Security '08 Banner

TECHNICAL SESSIONS

Conference papers are available to conference registrants immediately and to everyone beginning July 30, 2008. Everyone can view the proceedings front matter immediately.

Proceedings Front Matter: Title Page | Conference Organizers and External Reviewers | Table of Contents | Index of Authors | Message from the Program Chair

Tech Sessions: Wednesday, July 30 | Thursday, July 31 | Friday, August 1 | Invited Talk Speakers
Wednesday, July 30
9:00 a.m.–10:30 a.m. Wednesday

Regency Ballroom

Opening Remarks, Awards, and Keynote Address

Program Chair: Paul Van Oorschot, Carleton University

Bowen Keynote Address
Dr. Strangevote or: How I Learned to Stop Worrying and Love the Paper Ballot

Debra Bowen, California Secretary of State

Video View the video

MP3 IconListen in MP3 format


10:30 a.m.–11:00 a.m.   Break
11:00 a.m.–12:30 p.m. Wednesday

REFEREED PAPERS

Regency 2

Web Security

Session Chair: Catherine Zhang, IBM Research

All Your iFRAMEs Point to Us
Niels Provos and Panayiotis Mavrommatis, Google Inc.; Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University

Paper in HTML | PDF

MP3 IconListen in MP3 format

Securing Frame Communication in Browsers
Adam Barth, Collin Jackson, and John C. Mitchell, Stanford University

Paper in HTML | PDF

MP3 IconListen in MP3 format

Automatic Generation of XSS and SQL Injection Attacks with Goal-Directed Model Checking
Michael Martin and Monica S. Lam, Stanford University

Paper in HTML | PDF

MP3 IconListen in MP3 format

INVITED TALKS

Regency 1

Political DDoS: Estonia and Beyond
Jose Nazario, Senior Security Engineer, Arbor Networks

Video View the video

MP3 IconListen in MP3 format

View the presentation slides

In the spring of 2007, the country of Estonia suffered a deluge of distributed denial of service (DDoS) attacks, coordinated to coincide with street-level protests. These attacks caused nationwide problems for the heavily wired country of Estonia and did so again when they recurred in early 2008. These attacks were not the first such politically motivated attacks and they will certainly not be the last. This talk explores the world of DDoS attacks and their growing role as an online political weapon. It also covers how Arbor Networks measured the Estonia attacks, how other attacks are measured, and what these attacks mean for the Internet at large.

12:30 p.m.–2:00 p.m.   Lunch, on your own
2:00 p.m.–3:30 p.m. Wednesday

REFEREED PAPERS

Regency 2

Cryptographic Keys

Session Chair: Dan Boneh, Stanford University

Awarded Best Student Paper!
Lest We Remember: Cold Boot Attacks on Encryption Keys
J. Alex Halderman, Princeton University; Seth D. Schoen, Electronic Frontier Foundation; Nadia Heninger and William Clarkson, Princeton University; William Paul, Wind River Systems; Joseph A. Calandrino and Ariel J. Feldman, Princeton University; Jacob Appelbaum; Edward W. Felten, Princeton University

Paper in HTML | PDF

MP3 IconListen in MP3 format

The Practical Subtleties of Biometric Key Generation
Lucas Ballard and Seny Kamara, The Johns Hopkins University; Michael K. Reiter, University of North Carolina at Chapel Hill

Paper in HTML | PDF

MP3 IconListen in MP3 format

Unidirectional Key Distribution Across Time and Space with Applications to RFID Security
Ari Juels, RSA Laboratories; Ravikanth Pappu, ThingMagic Inc; Bryan Parno, Carnegie Mellon University

Paper in HTML | PDF

MP3 IconListen in MP3 format

INVITED TALKS

Regency 1

Building the Successful Security Software Company
Ted Schlein, Kleiner Perkins Caufield & Byers

Video View the video

MP3 IconListen in MP3 format

Ted will discuss the security market, past and present. He will review what it takes to succeed in building a company and will look at current opportunities. Ted will also share with the audience a few of his successes.

3:30 p.m.–4:00 p.m.   Break
4:00 p.m.–5:30 p.m. Wednesday

REFEREED PAPERS

Regency 2

Network Defenses

Session Chair: Angelos Stavrou, George Mason University

CloudAV: N-Version Antivirus in the Network Cloud
Jon Oberheide, Evan Cooke, and Farnam Jahanian, University of Michigan

Paper in HTML | PDF

MP3 IconListen in MP3 format

Awarded Best Paper!
Highly Predictive Blacklisting
Jian Zhang and Phillip Porras, SRI International; Johannes Ullrich, SANS Institute

Paper in HTML | PDF

MP3 IconListen in MP3 format

Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks
Jerry Chou and Bill Lin, University of California, San Diego; Subhabrata Sen and Oliver Spatscheck, AT&T Labs—Research

Paper in HTML | PDF

MP3 IconListen in MP3 format

INVITED TALKS

Regency 1

From the Casebooks of . . .
Mark Seiden, Senior Consultant

Video View the video

MP3 IconListen in MP3 format

In a field with few design principles ("defense in depth"? separate duties?), few rules of thumb, no laws named after people more influential than Murphy, no Plancks or Avogadros to hold Constant, and little quantification of any sort (we count only bad things), it appears the best we can do right now is to tell stories.

