TRUST Security Seminar

   Thursday, January 27, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. Industrial Control Systems (ICSs) operate the industrial infrastructures world-wide including electric power (including Smart Grid), water, oil/gas, pipelines, chemicals, mining, pharmaceuticals, transportation, and manufacturing. ICSs measure, control, and provide a view of the physical process. These systems are different than business IT systems and require different technologies, policies, and testing. ICS cyber security is real - there have been more than 180 actual ICS cyber incidents to date with impacts ranging from trivial to significant environmental damage to significant equipment damage to major electric outages to deaths. Recent examples of ICS cyber incidents were the Stuxnet worm targeting the Iranian nuclear facilities and the unintentional San Bruno natural gas pipeline failure. The purpose of the presentation is to provide an understanding of:

• what are ICSs
• how are they different than IT systems
• what has happened to date
• what needs to be done to secure these system
• what should the university be doing

This presentation should be of interest to those in computer science studying cyber security wanting to know more about critical infrastructure and those in engineering (electrical, mechanical, chemical, and nuclear) wanting to more about cyber security.  

Joseph Weiss is an industry expert on control systems and electronic security of control systems, with more than 35 years of experience in the energy industry. Mr. Weiss spent more than 14 years at the Electric Power Research Institute (EPRI) where he led a variety of programs including the Nuclear Plant Instrumentation and Diagnostics Program, the Fossil Plant Instrumentation & Controls Program, the Y2K Embedded Systems Program and, the cyber security for digital control systems. As Technical Manager, Enterprise Infrastructure Security (EIS) Program, he provided technical and outreach leadership for the energy industry's critical infrastructure protection (CIP) program. He was responsible for developing many utility industry security primers and implementation guidelines. He was also the EPRI Exploratory Research lead on instrumentation, controls, and communications. Mr. Weiss serves as a member of numerous organizations related to control system security. These include the North American Electric Reliability Corporation (NERC) Control Systems Security Working Group (CSSWG), the International Electrotechnical Commission (IEC) Technical Committee (TC) 57 Working Group 15 - Data and Communication Security, the Process Controls Security Requirements Forum, CIGRE WG D2.22 - Treatment of Information Security for Electric Power Utilities (EPUs), and other industry working groups. He served as the Task Force Lead for review of information security impacts on IEEE standards. He is also a Director on ISA's Standards and Practices Board. Mr. Weiss was involved in the development of, and participated in, the April 2002 White House Conference on CIP - "Developing Secure Digital/Electronic Process Control Systems for the Nation's Critical Infrastructures." He was an invited speaker at the NIST/NSA Information Security Summit. He has provided oral and written testimony to three House subcommittees, one Senate Committee, and a formal statement for the record to another House Committee. He has also responded to numerous Government Accountability Office (GAO) information requests on cyber security and Smart Grid issues. He is also an invited speaker at many industry and vendor user group security conferences, has chaired numerous panel sessions on control system security, and is often quoted throughout the industry. He has published over 60 papers on instrumentation, controls, and diagnostics including a chapter on cyber security for Electric Power Substations Engineering and the book Protecting Industrial Control Systems from Electronic Threats (ISBN 978-1-60650-197-9). He supported MITRE and NIST in extending NIST SP800-53 to include control systems and the development of NIST SP800-82. He was tasked to write the White Paper on Industrial Control Systems Security for the Center for Strategic and International Studies Blue Ribbon Panel preparing cyber security recommendations for the Obama administration. Mr. Weiss has conducted SCADA, substation, plant control system, and water systems vulnerability and risk assessments and conducted short courses on control system security. He has also been asked to participate in an advisory committee being established by the Transportation Safety Board on Cyber Security for Mass Transit meeting in August 2010. He also established and chairs the annual Control System Cyber Security Conference and established the International Standards Coordination Meeting on Control System Cyber Security. Mr. Weiss has received numerous industry awards, including EPRI Presidents Award (2002) and is an ISA Fellow and a member of the ISA Engineering, Science, and Technology Policy Committee. He has two patents on instrumentation and control systems, is a registered professional engineer in the State of California, and a Certified Information Security Manager.

