Visible to the public HotSoS 2019 Paper SynopsesConflict Detection Enabled

HotSoS 2019 Paper Synopses


Nashville, TN

April 3, 2019

The Sixth Annual 2019 Symposium and Bootcamp on the Science of Security (HoTSoS) was held April 2-3, 2019 at Vanderbilt University in Nashville, Tennessee. HoTSoS is a research event centered on the Science of Security (SoS), which aims to address the fundamental problems of security in a principled manner. SoS emphasizes the advancement of research methods as well as the development of new research results. This dual focus is intended to improve both the confidence gained from scientific results and the capacity to address increasingly technical problems. Overall, there were 43 paper authors and co-authors, 19 universities, 7 full papers, 6 Works in Progress papers, 3 special workshop papers, and 91 attendees.

Keynotes

Rebecca Wright (Barnard College and Rutgers University), Kevin Hamlen (University of Texas at Dallas) and Trent Jaeger (The Pennsylvania State University) were keynote speakers.

"Accountability in Computing" Rebecca Wright, Barnard College and Rutgers University

Prof. Wright's presentation explored using accountability as a useful paradigm to shift away from prevention based approaches. She sates that "accountability" is used to describe computer-security mechanisms that complement preventive security, but the word lacks a precise, agreed-upon definition. Current definitions focus on detection, evidence for 3d parties, judgment/blame, punishment, associating actions and IDs, and answerability across a spectrum ranging from prevention through detection, evidence, judgment, and punishment-- "the ability to hold an entity responsible for its actions." She argues the need for accountability in computing in a variety of settings, categorizes some of the many ways the term is used, and proposes a punishment-focused viewpoint. This view is formalized in a utility-theoretic way and is used to reason about accountability in computing systems: an entity is accountable with respect to policy P whenever the entity violates P, then it is or could be punished in a targeted fashion Mechanisms providing various senses of accountability as well as other approaches to reasoning about accountability-related properties are surveyed.

"Toward a Science of Cyberdeception" Kevin Hamlen, UT Dallas

Cyberdeception and creating a science around it was the topic covered by Prof. Hamlen. Cybersecurity is the most asymmetric form of warfare ever, he avers, and proposes leveling that asymmetry through deception. Traditional cyberdefense has focused mainly on keeping attackers out by eliminating software vulnerabilities, and by detecting and mitigating them. He argues software cyberdeception has the potential to offer advantages for cyberdefense, and might even be considered an "easy win" relative to traditional strategies that are unscalable or provably hard by comparison. However, it requires a deeply interdisciplinary approach that forces us to rethink how we approach certain aspects of software engineering, testing and evaluation, economics of security, human-computer interaction, software virtualization, and risk management. To succeed, a more rigorous science of software cyberdeception is required.

"The Science of Attack Surfaces and Its Applications" Trent Jaeger, The Pennsylvania State University

Prof. Jaeger said attack surfaces should be used as a principle for security because they can be computed systematically and tracked at runtime to aid detection and can leverage to drive improvement in software security. He said that according to Michael Howard of Microsoft, an attack surface is the number of "attack opportunities" a program or system makes available to adversaries. Since adversaries take advantage of undefended opportunities to launch exploits, understanding attack surfaces could be valuable. Examples of research approaches include the methods to use attack surface to compare relative security, identify vulnerabilities in file system access, and compute exploits within programs. A program's expected attack surface must be a superset of system deployment's attack surface. In 4/5 of programs, programmers expect > 55% of resource accesses to be the surface. His lessons learned include: unexpected attack surfaces can be created; programmers are not proactive about identifying and defending theirs; and adversaries seem to exploit nearly every undefended attack surface. His conclusions are that vulnerabilities are caused by a combination of factors/adversary must have access to run code to exploit flaw; lack of knowledge of attack surfaces leaves programs open to a range of attacks: examined vulnerabilities caused by adversaries exploiting unexpected attack surfaces to gain unauthorized access to files; and many attack surfaces have had vulnerabilities reported. He proposes an approach that attack surfaces be used as a principle for security because they can compute systematically and track at runtime to aid detection and can leverage to drive improvement in software security.

Papers

Papers were presented on subjects that included a distributed hospital recording and replay system; observability in cyber physical systems; a game theoretical model for cyber-warfare games; cyberdeception; situated information flow theory; attestation management; and browser fingerprinting. These papers are published in an ACM conference proceeding. Citations and DOIs are given with the descriptions.

