
NDSS 2016 Grants Distinguished Papers Awards

This morning at the 2016 Network and Distributed System Security Symposium (NDSS), four papers were given “Distinguished Paper Awards.” They are listed here, with links to the full papers:

Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH
Karthikeyan Bhargavan and Gaetan Leurent (INRIA)

ProTracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting
Shiqing Ma, Xiangyu Zhang and Dongyan Xu (Purdue University)

Forwarding-Loop Attacks in Content Delivery Networks
Jianjun Chen, Xiaofeng Zheng, Haixin Duan and Jinjin Liang (Tsinghua University and Tsinghua National Laboratory for Information Science and Technology) and Jian Jiang (University of California, Berkeley) and Kang Li (University of Georgia) and Tao Wan (Huawei Canada) and Vern Paxson (University of California, Berkeley and ICSI)

SKEE: A Lightweight Secure Kernel-level Execution Environment for ARM
Ahmed Azab, Kirk Swidowski, Rohan Bhutkar, Jia Ma, Wenbo Shen, Ruowen Wang and Peng Ning (Samsung Research America)

There were awards for Distinguished Posters, too. We will highlight those once the posters are available online.

Are you at NDSS? Let us know how it’s going, your favorite presentations so far, and remember to use #NDSS16 if you’re on social media!


NDSS 2016 Papers Now Online

NDSS 2016 is well underway. Yesterday, there were three wonderful workshops covering TLS, Online Privacy, and Usable Security. The rest of the conference begins today, covering those topics plus other aspects of security, malware, mobile privacy, user authentication, and more.

The web team is working hard to get all the papers published. You can find them at:

In addition, we’ll publish the slides from all the presentations as soon as we can, so stay tuned to the NDSS website for those.

If you’re at NDSS this week and on social media, please use #NDSS16 and like us on Facebook!


NDSS Workshop on Understanding and Enhancing Online Privacy

On 21 February, we’re holding a workshop on Understanding and Enhancing Online Privacy (UEOP) co-located with the Network and Distributed System Security Symposium (NDSS).

The mainstream focus in privacy research has long been on designing software from the ground up, providing firm guarantees on the provided privacy properties. Such a “bottom-up” approach is undoubtedly crucial for achieving better online privacy in the long term. Nevertheless, there is also a clear need for “top-down” research, understanding online privacy in the present online digital user habitats and proposing solutions that are easily deployable in existing infrastructures.

The motivations for such a “top-down” approach are manifold. First, users need support for understanding the privacy-relevant consequences of their behaviour in today’s online systems. Secondly, re-designing a system from scratch is often too costly, while easily deployable plugins may be effective already in the short term. Technology able to assess, predict, and mitigate online privacy threats is of course also useful for guiding “bottom-up” research aiming at privacy enforcement in the long term.

Understanding privacy in online user habitats necessarily has to cope with highly incomplete information. While top-down methods for understanding some privacy-relevant open-world phenomena in the Internet have been researched (most prominently, information spreading in the context of social networks, recommendation systems, and marketing), and many basic technologies relevant to such understanding are well-investigated (e.g., large-scale information retrieval, image analysis, software analysis, record linkage), their application to the understanding and enhancing of online privacy remains under-explored, and has partly not yet been considered at all. Pursuing such an approach poses major technical challenges, which only collaboration across several sub-areas of computer science can solve.

Scope of the Workshop

This workshop is intended to be the first of a series providing a forum for discussing issues and proposing solutions in this context, directed at researchers from privacy and adjacent research areas. Topics of interest include, but are not limited to:

  • data and action linkability
  • privacy metrics
  • data dissemination and information spreading
  • what-if-analysis and privacy threat prediction
  • privacy in social networks and microblogging systems
  • privacy in cloud and big data applications
  • location privacy
  • privacy in mobile and portable devices
  • behavioral targeting
  • data analytics
  • user profiling and data mining
  • economics of privacy and game-theoretical approaches to privacy
  • human factors and usability
  • privacy in electronic currencies

