TRUST Autumn 2008 Conference Program - Ptolemy …

TRUST: Team for Research in Ubiquitous Secure Technology

Autumn 2010 Conference

November 10 – 11, 2010

Jen-Hsun Huang Engineering Center, Stanford University

TRUST is funded by the National Science Foundation (award number CCF-0424422)


CONTENTS

WELCOME MESSAGE

TRUST OVERVIEW

CONFERENCE AGENDA

PRESENTATION ABSTRACTS

KEYNOTE SPEAKER BIOGRAPHY

SPEAKER BIOGRAPHIES

NOTES


WELCOME MESSAGE

It is with great pleasure that we welcome you to the TRUST Autumn 2010 Conference hosted by TRUST partner institution Stanford University.

This is one of two major conferences each year that highlights activities of the TRUST Center. Specifically, work of the Center is focused on:

• Advancing a leading-edge research agenda to improve the state of the art in cyber security and critical infrastructure protection;

• Developing a robust education plan to teach the next generation of computer scientists, engineers, and social scientists; and

• Pursuing knowledge transfer opportunities to transition TRUST results to end users within industry and the government.

This conference provides an opportunity to hear firsthand about recent research results and future plans of TRUST faculty and students across all TRUST-affiliated universities. We hope you will find the conference educational, engaging, and insightful.

We are honored to have as a keynote speaker UC Berkeley Professor Dawn Song. Dawn is an accomplished researcher and educator recognized for her innovative work in a number of security and privacy areas. Among Dawn’s many honors, she was named a MacArthur Foundation Fellow for 2010, a very select and prestigious award, so it is a privilege for a “genius award” winner to speak at the conference.

For those of you not affiliated with TRUST, or new to TRUST, I encourage you to use this conference to meet the TRUST team and find out more about the Center and its projects.

Sincerely,

S. Shankar Sastry
Director, TRUST Center
Dean of Engineering, University of California, Berkeley


TRUST OVERVIEW

The Team for Research in Ubiquitous Secure Technology (TRUST) is focused on the development of cyber security science and technology that will radically transform the ability of organizations to design, build, and operate trustworthy information systems for the nation's critical infrastructure. Established as a National Science Foundation Science and Technology Center (STC), TRUST is addressing technical, operational, legal, policy, and economic issues affecting security, privacy, and data protection as well as the challenges of developing, deploying, and using trustworthy systems.

TRUST activities are advancing a leading-edge research agenda to improve the state of the art in cyber security; developing a robust education plan to teach the next generation of computer scientists, engineers, and social scientists; and pursuing knowledge transfer opportunities to transition TRUST results to end users within industry and the government.

TRUST is addressing technical, operational, privacy, and policy challenges via interdisciplinary projects that combine fundamental science and applied research to deliver breakthrough advances in trustworthy systems in three “grand challenge” areas:

• Financial Infrastructures – Creation of a trustworthy environment that links and supports commercial transactions among financial institutions, online retailers, and customers.

• Health Infrastructures – Technology that advances “Healthcare Informatics” to enable engaged patients, personalized medicine, providers as coach-consultants, and agile evidence-based care.

• Physical Infrastructures – Advances that support next generation Supervisory Control and Data Acquisition (SCADA) and distributed control systems, including power, water, and telecommunications.

TRUST is led by the University of California, Berkeley with partner institutions Carnegie Mellon University, Cornell University, San Jose State University, Stanford University, and Vanderbilt University. TRUST projects have a holistic view that addresses computer security, software technology, analysis of complex interacting systems, and economic, legal, and public policy issues. As such, TRUST draws on researchers in such diverse fields as Computer Engineering, Computer Science, Economics, Electrical Engineering, Law, Public Policy, and the Social Sciences. More information on TRUST is available at http://www.truststc.org.


CONFERENCE AGENDA

WEDNESDAY, NOVEMBER 10, 2010

TIME TOPIC

0730 – 0845 Breakfast

0845 – 0900 Conference Welcome

0900 – 1000 Keynote Address – BitBlaze, WebBlaze, and Beyond: Open Challenges in Security and Privacy Professor Dawn Song (University of California, Berkeley)

1000 – 1030 Break

Session 1: Physical Infrastructures (Chair: Steve Wicker, Cornell University)

1030 – 1050 Security Interdependencies for Networked Control Systems with Identical Agents Saurabh Amin (University of California, Berkeley)

1050 – 1110 Fault-Tolerant Distributed Reconnaissance Adrian P. Lauf (Wright State University)

1110 – 1130 Location Privacy via Private Proximity Testing Arvind Narayanan (Stanford University)

1130 – 1150 Simulation of Network Attacks on SCADA Systems Andrew Davis (Vanderbilt University)

1150 – 1210 Netslice: Enabling Critical Network Infrastructure with Commodity Routers Hakim Weatherspoon (Cornell University)

1210 – 1230 A Privacy-Aware Architecture For Demand Response Systems Stephen Wicker (Cornell University)

1200 – 1330 Lunch / TRUST Student Poster Session

Session 2: Financial Infrastructures (Chair: John Mitchell, Stanford University)

1330 – 1350 Towards a Formal Foundation of Web Security Devdatta Akhawe (University of California, Berkeley)

1350 – 1410 SessionJuggler: Secure Login from an Untrusted Terminal Using Session Hijacking Elie Bursztein (Stanford University)

1410 – 1430 Protecting Browsers from Extension Vulnerabilities Adrienne Porter Felt (University of California, Berkeley)

1430 – 1450 The Case for Ubiquitous Transport-Level Encryption Andrea Bittau (Stanford University)

1450 – 1510 Community Epidemic Detection using Time-Correlated Anomalies Adam J. Oliner (Stanford University)

1510 – 1530 A Learning-Based Approach to Reactive Security Benjamin Rubinstein (Microsoft Research Silicon Valley)

1530 – 1700 Parallel Breakout Sessions (Physical Infrastructures, Financial Infrastructures)

1700 – 1800 TRUST Student Poster Session / Reception

1830 TRUST Conference Banquet (Stanford Faculty Club)


CONFERENCE AGENDA (cont.)

