Check out the new USENIX Web site. USENIX - Symposium


Preliminary Program

7th USENIX Security Symposium

January 26-29, 1998
Marriott Hotel
San Antonio, Texas

Tutorials
Refereed Paper Track
Invited Talks Track
Works-in-Progress Reports
Registration

Tutorial Program

Monday and Tuesday, January 26-27, 1998

Gain command of the newest security tools, techniques, and approaches, then put them to work in your organization immediately.

Highly-publicized, frequent breaches have made security one of the most urgent topics in today's computing environment. Protecting your site has become more difficult and complex as technology tries to address more sophisticated problems. No single security solution will forever guard your systems from a break-in. Need an immediate fix on the newest solutions? Attend the USENIX Security Tutorials. If you register by January 5, you can save $50.

Our guarantee: If you're not happy, we're not happy. If you feel a tutorial does not meet the high standards you have come to expect from USENIX, let us know by the first break and we will change you to any available tutorial immediately.

Continuing Education Units

USENIX provides Continuing Education Units (CEUs) for a small additional administrative fee. The CEU is a nationally recognized standard of unit of measure for continuing education and training, and is used by thousands of organizations. Each full-day USENIX tutorial qualifies for 0.6 CEUs. You can request CEU credit by completing the CEU section on the registration form. USENIX provides a certificate for each attendee taking a tutorial for CEU credit and maintains transcripts for all CEU students. CEUs are not the same as college credits. Consult your employer or school to determine their applicability.

Tutorial Overview

Tutorials fees include

  • Admission to the tutorials you select
  • Printed and bound tutorial materials from your session
  • Lunch
  • Admission to the Vendor Exhibition

Full day tutorials run from 9:00am to 5:00pm. Half-day tutorials, marked "am" or "pm" run either from 9:00am to 12:30pm or 1:30pm to 5:30pm. If you choose half-day tutorials, please select one morning and one afternoon tutorial. Sorry, no partial registrations are allowed.

Monday, January 26

M1 Security on the World Wide Web
M2 Windows NT Security
M3am Certification: Identity, Trust, and Empowerment
M4pm Towards Secure Executable Content: Java Security

Tuesday, January 27

T1 Handling Computer and Network Security Incidents
T2 Network Security Profiles: What Every Hacker Already Knows About You, and What To Do About It
T3am Using Cryptography
T4pm Cryptography for the Internet

M1 Security on the World Wide Web

Daniel Geer, CertCo, LLC, and Jon Rochlis, SystemExperts Corp.

Who should attend: Anyone responsible for running a web site who wants the understand the tradeoffs in making it secure. Anyone seeking to understand how the web is likely to be secured

The world wide web is perhaps the most important enabler (so far) of electronic commerce. It has grabbed the popular imagination and the engineering and marketing efforts of a generation of on-line entrepreneurs and consumers. But it was initially design with little if any thought to industrial strength security. Over the past several years numerous proposals have surfaced to secure the web. This course will survey them with the goal of understanding the strengths and weaknesses of each. The topics covered include:

  • Client/server network security
  • Brief overview of encryption and its role in all security
  • Simple schemes: Basic Auth
  • Prevailing protocols: SSL, S-HTTP, PCT
  • IP Security
  • Payment protocols: Cybercash, Digicash, Open Market, First Virtual, Visa/Mastercard (SET) and others
  • Secure operation: Configuration, containment, interaction with firewalls, replication, proxy servers, logging

M2 Windows NT Security

Rik Farrow, Consultant

Who should attend: System and network administrators, and programmers, who must work with NT systems and need to understand its security principles.

Windows NT is the result of an unusual marriage between disparate operating systems: a completely reworked replacement for Digital Equipment's VMS and Windows 3.1. On the one hand, there are security features to satisfy the most avid control freak: centralized control over user accounts, file sharing, desktop appearance, fine grained object access, encryption, a security monitor, and auditing sensitive enough to capture most security related events. On the other hand, it provides support for an API that has been the main target for virus writers, and application programmers who have never even considered the notion of security.

This tutorial explains the security mechanisms in Windows NT, and how it can best be used to improve the security of networked NT systems. This is not just a review of NT's security-related GUIs (although they are included), we will go behind the scenes and discover the file and directory hierarchy of the trusted computing block, Web server (IIS), registry and event logs, and system files and libraries. Where ever possible, we will explore the command line interfaces and tools for controlling and auditing security of NT systems.

