Program
Monday | June 17, 2024 |
---|---|
09:45–10:00 | OPENING REMARKS |
10:00–11:00 | Ethical Frameworks and Computer Security Trolley Problems<br>Tadayoshi Kohno, University of Washington |
11:00–11:30 | COFFEE BREAK |
11:30–12:30 | Side-channel-free software, are we there yet?<br>Clémentine Maurice, CNRS (remotely) |
12:30–14:00 | LUNCH |
14:00–15:00 | How I learned to stop worrying and love the insecure hardware<br>Kaveh Razavi, ETH Zürich (remotely) |
15:00–16:00 | On Kernel's Safety in the Spectre Era<br>Tamara Rezk, Inria |
16:00–16:30 | COFFEE BREAK |
16:30–17:30 | Verified Software Security Down to Gates<br>Caroline Trippel, Stanford University (remotely) |
BREAK | |
19:00 | SPEAKERS’ DINNER |
Tuesday | June 18, 2024 |
---|---|
10:00–11:00 | Incentives for cryptanalysis research<br>Nadia Heninger, University of California, San Diego |
11:00–11:30 | COFFEE BREAK |
11:30–12:30 | For All Tomorrow's Survivors: Building Clinical Interventions for Technology Abuse<br>Thomas Ristenpart, Cornell Tech and Cornell University |
12:30–14:00 | LUNCH |
14:00–15:00 | FRAMESHIFTER: Security Implications of HTTP/2-to-HTTP/1 Conversion Anomalies<br>Engin Kirda, Northeastern University |
15:00–16:00 | Efficient and Scalable Fuzzing of Complex Software Systems<br>Thorsten Holz, CISPA – Helmholtz Center for Information Security |
16:00–16:30 | COFFEE BREAK |
16:30–17:30 | The UI Is Part of The System: Security, Privacy, and Safety in User Interfaces and Interactions<br>Franziska Roesner, University of Washington (remotely) |
Abstracts
Monday – June 17, 2024
10:00–11:00
Ethical Frameworks and Computer Security Trolley Problems
Tadayoshi Kohno
The computer security research community regularly tackles ethical questions. The field of ethics / moral philosophy has for centuries considered what it means to be "morally good" or at least "morally allowed / acceptable". Among philosophy's contributions are (1) frameworks for evaluating the morality of actions—including the well-established consequentialist and deontological frameworks—and (2) scenarios (like trolley problems) featuring moral dilemmas that can facilitate discussion about and intellectual inquiry into different perspectives on moral reasoning and decision-making. In a classic trolley problem, consequentialist and deontological analyses may render different outcomes.
In this talk, I will discuss collaborative work with Yasemin Acar (Paderborn University) and Wulf Loh (University of Tübingen) in which we explicitly make and explore connections between moral questions in computer security research and ethics / moral philosophy. I will discuss the creation and analysis of trolley problem-like computer security-themed moral dilemmas. Our vision is for our work to be broadly useful to the computer security community, including to researchers as they embark on (or choose not to embark on), conduct, and write about their research, to program committees as they evaluate submissions, and to educators as they teach about computer security and ethics.
11:30–12:30
Side-channel-free software, are we there yet?
Clémentine Maurice
Over the past decade, many different automated approaches have been developed to detect side-channel vulnerabilities in cryptographic libraries. However, despite this abundance of tools, side-channel vulnerabilities are still regularly (and manually) found in cryptographic libraries. In this talk, we will investigate this paradox. We begin with a survey and classification of recently published side-channel vulnerabilities and side-channel detection tools. We propose a unified benchmark, and our evaluation suggests several reasons why existing tools may struggle to find vulnerabilities. We conclude by analyzing the impact of recent attacks on such automated detection tools.
14:00–15:00
How I learned to stop worrying and love the insecure hardware
Kaveh Razavi
In this talk, I will provide an overview of our recent efforts that led to novel hardware attacks that compromise commodity systems despite the deployed software and hardware mitigations. I will then discuss the design of principled mitigations and novel testing techniques against these hardware vulnerabilities.
15:00–16:00
On Kernel's Safety in the Spectre Era
Tamara Rezk
The efficacy of address space layout randomization has been formally demonstrated in a shared-memory model by Abadi et al., contingent on specific assumptions about victim programs. However, modern operating systems, implementing layout randomization in the kernel, diverge from these assumptions and operate on a separate memory model with communication through system calls.
Moreover, in practice, speculative execution and side-channels are recognized threats to layout randomization.
In this talk, we will discuss these threats and explore possible paths to recover kernel safety in the Spectre era.