THURSDAY, NOVEMBER 11, 2010

TIME TOPIC

0730 – 0830 Breakfast

0830 – 1000 Parallel Breakout Sessions (Health Infrastructures, Policy/Economics)

1000 – 1030 Break

1030 – 1110 Breakout Session Outbriefs

Session 3: Health Infrastructures (Chair: Janos Sztipanovits, Vanderbilt University)

1110 – 1130 A Model-Integrated, Guideline-Driven, Clinical Decision-Support System Janos L. Mathe (Vanderbilt University)

1130 – 1150 Managing Information Leakage Steven Whang (Stanford University)

1150 – 1210 Towards Understanding the Usage Pattern of Web-based Electronic Medical Record System Xiaowei Li (Vanderbilt University)

1210 – 1230 EBAM: Experience-Based Access Management for Healthcare Elizabeth Durham (Vanderbilt University)

1230 – 1250 Experiences in the Logical Specification of the HIPAA and GLBA Privacy Laws Anupam Datta (Carnegie Mellon University)

1250 – 1350 Lunch

Session 4: Policy / Economics (Chair: John Chuang, University of California, Berkeley)

1350 – 1410 Dissecting One Click Frauds Nicolas Christin (Carnegie Mellon University)

1410 – 1430 Security Decision-Making Among Interdependent Organizations Ann Miura-Ko (FLOODGATE / Stanford University)

1430 – 1450 Discounting the Past: Bad Weighs Heavier than Good Laura Brandimarte (Carnegie Mellon University)

1450 – 1510 Modeling Cyber-Insurance: Towards A Unifying Framework Galina Schwartz (University of California, Berkeley)

1510 – 1530 Scalable Parametric Verification of Reference Monitors: How to Verify Reference Monitors without Worrying about Data Structure Size Jason Franklin (Carnegie Mellon University)

1530 – 1550 Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information Benjamin Johnson (Carnegie Mellon University)

1550 – 1600 Wrap Up / Conference Closing


PRESENTATION ABSTRACTS

Wednesday, November 10

0900 – 1000 Keynote Address – BitBlaze, WebBlaze, and Beyond: Open Challenges in Security and Privacy

Dawn Song (Associate Professor, Computer Science, University of California, Berkeley)

In this talk, I will explore some of the most important challenges facing the security
community today. Topics will include how to build secure platforms for emerging computing models, and how to protect user’s privacy in an increasingly complex Web environment, among others. I will also present some of my own work that shows how we have been addressing these challenges, focusing on the BitBlaze and WebBlaze projects, as well as a new privacy framework we are building. The BitBlaze project focuses on building a unified binary program analysis platform and using it to provide novel solutions to computer security problems. The binary analysis platform provides an extensible architecture and a broad range of static analysis, dynamic analysis, and program verification capabilities, all of which operate directly on compiled binaries. These capabilities enable BitBlaze to take a powerful, principled approach to security that focuses on identifying the underlying root causes of security vulnerabilities and generating defenses. We have used BitBlaze to enable over a dozen security applications, including patch-based exploit generation, automatic generation of vulnerability signatures for defense, and model extraction from web browsers for vulnerability discovery. I will also briefly describe the WebBlaze project where we employ the experience learned from BitBlaze to develop techniques and tools for vulnerability discovery and defense on the web. In particular, WebBlaze’s new technologies cover a broad range including new architectural solutions for defending against cross-site scripting attacks, tools for detecting and defending against cross-origin JavaScript capability leaks which lead to universal cross-site scripting attacks, and new approaches for secure browser extensions and web advertisements. Some solutions proposed in WebBlaze have been deployed in Google Chrome. For more information on BitBlaze and WebBlaze, please see http://bitblaze.cs.berkeley.edu and http://webblaze.cs.berkeley.edu.

1030 – 1050 Security Interdependencies for Networked Control Systems with Identical Agents

Saurabh Amin (University of California, Berkeley)

This paper studies the security choices of identical plant-controller systems, when their security is interdependent due to the exposure to network induced risks. Each plant is modeled by a discrete-time stochastic linear system, which is sensed and controlled over a communication network. We model security decisions of the individual systems (also called players) as a game. We consider a two-stage game, in which first, the players choose whether to invest in security or not; and thereafter, choose control inputs to minimize the average operational costs. We fully characterize equilibria of the game, which give us the individually optimal security choices. We also find the socially optimal choices. The presence of security interdependence creates a negative externality, and results in a gap between the individual and the socially optimal security choices for a wide range of security costs. Due to the negative externality, the individual players tend to underinvest in security.


1050 – 1110 Fault-Tolerant Distributed Reconnaissance

Adrian P. Lauf (Wright State University)

This paper describes a method to efficiently canvass an area of interest using distributed
sensing methods, assisted by fault-tolerant resource management. By implementing multiple aircraft in an assessment configuration, aerial monitoring and diverse sensing can be accomplished through the use of ad-hoc networking principles; aircraft act as nodes, each being a distributed agent in the network. Combined with a method called the Distributed Apt Resource Transference System (DARTS) for reallocating redundant or alternately-allocatable resources, such implementations can enjoy longer operational duration, increased coverage, and a higher probability of executing the desired reconnaissance. DARTS employs a hybridization of gossip and flooding-based resource discovery methods to find suitable replacement resources in the case of a node failure. Failures may arise due to natural (environmental) interference or malicious attacks designed to disrupt the mission. Testing of the fault-tolerant resource management techniques demonstrated resiliency of the system, resulting in minimal bandwidth requirements to reallocate (up to 6-fold reduction in traffic) and a faster speed of resource reallocation (up to 79% improvement), even in the face of an inconsistent state of operation. By implementing intrusion detection system (IDS) technologies to spawn the reallocation process (a procedure called triggering), DARTS provides a flexible, lightweight, and scalable method to efficiently allow reconnaissance and other distributed sensing applications to occur on a mobile, airborne platform.