In particular, we will learn about:

  • The NT registry, a file system-like construct for storing device and application configuration, passwords, and other system values,all of which protected by access control lists (ACLs);
  • User accounts, local and global groups, rights, and privileges;
  • Domains, domain controllers, local and network authentication;
  • NT Passwords, and collecting and cracking passwords;
  • ACLs for file, directories, and other objects;
  • NT's event and audit mechanism; and
  • Correct configuration of IIS, RAS, network services, and protecting NT systems with firewalls.

M3am Certification: Identity, Trust, and Empowerment

Carl M. Ellison, CyberCash, Inc.

Who should attend: Programmers and managers who have to design or select systems using public key cryptography for strong access control or other situations in which the guarantee of trust is critical.

In 1976, Diffie and Hellman postulated a telephone directory, but with public keys instead of phone numbers, to take the place of couriers carrying keys between people to open secure channels. This suggestion has grown into public key certificates, binding names to keys, and to suggestions for national or global Public Key Infrastructures (PKIs). Many people advocate using such certificates or PKIs without realizing what they are getting in return. They take the word of professional cryptographers.

Professional cryptographers, meanwhile, are sloppy in their use of words -- using "name" and "identity" as if they were interchangeable -- and using "trust" without any qualifiers (as in "In God We Trust").

In fact, each kind of certificate empowers a public key in some way. This tutorial will teach people how to identify what kind of empowerment they need for their public keys and how to achieve that empowerment. It will describe a variety of different certificate formats (X.509, Attribute Cert, PGP, SDSI, SPKI, PolicyMaker) and describe the kind of empowerment each offers.

Time and interest permitting, the tutorial will also cover US Government proposals for using PKIs to achieve Government Access to Keys -- although this may be moot by the time of the tutorial (depending on congressional and judicial events).

M4pm Towards Secure Executable Content: Java Security

Gary McGraw, Reliable Software Technologies

Who should attend: Programmers, webmasters, and network administrators interested in how Java security is implemented, and how the benefits of Java compare with its risks.

Executable content systems like Java, ActiveX, and Postscript have become a normal part of surfing the Web. These systems are often integrated so seamlessly into browsers that users are unaware that they are doing anything extraordinary. This means many users do not recognize the extra security risks they are taking on by using such systems. Java is especially cool since it is cross-platform, object oriented, network-savvy, and uses modern memory management. In addition, Java's designers have attempted to create a system that simultaneously ensures type safety and allows dynamic class loading. Type safety plays an essential role in Java's security approach.

Java clearly has exciting benefits, but with these benefits come new risks. It is critical that Java perform in a secure fashion---something that its designers tried to ensure. How did they do it? How successful were they? Do the benefits of Java outweigh the risks?

This tutorial covers the three prongs of the fundamental Java security model, discusses some of Java's most famous flaws, covers the impact of code-signing on the Java sandbox, and talks about what to expect in the future from executable content systems in terms of security.

T1 Handling Computer and Network Security Incidents

Jim Duncan, Penn State University, and Rik Farrow, Consultant

Who should attend: System and network administrators, security and management of computer resources. You should have some knowledge of current operating systems and networking.

Are you prepared to handle a security incident at your site? Responding to computer security incidents is a requirement for all organizations where computers and networks are an important part of the infrastructure. You will find out how to prepare for and handle security incidents with step-by-step information and examples from real world incidents.

You will learn about the need for comprehensive computer security incident handling capability, how to communicate that need to management and the user community, how to investigate an incident (as a handler, not as law enforcement), and how to establish and maintain the capability. Even if you are the only person tasked with security, this tutorial will help you prepare yourself and your organization.

Course outline:

