Conference Program

Never memorize passwords. Compute them in your head instead, using secure humanly computable functions from challenges (website names) to responses (passwords).

Additional Materials: Publishable Humanly Usable Secure Password Creation Schemas, Manuel Blum and Santosh Vempala

Almost any web service needs secrets to operate. Whether it’s encryption keys for storing credit card data and personally identifiable information, authentication tokens for talking to third party services, or just a password for connecting to the local database, if your application lives online it probably has a secret. But how do you actually keep those secrets secret? In an ideal world access would be tightly restricted; neither developers, nor continuous integration, nor deployment tools would ever see them. But for applications deployed in the cloud which need to automatically instantiate new instances to match demand and replace unhealthy nodes, this creates an even greater challenge; how can an application be automatically deployed with its secrets if even the deployment tools can’t be allowed to see them?

In this talk I will describe how we have approached this problem at Netflix: an environment supporting thousands of independent microservice applications, all of which need the capability to automatically scale and self-heal. Along the way, I’ll describe how this problem becomes inexorably intertwined with the question of secure, provable, and ephemeral identity, and how we ultimately architected a solution to both problems.

Embedded systems are everywhere, from consumer electronics to critical infrastructure, vehicles, airplanes and military equipment. Yet public attention to security of embedded systems is relatively recent compared to that of the general purpose world. Combined with its polyculture of hardware architectures and operating systems and the proprietary and restricted nature of many systems and protocols, this has led to an opaque security landscape for both researchers and developers.

As a result embedded binary security generally lags behind what is commonly expected of modern general purpose systems. Hardening embedded systems via adoption of modern exploitation mitigations isn't, however, a trivial endeavor due to the many challenges and intrinsic constraints imposed by embedded environments. If we take into consideration the dominance of unsafe languages and the fact that patch deployment is far more involved on these systems, this is all the more reason for concern.

In this talk we will delve into the embedded ecosystem, present an overview of the state of embedded binary security and outline some of the challenges faced in the adoption of modern exploit mitigations, drawing upon our experiences during security research conducted into popular embedded OSes and our involvement in developing such mitigations for Industrial Control Systems.

Over 90% of the unprotected devices were found to be infected with at least one Malware threat or exhibiting the signs of an attack. In this talk, we'll reveal the results of the research, exposing the number of vulnerable devices and the gigabytes of storage that are now freely available to attackers. We’ll also share the technical results of the malware analysis. In summary, this talk will provide an insight into how the very old Internet protocols are being exploited on modern internet connected "things," explain the risks it creates to home and corporate users, and suggest recommendations on how businesses and users should be protecting themselves better against these unsophisticated but dangerous and highly successful attack scenarios.

Mozilla runs services for millions of Firefox users that must be operated at reasonable cost while sustaining a fast innovation pace. Development and operation teams have long adopted DevOps' Continuous Integration (CI) and Continuous Delivery (CD) principles, allowing applications to go from a patch submission to production deployment in minutes. These fast cycles have left security controls designed for slow deployment cycles lagging behind. In this talk, we describe how the Mozilla CloudSec team has redesigned security into the DevOps pipelines to accelerate the discovery and mitigation of security issues using a technique called "Test Driven Security" (TDS).

Similar to Test Driven Development, TDS puts the security tests that represent the desired behavior first, then runs these tests continuously against the code. Compared to a traditional approach where controls implementation is done outside of CI/CD, TDS can run in the DevOps pipeline automatically and continuously assert security of a web application.

In this presentation, we show how Mozilla uses Open Source tools to implement TDS and reduce the number of security vulnerabilities and regressions that reach production environments.

The modern world critically depends on the security and safety of software. We seek to ensure customer confidence and protect privacy, intellectual property, and national security. As threats to software security have become more sophisticated, so too have the techniques developed to ensure security.

This talk focuses on novel opportunities to automate bug detection and security exploit generation provided by advances in symbolic execution and automated constraint solving. It discusses how symbolic execution can benefit from novel techniques in Satisfiability Modulo Theories (SMT), a subfield of automated theorem proving that in the past 10 years has revolutionized the discipline. The talk presents a recent highly successful application of SMT solvers in support of the security analysis of Web applications and how these new capabilities open opportunities for automating such analysis beyond the Web.

This is a joint work with Clark Barrett (NYU/Stanford University), Morgan Deters (NYU), Tianyi Liang (The University of Iowa), Andrew Reynolds (The University of Iowa/EPFL), and Cesare Tinelli (The University of Iowa).