1110 – 1130 Location Privacy via Private Proximity Testing

Arvind Narayanan (Stanford University)

We study privacy-preserving tests for proximity: Alice can test if she is close to Bob
without either party revealing any other information about each other's location. We describe several secure protocols that support private proximity testing at various levels of granularity. We introduce the concept of location tags generated from the physical environment in order to strengthen the security of proximity testing. We implemented our system on the Android platform and report on its effectiveness. Our system uses a social network (Facebook) to manage user public keys. We argue that for proximity testing, social networks are better suited for managing user keys than traditional PKI.

1130 – 1150 Simulation of Network Attacks on SCADA Systems

Andrew Davis (Vanderbilt University)

Network security is a major issue affecting SCADA systems designed and deployed in the
last decade. Simulation of network attacks on a SCADA system presents certain challenges, since even a simple SCADA system is composed of models in several domains and simulation environments. Here we demonstrate the use of the C2WindTunnel to simulate a plant and its controller, and the Ethernet network that connects them, in different simulation environments. We also simulate DDOS-like attacks on a few of the routers to observe and analyze the effects of a network attack on such a system.

1150 – 1210 Netslice: Enabling Critical Network Infrastructure with Commodity Routers

Hakim Weatherspoon (Cornell University)

Security, reliability, and performance are paramount in current and future networks, especially networks of globally distributed datacenters. Example router functionality includes deep packet inspectors (DPI), wide-area performance enhancement proxies (PEP), transparent reliable TCP enhancements, protocol accelerators, overlay routers, security appliances, intrusion detection systems (IDS), and network monitors, to name a few. In this talk I will discuss how such routers (or middleboxes) may be built from the same commodity components readily available within the datacenter; namely, commodity multicore processors. Further, I will discuss a programmable interface and implementation that allow developers to take advantage of the increasing number of processor cores, a fundamental requirement given that single CPU core speeds no longer scale with increasing network speeds.

1210 – 1230 A Privacy-Aware Architecture For Demand Response Systems

Stephen Wicker (Cornell University)

We explore the privacy issues implicated by the development of demand response
systems. We begin by highlighting the invasive nature of fine-granularity power consumption data, showing that the data collected by Advanced Metering Infrastructure (AMI) reveals detailed information about behavior within the home. We then show how privacy-aware design principles lead to novel system architectures that realize the benefits of demand response without requiring that AMI data be centrally collected. The resulting systems avoid both harm to subscribers and the potential need to scrap AMI-based demand response efforts in the face of public outcry. We also show that Trusted Platform Modules can be used to develop privacy-sensitive metering infrastructure.

1330 – 1350 Towards a Formal Foundation of Web Security

Devdatta Akhawe (University of California, Berkeley)

We propose a formal model of web security based on an abstraction of the web platform and use this model to analyze the security of several sample web mechanisms and applications. We identify multiple distinct threat models that can be used to analyze web applications, ranging from a web attacker who controls malicious web sites and clients, to stronger attackers who can control the network and/or leverage sites designed to display user-supplied content. We propose two broadly applicable security goals and study five security mechanisms. In our case studies, which include HTML5 forms, Referer validation, and a single sign-on solution, we use a SAT-based model-checking tool to find two previously known vulnerabilities and three new vulnerabilities. The case study of a Kerberos-based single sign-on system illustrates key differences between network protocols and web protocols and finds a vulnerability that arises because of the way cookies, redirects, and embedded links are used.

1350 – 1410 SessionJuggler: Secure Login From an Untrusted Terminal Using Session Hijacking

Elie Bursztein (Stanford University)

We show that session hijacking can have positive applications, in particular, it can help
with secure login from an untrusted terminal. While there are many proposals for securing a login from an untrusted terminal, they all require either server-side changes or client-side changes. In this paper we explore a new web user authentication mechanism called SessionJuggler that enables user login without ever entering a long-term credential on the insecure terminal. SessionJuggler requires no server-side changes and assumes no special software on the client beyond a modern web browser. Roughly speaking, with SessionJuggler users log in to a web site using a modified smartphone browser and then transfer the entire session, including cookies and all other session state, to the terminal. The challenge is to ensure that this transfer—which looks like session hijacking—does not cause the web site to invalidate the session. We survey session hijacking defenses used by popular sites and explain how SessionJuggler bypasses all these defenses. Beyond session migration, SessionJuggler also provides a trusted logout mechanism where the trusted phone is used to terminate the session.

1410 – 1430 Protecting Browsers from Extension Vulnerabilities

Adrienne Porter Felt (University of California, Berkeley)

Browser extensions are remarkably popular, with one in three Firefox users running at least one extension. Although well-intentioned, extension developers are often not security experts and write buggy code that can be exploited by malicious web site operators. In the Firefox extension system, these exploits are dangerous because extensions run with the user's full privileges and can read and write arbitrary files and launch new processes. In this paper, we analyze 25 popular Firefox extensions and find that 88% of these extensions need less than the full set of available privileges. Additionally, we find that 76% of these extensions use unnecessarily powerful APIs, making it difficult to reduce their privileges. We propose a new browser extension system that improves security by using least privilege, privilege separation, and strong isolation. Our system limits the misdeeds an attacker can perform through an extension vulnerability. Our design has been adopted as the Google Chrome extension system.

