Trust and Security/Science of Security Seminar: Towards a Secure and Resilient Industrial Control System with Software-Defined Networking

  • Posted on February 23, 2016 at 10:25 am by amyclay@illinois.edu.
  • Categorized Events.

Dong (Kevin) Jin, Illinois Institute of Technology
March 15, 2016, 4:00 p.m., Coordinated Science Lab Auditorium (B02)

slides | video

Abstract: Modern industrial control systems (ICSes) are increasingly adopting Internet technology to boost control efficiency, which unfortunately opens up a new frontier for cyber-security. People have typically applied existing Internet security techniques, such as firewalls, or anti-virus or anti-spyware software. However, those security solutions can only provide fine-grained protection at single devices. To address this, we design a novel software-defined networking (SDN) architecture that offers the global visibility of a control network infrastructure, and we investigate innovative SDN-based applications with the focus of ICS security, such as network verification and self-healing phasor measurement unit (PMU) networks. We are also conducting rigorous evaluation using the IIT campus microgrid as well as a high-fidelity testbed combining network emulation and power system simulation.

Bio: Dong (Kevin) Jin is an Assistant Professor in the Computer Science Department at the Illinois Institute of Technology. He obtained his Ph.D. in Electrical and Computer Engineering from the University of Illinois at Urbana-Champaign in 2013. His research interests include trustworthy cyber-physical critical infrastructures, simulation modeling and analysis, software-defined networking, and cyber-security. He received the best paper awards at the ACM SIGSIM Conference on Principles of Advanced and Distributed Simulation (PADS) in 2012 and 2015.

Science of Security Speaker Series: Secure Positioning: From GPS to IoT Applications

  • Posted on February 22, 2016 at 5:25 pm by amyclay@illinois.edu.
  • Categorized Events.

Srdjan Capkun, ETH Zurich
March 30, 2016, 4:00 p.m., 2405 Siebel Center

video

Abstract: In this talk I will review security issues in today’s navigation and close-range positioning systems. I will discuss why GNS systems like GPS are hard to fully secure and will present novel solutions that can be used to improve the robustness of GNS systems to attacks. I will then show how a different design of a positioning system can enable secure positioning, but also that this requires solving a set of relevant physical- and logical-layer challenges. Finally I will present a design and implementation of a fully integrated IR UWB secure distance measurement (distance bounding) system that solves these challenges and enables secure distance measurement and secure positioning in IoT applications.

Bio: Srdjan Čapkun is a Full Professor in the Department of Computer Science, ETH Zurich and Director of the Zurich Information Security and Privacy Center (ZISC). He was born in Split, Croatia where he received his Dipl.Ing. Degree in Electrical Engineering / Computer Science from the University of Split in 1998. He received his Ph.D. degree in Communication Systems from EPFL in 2004. Prior to joining ETH Zurich in 2006 he was a postdoctoral researcher in the Networked & Embedded Systems Laboratory (NESL), University of California Los Angeles and an Assistant Professor in the Informatics and Mathematical Modelling Department, Technical University of Denmark (DTU). His research interests are in system and network security. He is a co-founder of 3db Access, a startup focusing on secure proximity-based access control.

Science of Security Speaker Series: Logjam: Diffie-Hellman, Discrete Logs, the NSA, and You

  • Posted on January 27, 2016 at 9:30 am by whitesel@illinois.edu.
  • Categorized Events.

J. Alex Halderman, University of Michigan
February 9, 2016, 4:00 p.m., B02 Coordinated Science Lab
Slides | Video

Abstract: Diffie-Hellman key exchange is a cornerstone of modern cryptography at the core of protocols like HTTPS and SSH.  Last year, collaborators and I discovered that Diffie-Hellman, as used in practice, is significantly less secure than widely believed. With the number field sieve algorithms, computing a single discrete log in prime fields is more difficult than factoring an RSA modulus of the same size. However, an adversary who performs a large precomputation for a prime $p$ can then quickly calculate arbitrary discrete logs in groups modulo that prime, amortizing the cost over all targets that share this parameter. Although this fact is well known among mathematical cryptographers, it seems to have been lost among practitioners.

Using these observations, we developed Logjam, an attack on TLS in which a man-in-the-middle can downgrade a connection to 512-bit “export-grade” Diffie-Hellman. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We found that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers have been changed to reject short groups.