Over (enough) beer we conjure up lightly anonymized war stories about late-night phone calls, scary devices, hard-to-find bugs that exploiters somehow found, the backups that didn't, stupid criminals, craven prosecutors, cute hacks ("but don't try this at home"), and pointy-haired bosses. . . . There will be a few of these in this talk, but also some cautionary tales and parables—isomorphs of the Old Stories demonstrating human frailty and that the Law of Unexpected Consequences operates most strongly near the intersection of Bleeding Edge and Slippery Slope. Also, just a bit about the future.

6:00 p.m.–7:30 p.m. Wednesday

Poster Session & Happy Hour

Imperial Ballroom

Poster Session Chair: Carrie Gates, CA Labs

Don't miss the cool new ideas and the latest preliminary research on display at the Poster Session & Happy Hour. Take part in discussions with your colleagues over complimentary drinks and snacks. Check out the list of accepted posters.

Tech Sessions: Wednesday, July 30 | Thursday, July 31 | Friday, August 1 | Invited Talk Speakers
Thursday, July 31
9:00 a.m.–10:30 a.m. Thursday

REFEREED PAPERS

Regency 2

Botnet Detection

Session Chair: Wietse Venema, IBM Research

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection
Guofei Gu, Georgia Institute of Technology; Roberto Perdisci, Damballa, Inc.; Junjie Zhang and Wenke Lee, Georgia Institute of Technology

Paper in HTML | PDF

MP3 IconListen in MP3 format

Measurement and Classification of Humans and Bots in Internet Chat
Steven Gianvecchio, Mengjun Xie, Zhengyu Wu, and Haining Wang, The College of William and Mary

Paper in HTML | PDF

MP3 IconListen in MP3 format

To Catch a Predator: A Natural Language Approach for Eliciting Malicious Payloads
Sam Small, Joshua Mason, and Fabian Monrose, Johns Hopkins University; Niels Provos, Google Inc.; Adam Stubblefield, Johns Hopkins University

Paper in HTML | PDF

MP3 IconListen in MP3 format

INVITED TALKS

Regency 1

Security Analysis of Network Protocols
John Mitchell, Stanford University

Video View the video

MP3 IconListen in MP3 format

View the presentation slides

Network security protocols, such as key-exchange and key-management protocols, are notoriously difficult to design and debug. Anomalies and shortcomings have been discovered in standards and proposed standards for a wide range of protocols, including public-key and Diffie-Hellman–based variants of Kerberos, SSL/TLS, and the 802.11i (Wi-Fi2) wireless authentication protocols. Although many of these protocols may seem relatively simple, security protocols must achieve their goals when an arbitrary number of sessions are executed concurrently, and an attacker may use information provided by one session to compromise the security of another.

Since security protocols form the cornerstone of modern secure networked systems, it is important to develop informative, accurate, and deployable methods for finding errors and proving that protocols meet their security requirements. This talk will summarize two methods and discuss some of the case studies carried out over the past several years. One method is a relatively simple automated finite-state approach that has been used by our research group, others, and several years of students in a project course at Stanford to find flaws and develop improvements in a wide range of protocols and security mechanisms. The second method, Protocol Composition Logic (PCL), is a way of thinking about protocols that is designed to make it possible to prove security properties of large practical protocols. The two methods are complemen- tary, since the first method can find errors, but only the second is suitable for proving their absence. The talk will focus on basic principles and examples from the IEEE and IETF standardization process.

