Winter '21 SoS Quarterly Meeting
Date: Jan 12, 2021 10:00 am – Jan 13, 2021 3:00 pm
Location: Hopin Virtual Platform
2021 Winter Science of Security and Privacy Quarterly Meeting
The 2021 Winter Science of Security and Privacy Quarterly Meeting will be hosted virtually by the Vanderbilt Lablet on January 12 and 13.
Registration:
Register to Attend (Register by January 10, 2021) - Please note: if you are registering after the deadline, your link to join the meeting will be sent to you as soon as possible after you register.
Program:
DAY 1 - TUESDAY, JANUARY 12
Time (EST) | Session | Speaker |
1100 - 1115 | Welcome and Opening Remarks | |
1115 - 1200 | NSA Champions Panel | |
1200 - 1230 | Secure Native Binary Executions | Prasad Kulkarni (KU) |
1230 - 1315 | BREAK | |
1315 - 1345 | How Do Home Computer Users Browse the Web? | Kyle Crichton (CMU) |
1345 - 1415 | A Qualitative Model of Older Adults’ Contextual Decision-Making About Information Sharing | Alisa Frik (ICSI) |
1415 - 1515 | Networking | |
DAY 2 - WEDNESDAY, JANUARY 13
Time (EST) | Session | Speaker |
1100 - 1145 | Invited Talk: Formal Methods@Scale | Brad Martin (NSA) |
1145 - 1215 | Resilient distributed optimization and learning in networked cyber-physical systems | Xenofon Koutsoukos (VU) |
1215 - 1300 | BREAK | |
1300 - 1330 | Deriving Vulnerability Discoverability Insights from a Penetration Testing Competition | Andy Meneely (RIT) |
1330 - 1400 | Accelerating Autonomous System Verification Using Symmetry | Hussein Sibai (UIUC) |
1400 - 1500 | ADJOURN | |
1400 | Closed PI Meeting | |
1515 | Business Managers Meeting | |
Virtual Venue
The meeting will be held on the Hopin virtual platform. You must register to gain access to the virtual meeting. Instructions for joining will be sent in the week prior to the meeting.
Hopin runs entirely in the browser. Chrome or Firefox is recommended for the best experience. An internet connection that allows you to participate in a Google Meet or Zoom call will be sufficient for the Hopin platform. Dial-in is not supported.
Presentations
Titles are linked to slide decks, if available
Secure Native Binary Executions
Prasad Kulkarni
12:00 PM Tuesday, January 12, 2021
Typically, securing software is the responsibility of the software developer. The customer or end-user of the software does not control or direct the steps taken by the developer to employ best practice coding styles or mechanisms to ensure software security and robustness. Current systems and tools also do not provide the end-user with an ability to determine the level of security in the software they use. At the same time, any flaws or security vulnerabilities ultimately affect the end-user of the software.
The goal of this project is to develop a high-performance framework for client-side security assessment and enforcement for binary software. Our research is developing new tools and techniques to: (a) assess the security level of binary executables, and (b) enhance the security level of binary software, when and as desired by the user to protect the binary against various classes of security issues. Our framework will provide greater control to the end-user to actively assess and secure the software they use.
How Do Home Computer Users Browse the Web?
Kyle Crichton
1:15 PM Tuesday, January 12, 2021
With the ubiquity of web tracking, information on how people navigate the internet is abundantly collected yet, due to its proprietary nature, rarely distributed. As a result, our understanding of user browsing primarily derives from small-scale studies conducted over a decade ago. To provide an updated perspective, we analyzed data from 257 participants who consented to have their home computer and browsing behavior monitored through the Security Behavior Observatory. Compared to previous work, we find a substantial increase in tabbed browsing and demonstrate the need to include tab information for accurate web measurements. Our results confirm that user browsing is highly centralized, with 50% of internet use spent on 1% of visited websites. However, we also find that users spend a disproportionate amount of time on low-visited websites, areas associated with riskier content. We then identify the primary gateways to these sites and discuss implications for future security research.
A Qualitative Model of Older Adults’ Contextual Decision-Making About Information Sharing
Alisa Frik
1:45 PM Tuesday, January 12, 2021
The sharing of information between older adults and their friends, families, caregivers, and doctors promotes a collaborative approach to managing their emotional, mental, and physical well-being and health, prolonging independent living and improving care quality and quality of life in general. However, information flow in collaborative systems is complex, not always transparent to elderly users, and may raise privacy and security concerns. Because older adults’ decisions about whether to engage in information exchange affect interpersonal communications and delivery of care, it is important to understand the factors that influence those decisions. While a body of existing literature has explored the information sharing expectations and preferences of the general population, specific research on the perspectives of older adults is less comprehensive. Our work contributes empirical evidence and suggests a systematic approach. In this paper, we present the results of semi-structured interviews with 46 older adults age 65+ about their views on information collection, transmission, and sharing using traditional ICT and emerging technologies (such as smart speakers, wearable health trackers, etc.). Based on analysis of this qualitative data, we develop a detailed model of the contextual factors that combine in complex ways to affect older adults’ decision-making about information sharing. We also discuss how our comprehensive model compares to existing frameworks for analyzing information sharing expectations and preferences. Finally, we suggest directions for future research and describe practical implications of our model for the design and evaluation of collaborative information-sharing systems, as well as for policy and consumer protection.