1430 – 1450 The Case for Ubiquitous Transport-Level Encryption

Andrea Bittau (Stanford University)

Today, Internet traffic is encrypted only when deemed necessary. Yet modern CPUs could
feasibly encrypt most traffic and the cost of doing so will only drop over time. Tcpcrypt is a TCP extension designed to make end-to-end encryption of TCP traffic the default, not the exception. Tcpcrypt has a number of features to facilitate adoption. It provides backwards compatibility with legacy TCP stacks and middleboxes. Because it is implemented in the transport layer, it protects legacy applications. However, it also provides a hook for integration with application-layer authentication, largely obviating the need for applications to encrypt their own network traffic and minimizing the need for duplication of functionality. Finally, tcpcrypt lessens the impact of public key cryptography by minimizing the cost of key negotiation to servers. As a result, a server can accept 36 times more connections per second with tcpcrypt than with SSL.

1450 – 1510 Community Epidemic Detection using Time-Correlated Anomalies

Adam J. Oliner (Stanford University)

An epidemic is malicious code running on a subset of a community, a homogeneous set of
instances of an application. Syzygy is an epidemic detection framework that looks for time-correlated anomalies, i.e., divergence from a model of dynamic behavior. We show mathematically and experimentally that, by leveraging the statistical properties of a large community, Syzygy is able to detect epidemics even under adverse conditions, such as when an exploit employs both mimicry and polymorphism. This work provides a mathematical basis for Syzygy, describes our particular implementation, and tests the approach with a variety of exploits and on commodity server and desktop applications to demonstrate its effectiveness.

1510 – 1530 A Learning-Based Approach to Reactive Security

Benjamin Rubinstein (Microsoft Research Silicon Valley)

Despite the conventional wisdom that proactive security is superior to reactive security, we show that reactive security can be competitive with proactive security as long as the reactive defender learns from past attacks instead of myopically overreacting to the last attack. Our game-theoretic model follows common practice in the security literature by making worst-case assumptions about the attacker: we grant the attacker complete knowledge of the defender's strategy and do not require the attacker to act rationally. In this model, we bound the competitive ratio between a reactive defense algorithm (which is inspired by online learning theory) and the best fixed proactive defense. Additionally, we show that, unlike proactive defenses, this reactive strategy is robust to a lack of information about the attacker's incentives and knowledge.


Thursday, November 11

1110 – 1130 A Model-Integrated, Guideline-Driven, Clinical Decision-Support System

Janos L. Mathe (Vanderbilt University)

In our earlier paper we have reported the use of a formal model-based development method for a guideline-driven patient management system, called Sepsis Treatment Enhanced through Electronic Protocolization (STEEP). During the last 8 months we have been engaged in the preparation and execution of a clinical trial at two Intensive Care Units of the Vanderbilt University Medical Center partially funded by NIH. The process required passing of the institutional HIPAA (privacy), security and quality review process and the integration of STEEP into Vanderbilt's clinical information systems including the EMR, Ordering, Medical Administration and Alert Management systems. The experience gave us a number of interesting conclusions that led us to enrich our science agenda on trustworthy health information systems. In this presentation we will summarize the experience gained with the clinical trial and will elaborate on the following two specific challenges: (1) Development of the Clinical Process Modeling Language (CPML) has been a significant effort. CPML integrates three kinds of knowledge: medical (sepsis), execution platform (STEEP engine) and privacy rules. Our primary conclusion is that for future problem domains (such as the cancer management we are currently analyzing) instead of applying CPML or developing new domain specific modeling languages from scratch we need to decompose the knowledge CPML into reusable sub-languages. These sub-languages will be representing essential aspects of the problem space: Medical Ontology, Execution Platform Semantics and Privacy Rules. Reusable model libraries built for these separate aspects will then be used to generate the integrated domain specific models. (2) Integration of STEEP into Vanderbilt's Health IT infrastructure has been a significant challenge. Reusability of the effort can be ensured by formally defining abstraction layers for each major component—including the relevant privacy rules—and integrate these layers into the system architecture as models.

1130 – 1150 Managing Information Leakage

Steven Whang (Stanford University)

We explore the problem of managing information leakage by connecting two hitherto
disconnected topics: entity resolution (ER) and data privacy (DP). As more of our sensitive data gets exposed to a variety of merchants, health care providers, employers, social sites and so on, there is a higher chance that an adversary can “connect the dots” and piece together our information, leading to even more loss of privacy. For instance, suppose that Alice has a social networking profile with her name and photo and a web homepage containing her name and address. An adversary Eve may be able to link the profile and homepage to connect the photo and address of Alice and thus glean more personal information. The better Eve is at linking the information, the more vulnerable is Alice's privacy. Thus in order to gain DP, one must try to prevent important bits of information being resolved by ER. In this paper, we formalize information leakage and list several challenges both in ER and DP. We also propose using disinformation as a tool for containing information leakage.

1150 – 1210 Towards Understanding the Usage Pattern of Web-based Electronic Medical Record System

Xiaowei Li (Vanderbilt University)

The benefits and importance of Electronic Medical Record (EMR) system have been well recognized in the healthcare industry. Yet, its wide adoption still faces significant barriers that require technical innovations in building highly-available medical information systems that provide continuous on-demand secure medical information access while
preserving patients' privacy. Understanding the usage pattern of the EMR system is the first essential step towards building such a system. This paper conducts an in-depth trace analysis of a large scale EMR system that runs for more than a decade at Vanderbilt Medical Center. Our study examines three aspects of this EMR system: 1) overall system usage pattern, 2) user behavior, which focuses on the difference across users and the behavior consistency and migration over time, and 3) patient record access pattern, which emphasizes the relationship between users and their accessed records. Our study has demonstrated several important characteristics of EMR system usage. First, the workload of the EMR system is highly stable and consistent with a weekly pattern. Second, EMR users behave quite differently. For an individual user, though his/her behavior exhibits high-degree of fluctuation across consecutive sessions, when aggregated over certain time frame, the aggregated behavior is highly consistent with a very slow rate of migration. Finally, the pairing between users and records is extremely sparse, echoing the stable patient-caregiver structure in the healthcare practice. These observations can be used to develop system security measures, such as EMR-specific anomaly detection systems, and facilitate system performance optimization.