   Thursday, February 3, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. Online tracking is pervasive: the average popular website incorporates over fifty third-party tracking mechanisms. And online tracking is unpopular: a majority of Americans oppose the practice. Do Not Track is a technology and policy response that would provide users with a simple, universal web tracking opt-out. Both the Federal Trade Commission and the Department of Commerce have signaled support. This talk explores central questions in the ongoing web privacy debate:

• What should Do Not Track prohibit?
• How should it be implemented?
• Who should implement it?
• Who should enforce it, and how?
• What would the economic impact be?
• Could it actually happen?

To learn more, visit http://donottrack.us and follow @donottrack.  

Jonathan Mayer is a graduate student in Computer Science and Law at Stanford University, where he is a Student Fellow at the Center for Internet and Society. He received his undergraduate degree from Princeton University in 2009 with a concentration in the Woodrow Wilson School of Public and International Affairs. Jonathan's area of study encompasses the intersections of policy, law, and computer science, with particular emphasis on computer security and national security. A proud Chicago native, he is undaunted by freezing weather and enjoys celery salt on a hot dog.

   Thursday, February 17, 2010
  

   Thursday, February 24, 2010 at 1:00 PM
   540 Cory Hall (NOTE DIFFERENT LOCATION)

Abstract. As the healthcare industry is undergoing a transformation, privacy and security are still principal hindrances to the adoption and widespread acceptance of healthcare information systems. This is understandable; as the consequence of a breach or compromise may be quite severe. For this reason, practical security systems in healthcare allow practitioners to "break the glass"; as "nothing interferes with the delivery of care" (the Prime Directive of the Healthcare industry). In this talk, the reality of this situation is presented and an approach is provided on reducing the current associated problems in the field.    

Tyrone W Grandison is a Research Staff Member at the Thomas J. Watson Research Center. He received a B.S. degree in Computer Studies (Computer Science and Economics) from the University of the West Indies in 1997, a M.S. degree in Software Engineering in 1998 and a Ph.D. degree in Computer Science from the Imperial College of Science, Technology & Medicine in London. He then joined IBM at the Almaden Research Center in California, where he worked on data privacy and security. In 2010, he joined the Global Healthcare Transformation team as Program Manager for Core Healthcare Services. Dr. Grandison is a Distinguished Engineer of the Association of Computing Machinery (ACM), a Senior Member of the Institute of Electrical and Electronics Engineers (IEEE), a Fellow of the British Computer Society (BCS), has been recognized by the National Society of Black Engineers (as Pioneer of the Year in 2009), the Black Engineer of the Year Award Board (as Modern Day Technology Leader in 2009, and Minority in Science Trailblazer in 2010) and has received the IEEE Technical Achievement Award in 2010 for "pioneering contributions to Secure and Private Data Management". He has authored over 70 technical papers and co-invented over 20 patents.

   Thursday, March 3, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. As networking becomes increasingly prevalent, malicious network behavior can no longer be ignored. In this talk, I will describe my work on dealing with malicious behavior in three different areas: wireless broadcast, medium access control in wireless networks, and malicious messages in vehicular safety networks. Broadcast jamming is a challenging problem because using traditional spread spectrum technology, a receiver has enough information to jam a transmission. I will first present a scheme that mitigates broadcast jamming through asymmetric knowledge, wherein a sender has more information than any subset of receivers. Medium access control suffers from a similar problem: information that allows a potentially conflicting sender to avoid a transmitter also allows an attacker to jam that transmission. I will present an approach that denies jammers the information they need to jam while still providing interference avoidance from legitimate receivers. Finally, I will discuss how the need to cope with malice, and thus the need for some form of revocation, affects design decisions in vehicular safety networks.    

