Lablet Quarterly Meeting, North Carolina State University, Feb 2–3, 2016
Raleigh, NC
February 3, 2016
Researchers and NSA meet, discuss Science of Security and value of secure design
The winter 2016 quarterly Science of Security (SoS) Lablet meeting, sponsored by the National Security Agency (NSA), was hosted at North Carolina State University (NCSU) on February 2 and 3, 2016. Laurie Williams and Munindar Singh, Principal Investigators (PIs) at NCSU, hosted the event. Each Lablet and NSA provided speakers. They shared current research, presented interim findings, and stimulated thought and discussion about the Science of Security. Panel discussions and focus groups provided an opportunity for researchers to interact both with each other and with guests from the government and industry to address the hard problems of cyber security. The importance of good design was a theme that ran through the presentations.

The keynote by Henry Petroski, noted civil engineer, author and professor from Duke University, addressed the paradox between success and failure in design. Illustrating his point with historic failures in bridge design and construction, he showed how success, over time, leads to complacencies which in turn lead to failure. Conversely, failure stimulates revisions in design that can produce successes. From 1850s experience to the present, the paradox of design is that anticipating failure leads to success and successful designs evolve into failures.
Peter Loscocco of NSA presented a related keynote addressing “An Approach to Secure Design.”
The motivation for his study is that security is still lacking and that designers do not look at security from a holistic viewpoint. His approach is to examine the design process and develop a methodology. He documents a methodical process for design that can be easily taught, produces suitable designs that have been analyzed, captures the reasoning behind the design decisions, and enables understanding of the consequences of modifications. One big challenge is documentation. Using a design tree provides a tangible artifact of the design process and allows threat models to be used as assumptions.
Guided discussions and breakout groups addressed the security metrics and human aspects in security hard problems. The Security Metrics discussion addressed the importance of measurement and asked the questions: “Context always matters, so how do we protect against attacks that haven’t been thought of yet? Can metrics help? Many current metrics are on the negative side, measuring, for example, attacks, and failures, so can we develop the positive?” The human factors workshop determined that different traits make people susceptible in different ways and that cognitive modeling can help understand human interaction with security. The workshop summary is available at: https://drive.google.com/folderview?id=0ByHON_USOShec0hCUkdwSWF4RkU&usp=sharing
A panel of leading researchers from the four Lablets and guest speakers Warren Grunbok from IBM and Andrew Porter from Merck provided their views on how to transfer technology and the value of Science of Security research into the private sector. The consensus of the group was that communication and an iterative approach offer the greatest opportunities for success.
Technical research presentations included papers by each Lablet. Tao Xie, University of Illinois at Urbana–Champaign, presented his study on “AppContext: Differentiating Malicious and Benign Mobile App Behavior under Contexts.” Jonathan Aldrich, Carnegie Mellon University (CMU), presented “Capability-Based Architectural Control.” A study of user-generated pattern passwords was presented by University of Maryland-affiliated researcher Adam Aviv from the US Naval Academy. Robert Proctor, an NCSU cognitive psychologist, addressed ways for people to detect phishing attacks.
Adam Tagert, from the NSA Research Directorate, spoke on human subject research procedures at DoD and how to coordinate with university institutional review boards. Beth Richards, Laboratory for Analytic Studies (LAS), described LAS as an NSA lab that uses non-traditional data and approaches from open sources to get to “anticipating,” that is, to move from reaction to or observation of threats and attacks toward anticipating them, in order to get ahead of the foreign adversary and to run at scale and speed, since the nature of the threat requires a real-time response.
Updates on progress in measuring advancement in SoS were presented by Jeffrey Carver, University of Alabama, and on evaluation of the research and research publications by Lindsey McGowan, NCSU. Carver’s talk reviewed a rubric-based method of evaluating the scientific content of articles published in IEEE Security & Privacy.
More than a dozen excellent student poster presentations provided an opportunity to see a range of Science of Security research and discuss issues, methods and findings.
The annual Symposium and Bootcamp on the Science of Security (HotSoS) will be held April 19–21, 2016 at Carnegie Mellon University in Pittsburgh. The next Lablet Quarterly Meeting will be held July 19–20, 2016 at the University of Illinois Urbana–Champaign.
During the business sessions of the Lablet Quarterly Meeting, the NSA Research Directorate presented the Science of Security (SoS) Initiative Annual Report 2015 to the Lablet PIs. Shown on the right are Bill Scherlis and Laurie Williams, Principal Investigators at CMU and NCSU, holding the report.
(ID#: 16-8565)
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.