In the more widespread case of 1024-bit Diffie-Hellman, we estimate that discrete log computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break. A small number of fixed or standardized groups are used by millions of servers, and we estimate that performing precomputation for a single 1024-bit group would allow passive eavesdropping on about 18% of popular HTTPS sites, and a second group would allow decryption of traffic to about 66% of IPsec VPNs and 26% of SSH servers. We conclude that the security community should prioritize moving to stronger key exchange methods.

Bio: J. Alex Halderman is an Associate Professor of Computer Science and Engineering at the University of Michigan and Director of Michigan’s Center for Computer Security and Society. His interests include computer and network security, Internet security measurement, censorship resistance, and electronic voting, as well as the interaction of technology with law and international affairs. Named one of Popular Science’s “Brilliant 10” for 2015, his recent projects include ZMap, Let’s Encrypt, and the Telex censorship resistance system.

ITI Joint Trust and Security/Science of Security Seminars Fall 2015

  • Posted on January 19, 2016 at 1:38 pm by whitesel@illinois.edu.
  • Categorized Events.

A Hypothesis Testing Framework for Network Security  Slides | Video
Brighten Godfrey, Associate Professor, Computer Science, University of Illinois at Urbana-Champaign
September 15, 2015, 4:00 p.m., 2405 Siebel Center

Abstract: We rely on network infrastructure to deliver critical services and ensure security. Yet networks today have reached a level of complexity that is far beyond our ability to have confidence in their correct behavior – resulting in significant time investment and security vulnerabilities that can cost millions of dollars, or worse. Motivated by this need for rigorous understanding of complex networks, I will give an overview of our Science of Security lablet project, A Hypothesis Testing Framework for Network Security.

First, I will discuss the emerging field of network verification, which transforms network security by rigorously checking that intended behavior is correctly realized across the live running network. Our research developed a technique called data plane verification, which has discovered problems in operational environments and can verify hypotheses and security policies with millisecond-level latency in dynamic networks. In just a few years, data plane verification has moved from early research prototypes to production deployment. We have built on this technique to reason about hypotheses even under the temporal uncertainty inherent in a large distributed network. Second, I will discuss a new approach to reasoning about networks as databases that we can query to determine answers to behavioral questions and to actively control the network. This talk will span work by a large group of folks, including Anduo Wang, Wenxuan Zhou, Dong Jin, Jason Croft, Matthew Caesar, Ahmed Khurshid, and Xuan Zou.

Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and Deployment in a Honey Pot Environment  Slides | Video
Eric Badger, Research Assistant, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
October 6, 2015, 4:00 p.m., 2405 Siebel Center

Abstract: This talk will explore a scalable data analytics pipeline for real-time attack detection through the use of customized honeypots at the National Center for Supercomputing Applications (NCSA). Attack detection tools are common and are constantly improving, but validating these tools is challenging. You must: (i) identify data (e.g., system-level events) that is essential for detecting attacks, (ii) extract this data from multiple data logs collected by runtime monitors, and (iii) present the data to the attack detection tools. On top of this, such an approach must scale with an ever-increasing amount of data, while allowing integration of new monitors and attack detection tools. All of these require an infrastructure to host and validate the developed tools before deployment into a production environment.

We will present a generalized architecture that aims for a real-time, scalable, and extensible pipeline that can be deployed in diverse infrastructures to validate arbitrary attack detection tools. To motivate our approach, we will show an example deployment of our pipeline based on open-sourced tools. The example deployment uses as its data sources: (i) a customized honeypot environment at NCSA and (ii) a container-based testbed infrastructure for interactive attack replay. Each of these data sources is equipped with network and host-based monitoring tools such as Bro (a network-based intrusion detection system) and OSSEC (a host-based intrusion detection system) to allow for the runtime collection of data on system/user behavior. Finally, we will present an attack detection tool that we developed and that we look to validate through our pipeline. In conclusion, the talk will discuss the challenges of transitioning attack detection from theory to practice and how the proposed data analytics pipeline can help that transition.

Accounting for User Behavior in Predictive Cyber Security Models  Slides | Video
Mohammad Noureddine, Research Assistant, Computer Science, University of Illinois at Urbana-Champaign
October 20, 2015, 4:00 p.m., 2405 Siebel Center

Abstract: The human factor is often regarded as the weakest link in cybersecurity systems. The investigation of several security breaches reveals an important impact of human errors in exhibiting security vulnerabilities. Although security researchers have long observed the impact of human behavior, few improvements have been made in designing secure systems that are resilient to the uncertainties of the human element.