Invited Talk: Formal Methods@Scale
Brad Martin
11:00 AM Wednesday, Jan 13, 2021
Two workshops were convened in 2019 on the topic of Formal Methods at Scale. Participants from U.S. industry, government, and academia gathered to discuss recent advances in the application of formal methods at scale and prospects for the future. The workshops showcased excitement in the community regarding the advances in formal methods technology, the scale of existing applications, and potential for a new and broader scope for formal methods applications. Specific topics discussed included improvements in tools, practices, and training and characteristics of existing and emerging applications, ultimately pointing the way towards opportunities for additional actions with the potential for positive impact.
Resilient distributed optimization and learning in networked cyber-physical systems
Xenofon Koutsoukos
11:45 AM Wednesday, Jan 13, 2021
Distributed optimization and machine learning algorithms are increasingly used in cyber-physical systems such as power grids and multi-robot systems. However, such distributed algorithms are not resilient in the presence of adversarial attacks. This talk presents a number of novel distributed algorithms with improved resilience guarantees. First, we consider the vector consensus problem in networks with adversarial agents and we propose a resilient algorithm based on the notion of centerpoint, which is an extension of the median in higher dimensions. Using centerpoint-based aggregation, we present a distributed implementation of stochastic gradient descent (SGD) in a multi-agent network. Further, we present an approach for Byzantine resilient distributed multi-task learning. We demonstrate the algorithms and evaluate their performance with numerical simulations, target pursuit and pattern recognition examples in multi-robot systems, and case studies that include regression and classification tasks.
Deriving Vulnerability Discoverability Insights from a Penetration Testing Competition
Andy Meneely
1:00 PM Wednesday, Jan 13, 2021
Security practitioners leverage vulnerability assessment to determine which types of software vulnerabilities to address first. Vulnerability assessment tools, such as the Common Weakness Scoring System, and security organizations, such as the Open Web Application Security Project, suggest the likelihood of a vulnerability being discovered—discoverability—as a useful metric for prioritizing vulnerabilities to identify and fix in software. However, quantifying discoverability is a difficult task that often involves subjective expert opinions due to a lack of reporting for vulnerability discovery dates. In this work, we examine the details of vulnerability discovery and attacker behavior with the goal of improving existing vulnerability assessment processes by providing methods and metrics to quantify discoverability using data from the Collegiate Penetration Testing Competition (CPTC). To that end, we constructed 99 timelines, consisting of 417 events, of vulnerability discovery and exploit for 37 unique vulnerabilities discovered by ten teams of college-aged penetration testers at the 2019 CPTC nationals event. We grouped related vulnerabilities together by mapping to Common Weakness Enumerations, which also enabled us to examine vulnerability mitigation strategies. Finally, we translated timeline events to MITRE ATT&CK™ tactics and techniques, which allowed us to study attacker behavior. We found that (1) vulnerabilities related to protection mechanism failure (e.g. lack of SSL/TLS) and improper neutralization (e.g. SQL injection) are discovered faster than others, (2) vulnerabilities related to protection mechanism failure and improper resource control (e.g. user sessions) are discovered more often and are exploited more easily than others, and (3) there is a clear process followed by penetration testers of discovery/collection to lateral movement/pre-attack. Our methodology is repeatable and we have begun automating it to facilitate quicker analysis of vulnerabilities in future CPTC events.
Accelerating Autonomous System Verification Using Symmetry
Hussein Sibai
1:30 PM Wednesday, Jan 13, 2021
In this talk, I present recent successes in cyber-physical systems verification from our group. I discuss two main points: (1) In the presence of extra structural information, such as symmetry, about cyber-physical systems’ dynamics, we designed caching, abstraction, and refinement methods to accelerate their safety verification. We achieved up to orders of magnitude decrease in verification time on experiments verifying autonomous drones and cars, even those with neural network-based controllers. (2) In the case of black box systems, we designed multi-armed bandits-based algorithms for their statistical model checking along with their sample complexity and regret bounds.
Questions:
If you have questions about the meeting, please contact Katie Dey: katie.dey[at]vanderbilt.edu
Submitted by Katie Dey
on