Avesta Hojjati, Yunhui Long, Soteris Demetriou, and Carl A. Gunter. "Distributed Record and Replay for Medical Devices in Hospital Operating Rooms." In Hot Topics in the Science of Security Symposium (HotSoS), April 1-3, 2019, Nashville, TN, USA. ACM, New York, NY, USA, 10 pages. https://doi.org/10.1145/3314058.3314061

The authors describe the cybersecurity challenges of networked devices in hospital operating rooms and propose a distributed record and replay framework they call BEEER. Since medical devices there are increasingly interconnected, instructions and report results can be downloaded with less risk of error compared to traditional manual techniques. But, many of these devices are safety critical and risks from cyber-attacks can be extremely high. BEEER, they write, is suitable for environments where more than one safety critical device is in simultaneous use, such as in a hospital operating room where a number of networked devices work together. BEEER orders events during recording and uses a newly developed token mechanism to coordinate execution of the events during replay.

Suresh K. Damodaran and Paul D. Rowe. "Limitations on Observability of Effects in Cyber-Physical Systems." 2019 Copyright held by The MITRE Corporation. Publication rights licensed to ACM. ACM ISBN 978-1-4503-7147-6/19/04. https://doi.org/10.1145/3314058.3314065

Increased interconnectivity increases cyber attack surface. Observing the effects of these attacks is helpful in detecting them. The authors show that many attacks on cyber-physical systems result in a control loop effect they term Process Model Inconsistency (PMI). Their formal approach considers the relationships among incompleteness, incorrectness, safety, and inconsistency of process models. They show that incomplete process models lead to inconsistency. Intuitively, PMI occurs when the observations made in the known process model differ from those of the ground truth process model. It is possible to either not observe a PMI effect at all during or after an attack, or come to incorrect conclusions based on the observations of the effects of an attack on the controller or firmware. Inconsistency may arise even in complete and correct models.

Bradley Potteiger, Zhenkai Zhang, and Xenofon Koutsoukos. 2019. "Integrated Data Space Randomization and Control Reconfiguration for Securing Cyber-Physical Systems." In Hot Topics in the Science of Security Symposium (HotSoS), April 1-3, 2019, Nashville, TN, USA. ACM, New York, NY, USA, 10 pages. https://doi.org/10.1145/3314058.3314064

Utilizing an autonomous vehicle case study, the authors demonstrate a security framework against non-control data attacks. In the context of Cyber-Physical Systems (CPS), attacks can be executed against both authentication and safety. With the tightly coupled nature between the cyber components and physical dynamics, any unauthorized change to safety-critical variables may cause damage or even catastrophic consequences. Data Space Randomization (DSR) protects against non-control data attacks by changing the representation of variables stored in memory so that even if overwritten, result will differ from attacker's expectation. This work addresses the problem of maintaining system stability and security properties of a CPS in the face of non-control data attacks by developing a DSR approach for randomizing binaries at runtime, creating a variable redundancy based detection algorithm for identifying variable integrity violations, and integrating a control reconfiguration architecture for maintaining safe and reliable operation. The HoTSoS 2019 Best Paper Award was given to this paper.

Kimberly Ferguson-Walter, Sunny Fugate, Justin Mauger, and Maxine Major. 2019. "Game Theory for Adaptive Defensive Cyber Deception." In Hot Topics in the Science of Security Symposium (HotSoS), April 1-3, 2019, Nashville, TN. ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/3314058.3314063

In this work, the authors combines aspects of cyber security research, cyber deception techniques, and game theory and demonstrate a straightforward extension of prior game theory models of cyber defense through the use of individual player models of the game environment where the game structure and payoffs may be manipulated by another player. Prior research into game theoretic models for deception in network security was concerned with defender manipulation of signals sent to an attacker. In these models the defender's primary manipulation is deciding which machines in the network should be fake and which should be real and whether or not to send true or false signals regarding whether a system is real or not. The authors' approach assumes the attacker is fully cognizant of the nature of the deception and true parameters of the game environment for both players. The notation for the hypergame model presented here provides a framework to quantify how cyber deception can be used to influence players' perceptions of available moves and potential payoffs in a game with active misinformation. The scenario illustrated here is limited to depicting attacker and defender perceptions of available moves and potential payoffs in a misinformation game, but could be expanded to include online learning to fully implement an adaptive cyber deception solution.

Sebastian Benthall. 2019. "Situated Information Flow Theory." In Hot Topics in the Science of Security Symposium (HotSoS), April 1-3, 2019, Nashville, TN, USA. ACM, New York, NY, USA, 11 pages. https://doi.org/10.1145/3314058.3314066

Restricting the flow of personal information or data based on information categories is a key component of recent privacy rules. However data's meaning is not stable but is dependent on how it was formed and with what other information combined. The authors develop situated information flow theory (SIFT): a view of information flows as causal flows with nomic associations due to a larger context of causal relations to address this instability. SIFT is intended to be a scientifically valid theory of information flow based on probability theory. The semantics of situated information flow are precise within the statistical framework of Bayesian networks. This understanding of information flow has three policy implications: restrictions on data transfers are more precise and enforceable than restrictions on information flow; information 'categories' or meanings must be defined relative to a particular class of observers and take into account their reasonable background information; and the semantics of data are ambiguous when there is uncertainty about causal structure, and this structure is learned from data aggregation. The information asymmetry between data aggregators and individual data subjects are one reason why data processors are 'opaque' and difficult to regulate.