In this talk, we discuss several psychological theories that attempt to understand and influence the human behavior in the cyber world. Our goal is to use such theories in order to build predictive cyber security models that include the behavior of typical users, as well as system administrators. We then illustrate the importance of our approach by presenting a case study that incorporates models of human users. We analyze our preliminary results and discuss their challenges and our approaches to address them in the future.

SMT-Based Controller Synthesis for Linear Dynamical Systems with Adversary  Slides | Video
Zhenqi Huang, Research Assistant, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
Yu Wang, Research Assistant, Mechanical Science and Engineering, University of Illinois at Urbana-Champaign
November 3, 2015, 4:00 p.m., 2405 Siebel Center

Abstract: We present a controller synthesis algorithm for a discrete time reach-avoid problem in the presence of adversaries. Our model of the adversary captures typical malicious attacks envisioned on cyber-physical systems such as sensor spoofing, controller corruption, and actuator intrusion. After formulating the problem in a general setting, we present a sound and complete algorithm for the case with linear dynamics and an adversary with a budget on the total L2-norm of its actions. The algorithm relies on a result from linear control theory that enables us to decompose and precisely compute the reachable states of the system in terms of a symbolic simulation of the adversary-free dynamics and the total uncertainty induced by the adversary. We provide constraint-based synthesis algorithms for synthesizing open-loop and closed-loop controllers using SMT solvers.

Science of Security Speaker Series: Security at Scale

  • Posted on October 19, 2015 at 1:46 pm by whitesel@illinois.edu.
  • Categorized Events.

Niels Provos, Google, Inc.
November 13, 2015, 10:00 a.m., B02 Coordinated Science Lab

Abstract: Security continues to be a challenging problem. After decades of research, we’re still struggling with vulnerabilities, human and machine, and their exploitation. Solving security requires looking at the problem holistically, and explicitly including the human component. In this talk, I’ll be discussing some of the security challenges we encounter at Google: from Unwanted Software, across encrypting HTTP everywhere, to strong authentication. The focus will be on what we found works in practice, and some of the lessons we have learned.

Bio:  Niels Provos is a Distinguished Engineer in Google’s Infrastructure Security group where he is responsible for security engineering. His interests span a wide range of security topics including malware and cloud security. He received a Ph.D. from the University of Michigan in 2003. When not working with computers, he forges steel into swords.

ITI Joint Trust and Security/Science of Security Seminars Spring 2016

  • Posted on September 16, 2015 at 11:16 am by whitesel@illinois.edu.
  • Categorized Events.

User Expectations in Mobile App Security  slides | video
Tao Xie, Associate Professor, Computer Science, University of Illinois at Urbana-Champaign
January 26, 2016, 4:00 p.m., B02 Coordinated Science Lab

Abstract: Maintaining the security and privacy hygiene of mobile apps is a critical challenge. Unfortunately, no program analysis algorithm can determine that an application is “secure” or “malware-free.” For example, if an application records audio during a phone call, it may be malware. However, the user may want to use such an application to record phone calls for archival and benign purposes. A key challenge for automated program analysis tools is determining whether or not that behavior is actually desired by the user (i.e., user expectation). This talk presents recent research progress in exploring user expectations in mobile app security.

Towards Preserving Mobile Users’ Privacy in the Context of Utility Apps
Wing Lam, Research Assistant, Computer Science, University of Illinois at Urbana-Champaign
March 1, 2016, 4:00 p.m., B02 Coordinated Science Lab

Abstract: A variety of valuable mobile utility apps heavily rely on collecting a user’s app usage data to carry out their promised utilities and enhance user experiences. A part of such app usage data often contains security-sensitive information. Thus, an important and challenging issue arises: how to balance between the user’s privacy and the utility app’s utility functionality. Towards addressing the issue, we propose a new privacy framework that combines techniques of runtime sensitive-information detection, utility-impact analysis, privacy-policy compliance checking, and balanced data anonymization to enable a third-party app to determine what original values to keep in sanitized data in order to deliver a desirable level of utility efficacy.