1210 – 1230 EBAM: Experience-Based Access Management for Healthcare

Elizabeth Durham (Vanderbilt University)

Insufficient attention has been given to enterprise Identity and Access Management (IAM) as a process that needs to be carried out on a continuing basis in the presence of change and evolution. In particular, there is little formal support for how IAM can exploit experience the enterprise collects over time. We propose to shift the focus towards a lifecycle model of IAM called Experience Based Access Management (EBAM) that incorporates a set of models, techniques, and tools to reconcile differences between the “ideal” access model, as judged by high-level enterprise, professional, and legal standards, and the “enforced” access control, specific to the operational IAM system. The principal component of an EBAM support system is an “expected” access model that is used to represent differences between the ideal and enforced models based on information collected from access logs and other operational information. This work specifically focuses on how such an approach is ideal for healthcare information systems.

1230 – 1250 Experiences in the Logical Specification of the HIPAA and GLBA Privacy Laws

Anupam Datta (Carnegie Mellon University)

Despite the wide array of frameworks proposed for the formal specification and analysis of privacy laws, there has been comparatively little work on expressing large fragments of actual privacy laws in these frameworks. We attempt to bridge this gap by giving complete logical formalizations of the transmission-related portions of the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). To this end, we develop the PrivacyLFP logic, whose features include support for disclosure purposes, real-time constructs, and self-reference via fixed points. To illustrate these features and demonstrate PrivacyLFP’s utility, we present formalizations of a collection of clauses from these laws. Due to their size, our full formalizations of HIPAA and GLBA appear in a companion technical report. We discuss ambiguities in the laws that our formalizations revealed and sketch preliminary ideas for computer-assisted enforcement of such privacy policies.

1350 – 1410 Dissecting One Click Frauds

Nicolas Christin (Carnegie Mellon University)

“One Click Fraud” is an online confidence scam that has been plaguing an increasing number of Japanese Internet users, in spite of new laws and the mobilization of police task forces. In this scam, the victim clicks on a link presented to them, only to be informed that they just entered a binding contract and are required to pay a registration fee for a
service. Even though no money is legally owed, a large number of users prefer to pay up, because of potential embarrassment due to the type of service “requested” (e.g., pornographic goods). Using public reports of fraudulent websites as a source of data, we analyze over 2,000 reported One Click Frauds incidents. By correlating several attributes (WHOIS data, bank accounts, phone numbers, malware installed…), we discover that a few fraudsters are seemingly responsible for a majority of the scams, and evidence a number of loopholes these miscreants exploit. We further show that, while some of these sites may also be engaging in other illicit activities such as spamming, the connection between different types of scams is not as obvious as we initially expected. Last, we show that the rise in the number of these frauds is fueled by high expected monetary gains in return for very little risk. The quantitative data obtained gives us an interesting window on the economic dynamics of some online criminal syndicates.

1410 – 1430 Security Decision-Making Among Interdependent Organizations

Ann Miura-Ko (FLOODGATE / Stanford University)

In various settings, such as when customers use the same passwords at several independent web sites, security decisions by one organization may have a significant impact on the security of another. We develop a model for security decision-making in such settings, using a variation of linear influence networks. The linear influence model uses a matrix to represent linear dependence between security investment at one organization and resulting security at another, and utility functions to measure the overall benefit to each organization. A simple matrix condition implies the existence and uniqueness of Nash equilibria, which can be reached by a natural iterative algorithm. A free-riding index, expressible using quantities computed in this model, measures the degree to which one organization can potentially reduce its security investment and benefit from investments of others. We apply this framework to investigate three examples: web site security with shared passwords, customer education against phishing and identity theft, and anti-spam email filters. While we do not have sufficient quantitative data to draw quantitative conclusions about any of these situations, the model provides qualitative information about each example.

1430 – 1450 Discounting the Past: Bad Weighs Heavier than Good

Laura Brandimarte (Carnegie Mellon University)

This paper studies how individuals’ trust and appreciation of other parties is affected by the valence and maturity of information about actions or traits of those parties. Specifically, it introduces and tests the hypothesis that the effect of information about individuals or organizations with negative valence tends to fade away more slowly than the effects of information with positive valence, not only because its immediate impact may be stronger, but also because negative and positive information is discounted differently. To empirically test this hypothesis, we designed three survey-based randomized experiments, in which we manipulated the valence of the information that subjects are exposed to and the time to which such information refers. We measured how our subjects reacted to such information using judgment metrics of trust and liking derived from the literature or created ad-hoc for our experiments. We used a difference-in-difference model to disentangle the effects of valence, time and their interaction. Our findings provide some empirical support for our hypothesis. We suggest the theoretical grounds that could motivate differential discounting, and the privacy implications of such a phenomenon in a society where negative and positive information about people, useful for judging the trustworthiness of technological environments, is so easily retrievable.

1450 – 1510 Modeling Cyber-Insurance: Towards A Unifying Framework

Galina Schwartz (University of California, Berkeley)

We propose a comprehensive formal framework to classify all market models of cyber-insurance we are aware of. The framework features a common terminology and deals with the specific properties of cyber-risk in a unified way: interdependent security, correlated risk, and information asymmetries. A survey of existing models, tabulated according to our framework, reveals a discrepancy between informal arguments in favor of cyber-insurance as a tool to align incentives for better network security, and analytical results questioning the viability of a market for cyber-insurance. Using our framework, we show which parameters should be considered and endogenized in future models to close this gap.