Yih-Chun Hu received the B.S. degree in computer science and pure mathematics from the University of Washington, Seattle, in 1997 and the Ph.D. degree in computer science from Carnegie Mellon University, Pittsburgh, PA, in 2003. He is an Assistant Professor in the Department of Electrical and Computer Engineering, University of Illinois at Urbana-Champaign, Urbana. In his thesis work at Carnegie Mellon Univerity, he focused on security and performance in wireless ad hoc networks. After receiving the Ph.D. degree, he worked as a Postdoctoral Researcher at the University of California, Berkeley, doing research in the area of network security. His research interests include systems and network security.

   Thursday, March 10, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. I will describe novel protocols that allow an untrusted data aggregator to periodically learn desired statistics over multiple participants' data, without compromising each individual's privacy. Our constructions are efficient, fault-tolerant, and require only a single round of client-to-server communication in each aggregation period. Our constructions also exemplify the power of combining differential privacy techniques with cryptographic techniques. Particularly, we demonstrate that in our application scenario, the utility of any scheme that satisfies information-theoretic differential privacy is asympototically worse than our proposed constructions which employ computational differential privacy. Our protocols can be used to address the privacy issues in numerous domains, including smart grids, sensor networks, population sensing and monitoring, etc.    

Elaine Shi is a Research Scientist at UC Berkeley and a Member of the Research Staff at the Palo Alto Research Center. Her research interests include security and privacy in general, with an emphasis on data privacy, applied cryptography, Trusted Computing, and applying data mining techniques to security and privacy. She obtained her Ph.D. from Carnegie Mellon University in 2008, and her thesis research focused on constructing efficient and expressive searchable encryption schemes.

   Thursday, March 17, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. Today's Web is the ubiquitous cyber-world where everything happens: we work, we play, we live our lives. Unfortunately, very early criminals realized the potential of the World Wide Web as a platform for hosting, delivering, and managing large malware installations, whose goal is the creation of revenue by stealing and abusing the very information made accessible by the Web.

One of the latest trends in web-based malware is the leveraging of legitimate web sites for the delivery of attacks that target vulnerabilities in client-side software. Therefore, badly developed software and overtly malicious code both contribute to the overall threat. This talk presents recent research on addressing the two facets of this problem: How can we make Web applications more secure? How can we detect and block attacks against the components of the World Wide Web?    

Giovanni Vigna is a Professor in the Department of Computer Science at the University of California, Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and intrusion detection. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, which every year involves dozens of educational institutions around the world.

   Thursday, March 24, 2011
  

   Thursday, March 31, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this presentation, we propose a new approach to automated response called the Response and Recovery Engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. RRE applies attack-response trees to analyze undesired security events and their countermeasures using Boolean logic to combine lower-level attack consequences. In addition, RRE accounts for uncertainties in intrusion detection alert notifications. RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from attack-response trees. The application of RRE to power grid security will be illustrated.  

William H. Sanders is a Donald Biggar Willett Professor of Engineering, the founding Director of the Information Trust Institute, and the Director of the Coordinated Science Laboratory at the University of Illinois at Urbana-Champaign. He is a professor in the Department of Electrical and Computer Engineering and Affiliate Professor in the Department of Computer Science. He is a Fellow of the IEEE and the ACM, a past Chair of the IEEE Technical Committee on Fault-Tolerant Computing, and past Vice-Chair of the IFIP Working Group 10.4 on Dependable Computing.

Dr. Sanders's research interests include secure and dependable computing and security and dependability metrics and evaluation, with a focus on critical infrastructures. He has published more than 200 technical papers in those areas. He is currently the Director and PI of the DOE/DHS Trustworthy Cyber Infrastructure for the Power Grid (TCIP) center, which is at the forefront of national efforts to make the U.S. power grid smart and resilient.