Differential Privacy, Entropy and Security in Distributed Control of Cyber Physical Systems  slides | video
Zhenqi Huang, Research Assistant, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
Yu Wang, Research Assistant, Mechanical Science and Engineering, University of Illinois at Urbana-Champaign
April 26, 2016, 4:00 p.m., B02 Coordinated Science Lab

Abstract: The concept of differential privacy stems from the study of private query of datasets. In this work, we apply this concept to discrete-time, linear distributed control systems in which agents need to maintain privacy of certain preferences, while sharing information for better system-level performance. The system has $N$ agents operating in a shared environment that couples their dynamics. We show that for stable systems the performance grows as $O(T^3/N\epsilon^2)$, where $T$ is the time horizon and $\epsilon$ is the differential privacy parameter. Next, we study lower-bounds in terms of the Shannon entropy of the minimal mean square estimate of the system’s private initial state from noisy communications between an agent and the server. We show that for any noise-adding differentially private mechanism, the Shannon entropy is at least $nN(1-\ln(\epsilon/2))$, where $n$ is the dimension of the system, and the lower bound is achieved by a Laplace-noise-adding mechanism. Finally, we study the problem of keeping the objective functions of individual agents differentially private in the context of cloud-based distributed optimization. The result shows a trade-off between the privacy of objective functions and the performance of the distributed optimization algorithm with noise.

Preemptive Intrusion Detection – Practical Experience and Detection Framework  slides | video
Phuong Cao, Research Assistant, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
May 3, 2016, 4:00 p.m., B02 Coordinated Science Lab

Abstract: Using stolen or weak credentials to bypass authentication is one of the top 10 network threats, as shown in recent studies. Disguising as legitimate users, attackers use stealthy techniques such as rootkits and covert channels to gain persistent access to a target system. However, such attacks are often detected after the system misuse stage, i.e., the attackers have already executed attack payloads such as: i) stealing secrets, ii) tampering with system services, and iii) disrupting the availability of production services.

In this talk, we analyze a real-world credential stealing attack observed at the National Center for Supercomputing Applications. We show the disadvantages of traditional detection techniques such as signature-based and anomaly-based detection for such attacks. Our approach is a complement to existing detection techniques. We investigate the use of Probabilistic Graphical Models, specifically Factor Graphs, to integrate security logs from multiple sources for a more accurate detection. Finally, we propose a security testbed architecture to: i) simulate variants of known attacks that may happen in the future, ii) replay such attack variants in an isolated environment, and iii) collect and share security logs of such replays for the security research community.

SoS Speaker Series: Methods and Characteristics of Fraud in Online Advertising

  • Posted on September 8, 2015 at 1:05 pm by whitesel@illinois.edu.
  • Categorized Events.

Paul Barford, University of Wisconsin, Madison
October 16, 2015, 10:00 a.m., B02 Coordinated Science Lab

Video

Abstract:  The diversity of entities and complexity of mechanisms involved in the delivery of online display and video advertisements lead to a variety of opportunities for fraudsters.  Recent reports by estimate online fraud in the hundreds of millions of dollars annually.  In this talk, I will provide an overview of the online ad eco-system.  I will describe the methods that are commonly used to commit ad fraud, and the basic approaches to detecting and mitigating fraud.  I will also describe a new type of ad fraud that we call domain laundering, which is quite subtle and takes advantage of the limitations in standard methods for ad placement attribution.  I will provide an overview of the mechanisms used to facilitate domain laundering along with case studies on three different instances of domain laundering that we have identified and diagnosed.  I will conclude with a discussion on approaches for enhanced identification and mitigation of online ad fraud including domain laundering.

Bio: Paul Barford is a professor of Computer Sciences at the University of Wisconsin-Madison. He is also the Chief Scientist at comScore, Inc. His research interests are in computer networking and communications, large data analytics, and Internet security. He was the founder of Nemean Networks (acquired by Qualys in ‘10) and co-founder of MdotLabs (acquired by comScore in ‘14). He has published over 100 research papers and has served on numerous national and international panels, editorial boards, organizing committees, and program committees. He has an NSF CAREER award, several best paper awards and is a Distinguished Member of the ACM and a Senior Member of the IEEE.

SoS Speaker Series: Seven Years of Mobile Smartphone Security

  • Posted on September 3, 2015 at 12:56 pm by whitesel@illinois.edu.
  • Categorized Events.