  1. Incidents and their cost: types of incidents, statistics on the frequency of incidents, targets of incidents (finance, research, educational, etc.). The costs for handling an incident poorly versus handling an incident well.
  2. A multilevel assessment of organizations including the hardware and software, operating systems, network components, types of links, locations, user base, knowledge level, experience, behavior. Also the business of each part of the organization and the corporate or organizational management structure.
  3. What not to do--real-life examples of incident handling done wrong.
  4. Post-mortem of incident and overview of computer ethics and law. Major missteps analyzed, possible violations and relevance to various statutes, e.g., ECPA, CFAA, FERPA, and newer legislation.
  5. How to develop and refine computer and network security policies, including practice and procedures for incident handling starting with what's already in place.
  6. Ten steps to incident handling: incident detection, reporting, the quick appraisal, flaw identification, countermeasures, decide about contacting law enforcement, investigation, notification of related RTs, evidence collection, and closure.
  7. Chain of custody: correct evidence handling, dealing with law enforcement, search warrants; deciding when to contact law enforcement.
  8. Building an incident handling capability in-house and outside. People, places, equipment, procedures, authority. Who to notify and determining who is responsible for what. Defining ethical behavior for incident handling team.
  9. Incident handling through role playing.
  10. Other resources, FIRST teams, law enforcement. Mailing lists and newsgroups. Archives. Vendor notifications and expectations.

T2 Network Security Profiles: What Every Hacker Already Knows About You, and What To Do About It

Jon Rochlis and Brad Johnson, SystemExperts Corp.

Who should attend: Network, system, and firewall administrators; security auditors or audit recipients; people involved with responding to intrusions or responsible for network-based applications or systems which might be targets for hackers. Participants should understand the basics of TCP/IP networking. Examples may use UNIX commands or include C or scripting languages.

This course will be useful for people with any type of TCP/IP based system: whether it is a UNIX, Windows, NT, or mainframe based operating system or whether it is a router, firewall, or gateway network host.

There are four common stages to network-based host attacks: reconnaissance, target selection, exploitation, and cover-up. This course will review the tools and techniques hackers use in performing these types of activities. You will understand how to either be prepared for such attacks or how to stay one step ahead of them. Specifically, the course will focus on how to generate profiles of your systems remotely. Additionally, it will show some of the business implications of these network-based probes.

The course will focus primarily on tools that exploit many of the common TCP/IP based protocols (such as ICMP, SNMP, RPC, HTTP, SMTP) which support virtually all of the Internet applications -- such as mail, Web technologies, network management, and remote file systems. Many topics will be addressed at a detailed technical and administrative level. This course will primarily use examples of public domain tools because they are widely available and commonly used in these types of situations.

Topics include:

  • Review of attack methodology: reconnaissance, target selection, exploitation, and cover-up
  • Profiles: what does one look like
  • Techniques: scanning, CERTs, hacking clubs
  • Tools: scotty, strobe, SATAN, ISS, etc.
  • Business exposures: integrity and confidentiality, audits, intrusion resolution
  • Demos of some tools

T4pm Cryptography for the Internet

Bruce Schneier, Counterpane Systems

Who should attend: Those who need to understand how cryptography is used over the Internet to secure communications, establish authenticity, and provide for integrity. I stress the engineering discipline, and do not assume a strong background in mathematics.

Security is essential for business and social interactions, and the pre-computer world has developed many techniques to establish security: voice recognition on the telephone provides authentication, signatures on paper provide proof of intent, closed doors and walks in the park provide privacy, unforgeable currency provides for fairness. As more and more business and social interactions move onto the Internet, the challenge is to mirror these techniques as much as possible in this new world.

This tutorial shows how cryptography can help. By allowing for confidentiality, authentication, integrity, fairness, and many other things, cryptography can transform the Internet into a serious business tool. The Internet community has developed protocols to secure electronic mail, World Wide Web interactions, electronic commerce transactions, etc., which you will hear about.

Topics include:

  • Cryptography in a networked world

  • Tools of Internet cryptography
  • Threat modeling
  • Email security: PGP, S/MIME
  • Trust management: X.509, SDSI, SPKI
  • IP security
  • World-Wide Web security
  • Electronic commerce: Cybercash, Digicash, First Virtual, SET

After completing this tutorial, you will understand how cryptography is currently used on the Internet . You will be able to vigorously debate the pros and cons of different systems, and cause commotions at IETF meetings.

T3am Using Cryptography

Bruce Schneier, Counterpane Systems

Who should attend: Those who need to understand what cryptography: does and how it works. I stress the engineering discipline, and do not assume a strong background in mathematics.

From encryption to digital signatures to electronic commerce to secure voting, cryptography has become the enabling technology that allows us to take existing business and social constructs and move them to computer networks. But a lot of cryptography is bad, and the problem with bad cryptography is that it looks just like good cryptography; most people cannot tell the difference. Security is a chain: only as strong as the weakest link.

