Winter '21 SoS Quarterly Meeting

Date: Jan 12, 2021 10:00 am – Jan 13, 2021 3:00 pm
Location: Hopin Virtual Platform

2021 Winter Science of Security and Privacy Quarterly Meeting


The 2021 Winter Science of Security and Privacy Quarterly Meeting
will be hosted virtually by the Vanderbilt Lablet on January 12 and 13.

Registration:

Register to Attend (Register by January 10, 2021) - Please note that if you are registering after the deadline, your link to join the meeting will be sent to you as soon as possible after you register.

Program:

DAY 1 - TUESDAY, JANUARY 12

Time (EST)  
1100 - 1115 Welcome and Opening Remarks
1115 - 1200 NSA Champions Panel
1200 - 1230 Secure Native Binary Executions
Prasad Kulkarni (KU)
1230 - 1315 BREAK
1315 - 1345 How Do Home Computer Users Browse the Web?
Kyle Crichton (CMU)
1345 - 1415 A Qualitative Model of Older Adults’ Contextual Decision-Making About Information Sharing
Alisa Frik (ICSI)
1415 - 1515 Networking

DAY 2 - WEDNESDAY, JANUARY 13

Time (EST)  
1100 - 1145 Invited Talk: Formal Methods@Scale
Brad Martin (NSA)
1145 - 1215 Resilient distributed optimization and learning in networked cyber-physical systems
Xenofon Koutsoukos (VU)
1215 - 1300 BREAK
1300 - 1330 Deriving Vulnerability Discoverability Insights from a Penetration Testing Competition
Andy Meneely (RIT)
1330 - 1400 Accelerating Autonomous System Verification Using Symmetry
Hussein Sibai (UIUC)
1400 - 1500 ADJOURN
1400 Closed PI Meeting
1515 Business Managers Meeting

Virtual Venue

The meeting will be held on the Hopin virtual platform. You must register to gain access to the virtual meeting. Instructions for joining will be sent in the week prior to the meeting.

Hopin runs entirely in the browser. Chrome or Firefox is recommended for the best experience. An internet connection that allows you to participate in a Google Meet or Zoom call will be sufficient for the Hopin platform. Dial-in is not supported.

Presentations

Titles are linked to slide decks, if available.

Secure Native Binary Executions
Prasad Kulkarni
12:00 PM Tuesday, January 12, 2021

Typically, securing software is the responsibility of the software developer. The customer or end-user of the software does not control or direct the steps taken by the developer to employ best practice coding styles or mechanisms to ensure software security and robustness. Current systems and tools also do not provide the end-user with an ability to determine the level of security in the software they use. At the same time, any flaws or security vulnerabilities ultimately affect the end-user of the software.

The goal of this project is to develop a high-performance framework for client-side security assessment and enforcement for binary software. Our research is developing new tools and techniques to: (a) assess the security level of binary executables, and (b) enhance the security level of binary software, when and as desired by the user to protect the binary against various classes of security issues. Our framework will provide greater control to the end-user to actively assess and secure the software they use.

How Do Home Computer Users Browse the Web?
Kyle Crichton
1:15 PM Tuesday, January 12, 2021

With the ubiquity of web tracking, information on how people navigate the internet is abundantly collected yet, due to its proprietary nature, rarely distributed. As a result, our understanding of user browsing primarily derives from small-scale studies conducted over a decade ago. To provide an updated perspective, we analyzed data from 257 participants who consented to have their home computer and browsing behavior monitored through the Security Behavior Observatory. Compared to previous work, we find a substantial increase in tabbed browsing and demonstrate the need to include tab information for accurate web measurements. Our results confirm that user browsing is highly centralized, with 50% of internet use spent on 1% of visited websites. However, we also find that users spend a disproportionate amount of time on low-visited websites, areas associated with riskier content. We then identify the primary gateways to these sites and discuss implications for future security research.

A Qualitative Model of Older Adults’ Contextual Decision-Making About Information Sharing
Alisa Frik
1:45 PM Tuesday, January 12, 2021

The sharing of information between older adults and their friends, families, caregivers, and doctors promotes a collaborative approach to managing their emotional, mental, and physical well-being and health, prolonging independent living and improving care quality and quality of life in general. However, information flow in collaborative systems is complex, not always transparent to elderly users, and may raise privacy and security concerns. Because older adults’ decisions about whether to engage in information exchange affects interpersonal communications and delivery of care, it is important to understand the factors that influence those decisions. While a body of existing literature has explored the information sharing expectations and preferences of the general population, specific research on the perspectives of older adults is less comprehensive. Our work contributes empirical evidence and suggests a systematic approach. In this paper, we present the results of semi-structured interviews with 46 older adults age 65+ about their views on information collection, transmission, and sharing using traditional ICT and emerging technologies (such as smart speakers, wearable health trackers, etc.). Based on analysis of this qualitative data, we develop a detailed model of the contextual factors that combine in complex ways to affect older adults’ decision-making about information sharing. We also discuss how our comprehensive model compares to existing frameworks for analyzing information sharing expectations and preferences. Finally, we suggest directions for future research and describe practical implications of our model for the design and evaluation of collaborative information-sharing systems, as well as for policy and consumer protection.

Invited Talk: Formal Methods@Scale
Brad Martin
11:00 AM Wednesday, Jan 13, 2021

Two workshops were convened in 2019 on the topic of Formal Methods at Scale. Participants from U.S. industry, government, and academia gathered to discuss recent advances in the application of formal methods at scale and prospects for the future. The workshops showcased excitement in the community regarding the advances in formal methods technology, the scale of existing applications, and the potential for a new and broader scope for formal methods applications. Specific topics discussed included improvements in tools, practices, and training, and characteristics of existing and emerging applications, ultimately pointing the way toward opportunities for additional actions with the potential for positive impact.

Resilient distributed optimization and learning in networked cyber-physical systems
Xenofon Koutsoukos
11:45 AM Wednesday, Jan 13, 2021

Distributed optimization and machine learning algorithms are increasingly used in cyber-physical systems such as power grids and multi-robot systems. However, such distributed algorithms are not resilient in the presence of adversarial attacks. This talk presents a number of novel distributed algorithms with improved resilience guarantees. First, we consider the vector consensus problem in networks with adversarial agents and we propose a resilient algorithm based on the notion of centerpoint, which is an extension of the median in higher dimensions. Using centerpoint-based aggregation, we present a distributed implementation of stochastic gradient descent (SGD) in a multi-agent network. Further, we present an approach for Byzantine resilient distributed multi-task learning. We demonstrate the algorithms and evaluate their performance with numerical simulations, target pursuit and pattern recognition examples in multi-robot systems, and case studies that include regression and classification tasks.

Deriving Vulnerability Discoverability Insights from a Penetration Testing Competition
Andy Meneely
1:00 PM Wednesday, Jan 13, 2021

Security practitioners leverage vulnerability assessment to determine which types of software vulnerabilities to address first. Vulnerability assessment tools, such as the Common Weakness Scoring System, and security organizations, such as the Open Web Application Security Project, suggest the likelihood of a vulnerability being discovered—discoverability—as a useful metric for prioritizing vulnerabilities to identify and fix in software. However, quantifying discoverability is a difficult task that often involves subjective expert opinions due to a lack of reporting for vulnerability discovery dates. In this work, we examine the details of vulnerability discovery and attacker behavior with the goal of improving existing vulnerability assessment processes by providing methods and metrics to quantify discoverability using data from the Collegiate Penetration Testing Competition (CPTC). To that end, we constructed 99 timelines, consisting of 417 events, of vulnerability discovery and exploit for 37 unique vulnerabilities discovered by ten teams of college-aged penetration testers at the 2019 CPTC nationals event. We grouped related vulnerabilities together by mapping to Common Weakness Enumerations, which also enabled us to examine vulnerability mitigation strategies. Finally, we translated timeline events to MITRE ATT&CK™ tactics and techniques, which allowed us to study attacker behavior. We found that (1) vulnerabilities related to protection mechanism failure (e.g. lack of SSL/TLS) and improper neutralization (e.g. SQL injection) are discovered faster than others, (2) vulnerabilities related to protection mechanism failure and improper resource control (e.g. user sessions) are discovered more often and are exploited more easily than others, and (3) there is a clear process followed by penetration testers of discovery/collection to lateral movement/pre-attack. Our methodology is repeatable and we have begun automating it to facilitate quicker analysis of vulnerabilities in future CPTC events.
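The abstract above describes a three-step analysis: build per-team timelines of discovery and exploit events, group vulnerabilities by CWE, and translate events to ATT&CK tactics so the testers' progression can be read off. The following Python is an added illustration of that analysis, not the authors' tooling or the CPTC data; every event, timestamp, CWE id and tactic label below is constructed sample input, and the summary metrics (median minutes to first discovery, number of teams that found something in a group, and share of discoveries followed by an exploit) are this example's own choices for making the "discovered faster" and "exploited more easily" comparisons concrete.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Event:
    """One timeline event: a team discovering or exploiting a vulnerability."""
    team: str
    vuln_id: str
    cwe: str      # CWE the vulnerability was mapped to (the grouping key)
    kind: str     # "discover" or "exploit"
    tactic: str   # ATT&CK tactic the event was translated to
    at: datetime


# Constructed sample data: a hypothetical competition start and a handful of
# timeline events for four made-up vulnerabilities found by three teams.
START = datetime(2021, 1, 1, 9, 0)


def t(hour, minute):
    return datetime(2021, 1, 1, hour, minute)


EVENTS = [
    Event("A", "V1", "CWE-319", "discover", "Discovery", t(9, 20)),
    Event("A", "V1", "CWE-319", "exploit", "Collection", t(9, 35)),
    Event("B", "V1", "CWE-319", "discover", "Discovery", t(9, 30)),
    Event("B", "V1", "CWE-319", "exploit", "Lateral Movement", t(9, 50)),
    Event("A", "V2", "CWE-89", "discover", "Discovery", t(9, 40)),
    Event("A", "V2", "CWE-89", "exploit", "Initial Access", t(10, 10)),
    Event("C", "V2", "CWE-89", "discover", "Discovery", t(11, 30)),
    Event("B", "V4", "CWE-319", "discover", "Discovery", t(10, 0)),
    Event("B", "V3", "CWE-613", "discover", "Discovery", t(10, 20)),
    Event("B", "V3", "CWE-613", "exploit", "Lateral Movement", t(10, 50)),
    Event("A", "V3", "CWE-613", "discover", "Discovery", t(11, 0)),
]


def minutes_since_start(ts, start=START):
    return (ts - start).total_seconds() / 60


def first_discovery(events, start=START):
    """Minutes from competition start until the first team found each vulnerability."""
    first = {}
    for e in events:
        if e.kind != "discover":
            continue
        m = minutes_since_start(e.at, start)
        if e.vuln_id not in first or m < first[e.vuln_id]:
            first[e.vuln_id] = m
    return first


def summarise_by_cwe(events, start=START):
    """Per CWE: median time-to-first-discovery across its vulnerabilities, number
    of distinct teams that found one, and the share of (team, vuln) discoveries
    that were followed by an exploit event by the same team."""
    cwe_of = {e.vuln_id: e.cwe for e in events}
    found = first_discovery(events, start)
    discoveries = defaultdict(set)   # cwe -> {(team, vuln_id)}
    exploits = defaultdict(set)
    for e in events:
        target = discoveries if e.kind == "discover" else exploits
        target[e.cwe].add((e.team, e.vuln_id))
    summary = {}
    for cwe in discoveries:
        times = [m for v, m in found.items() if cwe_of[v] == cwe]
        exploited = discoveries[cwe] & exploits[cwe]
        summary[cwe] = {
            "median_discovery_min": median(times),
            "teams_discovering": len({team for team, _ in discoveries[cwe]}),
            "exploit_rate": len(exploited) / len(discoveries[cwe]),
        }
    return summary


def tactic_sequence(events, team):
    """Ordered ATT&CK tactics one team moved through, consecutive repeats collapsed."""
    seq = []
    for e in sorted((e for e in events if e.team == team), key=lambda e: e.at):
        if not seq or seq[-1] != e.tactic:
            seq.append(e.tactic)
    return seq


if __name__ == "__main__":
    for cwe, stats in sorted(summarise_by_cwe(EVENTS).items()):
        print(cwe, stats)
    for team in "ABC":
        print(team, " -> ".join(tactic_sequence(EVENTS, team)))
```

On the constructed input, the CWE-319 group comes out with the same median discovery time as CWE-89 but a higher exploit rate, which is the kind of per-group comparison the abstract draws; with real timelines the same functions would simply be fed more events, and the tactic sequences are what one would inspect for the discovery-to-lateral-movement progression the talk reports.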

Accelerating Autonomous System Verification Using Symmetry
Hussein Sibai
1:30 PM Wednesday, Jan 13, 2021

In this talk, I present recent successes in cyber-physical systems verification from our group. I discuss two main points: (1) In the presence of extra structural information, such as symmetry, about cyber-physical systems' dynamics, we designed caching, abstraction, and refinement methods to accelerate their safety verification. We achieved up to orders of magnitude decrease in verification time on experiments verifying autonomous drones and cars, even those with neural network-based controllers. (2) In the case of black box systems, we designed multi-armed bandits-based algorithms for their statistical model checking along with their sample complexity and regret bounds.

Questions:

If you have questions about the meeting, please contact Katie Dey: katie.dey[at]vanderbilt.edu