16:30–17:30
Verified Software Security Down to Gates
Caroline Trippel
Virtually all hardware side-channel defenses assume the availability of microarchitectural leakage contracts, which characterize a microarchitecture's transmitters (i.e., instructions that leak at least one “unsafe” operand via hardware side-channels). Defenses against transient execution attacks, in particular, also rely on microarchitectural execution contracts to characterize a microarchitecture’s control- and data-flow semantics, taking into account transient execution brought on by hardware faults or mis-predictions.
Compared to execution contracts, leakage contracts are relatively mature. Several leakage contracts have emerged in academic literature and/or industry documentation to support a variety of performant hardware side-channel defenses. However, an automated approach for formally verifying hardware adherence to a given leakage contract remains elusive. Execution contracts, on the other hand, are less well-established. In particular, it is unclear how best to restrict microarchitectural control- and data-flow so that defenses against transient execution attacks are both feasible and performant.
In this talk, I will present our work on addressing both challenges above. First, I will discuss an automated approach and tool for formally verifying that a given SystemVerilog processor design implements the leakage contract(s) it claims to. Then, I will present our work on designing a novel execution contract, which enables efficient defenses against Spectre attacks in software, and a corresponding compiler defense for hardening constant-time code (e.g., crypto code) against Spectre on hardware that satisfies it.
Tuesday – June 18, 2024
10:00–11:00
Incentives for cryptanalysis research
Nadia Heninger
This talk is a meditation on incentives for and against research in cryptanalysis, and how this affects progress and confidence in different algorithms.
11:30–12:30
For All Tomorrow's Survivors: Building Clinical Interventions for Technology Abuse
Thomas Ristenpart
In this talk I'll make the case that we should professionalize support for people suffering from technology abuse. Over time, society has invented professional roles to help people with complex problems: doctors, lawyers, mechanics, IT support, etc. I think we need analogous roles to help with technology abuse.
This perspective rises out of our experience doing research and advocacy in the context of intimate partner violence (IPV). IPV is a widespread social ill affecting about one in four women and one in ten men at some point in their lives. Via interviews with survivors and professionals, online measurement studies, and reverse engineering of malicious tools, our research has provided a granular view of technology abuse in IPV contexts. This has helped educate our efforts on intervention design, most notably in the form of what we call clinical computer security: direct, expert assistance to help survivors navigate technology abuse. Our work led to establishing the Clinic to End Tech Abuse, which has so far worked to help hundreds of survivors of IPV in New York City, and which we view as an early effort towards professionalizing tech abuse support.
The talk will include content on abuse, including discussion of physical, sexual, and emotional violence.
14:00–15:00
FRAMESHIFTER: Security Implications of HTTP/2-to-HTTP/1 Conversion Anomalies
Engin Kirda
HTTP/2 adoption is rapidly climbing. However, in practice, Internet communications still rarely happen over end-to-end HTTP/2 channels. This is due to Content Delivery Networks and other reverse proxies, ubiquitous and necessary components of the Internet ecosystem, which only support HTTP/2 on the client’s end, but not the forward connection to the origin server. Instead, proxy technologies predominantly rely on HTTP/2-to-HTTP/1 protocol conversion between the two legs of the connection. I present the first systematic exploration of HTTP/2-to-HTTP/1 protocol conversion anomalies and their security implications. We developed a novel grammar-based fuzzer for HTTP/2, experimented with 12 popular reverse proxy technologies & CDNs through HTTP/2 frame sequence and content manipulation, and discovered a plethora of novel web application attack vectors that lead to Request Blackholing, Denial-of-Service, Query-of-Death, and Request Smuggling attacks.
15:00–16:00
Efficient and Scalable Fuzzing of Complex Software Systems
Thorsten Holz
In recent years, randomized testing, commonly known as "fuzzing", has gained significant traction as an effective method for identifying bugs in a wide variety of systems. In this talk, I will present an overview of our recent progress in fuzzing and some of the methods we have developed over the past few years. Our work includes fuzzing web browsers, operating system kernels, hypervisors, and embedded systems. I will also introduce a new perspective on generating input for highly complex formats without relying on heavyweight program analysis techniques, coarse-grained grammar approximations, or human domain experts. Finally, I will conclude the talk with an outlook on open challenges and future research directions in the evolving landscape of software security and testing.
16:30–17:30
The UI Is Part of The System: Security, Privacy, and Safety in User Interfaces and Interactions
Franziska Roesner
When we think of “systems security”, we often think of the parts of the system below the level of the user interface, where the UI merely serves to transmit information to and from the user. However, the design and architecture of the UI can be integral to a system’s security, privacy, and safety properties, requiring or creating opportunities for co-design. In this talk, I will give several examples in different contexts, drawing on our recent work on security and privacy in mixed/augmented reality platforms, LLM-based platforms, and deceptive and manipulative design in several ecosystems.