Adam Petz, Perry Alexander. 2019. "A Copland Attestation Manager." In Hot Topics in the Science of Security Symposium (HotSoS), April 1-3, 2019, Nashville, TN, USA. ACM, New York, NY, USA, 10 pages. https://doi.org/10.1145/3314058.3314060

The Copland Project at Kansas aims at formally specifying and building tools for remote attestation. The core Copland language definition provides a formally verified definition of attestation protocols. Based on the core language, researchers are developing tools for remote attestation including attestation managers, exchange formats, and attestation service providers. It has 2 types of semantics and includes a JavaScript Object Notation (JSON) language wrap. The JSON format is often used for serializing and transmitting structured data over a network connection. It is used primarily to transmit data between a server and web application, serving as an alternative to XML. Copland is a domain specific language that can be used in describing, analyzing and executing attestation protocols. Its formal semantics defines evaluation, sequencing, and dispatch of measurements resulting in evidence describing a system's state. That evidence is in turn appraised to determine if and how an external system will interact with it.

Bernhard Garn, Dimitris E. Simos, Stefan Zauner, Rick Kuhn, and Raghu Kacker. 2019. "Browser Fingerprinting using Combinatorial Sequence Testing." In Hot Topics in the Science of Security Symposium (HotSoS), April 1-3, 2019,Nashville, TN, USA. ACM, New York, NY, USA, 9 pages. https://doi.org/10.1145/3314058.3314062

This is a National Institute of Standards and Technology paper modeling 6 server side Transport Layer Security (TLS) handshakes using 6 standard browsers: Firefox, Google Chrome and Opera, and Microsoft IE and Edge. The authors apply combinatorial sequence testing methods to the problem of fingerprinting browsers based on their behavior during the handshake. They created an appropriate abstract model of the TLS handshake protocol and used it to map browser behavior to a feature vector and use them to derive a distinguisher. Using combinatorial methods, they created test sets consisting of TLS server-side messages as sequences that are sent to the client as server responses during the TLS handshake. They then evaluated their approach with a case study showing that combinatorial properties have an impact on browsers' behavior and concluded combinatorial methods are applicable to the problem of fingerprinting browsers.

T. Bao, Y. Shoshitaishvili, R. Wang, C. Kruegel, G. Vigna and D. Brumley, "How Shall We Play a Game?: A Game-theoretical Model for Cyber-warfare Games," 2017 IEEE 30th Computer Security Foundations Symposium (CSF), Santa Barbara, CA, 2017, pp. 7-21. doi: 10.1109/CSF.2017.34 http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8049648&isnumber=8049639

The authors present a cyber-warfare model which considers strategies over time, addresses players' uncertainty about their opponents, and accounts for new offensive and defensive techniques that can be employed for cyber-warfare, such as the ricochet attack and Automatic Patch-Based Exploit Generation (APEG). They propose algorithms for computing the Nash equilibrium of their model. This algorithm, they argue, is able to find better strategies than previous work could. By solving the game model, they allow decision makers to calculate utility in scenarios like patch-then-exploit, as well as show where, in the parameter space of the game model, it makes more sense to patch than to attack. This model also challenges previous results which concluded that at least one player should attack, by showing scenarios where attacking is not optimal for either player. This paper won the 6th Annual Best Scientific Cybersecurity Paper Competition in 2018.

There was a new format for discussing draft papers. In this approach, a faculty member serves as critic and mentor to a student author who has submitted a draft. The two describe the work. The critic asks questions or makes comments and then the author may rebut or accept those critiques. Audience participators could request copies of the drafts in advance and participate in a discussion of the work. Since these are not yet finished, a description of the detailed contents is embargoed.

A session on Works-in-Progress / Works-already-Published included "Attacks on Electricity Markets," Carlos Barreto and Xenofon Koutsoukos(Vanderbilt); "Ethics in Norm-Aware Agents," Nirav Ajmeri, Hui Guo, Pradeep Kumar Murukannaiah and Munindar Singh (NC State); "A Graph-Based Analysis of Industrial Control Systems Network Traffic," Imani Palmer, Shane McFly and Edmond Rogers (UIUC); "A Multidimensional Multilevel Model for Smart Environment," Amir Modarresi, John Symons and James Sterbenz; "Search Prevention using Captchas against Web Search Engine: A Proof of Concept," Luke Sample and Donghoon Kim (Arkansas State); "The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception," Kimberly Ferguson-Walter, Temmie Shade, Andrew Rogers, Elizabeth Niedbala, Michael Trumbo, Kevin Nauer, Aaron Jones, Angela Combs and Robert Abbott. Synopses of the presentations that have already been published will be available in a companion document. The works in progress are embargoed, similar to the special session papers. If interested in the work, please contact the author(s) directly.