Facebook

Analyzing Forged SSL Certificates in the Wild by Lin-Shung Huang, Alex Rice, Erling Ellingsen, and Collin Jackson

Stopping a Rapid Tornado with a Puff by Jose Lopes and Nuno Neves of CMU Portugal

CyLab's contribution to IEEE SSP 2014 also included several papers from two CMU CyLab alumni and an alumna.

There were three papers co-authored by CMU CyLab alumnus XiaoFeng Wang of Indiana University (Bloomington): Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections; Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating; and Perils of Fragmentation: Security Hazards in Android Device Driver Customizations.

Also, CMU CyLab alumnus Bryan Parno of Microsoft Research and CMU CyLab alumna Elaine Shi of the University of Maryland (College Park) were among the co-authors of PermaCoin: Repurposing Bitcoin Work for Data Preservation, and Shi co-authored a second paper, Automating Efficient RAM-Model Secure Computation.

CyLab's efforts were also apparent on the organizational level at IEEE SSP 2014:

Adrian Perrig of ETH Zürich, formerly CyLab's Research Director, now a CyLab Distinguished Fellow, served as one of the Symposium's three program chairs.

Three CyLab researchers served as Session Chairs: Lujo Bauer for Systems Security, Virgil Gligor (CyLab Director) for Attacks 3, and Anupam Datta for Secure Computation and Storage.

Also, CMU CyLab alum Bryan Parno served as a Session Chair for Privacy and Anonymity.

And, looking ahead to next year, Lujo Bauer will be one of the Symposium program chairs. 2015 will likely be another challenging year in cyber security and privacy, which will mean another compelling IEEE Security and Privacy Symposium, with another significant contribution from Carnegie Mellon University CyLab.