Bulletproof and anonymous hosting providers are key enabling factors of ransomware, phishing, and other cybercrime operations. Bulletproof hosters shield criminal content from abuse complaints and takedowns, whereas anonymous offshore hosters preserve privacy and free speech for their customers. Despite being conceptually different, the distinction between both classes tends to blur in practice. These hosters leverage multiple factors in their operations: the anonymity of the internet when establishing their businesses, heterogeneous laws and norms that exist in cross-border online spaces, and jurisdictions with little or no legislation to enforce laws against cyber criminals. Focusing threat intelligence efforts on these services and the actors that provide them is an important step to identifying and removing illegal and malicious content on the Internet. As an example, we choose The Netherlands, one of the world's top transit and hosting spaces, and through our research we bring together findings from the network and the field to shed light on criminal hosting in the Dutch IP space. This talk will be useful to threat analysts, security researchers, and law enforcement.

This is a joint work with Sarah Brown (Security Links/NATO).

Trust is a psychological factor that can gate channels of communication, persuasion, and collaboration. Here, I offer an overview of some of the neural and psychological mechanisms involved in coding for trust and coding for distrust. Trust can be conceptualized as two types of functions. The first is a factor in a relationship with another agent that is often socially developed through one or more interactions. The second is as an individual perception that contributes to certainty or confidence in the face of uncertainty. My research relates to the latter, and how people use incomplete information to handle uncertain or ambiguous decisions. I will show how the relationship between information and feelings of certainty is important for persuasion, and can lead to both optimistic and pessimistic biases in individual decision-making.

What happens if a surgical robot, used to perform a life-saving medical procedure, gets compromised and is used to harm a patient on an operating table, a surgeon performing a procedure, or both of them? What happens if a brain-computer interface, used either by severely disabled people or by early adopters, gets compromised and starts allowing anyone interested to listen in on its user's preferences, prejudices, or secrets? A lot—and sci-fi literature is full of interesting but rather unsettling examples.

So a better question to ask is: what can we done to prevent these attacks from happening? The answer is: a lot, and in this talk I will show that many of the mitigation strategies that we can apply rely on users' uniqueness in the way they interact with the system. 

When researching security/privacy and developing tools, it is tempting to focus on the abstract technical merits of a problem. In practice, attacks are not graded for difficulty, only success. Why spend the time and expense of a zero-day exploit which bypasses ASLR to achieve remote code execution when spearphishing is so effective? The biggest barriers to widespread computer security are not technical. Wide deployment of privacy-preserving tools and trustworthy computers isn't limited by cutting-edge challenges in cryptography or formal methods. The obstacles are getting everyday tools to implement secure development best-practices, incorporate end-to-end crypto, and offer multi-factor authentication. The problem is fighting an endless public relations war about whether we should have to invent the impossible to create back-doors or design tools which protect their users except when the user is trying to do something bad.

Here's the trick: think and talk about journalists. Talking about journalism as a first-class use case changes the mental calculus. It allows for focus on the real technical challenges of developing safe systems, and bypasses poorly-thought-out objections. Even better, thinking about the needs of journalists as first class users helps make design choices which better protect all users.

Philanthropy has a critical role to play in improving cybersecurity worldwide. As new technologies affect every aspect of our lives, the applicable laws, norms and policies—as well as the decision-makers that shape them—are struggling to keep up. High-profile breaches—at Sony Pictures, the Office of Personnel Management, and the Democratic National Committee, among many others—underscore the magnitude of the risks we face and the need for informed cybersecurity policies.

Yet despite its critical importance, funding to develop long-term cybersecurity policy for the benefit of the public is practically non-existent. The funding gap is, moreover, structural. Government and industry are directing significant resources to cybersecurity, but their efforts are and will remain focused on countering immediate threats and triaging new breaches. Unlike government or industry, philanthropy can be a neutral player not motivated by profit, politics, or self-interest.

There is critical work to be done for the safety of the public—work that government cannot and the private sector will not fund. What’s needed is flexible support from institutions that have the latitude to take a long-term, strategic approach—the kind of funding, in other words, that philanthropy is uniquely positioned to provide.

Industry is grappling, arguably unsuccessfully, with core sociotechnical tensions between individual and collective rights and interests in privacy, security, innovation, and autonomy. This is manifest in issues associated with smart-X (homes, health wearables, vehicles), predictive services, and precision measurements, for example.  Because these issues force new applications and interpretations of our traditional social mooring—law, economics and security—we need to rely on ethics as a common ordering force to address the challenges facing industry in achieving customer privacy and autonomy, business innovation and profit, and public and private cyber security. While the concept of corporate social responsibility is not new, the notion of collective industry ethics is shallow at best. This talk aims to advance the dialogue and collective action by discussing some of the core elements of ethics on which industry doesn't compete but without which it can individually fail.

Over the last 15 years, election integrity advocates have pushed the paper ballot as the unifying solution to various election audit problems. As long as we have the paper ballot, we thought, we can always recount. The US election of 2016 has given us ample evidence that a paper ballot recount is a lot less likely to occur than we had imagined. We cannot continue to rely solely on paper recounts to ensure the integrity of our elections.