Patrick McDaniel, The Pennsylvania State University
September 24, 10:00 a.m., B02 Coordinated Science Lab
Slides

Abstract: The introduction of smart phones in 2008 forever changed the way users interact with data and computation. These platforms and the network and cloud services supporting them have led to a renaissance of mobile computing. At the same time, changes in the nature of personal computing heighten concerns about security and privacy. Such concerns prompted an ongoing area of scientific study exploring smartphone and application security. Through these efforts, the technical community has become increasingly aware that applications can (and in many cases have) work against the user’s best interests and house new forms of malware.

This talk explores the genesis and evolution of academic research efforts in evaluating smartphone application security over the first seven years of its existence. A retrospective view of how the community’s understanding of application security has changed over the years is provided, with a focus on the scientific questions asked and the methods used. We highlight a range of analysis techniques that extract software structures and behaviors from smartphone applications, and describe several studies that identified important security and privacy concerns. The talk concludes by considering the realities of current mobile apps and markets and identifies challenges in preventing misuse of smartphones.

Bio: Patrick McDaniel is a Professor in the Computer Science and Engineering Department at The Pennsylvania State University, co-director of the Systems and Internet Infrastructure Security Laboratory, IEEE Fellow, and Chair of the IEEE Technical Committee for Security and Privacy. Dr. McDaniel is also the program manager and lead scientist for the newly created Cyber-Security Collaborative Research Alliance. Patrick’s research efforts centrally focus on network, telecommunications, systems security, language-based security, and technical public policy. Patrick was the editor-in-chief of the ACM Journal Transactions on Internet Technology (TOIT), and served as associate editor of the journals ACM Transactions on Information and System Security, IEEE Transactions on Computers, and IEEE Transactions on Software Engineering. Patrick was awarded the National Science Foundation CAREER Award and has chaired several top conferences in security including, among others, the 2007 and 2008 IEEE Symposium on Security and Privacy and the 2005 USENIX Security Symposium. Prior to pursuing his Ph.D. at the University of Michigan, Patrick was a software architect and project manager in the telecommunications industry.

SoS Speaker Series: Thoughts on Retrofitting Legacy Code for Security

  • Posted on June 16, 2015 at 11:00 am by whitesel@illinois.edu.
  • Categorized Events.

Somesh Jha, University of Wisconsin, Madison
April 2, 4:00 p.m., 301 Coordinated Science Lab
Slides

Abstract: Writing a complex but secure program is a near-impossible task for a conventional operating system. If an attacker compromises any module of a trusted program running on such a system, then the attacker can perform arbitrary operations on the system. However, if a program runs on a privilege-aware operating system, then the program can invoke system calls to explicitly manage the privileges of its modules, and thus minimize the abilities of an attacker. The developers of privilege-aware systems have rewritten complex programs to invoke such system calls to satisfy strong security properties. However, such systems have not been adopted by developers outside the development community of each system. Moreover, even the systems’ own developers often write programs for their system that they believe to be correct, only to realize later through testing that the rewritten program is insecure or does not demonstrate desired functionality of the original program.

In this talk we will examine the challenges in rewriting programs for privilege-aware systems, and present a tool, called a policy weaver, that rewrites programs for such systems automatically. Our policy weaver takes as input a program written for a conventional system and a small and declarative policy (i.e., a regular expression describing allowed program executions). The weaver outputs a version of the program that invokes system calls so that it satisfies the policy. The weaver reduces each rewriting problem to finding a correct strategy to a two-player automata-theoretic safety game. We describe our experience developing a policy weaver for the Capsicum privilege-aware operating system (now included in FreeBSD 9.0), and describe how a policy weaver for an arbitrary privilege-aware system can be constructed automatically by providing a declarative model of the system to a policy-weaver generator. I will conclude by describing some future work and encourage other researchers to work on some interesting problems on this topic.

Bio: Somesh Jha received his B.Tech from Indian Institute of Technology, New Delhi in Electrical Engineering. He received his Ph.D. in Computer Science from Carnegie Mellon University in 1996. Currently, Somesh Jha is a Professor in the Computer Sciences Department at the University of Wisconsin (Madison), which he joined in 2000. His work focuses on analysis of security protocols, survivability analysis, intrusion detection, formal methods for security, and analyzing malicious code.  Recently he has also worked on privacy-preserving protocols. Somesh Jha has published over 150 articles in highly-refereed conferences and prominent journals. He has won numerous best-paper awards. Somesh also received the NSF career award in 2005.