He is also co-developer of three tools for assessing computer-based systems: METASAN, UltraSAN, and Möbius. Möbius and UltraSAN have been distributed widely to industry and academia; more than 500 licenses for the tools have been issued to universities, companies, and NASA for evaluating the performance, dependability, and security of a variety of systems. He is also a co-developer of the Loki distributed system fault injector, the AQuA/ITUA middlewares for providing dependability/security to distributed and networked applications, and the NetAPT (Network Access Policy Tool) for assessing the security of networked systems.

   Thursday, April 7, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. An increasing amount of physiological monitoring data is displayed on medical devices around the world every day. By and large, the vast majority of this data is lost once it has passed off the monitor screen. However, opportunities now exist to utilize this data for improved care of those patients within the critical care settings and for clinical research. A key issue in this regard is how this type of data can be archived for inclusion within the patient's medical record for later clinical use, and also as a resources for later clinical research. Current research in our group at the University of Ontario Institute of Technology is demonstrating how this can be achieved in intensive care settings. Additionally, it is possible to extend the critical support provided to clinicians such that patients may be located within or outside their intensive care unit, or between such units.  

Mike Eklund is an Assistant Professor and Program Director for Electrical and Software Engineering at the University of Ontario Institute of Technology. His current research focuses on information technology for critical care, focusing on intensive care units and extensions of critical care into remote care. While a Visiting Postdoctoral Scholar at UC Berkeley he was involved with the Software Enabled Control Capstone projects, CHESS DGC3 project, the TRUST Electronic Medical Records project and was a SUPERB supervisor with TRUST. He received his PhD from Queen's University in Kingston, Ontario.

   Thursday, April 14, 2011 at 1:00 PM
   540 Cory Hall (NOTE DIFFERENT LOCATION)

Abstract. Cybersecurity, which comprises numerous interrelated components, and software assurance are inextricably intermingled. The former extends the boundary of physical security to the domain of cyberspace, while the latter provides the means for delivering on the promise that we can depend on the technologies that implement cyberspace. Secure systems must be dependable, and dependable systems fail if they are not secure. Unreliable software is inherently insecure. Unfortunately, cybersecurity practice and policy are largely heuristic, reactive, and increasingly cumbersome, struggling to keep pace with rapidly evolving threats. Advancing beyond this predominantly reactive posture will require a transformation in computing and communication systems architectures. New capabilities are required that don't merely solve today's plethora of security enigmas, but enable comprehensive game-changing strategies such as:

• Moving target, systems that move in multiple dimensions to the attacker's disadvantage and to increase resiliency.
• Tailored trustworthy spaces, security tailored to the needs of a particular transaction rather than the reverse.
• Cybereconomic incentives, a landscape of incentives that reward good cybersecurity and ensure that crime doesn't pay.

   

Rick Sheldon is a Senior Scientist at Oak Ridge National Laboratory currently focusing on cyberspace and information intelligence research. With 25+ years of experience in the fields of software engineering and computer science, he has held faculty appointments with research universities including R&D positions at three fortune 100 companies. He lead several significant efforts in Formal Methods for Integrated Diagnostics (WPAFB) and the YF-22 VMS Kernel (USAF); visiting scholar at NASA (Langley and Ames/Stanford); published 80+ papers and edited five books/proceedings concerned with developing and validating models, applications, methods and tools for the creation of safe, secure and dependable systems. Sheldon is co-inventor on several pending patents, IEEE Sr. Member, Sigma Xi outstanding dissertation; recently, received a key contributor & significant event award from UT-Battelle for excellence in technology transfer at ONRL; received his Ph.D. from the University of Texas at Arlington.

   Thursday, April 21, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. We explore the problem of managing information leakage by connecting two hitherto disconnected topics: entity resolution (ER) and data privacy (DP). As more of our sensitive data gets exposed to a variety of merchants, health care providers, employers, social sites and so on, there is a higher chance that an adversary can "connect the dots" and piece together our information, leading to even more loss of privacy. For instance, suppose that Alice has a social networking profile with her name and photo and a web homepage containing her name and address. An adversary Eve may be able to link the profile and homepage to connect the photo and address of Alice and thus glean more personal information. The better Eve is at linking the information, the more vulnerable is Alice's privacy. Thus in order to gain DP, one must try to prevent important bits of information being resolved by ER. In this presentation, we formalize information leakage and list several challenges both in ER and DP. We also propose using disinformation as a tool for containing information leakage.    