Workshop Program

UEOP 2016 will begin with an Invited Talk by Emiliano De Cristofaro, on The Genomics Revolution: The Good, The Bad, and The Ugly. Then, six technical papers will be presented, on aspects relating to:

  • Software landscape analysis:

Longitudinal Analysis of the Third-party Authentication Landscape (Anna Vapen, Niklas Carlsson and Nahid Shahmehri)

Experimental Analysis of Popular Anonymous, Ephemeral, and End-to-End Encrypted Apps (Lucky Onwuzurike and Emiliano De Cristofaro)

  • Online privacy attacks:

Traffic Confirmation Attacks Despite Noise (Jamie Hayes)

On Epigenomic Privacy: Tracking Personal MicroRNA Expression Profiles over Time (Michael Backes, Pascal Berrang, Anne Hecksteden, Mathias Humbert, Andreas Keller and Tim Meyer)

  • Understanding Online User Privacy Preferences:

Privacy Trade-Offs of Geo-Location (Laura Brandimarte and Alessandro Acquisti)

Raise the Curtains: The Effect of Transparency about Targeted Advertising on Attitudes and Behavioral Intentions (Sonam Samat and Alessandro Acquisti)

The workshop will be concluded by an open discussion inviting all participants to voice their personal stance on Quo Vadis, UEOP: What UEOP research should, or should not, be focusing on in the future.

If you’ll be at NDSS, I hope you will join us for the UEOP Workshop on Sunday. If you can’t attend in person, stay tuned to the NDSS website for the published papers and talks.


Security Excellence at NDSS 2016

We all know security matters. And great things are achieved by chipping at the details. The Network and Distributed System Security Symposium (NDSS) provides a few good examples of how academic work is one way in which the broad technical community takes responsibility and impacts the landscape. NDSS 2016 takes place 21-24 February 2016 in San Diego, California, and registration is open now.

At its core, the Internet Society’s collaborative security framework is approaching security as a distributed process. It is a process whereby various actors accept their responsibilities, in their respective roles, to decrease the various risks that we are exposed to when using the Internet. The open processes – where information is shared, discussed, criticized, and eventually leads to implementable improvements – are part of the genome from which the Internet is built and are at the core of the Collaborative Security idea.

The academic method is the archetype for these open processes: peer review, publication, and intellectual accountability bring constant improvement and innovation. Academic research, specifically applied security research, is an important tool to improve global Internet security. The NDSS Symposium, hosted by the Internet Society, is one of the most renowned conferences in this field.

As the NDSS website mentions, the conference brings together leaders in cyber security — university researchers and educators, chief technology and privacy officers, security analysts and system administrators, and operations and security managers – to encourage and enable the Internet community to apply, deploy, and advance the state of available network and distributed system security technology. In order to have the greatest impact, the peer reviewed papers are freely available and reproducible (for noncommercial purposes).

Let's have a look at the program.

In addition to the main symposium, NDSS is hosting three workshops this year.

“TLSv1.3 – Ready or Not?” (TRON)

The TRON workshop intends to take a hard stab at the newest version of the Transport Layer Security (TLS) protocol. TLS is a generic building block to provide confidentiality and integrity in the Internet Protocol suite. It is used to provide end-to-end encryption and authentication for web traffic, for mail traffic, for messaging traffic, and virtually any other form of conceivable Internet communication. The newest version of TLS, version 1.3, has just been specified by the IETF. Now, it is notoriously hard to implement cryptographic primitives into protocols. We (the NDSS program committee, IETF protagonists, and my ISOC colleagues) figured it would be a good idea to create the opportunity to allow “security researchers [to] have a real, immediate, and lasting impact on the security of the deployed Internet.”

Understanding and Enhancing Online Privacy (UEOP)

In the UEOP workshop, researchers are taking a look at how to improve the privacy of existing systems by supplying solutions that are easily deployable. The workshop intends to explore applications of the current understanding of privacy sensitive technologies and phenomena to enhance online privacy. In contrast to a clean slate approach, the evolutionary approach that the workshop organizers want to focus on resonates with what I think is the best way to approach large scale Internet issues. (The organizers use the unfortunate and ambiguous terms ‘bottom-up’ and ‘top-down’ in the description of the workshop for what I read as clean-slate and evolutionary respectively).

