HotSec '19 Summit Program

In this talk, I will cover two fundamental challenges the existing IoT infrastructures face today: (i) inability of existing automation frameworks to intuitively capture the automation or policy intents of the users, and (ii) inability of existing tools (that detects static conflicts among automation rules) to proactively detect potential run-time conflicts and violations during policy compilation stage itself. In the first part of the talk, I will discuss the need for novel graph-based automation specification mechanisms. In the second part, I will discuss about the limitations of existing security analyzer tools and demonstrate the need for new security analysis mechanisms such as: (i) ability to detect potential run-time violation (i.e., during policy compile time), (ii) need for behavioral analysis and situational awareness, and (iii) other analyzers that could proactively detect the fundamental issues in the automation. In this talk, I will briefly cover the potential approaches that could be taken to handle the current situation.

Malware Authors Are Just Writing Software: What Can the Software Development Life Cycle and Social Network Analysis Teach Us About Malware Attribution?

Malware is just software—with some special characteristics—and malware authors are just specialized software developers. Software development, including malware development, is an inherently "social" activity—all software is composed of contributions from multiple authors, either explicitly by a software development team or implicitly through the inclusion of libraries and other shared code. Software development is characterized by a software development life cycle, and given that it is a social process, social network analysis can be applied to the contributors and contributions for a given software binary. We argue that each malware binary is produced using some form of a software development life cycle, and there will be clues—artifacts—as to the contributions and contributors for that piece of software that can be studied using social network analysis.

Where's the honeypot love? Honeypots have largely been relegated to toys in academic settings, with very little recent notable work. We bring data from over 600 commercial deployments showing that internal honeypots are remarkably effective as breach detection. We'll expand on this contradiction of an effective approach being ignored by academics, touching on the obsession with network honeypots and point to research directions for non-network honeypots.

Privacy Bounties - a good idea?

Bug bounties are the 'du jour' solution to the historical problems with vulnerability disclosures and properly incentivizing security researchers while limiting their exposure to liability and criminal sanction. Are bug bounty programs like BugCrowd and HackerOne suitable to other contexts such as provable privacy? This lightning talk will address the need for provable privacy validation beyond internal testing, and mere assertions that a form of anonymization or pseudonymization is being used to protect privacy in the world of extreme data processing. Transparency and programs that incentivize white-hat testing for security could be adapted to help build confidence in empirical approaches to differential privacy and other forms of anonymization and pseudonymization of personal information.

There is an abundance of current security research that heavily relies on Machine Learning to find a model for a complex, not well-understood truth. However, offloading the task of finding the truth to a tool eventually relies on circular reasoning, rendering these security applications useless and dangerous: Measuring a model's quality requires a dataset, whose representativeness can only be guaranteed with thorough a priori knowledge of the truth, causing an implicit tautology. This talk pushes for a clear separation between modeling and finding the truth, to give future security systems a steady ground to stand on.