10:30 a.m.–11:00 a.m.   Break
11:00 a.m.–12:30 p.m. Thursday

REFEREED PAPERS

Regency 2

Hardware and Security

Session Chair: Yoshi Kohno, University of Washington

Reverse-Engineering a Cryptographic RFID Tag
Karsten Nohl and David Evans, University of Virginia; Starbug and Henryk Plötz, Chaos Computer Club, Berlin

Paper in HTML | PDF

MP3 IconListen in MP3 format

Practical Symmetric Key Cryptography on Modern Graphics Hardware
Owen Harrison and John Waldron, Trinity College Dublin

Paper in HTML | PDF

MP3 IconListen in MP3 format

An Improved Clock-skew Measurement Technique for Revealing Hidden Services
Sebastian Zander, Swinburne University of Technology, Australia; Steven J. Murdoch, Computer Laboratory, University of Cambridge

Paper in HTML | PDF

MP3 IconListen in MP3 format

INVITED TALKS

Regency 1

Enterprise Security in the Brave New (Virtual) World
Tal Garfinkel, VMware

Video View the video

MP3 IconListen in MP3 format

View the presentation slides

The move to virtual machine–based computing platforms is perhaps the most significant change in how enterprise computing systems have been built in the past decade. The benefits of moving to virtual infrastructure are substantial, from ease of management and better server utilization to transparently providing a wide range of services from high availability to backup. Despite this sweeping change, the way that we secure these systems is still largely unchanged from how we secure today's physical systems. We must rethink the way we design security in virtual infrastructure, both to cope with the new challenges it introduces and to take advantage of the opportunities it offers.

I will discuss the growing pains of moving from physical to virtual infrastructure in the network and the dissonance this can cause in operational settings: why simply dropping existing firewalls and NIDS into virtual infrastructure can limit flexibility, how new mechanisms can help overcome these limitations, and why these elements are better off being virtual instead of physical. Next, I will look at how virtual machines can affect host security as techniques such as virtual machine introspection become mainstream and the line between host and network security gets increasingly blurred. Finally, I will look at some of the odder and more interesting capabilities virtual platforms will be offering in the next few years which will offer fertile ground for new research.

12:30 p.m.–2:00 p.m.   Lunch, on your own
2:00 p.m.–3:30 p.m. Thursday

REFEREED PAPERS

Regency 2

Systems Security

Session Chair: Wenke Lee, Georgia Institute of Technology

NetAuth: Supporting User-Based Network Services
Manigandan Radhakrishnan and Jon A. Solworth, University of Illinois at Chicago

Paper in HTML | PDF

MP3 IconListen in MP3 format

Hypervisor Support for Identifying Covertly Executing Binaries
Lionel Litty, H. Andrés Lagar-Cavilla, and David Lie, University of Toronto

Paper in HTML | PDF

MP3 IconListen in MP3 format

Selective Versioning in a Secure Disk System
Swaminathan Sundararaman, Gopalan Sivathanu, and Erez Zadok, Stony Brook University

Paper in HTML | PDF

MP3 IconListen in MP3 format

INVITED TALKS

Regency 1

Hackernomics
Hugh Thompson, Chief Security Strategist, People Security

Video View the video

MP3 IconListen in MP3 format

View the presentation slides

Security processes inside most commercial development teams haven't caught up with the growing threat from organized crime groups that are becoming better financed, are relying more on automation to find vulnerabilities, and have figured out how to drive down the cost of launching a significant attack. This talk looks at why the incentive to attack and the ability to find flaws are outpacing practiced application security techniques. It examines how the economics of software attack and defense ("hackernomics") is changing and looks at some interesting outcomes, such as making vulnerability discovery a viable business. The talk will include several live vulnerability demonstrations to illustrate the exploitation vs. prevention dynamics.

3:30 p.m.–4:00 p.m.   Break
4:00 p.m.–5:30 p.m. Thursday

REFEREED PAPERS

Regency 2

Privacy

Session Chair: Patrick Traynor, Pennsylvania State University

Privacy-Preserving Location Tracking of Lost or Stolen Devices: Cryptographic Techniques and Replacing Trusted Third Parties with DHTs
Thomas Ristenpart, University of California, San Diego; Gabriel Maganis, Arvind Krishnamurthy, and Tadayoshi Kohno, University of Washington

Paper in HTML | PDF

MP3 IconListen in MP3 format

Panalyst: Privacy-Aware Remote Error Analysis on Commodity Software
Rui Wang and XiaoFeng Wang, Indiana University at Bloomington; Zhuowei Li, Center for Software Excellence, Microsoft

Paper in HTML | PDF

MP3 IconListen in MP3 format

Multi-flow Attacks Against Network Flow Watermarking Schemes
Negar Kiyavash, Amir Houmansadr, and Nikita Borisov, University of Illinois at Urbana-Champaign

Paper in PDF

MP3 IconListen in MP3 format

INVITED TALKS

Regency 1

A Couple Billion Lines of Code Later: Static Checking in the Real World
Dawson Engler, Stanford University; Ben Chelf, Andy Chou, and Seth Hallem, Coverity

Video View the video

MP3 IconListen in MP3 format

View the presentation slides

This talk describes lessons learned taking an academic tool that "worked fine" in the lab and using it to check billions of lines of code across several hundred companies. Some ubiquitous themes: reality is weird; what one thinks will matter often doesn't; what one doesn't even think to reject as a possibility is often a first-order effect.

