Hangzhou • China | 18-20 November, 2019
Abstract: User authentication is the first line of defence in information security, and passwords have been the most pervasive means of user authentication since the advent of computers. However, the use of passwords has intrinsic problems. In particular, password leakage (due to eavesdropping, phishing, shoulder-surfing or keylogging) has been the source of numerous cyber attacks. In this talk, we will look at some of the recent efforts towards secure and usable password authentication, from automatically detecting implementation flaws in the password authentication code of Android apps, to systematically analyzing the inherent trade-off between security and usability in leakage-resilient password systems, to the design of low-cost two-factor authentication (2FA) to enhance the security of password authentication.
Bio: Robert Deng is AXA Chair Professor of Cybersecurity and Director of the Secure Mobile Centre, School of Information Systems, Singapore Management University (SMU). His research interests are in the areas of data security and privacy, network security, and system security. He received the Outstanding University Researcher Award from the National University of Singapore, the Lee Kuan Yew Fellowship for Research Excellence from SMU, and the Asia-Pacific Information Security Leadership Achievements Community Service Star from the International Information Systems Security Certification Consortium. He serves or has served on many editorial boards and conference committees, including the editorial boards of IEEE Security & Privacy Magazine, IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Information Forensics and Security, and the Journal of Computer Science and Technology, and as Steering Committee Chair of the ACM Asia Conference on Computer and Communications Security. He is a Fellow of the IEEE and a Fellow of the Academy of Engineering Singapore.
Abstract: Modern computing platforms are becoming more complex, and thus more prone to new bugs. An emerging class of sophisticated attacks exploits cross-layer bugs, originating deep in the hardware, that leverage subtle interactions between software and hardware. This growing threat has recently been demonstrated by a series of real-world exploits that affected all major hardware vendors. Patching hardware bugs is not always possible, and can potentially result in a product recall.
In this talk we take a deep dive into the security of modern processors’ design and implementation from a hardware designer’s perspective: we showcase how different software-exploitable hardware bugs, undetected by current hardware security verification techniques, can be exploited to mount critical attacks. Inspired by real-world vulnerabilities and insights from our collaborators at Intel, we constructed the first representative testbed of real-world software-exploitable RTL bugs based on open-source RISC-V SoCs. We conducted two extensive case studies for finding the implanted bugs: (i) an international hardware security competition, and (ii) an analysis of the effectiveness of the state-of-the-art hardware security verification typically used in industry.
We discuss the results of our case studies and investigations. We shed light on the specific limitations of these approaches to propel future research in these directions and in the open-source hardware landscape.
Bio: Ahmad-Reza Sadeghi is a professor of Computer Science at TU Darmstadt, Germany. He is the head of the Systems Security Lab at the Cybersecurity Research Center of TU Darmstadt. He is also the director of the Intel Research Institute for Collaborative Autonomous Resilient Systems (ICRI-CARS) at TU Darmstadt. He holds a Ph.D. in Computer Science from the University of Saarland, Germany. Prior to academia, he worked in R&D at telecommunications enterprises, among them Ericsson Telecommunications.
He has been continuously contributing to security and privacy research. He was Editor-In-Chief of IEEE Security and Privacy Magazine, served 5 years on the editorial board of the ACM Transactions on Information and System Security (TISSEC), and is currently on the editorial boards of ACM Books, ACM TODAES, ACM TIOT and ACM DTRAP.
For his influential research on Trusted and Trustworthy Computing he received the renowned German “Karl Heinz Beckurts” award. This award honors excellent scientific achievements with high impact on industrial innovations in Germany. In 2018 Prof. Sadeghi received the ACM SIGSAC Outstanding Contributions Award for dedicated research, education, and management leadership in the security community and for pioneering contributions in content protection, mobile security and hardware-assisted security. SIGSAC is ACM’s Special Interest Group on Security, Audit and Control.
Abstract: With the fast growth of IoT technology, ubiquitous devices and services significantly increase the complexity of cybersecurity management in enterprise networks. These devices bring not only convenience but also new security threats. In an enterprise network, thousands of devices may be connected and exposed to various cyber threats. The enterprise attack surface includes all the ways in which an adversary can attack an enterprise. Tens of thousands of new CVEs (Common Vulnerabilities and Exposures) are found each year, but their patches often lag far behind. This large number of unpatched vulnerabilities, along with many other attack methods such as phishing, mutated malware, system misconfigurations, social engineering and insider threats, can significantly increase the risk to an enterprise. As many security experts agree, given enough time and effort, anything can be breached. The game of spear and shield does not seem to have an end, at least not any time soon. Conventional perimeter defensive mechanisms can be evaded and, due to their complexity, cannot be administered manually. To cope with these problems, new solutions are needed to enable management of complex and heterogeneous enterprise networks.

In this talk, we introduce the challenges and opportunities of offensive and defensive techniques for an enterprise network. Case studies of offensive techniques, such as vulnerability assessment and penetration testing, against enterprise networks will be given. These offensive methods can complement, but not replace, defensive mechanisms in the system development life cycle for security assurance. On the other hand, fractured point solutions leave enterprises exposed and limit economies of scale. According to recent reports from security service providers, it may in many cases take months or sometimes years to discover that devices in an enterprise have been infected.
This motivates the need for comprehensive defense strategies and measures for holistic improvement. It is important for an enterprise to have a comprehensive, systematic, and near real-time view of its threat level and breach risk, along with specific prioritized insights and integrations that enable it to improve its cybersecurity posture. With real-time visibility and measures, a cyber-resilient enterprise network can be built and effectively controlled in line with the enterprise's core values to maximize the effectiveness of its investment.
Bio: Shieh received his M.S. and Ph.D. degrees in electrical and computer engineering from the University of Maryland, College Park. Shieh is currently a University Chair Professor of National Chiao Tung University (NCTU), and adjunct Chair Professor of Chung Yuan Christian University. He has served as an advisor to the National Security Council of Taiwan, as chair of the Computer Science Department at NCTU, and as President of the Chinese Cryptology and Information Security Association (CCISA). Being actively involved in IEEE, he has served as Editor-in-Chief of the IEEE Reliability Society Newsletter, as Reliability Society VP Tech and Fellow Evaluation Committee Chair, as Editor of IEEE Transactions on Reliability and IEEE Transactions on Dependable and Secure Computing, and as founding Steering Committee Chair of the IEEE Conference on Dependable and Secure Computing. In ACM, he has also served as a member of the ACM SIGSAC Awards Committee, as Associate Editor of ACM Transactions on Information and System Security, and as founding Steering Committee and TPC chair of the ACM Symposium on Information, Computer and Communications Security (ASIACCS). Along with Virgil Gligor of Carnegie Mellon University, he was granted the first US patent in intrusion detection, and he has published 200 technical papers, patents, and books. Being well recognized in the network security field, Shieh has received many awards, e.g., the IEEE Reliability Society Engineer of the Year Award and Taiwan's Ministry of Science and Technology Outstanding Research Award. He is an IEEE Fellow and an ACM Distinguished Scientist. His research interests include intrusion detection, penetration testing, user behavior analytics, and malware behavior analysis. Contact him at email@example.com.