Workshop Program

Web applications are a rich source of vulnerabilities due to their high exposure, diversity, and popularity. Accordingly, web application vulnerabilities are useful subjects for empirical security research. Although some information on vulnerabilities is publicly available, there are no publicly available datasets that couple vulnerabilities with their source code, metadata, and exploits through an executable test environment. We describe BugBox, a corpus and exploit simulation environment for PHP web application vulnerabilities. BugBox provides a test environment and a packaging mechanism that allows for the distribution and sharing of vulnerability data. The goal is to facilitate empirical vulnerability studies, security tool evaluation, and security metrics research. In addition, the framework promotes developer education by demonstrating exploits and providing a sandbox where they can be run safely. BugBox and its modules are open source and available online, and new modules may be contributed by community members.

Cybercrime attack tools (i.e. Exploit Kits) are reportedly responsible for the majority of attacks affecting home users. Exploit kits are traded in the black markets at different prices and advertising different capabilities and functionalities. In this paper we present our experimental approach in testing 10 exploit kits leaked from the markets that we deployed in an isolated environment, our MalwareLab. The purpose of this experiment is to test these tools in terms of resiliency against changing software configurations in time. We present our experiment design and implementation, discuss challenges, lesson learned and open problems, and present a preliminary analysis of the results.

Empirical research often requires access to good datasets. Funding agencies have pushed for increased data sharing among investigators, and have established several publicly accessible repositories and data warehouses. However, the speed of progress in computing and the sensitive nature of data, especially when it pertains to security, makes access to useful datasets a challenge. At the same time, a number of data sets of questionable provenance have recently become available to researchers. As a prominent example, the author(s) of the anonymously published Internet Census 2012 project compromised a large number of open embedded devices to perform a distributed port scan of the Internet. The collected data are available for download and are arguably of great use to network researchers. This panel explores the ethics and best practices concerned with using datasets whose origin is either unknown or is morally ambiguous. In particular, the panel will debate the merits of using (or not using) the data, potential methods of verifying the integrity of anonymously published data, and safeguards for preventing misuse. Audience participation is highly encouraged.

We motivate using non-digital games to teach computer security concepts and describe the inspirations driving the design of our board game, [d0x3d!]. We describe our experiences in designing game mechanics that teach security principles and our observations in developing an open-source game product. We survey our experiences with playing the game with students and our plans for supporting the game in and out of the classroom.

Data-sharing approaches such as collaborative security have been successfully applied to systems addressing multiple classes of cyber security threats. In spite of these results, scale presents a major challenge to further advances: collaborative security systems are designed to operate at a large scale (Internet- or ISP-scale), and obtaining and sharing traces suitable for experimentation is difficult. We illustrate these challenges via an analysis of recently proposed collaborative systems. We argue for the development of simulation techniques designed specifically to address these challenges and sketch one such technique, parameterized trace scaling, which expands small traces to generate realistic large scale traces sufficient for analyzing collaborative security systems.

Security research and teaching using cyber-physical systems (e.g., automotive networks) is challenging because of the need to replicate the interactions between the hardware components and the control software of the systems. These interactions are challenging to replicate because of the dynamic inputs in real-world environments that cause various interactions of the hardware components and control software within the network. In particular, automotive networks are challenging for security research and teaching because although the protocols of the automotive networks are standardized (e.g., CAN, LIN), the implementation details by each automotive manufacturer are not standardized and are generally not publicly available.

In this paper we present Open Car Testbed And Network Experiments (OCTANE), which reduces the barrier of entry into the security research and teaching of automotive networks by providing a software package and a hardware framework for the reverse engineering and testing of automotive networks. OCTANE provides a platform for security research and teaching by replicating the interactions between the hardware components and control software of the systems so that the user can focus on the security aspects of the automotive network instead of the tool configuration and setup.

A major step towards secure Internet backbone routing started with the deployment of the Resource Public Key Infrastructure (RPKI). It allows for the cryptographic strong binding of an IP prefix and autonomous systems that are legitimate to originate this prefix. A fundamental design choice of RPKI-based prefix origin validation is the avoidance of cryptographic load at BGP routers. Cryptographic verifications will be performed only by cache servers, which deliver valid AS/prefix mappings to the RPKI-enabled BGP router using the RPKI/RTR protocol.

In this paper, we give first insights into the additional system load introduced by RPKI at BGP routers. For this purpose, we design and implement a highly efficient C library of the RPKI/RTR router part and the prefix origin validation scheme. It fetches and stores validated prefix origin data from an RTR-cache and performs origin verification of prefixes as obtained from BGP updates. We measure a relatively small overhead of origin validation on commodity hardware (5% more RAM than required for full BGP table support, 0.41% load in case of ≈ 92,000 prefix updates per minute), which meets real-world requirements of today.