5:30 p.m.–6:30 p.m. Thursday

Panel

Regency 2

Setting DNS's Hair on Fire

Moderator: Niels Provos, Google, Inc.

Panelists: David Dagon, Georgia Institute of Technology; Paul Vixie, Internet Systems Consortium, Inc.

Video View the video

MP3 IconListen in MP3 format

View David Dagon's presentation slides

6:30 p.m.–8:30 p.m. Thursday

Symposium Reception

Fourth Street Summit Center

Tech Sessions: Wednesday, July 30 | Thursday, July 31 | Friday, August 1 | Invited Talk Speakers
Friday, August 1
9:00 a.m.–10:30 a.m. Friday

REFEREED PAPERS

Regency 2

Voting and Trusted Systems

Session Chair: Rachna Dhamija, Harvard University

Verifying Compliance of Trusted Programs
Sandra Rueda, Dave King, and Trent Jaeger, The Pennsylvania State University

Paper in HTML | PDF

MP3 IconListen in MP3 format

Helios: Web-based Open-Audit Voting
Ben Adida, Harvard University

Paper in PDF

MP3 IconListen in MP3 format

VoteBox: A Tamper-evident, Verifiable Electronic Voting System
Daniel Sandler, Kyle Derr, and Dan S. Wallach, Rice University

Paper in HTML | PDF

MP3 IconListen in MP3 format

INVITED TALKS

Regency 1

The Ghost in the Browser and Other Frightening Stories About Web Malware
Niels Provos, Google, Inc.

Video View the video

MP3 IconListen in MP3 format

While the Web provides information and services that enrich our lives in many ways, it has also become the primary vehicle for delivering malware. Once infected with Web-based malware, an unsuspecting user's machine is converted into a productive member of the Internet underground. This talk explores Web-based malware and the infrastructure supporting it, covering an analysis period of almost two years. It describes trends observed in Web server compromises, as well as giving an overview of the life cycle of Web-based malware. The talk shows that Web malware enables a large number of questionable activities, ranging from the exfiltration of sensitive information such as email addresses and credit card information to forming spamming botnets, which are responsible for a significant fraction of the spam currently seen on the Internet.

10:30 a.m.–11:00 a.m.   Break
11:00 a.m.–12:30 p.m. Friday

REFEREED PAPERS

Regency 2

Software Security

Session Chair: David Lie, University of Toronto

An Empirical Security Study of the Native Code in the JDK
Gang Tan and Jason Croft, Boston College

Paper in HTML | PDF

MP3 IconListen in MP3 format

AutoISES: Automatically Inferring Security Specification and Detecting Violations
Lin Tan, University of Illinois, Urbana-Champaign; Xiaolan Zhang, IBM T.J. Watson Research Center; Xiao Ma, University of Illinois, Urbana-Champaign, and Pattern Insight Inc.; Weiwei Xiong, University of Illinois, Urbana-Champaign; Yuanyuan Zhou, University of Illinois, Urbana-Champaign, and Pattern Insight Inc.

Paper in HTML | PDF

MP3 IconListen in MP3 format

Real-World Buffer Overflow Protection for Userspace & Kernelspace
Michael Dalton, Hari Kannan, and Christos Kozyrakis, Stanford University

Paper in HTML | PDF

MP3 IconListen in MP3 format

INVITED TALKS

Regency 1

Managing Insecurity: Practitioner Reflections on Social Costs of Security
Darren Lacey, Chief Information Security Officer, Johns Hopkins University/Johns Hopkins Medicine

Video View the video

MP3 IconListen in MP3 format

Nonprofits and local government have experienced more than their share of breaches and notifications over the past several years. The reasons for this are evident: lots of sensitive information, insufficient IT resources, lack of institutional discipline, etc. Clearly more time and resources at these organizations should be dedicated to security.

I discuss whether even identifying the proper balance is a good deal more difficult for public service organizations than has been widely discussed. Will security concerns affect the adoption of electronic medical records, regional health organizations, and nonprofit work? At what point do needed changes in organizational cultures undermine the public mission? What types of security controls and practices are best suited for service agencies? What kinds of research would most help public services?

12:30 p.m.–2:00 p.m.   Lunch, on your own
2:00 p.m.–3:30 p.m. Friday

Work-in-Progress Reports (WiPs) and Closing Remarks

Regency Ballroom

WiPs Session Chair: Hao Chen, University of California, Davis

Video View the video

The Work-in-Progress reports (WiPs) session offers short presentations about research in progress, new results, or timely topics. The schedule of WiPs and their abstracts is available here.

?Need help? Use our Contacts page.

Last changed: 9 Dec. 2008 mn