This tutorial is about cryptography as it is used in the real world: the algorithms, the protocols, and the implementations. I'll stress the whats and the hows rather than the whys. People building (or using) cryptography need to understand what it can do and can't do, and that it's not the panacea it's often made out to be.

Topics covered include:

  • Basics of Cryptography
  • Symmetric Cryptography: DES, triple-DES, IDEA, Blowfish, RC2, RC4, RC5, AES
  • Public-key Cryptography: Encryption and digital signatures, RSA, Diffie-Hellman, ElGamal, DSA
  • Hash Functions and Message Authentication Codes: MD4, MD5, SHA,
  • CBC-MAC, HMAC, NMAC
  • Random Number Generation
  • Protocols: key exchange, authentication, secret sharing, key escrow, certificates, digital cash
  • What cryptography can do for you
  • What cryptography can't do for you

No single tutorial can teach someone to be a cryptographer. After completing this tutorial, participants will be intelligent consumers of cryptography. The will understand cryptography's building blocks, how those building blocks are put together to make cryptographic system, and what the limitations of the science are.

About the Instructors

Jim Duncan is manager of Network and Information Systems and principal systems administrator for Pennsylvania State University's Applied Research Laboratory, a multi-disciplinary research facility for the U.S. Navy and other sponsors. He is a contributor to RFC 1244, The Site Security Policy Handbook and has developed numerous policies, guidelines, and presentations on systems and network administration, computer security, incident handling, and ethics. Jim is an active member of the Penn State CERT team and has primary responsibility for incident handling at the Applied Research Lab.

Carl Ellison is a professional cryptographer who has been researching certification for over two years now. He is draft author for the IETF standard track certificate structure known as SPKI. In addition to his cryptography background, Carl has expertise in networking, operating systems, real time computer graphics, fault tolerance and digital signal processing.

Rik Farrow provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984, and with TCP/IP networks since 1988. Rik has taught at the IRS, Department of Justice, NSA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security and System Administrator's Guide to System V. Farrow writes two columns for ;login:, and a network security column for Network magazine

Daniel E. Geer, Jr. is vice president of CertCo, LLC, a market leader in digital certification for electronic commerce. Dr. Geer has a long history in network security and distributed computing management as an entrepreneur, consultant, teacher and architect. He holds a Doctor of Science in Biostatistics from Harvard University. A frequent speaker, popular teacher and member of several professional societies, he is active in USENIX where he has participated in most every activity. He is a co-author of the recently-publishedWeb Security Sourcebook.

Brad Johnson is a well-known authority in the field of distributed systems. He has participated in seminal industry initiatives like the Open Software Foundation, X/Open, and the IETF, and has published often about open systems. At SystemExperts he has led numerous security probes for major companies, revealing significant unrealized exposures. Prior to joining SystemExperts, Brad was one of the original members of the OSF DCE Evaluation Team, the group that identified, evaluated and selected technology to become the industry's first true interoperable middleware.

Gary McGraw is a research scientist with a dual PhD in Cognitive Science and Computer Science from Indiana University. Dr. McGraw is a noted speaker, consultant, and author on Java security. He recently completed Java Security: Hostile Applets, Holes, & Antidotes (with Professor Ed Felten of Princeton University). McGraw's second book, Software Fault Injection: Inoculating Programs Against Errors (with Dr. Jeff Voas) will be published in November. Dr. McGraw's has published his research in over forty technical publications. He is principal investigator on grants from the National Science Foundation, Rome Labs, and the Defense Advanced Research Projects Agency (DARPA).

Jon Rochlis is a senior consultant for SystemExperts Corp. He provides high level advice to businesses in the areas of network security, distributed systems design and management, high-availability, and electronic commerce. Before joining SystemExperts, Mr. Rochlis was engineering Manager with BBN Planet, a major national Internet service provider.

Bruce Schneier is president of Counterpane Systems, a cryptography and computer security consulting company. He is the author of Applied Cryptography, the seminal work in its field, selling over 80,000 copies and has translated into four languages. His papers have appeared at international conferences, and he has written dozens of articles on cryptography for major magazines. He designed the popular Blowfish encryption algorithm, still unbroken after years of cryptanalysis.

Refereed Paper Track

Keynote Address
Bill Cheswick, Lucent Technologies

Bill Cheswick logged into his first computer in 1969 and has worked on operating system security for more than 25 years. Since joining Bell Laboratories in 1987, he has worked on network security, PC viruses, mailers, the Plan 9 operating system, and kernel hacking. He co-authored, with Steve Bellovin, the first full book on Internet security, Firewalls and Internet Security, Repelling the Wily Hacker. Cliff Stoll has called Ches "one of the seven avatars of the Internet."