Usable Security (USEC)

The USEC workshop explores how better security can be achieved when we – ethical, social and economically acting beings – interact with the security solutions at our disposal. The USEC workshop was hosted at NDSS last year as well, and a good overview of the various topics that are being discussed at the upcoming workshop can be gained from last year’s papers.

The rest of the program

The NDSS 2016 Symposium program itself is quite robust with a keynote and 60 academic papers. Some of the abstracts caught my interest because they are likely to inform and influence current societal discourse and/or have an almost immediate impact in improving Internet Security.

In addition to the TRON workshop, the first session includes a number of papers that expose vulnerabilities in the current use of TLS. A paper by Bhargavan and Leurent explores how weak exploits in transport layer protocols can be exploited. The vulnerability they found has been disclosed as “SLOTH” which led one commenter to observe: “The big “cryptographic cracking” story so far in 2016 is SLOTH, which is not only interesting and important, but also a VUWACONA, making it eye-catching as well. VUWACONA is short for Vulnerability With A Cool Name, our new acronym for bugs like LOGJAM, FREAK and Poodle.”

In the second session Czyz et al. promise a discussion about the state of the implementation of IPv6 security policies as compared to the implementation of IPv4 security policies; they find several high-value target applications with a comparatively open security policy. In addition, Malhotra et al. will discuss the security of the Network Time Protocol (NTP), one of the core building block network functions that, when vulnerable, impacts the functioning of other parts of the Internet. The research represented in this paper has already resulted in updates to deployed NTP software (here and here). This is an excellent example of quality research and responsible collaborative action taken to improve Internet infrastructure.

Session 3 on Web Security includes a paper by Rafique et al. that explores the security aspects of free live streaming services, maps the ecosystem and proposes a methodology to automate the identification of these services, which are often the source of pirated content and malware. The other papers also apply automated methodologies to detect misconfiguration, misbehavior, and vulnerabilities.

There are several privacy tracks at the conference, one of which deals with privacy and mobile devices. In this session a light is shone on the various privacy aspects that have to do with using the Mobile Internet. Obviously we all know that the use of these devices has an impact on what others may be able to know about us. The majority of the papers promise to expose mechanisms that can be (or are) used to create a much richer picture of individuals than what they knowingly share with consent. I suspect that the details will demonstrate that the possibilities and scale are (again) beyond my wildest dreams, or nightmares.

There is one fascinating miscellaneous session that talks about crypto currencies, captchas, and gamebots. Danezis and Meiklejohn introduce a centrally banked cryptocurrency. As a rather distant observer of cryptocurrencies I find the multidisciplinary nature and the potential societal impact of these ideas more than fascinating.

The conference features a whole slew of papers on system security. These papers are distributed over two sessions on system and software security (session 8 and session 12) and one on Android security. The papers in these sessions all look at the integrity of the systems that we use all the time, and which surround us. In the abstract of a paper by Formby et al. on Industrial control systems I read “The distributed networks are difficult to physically secure, legacy equipment can make cryptography and regular patches virtually impossible, and compromises can result in catastrophic physical damage.” The paper introduces two fingerprinting techniques to detect intrusion. While this is important to secure the existing infrastructure it is also important to draw lessons from this, because that quote above doesn’t only apply to Industrial Control Systems that have been built a decade or two ago but also to the Internet of Things that we are rolling out now.

The papers coming out of this conference and other security conferences impact how we think about and implement security. Some serve as a wake-up call, some provide solutions, and some expose real problems.

The papers will be available from the NDSS 2016 web site shortly after the conference. We will be tracking the conference and highlighting and interpreting some of the papers that inspire us.

If all of this sounds interesting, there is still time to register for NDSS 2016 and come participate in these sessions!