1510 – 1530 Scalable Parametric Verification of Reference Monitors: How to Verify Reference Monitors without Worrying about Data Structure Size

Jason Franklin (Carnegie Mellon University)

The security of systems such as operating systems, hypervisors, and web browsers depends critically on reference monitors to correctly enforce their desired security policy in the presence of adversaries. Recent progress in developing reference monitors with small code size and narrow interfaces has made automated formal verification of reference monitors a more tractable goal. However, a significant remaining factor for the complexity of automated verification is the size of the data structures (e.g., access control matrices) over which the programs operate. This paper develops a parametric verification technique that scales even when reference monitors and adversaries operate over unbounded, but finite data structures. Specifically, we develop a parametric guarded command language for modeling reference monitors and adversaries. We also present a parametric temporal specification logic for expressing security policies that the monitor is expected to enforce. The central technical results of the paper are a set of small model theorems. These theorems state that in order to verify that a policy is enforced by a reference monitor with an arbitrarily large data structure, it is sufficient to model check the monitor with just one entry in its data structure. We apply our methodology to verify the designs of two hypervisors, SecVisor and the sHype mandatory-access-control extension to Xen. Our approach is able to prove that sHype and a variant of the original SecVisor design correctly enforce the expected security properties in the presence of powerful adversaries.

1530 – 1550 Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information

Benjamin Johnson (Carnegie Mellon University)

A common assumption in security research is that more individual expertise unambiguously leads to a more secure overall network. We present a game-theoretic model in which this common assumption does not hold. Our findings indicate that expert users can be not only invaluable contributors, but also free-riders, defectors, and narcissistic opportunists. A direct application is that user education needs to highlight the cooperative nature of security, and foster the community sense of higher skilled computer users.

KEYNOTE SPEAKER BIOGRAPHY

Dawn Song
Associate Professor, Computer Science
University of California, Berkeley

Dawn Song is an Associate Professor of Computer Science at the University of California, Berkeley. She obtained her B.S. in Physics from Tsinghua University in China in 1996, her M.S. in Computer Science from Carnegie Mellon University in 1999, and her Ph.D. in Computer Science from UC Berkeley in 2002. Prior to joining UC Berkeley, she was an Assistant Professor at Carnegie Mellon University from 2002 to 2007. Her research interest lies in security and privacy issues in computer systems and networks, including areas ranging from software security, networking security, database security, distributed systems security, to applied cryptography. She is the recipient of various awards including the MacArthur Fellowship, the Guggenheim Fellowship, the NSF CAREER Award, the Alfred P. Sloan Research Fellowship, the MIT Technology Review TR-35 Award, the IBM Faculty Award, the George Tallman Ladd Research Award, the Okawa Foundation Research Award, and the Li Ka Shing Foundation Women in Science Distinguished Lecture Series Award. She is also the author of multiple award papers in top security conferences.

SPEAKER BIOGRAPHIES

Devdatta Akhawe
University of California, Berkeley

Devdatta is a second year graduate student working with Dawn Song at UC Berkeley. His research interests are security and reliability of software and systems, particularly web systems/software and light weight formal methods for achieving the same. Previously he was an undergraduate in Computer Science at BITS Pilani, India. In the past he has interned at Yahoo! Labs and Microsoft Research.

Saurabh Amin
University of California, Berkeley

Saurabh is a fifth year graduate student in the Civil and Environmental Engineering systems engineering program. Before coming to UC Berkeley, Saurabh studied civil engineering at the Indian Institute of Technology, Roorkee (formerly, University of Roorkee). He then studied transportation engineering at the University of Texas at Austin, where he obtained an M.S.E. in the area of infrastructure systems. He moved to Berkeley in fall 2004 for his Ph.D. studies and is currently interested in control of hybrid systems, robust optimization, boundary control of hyperbolic PDEs, and reachability analysis for stochastic systems. His research has been supervised by Prof. S. Shankar Sastry and Prof. Alexandre M. Bayen.

Andrea Bittau
Stanford University

Andrea Bittau is a postdoc in Stanford's Computer Science department. His current projects are building a security framework for Google's native client and adding encryption support to TCP. Past projects included building a security toolkit for Linux (“Wedge”) primarily geared to securing existing application code, and attacks on WEP (the fragmentation attack).

Laura Brandimarte
Carnegie Mellon University

Laura Brandimarte is a Ph.D. candidate at the Carnegie Mellon University (CMU) – Heinz College’s Ph.D. program in Public Policy and Management. Her research focuses on the economics of privacy and on the use of behavioral economics to study privacy-related decision making. In the last three years, she presented her working papers at several conferences, such as the Ninth Workshop on the Economics of Information Security, held in June 2010 at Harvard University, and the INFORMS 2009 Annual Meeting, held in San Diego in October 2009. Before arriving at CMU to start her Ph.D., she lived in Rome, Italy, her home town, where she finished her undergraduate studies at the University of Rome “La Sapienza”, majoring in Economics, and in London, where she got her Master of Science in Economics at the London School of Economics. Her working experience includes her current position of Instructor of the distance course in Economic Analysis at the Heinz College, an Internship at the European Investment Bank in Luxembourg in 2004 and several consultancy contracts for the Italian Federation of Cooperative Banks between 2005 and 2007. Apart from research, she is passionate about tennis (she is part of the CMU tennis team and won the 2010 Bob O’Connor mixed doubles tournament), soccer, motorbike racing, Rome, movies from the 40’s and 50’s, Michael Jackson and Freakonomics/Superfreakonomics.

Elie Bursztein
Stanford University

Elie Bursztein is a postdoctoral fellow at the Stanford Computer Security Lab. He holds a PhD in computer science and an Engineering degree in computer systems, networks and security. His research focus is offensive technologies, mobile and web security. He enjoys applying game theory, machine learning and data mining techniques to security.