Ches's current work includes various Internet munitions, a new edition of the book, and maybe a way to hunt down anonymous denial-of-service attacks.

Architecture
Session Chair: Steve Bellovin, AT&T Labs--Research

A Comparison of Methods for Implementing Adaptive Security Policies
Brian Loe, Michael Carney, Secure Computing Corporation

The CRISIS Wide Area Security Architecture
Eshwar Belani, Amin Vahdat, Thomas E. Anderson, Michael Dahlin University of California at Berkeley

Intrusion Detection
Session Chair: Mike Reiter, AT&T Labs--Research

Bro: A System for Detecting Network Intruders in Real-Time
Vern Paxson, Lawrence Berkeley National Laboratory

Cryptographic Support for Secure Logs on Untrusted Machines
Bruce Schneier and John Kelsey, Counterpane Systems

StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
Crispan Cowan, Oregon Graduate Institute

Data Mining Approaches for Intrusion Detection
Wenke Lee and Salvatore J. Stolfo, Columbia University

Network Security
Session Chair: Dave Balenson, Trusted Information Systems

Securing 'Classical IP over ATM Networks'
Carsten Benecke and Uwe Ellermann, Universitaet Hamburg, Fachbereich Informatik

A Java Beans Component Architecture for Cryptographic Protocols
Pekka Nikander and Arto Karila, Helsinki University of Technology

Secure Videoconferencing
Peter Honeyman, Andy Adamson, Kevin Coffman, Janani Janakiraman, Rob Jerdonek, Jim Rees, CITI, University of Michigan

Distributed Systems
Session Chair: Hilarie Orman, DARPA/ITO

Unified Support for Heterogeneous Security Policies in Distributed Systems
Victoria Ungureanu and Naftaly H. Minsky, Rutgers University

Operating System Protection for Fine-Grained Programs
Trent Jaeger, Jochen Liedtke, Nayeem Islam, IBM T.J. Watson Research Center

Expanding and Extending the Security Features of Java
Karen R. Sollins and Nimisha V. Mehta, MIT Laboratory for Computer Science

World Wide Web Security
Diane Coe, Concept5 Technologies

Towards Web Security Using PLASMA
A. Krannig, Fraunhofer-Institute for Computer Graphics IGD

Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies
Vinod Anupam and Alain Mayer, Bell Labs, Lucent Technologies

Finite-state Analysis of SSL 3.0
John C. Mitchell, Vitaly Shmatikov, Ulrich Stern, Stanford University

Cryptography
Session Chair: Carlisle Adams, Nortel

Certificate Revocation and Certificate Update
Kobbi Nissim and Moni Naor, Weizmann Institute of Science

Attack-Resistant Trust Metrics for Public Key Certification
Raph Levien and Alex Aiken, University of California at Berkeley

Software Generation of Random Numbers for Cryptographic Purposes
Peter Gutmann, University of Auckland

Invited Talks Track

The Security Product Market: Trends and Influences
Marcus Ranum, Network Flight Recorder, Inc.

Computer Security and Legal Liability
Steve Bellovin, AT&T Labs - Research

Factoring: Facts and Fables
Arjen K. Lenstra, Citibank, N.A.

Elliptic Curves -- Ready for Prime Time
Alfred Menezes, Auburn University

Securing Electronic Commerce: Applied Computer Security or Just Common Sense
Clifford Neuman, University of Southern California, Information Sciences Institute

Real World Security Practices
JoAnn Perry, Independent Consultant and Shabbir Safdar, Goldman, Sachs & Co.

Work-in-Progress Reports

The Works-in-Progress session will consist of five minute presentations. Speakers should submit a one or two paragraph abstract to sec98wips@usenix.org by January 15. Please include your name, affiliation, and the title of your talk. Please note this is a change from the original instructions in the Call for Papers. A schedule of presentations will be posted at the conference by Noon on January 29. Experience at other conferences has shown that most submissions are usually accepted. The five minute time limit will be strictly enforced.

Registration Materials


?Need help? Use our Contacts page.
Last changed: Oct 31, 1997 efc
Symposium Index
Events Calendar
USENIX home