Winter 2020 SoS Quarterly Lablet Meeting

Winter 2020 Lablet Quarterly Meeting

The Winter 2020 Science of Security and Privacy (SoS) Quarterly Lablet meeting was held at North Carolina State University (NCSU) on January 15-16, 2020. The Quarterly meeting was hosted by NCSU Principal Investigators (PIs) Laurie Williams and Munindar Singh and featured invited presentations by representatives from government, academia, and industry as well as a mix of Lablet project presentations and a poster session. This Lablet Quarterly also introduced PechaKucha presentations, providing each speaker, all NCSU students, five minutes to cover their topic.

Invited Presentations

Neal Ziring, Technical Director for NSA’s Cybersecurity Directorate, gave a presentation entitled “ ‘Deep’ Thoughts on Information Sharing.” He provided an overview of the Cybersecurity Directorate’s key missions, and emphasized that information sharing will help empower all stakeholders. The four ‘deep’ topics he cited were: 1) assessing information sharing/the axes of assessment; 2) a simple capability-centric model for sharing participants; 3) the importance of standardization; and 4) a vision for shared awareness and coordinated action.

Mike Bender, Director of the joint NSA-NCSU Laboratory for Analytic Sciences, spoke about data breaches and their impact in a presentation entitled “The Weakest Link.” He noted that protecting privacy, shielding intellectual property, and securing IT infrastructure are becoming more difficult and discussed the analytic challenges to addressing these problems, including how to optimize algorithms in the analysis since you never have all the data you need.

In a presentation entitled “Zero Trust 101: An Evolution in Enterprise Cybersecurity,” Alper Kerman and Scott Rose of NIST discussed the NIST Special Publication Zero Trust Architecture (ZTA) which is the product of a multi-agency collaboration overseen by the Federal CIO Council. While not intended to be a single deployment plan for ZTA, the publication describes ZTA strategies for enterprise network architectures and provides a roadmap to migrate and deploy ZTA concepts to an enterprise network.

Anthony Grieco, Trust Strategy Officer at Cisco spoke on “Building Trust into the Future,” and addressed what Cisco is doing to enhance trust relationships with its customers. He described the way Cisco is building resilience into their solutions based on the foundation of trust and noted that they want to make sure they have shared goals with executives that are not security people.

“Privacy in a Decentralized World: Crypto Tools for blockchains, Applications, and Governance” was the title of the presentation given by Alessandra Scafuro of NCSU. Key tenets of a decentralized world include public verifiability, distributed trust, smart contracts, interoperability, and distributed governance, and she described cryptologic primitives that can enable privacy-preserving blockchain governance.

Lablet Project Presentations

Jonathan Aldrich, Carnegie Mellon University, spoke on “Usability Evaluation of the Obsidian Smart Contract Language” in which he provided the results from experiments that evaluated the usability of the final Obsidian language design, evaluating how quickly developers can learn Obsidian and whether it helps them avoid making errors when writing smart contracts. The results showed that experienced developers can learn Obsidian in about 90 minutes; developers can use Obsidian to do interesting tasks; and developers write contracts with fewer vulnerabilities than in Solidity, leading the researchers to conclude that an interdisciplinary language design approach can provide both assurance and usability. More information on this project can be found here.

Perry Alexander, Anna Fritz, and Adam Petz of University of Kansas gave a presentation entitled “The Attestation Monad – A Principal Architecture for Remote Attestation.” The research goals for the project include formal semantics of trust; verified remote attestation infrastructure; enterprise attestation and appraisal; and sufficiency and soundness of measurement.

Andy Meneely of Rochester Institute of Technology, a Sub-Lablet of NCSU, spoke on “Discovery and Attacker Behavior in a Penetration Testing Competition” in which he described the work being done analyzing over 9 TB of data collected during collegiate penetration testing competitions. The goal of the analysis is to assess discoverability via behavior, and they are in the process of developing a stochastic Markov chain model. More information on this project can be found here.

In her presentation “Analytics for Cybersecurity of Cyber-Physical Systems,” Nazli Choucri of Massachusetts Institute of Technology, a Sub-Lablet of Vanderbilt University, provided an update on the project which is focused on introducing analytics for CPS cybersecurity to enhance value of guidelines and directives. The expected product of the research is a platform for cybersecurity analytics with customized tools to support user needs. More information on this project can be found here.

David Nicol, University of Illinois at Urbana-Champaign, spoke on “Efficient Estimation of the Cyber-Attack Loss Distribution” in which he updated the work he has been doing on developing the mathematical basis for quantifying and including uncertainty into system security analysis. The current research seeks to estimate the cost of cyber attacks given uncertainty in the presence of vulnerabilities and the routing and application of access control. More information on this project can be found here.

Nick Doty, University of California, Berkeley, a Sub-Lablet of the International Computer Sciences Institute, gave a presentation entitled “Finding Solutions for Privacy Problems: Privacy Design Patterns.” In this presentation he provided a definition of design patterns and why they were important as well as the challenges associated with identifying more design patterns. More information on this project can be found here.

The complete agenda and selected talks, including the PechaKucha presentations, can be found here.

The next meeting of the SoS Lablets will be at the Hot Topics in the Science of Security: Symposium (HotSoS) which will be held at the University of Kansas, 7-8 April 2020.