Nicolas Christin
Carnegie Mellon University

Nicolas Christin is the Associate Director of the Information Networking Institute at Carnegie Mellon University, where he also holds faculty appointments in CyLab and Electrical Engineering. He holds a Diplome d'Ingénieur from École Centrale Lille, and M.S. and Ph.D. degrees in Computer Science from the University of Virginia. Before joining Carnegie Mellon in 2005, he was a post-doctoral researcher in the School of Information at the University of California, Berkeley. He served for three years as resident faculty in the CyLab Japan program in Kobe (Japan), before returning to Carnegie Mellon's main campus in 2008. His research interests are in computer and information systems networks; most of his work is at the boundary of systems and policy research, with a slant toward security aspects. He has most recently focused on network security and its economics, online crime modeling, incentive-compatible network topology design, and peer-to-peer security.

Anupam Datta
Carnegie Mellon University

Anupam Datta is on the research faculty at Carnegie Mellon University. Anupam’s research focuses on foundations of information security and privacy, and draws on methods from a broad range of fields including logic, programming languages, verification, cryptography, and game theory. Specific research topics include cryptographic protocols, privacy, and trustworthy systems. Anupam has served as General Chair of the 2008 IEEE Computer Security Foundations Symposium, Program Co-chair of the 2008 Formal and Computational Cryptography Workshop, and on the program committees of many computer security conferences including ACM CCS, IEEE S & P, and IEEE CSF. Dr. Datta has a Ph.D. in Computer Science from Stanford University and a BTech from IIT Kharagpur.

Andrew Davis
Vanderbilt University

Andrew Davis is a second year graduate student in the Electrical Engineering and Computer Science department at Vanderbilt University. He received his B.S. in Computer Science from Wake Forest University in 2009. His research interests include network security in infrastructure systems, intrusion detection, and secure wireless networks. He currently works under Dr. Gabor Karsai supported by TRUST on a project developing a security testbed for SCADA systems. The testbed aims to provide a realistic setting for discovering and eliminating vulnerabilities in current SCADA systems as well as aiding secure design of future systems.

Elizabeth Durham
Vanderbilt University

Elizabeth Ashley Durham is a Ph.D. student in Biomedical Informatics at Vanderbilt University and is advised by Dr. Bradley Malin. She is a member of the Health Information Privacy Laboratory that focuses on data privacy and management issues in biomedical research and clinical management systems. Elizabeth's specific research is in the area of privacy-preserving record linkage – the task of identifying records, from disparate sources, that refer to the same individual – without revealing the individual's identity. She holds a M.S. in Biomedical Informatics from Vanderbilt University and a B.S. in Computer Science from the Georgia Institute of Technology.

Adrienne Porter Felt
University of California, Berkeley

Adrienne Porter Felt is a graduate student in Computer Science at the University of California, Berkeley where she is advised by Prof. David Wagner and a member of the security group. She is interested in web browser and smartphone security and her current research is focused on building secure APIs for third-party applications. Adrienne received a M.S. from UC Berkeley in 2010 and a B.S. from the University of Virginia in 2008. She is a recipient of the National Science Foundation Graduate Fellowship, the UC Berkeley Chancellor's Fellowship, and the Google Anita Borg Memorial Scholarship.

Jason Franklin
Carnegie Mellon University

Jason Franklin is a 6th year Ph.D. student in the Computer Science Department at Carnegie Mellon University. He received a B.S. in Computer Science and Mathematics from the University of Wisconsin-Madison in 2005. He is the recipient of the 2005 USENIX Security Best Paper Award, 2009 SOSP Best Paper Award, Department of Homeland Security Fellowship, and NSF Graduate Research Fellowship. His research focuses on the application of principled techniques to improve system and network security.

Benjamin Johnson
Carnegie Mellon University

Benjamin Johnson is a postdoctoral researcher at CyLab, Carnegie Mellon University. His research interests include economics of information security, game theory of networked systems, and complexity theory. Benjamin holds a Ph.D. in Logic and the Methodology of Science from the University of California at Berkeley, and a M.S. degree in mathematics from Virginia Tech University. In his spare time he enjoys gymnastics, kitesurfing, and snowboarding.

Adrian P. Lauf
Wright State University

Dr. Adrian P. Lauf is a research assistant professor of Electrical Engineering and Computer Science within the Department of Mechanical and Materials Engineering at Wright State University in Dayton, OH. He completed his M.S. and Ph.D. in Electrical Engineering at Vanderbilt University in 2010, under the direction of Dr. William H. Robinson, working on aspects of fault-tolerance, task reallocation, and security on Mobile Ad-Hoc Networks (MANETs). Currently, he is working on the development of flapping-wing Micro Air Vehicle (MAV) platforms at WSU in conjunction with the Wright-Patterson Air Force Base’s Air Force Research Lab (AFRL). Dr. Lauf is applying his previous expertise with networked and autonomous Unmanned Aerial Vehicles (UAVs) to work being done at the Wright State Center for Micro Air Vehicle Studies (CMAVS). Currently, he is adding characteristics of autonomous flight, group behaviors, and mesh networking to bio-inspired aircraft weighing less than 7 grams each, which can be used in surveillance, reconnaissance, and search-and-rescue applications.

Xiaowei Li
Vanderbilt University

Xiaowei Li received his B.S. degree in Communication Engineering from Tianjin University, China in 2006 and his M.S. degree from Beijing University of Post and Telecommunications in 2008. Currently, he is a graduate student in Department of Electrical Engineering and Computer Science at Vanderbilt University. His current research interests focus on application security in web-based system and clinical information system.

Janos L. Mathe
Vanderbilt University

Janos L. Mathe received his M.Sc. degree in Computer Science at the Technical University of Budapest in 2004. He continued his studies by enrolling in the Department of Electrical Engineering and Computer Science at Vanderbilt University where he is currently pursuing his Ph.D. under the guidance of Janos Sztipanovits. Janos is interested in applying Model-Integrated Computing techniques to address the security and privacy requirements in healthcare settings. His current research focuses on the model-based development of clinical information systems where he investigates how modeling, validation, verification and deployment of treatment protocols can be performed by using the example of sepsis management.