Steven Whang is Steven Whang is a Computer Science PhD candidate at Stanford University advised by Prof. Hector Garcia-Molina. He is interested in entity resolution (also known as deduplication) and data privacy. His past work has been on developing general techniques for improving the accuracy, scalability, and maintainability of entity resolution. He is currently interested in applying fundamental entity resolution techniques to data privacy, where managing information leakage is becoming a critical problem.

   Thursday, April 28, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. Today's users have a limited range of choices in managing their online identity. They can use their real name or a long-term pseudonym, thereby lending context and credibility to information they publish but retaining no control over their privacy, or they can post anonymously, ensuring strong privacy but lending no additional credibility to their posts. We aim to develop a new type of online identity that allows users to publish information anonymously and unlinkably while simultaneously backing their posts with the credibility offered by a single identity with a persistent reputation.

We achieve these seemingly contradictory goals through a novel cryptographic primitive we call "signatures of reputation" along with improved techniques for private information retrieval. Combined intelligently, these building blocks allow users to accumulate reputation over time and attach a proof of their current reputation to any information they post online, all while maintaining the unlinkability of their actions. Because of the unlinkability provided, the user is free to use a single identity across all applications, thereby obtaining the most reputation.    

John Bethencourt is a Ph.D. student in Computer Science at UC Berkeley advised by Professor Dawn Song. Previously, he studied at the University of Wisconsin and Carnegie Mellon University. His research has focused on topics in cryptography and privacy, including private information retrieval, attribute based encryption, and searchable encryption.

   Thursday, May 5, 2011 at 1:00 PM
   Soda Hall, Wozniak Lounge

Abstract. Deductive and inductive reasoning have been the staple of automated reasoning about protocols, software, and hardware systems over the last five decades. In this talk, I will discuss how the classical reasoning techniques can be extended with automatic inference of protocols from their implementations, and more generally, how automatic inference of software abstractions could impact security and verification.

As a particular example, the I will discuss inference of protocol state machines in the realistic high-latency network setting, and applying it to the analysis of botnet Command and Control (C&C) protocols. The proposed technique enables an order of magnitude reduction in the number of queries and time needed to learn a proprietary botnet C&C protocol compared to classic algorithms. I will also show that the computed protocol state machines enable formal analysis for botnet defense, including finding the weakest links in a protocol, uncovering protocol design flaws, inferring the existence of unobservable communication back-channels among botnet servers, and finding deviations of protocol implementations which can be used for fingerprinting.

Finally, I will discuss some recent extensions of the above described work, and possible directions for the future research.    

Domagoj Babic received his Dipl.Ing. in Electrical Engineering and M.Sc. in Computer Science from the Zagreb University (Faculty of Electrical Engineering and Computing) in 2001 and 2003. He received his Ph.D. in Computer Science in 2008 from the University of British Columbia. After spending some time in industry, he joined UC Berkeley, as a research scientist.

Domagoj's research focuses on various aspects of software analysis (software verification, security, and testing), decision procedures, grammatical inference, and applied formal methods in general.

He is a recipient of the Canada's NSERC PDF Research Fellowship (2010-2012), Microsoft Graduate Research Fellowship (2005-2007), Fulbright Fellowship (declined to attend UBC), and several awards at international programming competitions (1st place at the 2007 Satisfiability Modulo Theories competition in the bit-vector arithmetic category and 3rd place at the 2005 Satisfiability Testing competition in the satisfiable-crafted instances category).

Details about how the seminar is managed can be found at How is the TRUST Seminar managed?