Instead, we should build election systems that inherently provide evidence of their integrity, not via a post-hoc audit process, but by virtue of running the election itself. We should be able to challenge election results not because an election is close, but because there is hard objective evidence of questionable integrity. We'll focus on end-to-end cryptographic techniques and how they can work in practice, and we'll also touch on how important voter registration is, and what we can do to increase our confidence in the maintenance of voter rolls.

End-to-end encryption, which protects message content so that only the sender and recipient can access it, is gaining popularity in messaging applications. At the same time, there is some concern about potential deleterious effects on spam detection systems. At WhatsApp we have successfully launched such "e2e" encryption for over 1 billion people—while also reducing the amount of spam they receive. This talk will discuss techniques we've found successful for preventing spam without access to message content, and some of the challenges we faced along the way. It should help dispel concerns that e2e encryption necessarily means reduced effectiveness of spam detection.

We all know that hardly anybody ever reads privacy notices or security warnings, and when people try to read them, they tend to be long and extremely difficult to understand. In this talk I will start by discussing why privacy notices are important, explain why they are largely failing to inform people, and discuss some of the approaches companies and researchers are taking in an attempt to make privacy notices more useful. Then I’ll present a theory about the cognitive processes that take place when someone encounters a privacy notice or security warning. Finally, I will share several examples in which my students conducted user studies to test the effectiveness of privacy notices or security warnings. I will show some examples of notices that don’t seem to be very effective, as well as some examples of how notices can be improved through an iterative design and testing process.

This talk will present results of a qualitative study of the digital privacy and security practices and challenges of survivors of intimate partner abuse (IPA). We propose a framework for organizing survivors' technology practices and challenges into three phases: physical control, escape, and life apart. This framework is intended to help technology creators consider how survivors of IPA can leverage new and existing technologies. Overall, our results suggest that the usability of and control over privacy and security functions should be or continue to be high priorities for technology creators seeking ways to better support survivors of IPA.

One of the few areas in which the tech and policy communities generally agree is the need for norms to guide acceptable behavior in the digital domain. Given the increasingly vocal demand for—and noted cases of—greater retaliatory capabilities within the private sector, this is a necessary discussion and directly impacts security and privacy. With everything from cyber militias to full-fledged hacking back capabilities entering the discourse, there is a significant need for policy innovation and creativity that can set the foundation for the broader establishment of global norms. However, there are significant hurdles to norm implementation and a clear lack of comprehension of those factors that impact norm diffusion, including the technical difficulty of verification, outdated policies, as well as collective action problems and expected utility challenges. Despite these hurdles, the US must continue to attempt to shape global digital norms. Otherwise, other states will fill that void. And to get it right, tech community collaboration is required to avoid another Wassenaar situation. This presentation will discuss the opportunities and challenges of norm diffusion, while embedding the discussion in the recent discourse on offense-based behavior, which has significant implications for both security and privacy.

Machine learning classifiers are widely used in security applications, and often achieve outstanding performance in testing. When deployed, however, classifiers can often be thwarted by motivated adversaries who can construct evasive variants which are misclassified as benign. The main reason for this is that classifiers are trained on samples collected from previous attacks, which often differ from benign samples in superficial and easily-modified ways. Further, many machine learning techniques, including deep neural networks, are inherently fragile. In this talk, I’ll highlight the reasons most classifiers can be evaded by motivated adversaries and demonstrate some successful evasion techniques, including ones that can be fully automated. Then, I’ll talk about methods that could be used to make classifiers less vulnerable to evasion and to evaluate the robustness of a deployed classifiers in the presence of adversaries.

Cyber threats against our information systems have grown in sophistication and number, yet progress in the cyber security of best-of-breed systems has been significant over the last few years, giving us hope that we are no longer facing an impossible task. This talk will present an overview of the state of current cyber systems, the anatomy of a cyber attack, and discuss the cyber R&D portfolio in DARPA I2O.

Not that long ago, the Department of Defense started to evolve from security through obscurity to more open practices that welcome contributions from the outside world. A new “Hack the Pentagon” bug bounty pilot proved that outside hackers could help secure DoD systems. The DoD then launched a vulnerability disclosure policy so that researchers could point out general security issues. And a recent “Hack the Army” contest has further proven that bug bounties are an effective tool in the DoD’s security toolkit.

This talk will discuss 2016’s rocky road to get to where we are today. Though there is still work to be done, there are signs of life to report. Progress at the DoD will help legitimize practices for other sectors and finally provide more clarity on the gray areas of the Computer Fraud & Abuse Act. Security researchers and prosecutors alike will have a better understanding of what is and isn’t legal in the hacking realm.