securing the future - dcypher.nl€¦ · • control what a user can see on the internet to...

NCSRA Symposium | 2 November 2015 Cybersecurity & Privacy research, education & innovation

Securing the Future

Exploring Challenges and Opportunities for Research in

Computer Security

Christopher Kruegel UC Santa Barbara and Lastline, Inc.


The Future


The Future

Innovation and new technology

Advances in offensive technology


The Future

Disclaimer: My bias is that I am a systems security researcher.

Innovation and new technology

Advances in offensive technology


Hype Cycle: Emerging Technologies

Source: Gartner, August 2015


#1: INTERNET OF THINGS


• Embedded software is everywhere – captured through many buzzwords

• pervasive, ubiquitous computing • Internet of Things (IoT)

– sensors and actuators

Blend between real and virtual worlds


Massive Growth


Security Challenges • Quantity has a quality all its own • Vulnerability analysis

– binary blobs (binary only, no OS or library abstractions) – software deeply connected with hardware

• Patch management – devices must be cheap – vendors might be long gone


Security Challenges • Remote accessibility

– device authentication – access control (pacemaker during emergency) – stepping stone into inside of perimeter

• Additional vulnerability surface – attacks launched from physical world – supply chain attacks


#2: INFORMATION MANIPULATION


Information Manipulation • Control what a user can see on the Internet to

influence the user’s mind and actions – Manipulate content and in turn, target the human mind,

instead of machines or code – Affect the users’ decision-making processes

• economic gain (buying) • influence (voting) • credibility (social world)


We “See” Only Some Information


Information Flow

Publishers Internet Intermediaries Users

Event Web sites/portals ISPs/CDNs


Information Flow

Publishers Internet Intermediaries Users

Event Web sites/portals ISPs/CDNs

Fake reviews Sock puppets Astroturf Misleading Wikipedia entries

Production Search-related attacks and misuses Performance degradation

Dissemination Pollution of browsing history Tracking of user activities

Consumption


Taxonomy of Manipulation Production Dissemination Discovery

Changing the choice set

News agencies may choose not to report a story

Social network may remove (or add) content (e.g., Weibo censorship)

Search engine may change the set of results for different users (“filter bubbles”)

Changing the presentation layout (ordering, etc.)

Sites may move content to top/bottom of a page.

News outlets can use social networks to “broadcast” certain stories (e.g., NYTimes Twitter feed)

User profile pollution and poisoning can change the ranking of results

Changing the content Bogus reviews, “astroturfing”, false Wikipedia entries

“Sock puppets” can create/amplify false content


#3: HUMAN DATA


Human Data • From personal data to data about a person


Quantifiable Self • Initially, mostly fitness-related

metrics – steps, sleep, heart rate, …

• Newer wearable sensors go further – blood pressure, sweat, glucose

levels, … • Non-wearable biosensors

– typically take a drop of blood and run 100s of tests


One step further … • DNA analysis services


Security Challenges • Risks are underrated

– attackers not yet targeting human data • everyone understands that a stolen credit card is bad • not clear why anyone would want your health data or DNA

– everyone happy to upload and share their human data – impossible to change

• changing your credit card number is trivial • what if attackers find a reason to access the information

• How can one provide services without revealing data?


#4: ADVANCED MALWARE


Isn’t malware solved already?

23

Fraction of malware-related publications in Top-4 security conferences (NDSS, Oakland, Usenix Sec., CCS) over last 10 years

0,00%

2,00%

4,00%

6,00%

8,00%

10,00%

12,00%

14,00%

16,00%

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015

Malware (incl. Android)

Malware Publications


But the world has missed it …

24

Source: Google News Trends

Interest in Advanced Malware Protection


But the world has missed it …

25


Lots of interesting things to do • Mobile malware – difference to traditional

malware implies opportunities and challenges – apps are much easier to analyze statically

• use of Dalvik bytecode instead of x86 – centralized control

• vet applications before they enter store • can remotely remove installed applications • carriers might have more complete picture of users and

traffic – interesting GUI issues

26


Summary • Rapid technical progress and new attacks make increased

(research) efforts necessary to protect critical systems and data

• Four challenges/opportunities for future research 1) Secure the Internet of Things 2) Defend against Information Manipulation 3) Protect Human Data 4) Detect Advanced Malware


Thank You!

securing the future - dcypher.nl€¦ · • control what a user can see on the internet to...

Documents