Ann Miura-Ko
FLOODGATE / Stanford University

Ann Miura-Ko is a co-founding partner at FLOODGATE where her investment interests include the innovations in e-commerce, security, and big data. In addition to serving at FLOODGATE, Ann is a lecturer in the School of Engineering at Stanford University, where she got her Ph.D. focused on mathematical modeling of computer security. She teaches High Tech Entrepreneurship with Steve Blank and is a frequent lecturer in courses such as Technology Venture Formation, High-tech Entrepreneurship, and the Mayfield Fellows Program. Many of her students have gone on to secure Angel and VC funding for their ideas. Prior to joining FLOODGATE and her stint at Stanford, Ann worked at Charles River Ventures and McKinsey and Company. Ann grew up in Palo Alto, California and, as a result, was exposed at an early age to the world of startups, technology and venture capital. She developed an early passion for robotics and went on to major in electrical engineering at Yale University where she received her B.S. degree. For her senior project, she was part of a five person team that designed four robots to autonomously play soccer. That team placed fourth at the second annual Robocup competition held in Paris, France in 1998.

Arvind Narayanan
Stanford University

Arvind Narayanan has a Ph.D. from the University of Texas at Austin and is a postdoctoral fellow at Stanford University. His research is focused on data anonymization, privacy, web security, and social networks. His paper on de-anonymization of large sparse datasets with Vitaly Shmatikov received the 2008 PET Award for Outstanding Research in Privacy Enhancing Technologies.

Adam J. Oliner
Stanford University

Adam Oliner is a Ph.D. student in the Computer Science Department at Stanford University, working with Alex Aiken. Adam was a DOE High Performance Computer Science Fellow and Honorary Stanford Graduate Fellow. Before coming to Stanford, he earned a Master's of Engineering in electrical engineering and computer science at MIT, where he also received undergraduate degrees in computer science and mathematics. He interned several times at IBM with the Blue Gene/L system software team and spent a summer studying supercomputer logs at Sandia National Labs.

Benjamin Rubinstein
Microsoft Research Silicon Valley

Prior to joining Microsoft Research Silicon Valley in the summer of 2010, Ben completed his Ph.D. at UC Berkeley under Peter Bartlett. His dissertation research focused on machine learning in computer security, and was based on work with Adam Barth, Peter Bartlett, Anthony Joseph, Dawn Song, and Doug Tygar at Berkeley, John Mitchell at Stanford, and Ling Huang and Nina Taft at Intel Labs Berkeley. During this time Ben was awarded the Yahoo! Key Scientific Challenges Award in Adversarial Machine Learning, Best Poster Award at RAID’08, and a Siebel Scholars fellowship. His current interests extend to applications of machine learning in privacy and security, search, measurement, social network analysis, and basic research questions in learning and statistics.

Galina Schwartz
University of California, Berkeley

Dr. Schwartz is a researcher in the Department of Electrical Engineering and Computer Sciences at the University of California, Berkeley. She is affiliated with the Network Economics Group and TRUST Center. Dr. Schwartz’s primary expertise is game theory and microeconomics. She is involved in projects in the areas of internet security, network reliability, quality of service (QoS) provision, security of cyber-physical systems (SCADA systems and applications to Smart Grid). Dr. Schwartz authored papers in economic and engineering journals. Recently she published on the subjects of network neutrality, residual cyber risks management and modeling of cyber-insurance markets, and security of networked control systems. In her earlier research, she has addressed governance (managerial incentives and compensation) and incentive effects of regulations. She has applied contract theory to analyze ownership structure(s) and contractual costs of multinational corporations and addressed the role of bureaucracies in environments with high transaction costs. Dr. Schwartz has been on the faculty of the Ross School of Business at the University of Michigan and has taught at the Economics Departments at UC Davis and UC Berkeley. Dr. Schwartz received her M.S. in mathematical physics from Moscow Institute of Engineering Physics (Russia) and Ph.D. in economics from Princeton University in 2000.


Steven Whang
Stanford University
Steven Whang is a Computer Science Ph.D. candidate at Stanford University advised by Prof. Hector Garcia-Molina. He is interested in entity resolution (also known as deduplication) and data privacy. His past work has been on developing general techniques for improving the accuracy, scalability, and maintainability of entity resolution. He is currently interested in applying fundamental entity resolution techniques to data privacy, where managing information leakage is becoming a critical problem.

Hakim Weatherspoon
Cornell University
Hakim Weatherspoon is an Assistant Professor in the Department of Computer Science at Cornell University. His research interests cover various aspects of cloud computing, information systems, distributed systems, network systems, and peer-to-peer systems with a particular focus on fault-tolerance, reliability, security, and performance of Internet-scale systems with decentralized (autonomous, federated, multi-organizational, and cooperative) control. Professor Weatherspoon received his Ph.D. from University of California, Berkeley and B.S. from University of Washington. He is a recipient of the IBM Faculty Partnership Award and a NetApp Faculty Fellowship.

Stephen Wicker
Cornell University
Stephen B. Wicker is a Professor of Electrical and Computer Engineering at Cornell University, and a member of the graduate fields of Computer Science and Applied Mathematics. Professor Wicker was awarded the 1988 Cornell College of Engineering Michael Tien Teaching Award and the 2000 Cornell School of Electrical and Computer Engineering Teaching Award. Professor Wicker teaches and conducts research in wireless information networks, digital systems, self-configuring systems, and artificial intelligence. His current research focuses on the use of probabilistic models and game theory in the development of highly distributed, adaptive sensor networks. He is also conducting joint research with the UC Berkeley School of Law on privacy policy and the impact of the deployment of sensor networks in public spaces. Professor Wicker is the Cornell Principal Investigator for the TRUST Science and Technology Center and he heads the Wireless Intelligent Systems Laboratory, whose focus is on the field of wireless networks, including traditional cellular networks, ad-hoc networks, and sensor networks.
