
Wednesday, August 3 | Thursday, August 4 | Friday, August 5

9:00 a.m.–10:30 a.m. Wednesday
Opening Remarks, Awards, and Keynote

Keynote Address
Computer Security in the Real World

Butler W. Lampson, Microsoft and MIT


After thirty years of work on computer security, why are almost all the systems in service today extremely vulnerable to attack? The main reason is that security is expensive to set up and a nuisance to run, so people judge from experience how little of it they can get away with. Since there's been little damage, people decide that they don't need much security. In addition, setting it up is so complicated that it's hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security. In a distributed system with no central management like the Internet, security requires a clear story about who is trusted for each step in establishing it, and why. The basic tool for telling this story is the "speaks for" relation between principals that describes how authority is delegated, that is, who trusts whom. The idea is simple, and it explains what's going on in any system I know, although the many different ways of encoding this relation often make it hard to see the underlying order.

10:30 a.m.–11:00 a.m.   Break
11:00 a.m.–12:30 p.m. Wednesday

Securing Real Systems
Session Chair: Adrian Perrig, Carnegie Mellon University

Awarded Best Student Paper!
Security Analysis of a Cryptographically-Enabled RFID Device
Steve Bono, Matthew Green, and Adam Stubblefield, Johns Hopkins University; Ari Juels, RSA Laboratories; Avi Rubin, Johns Hopkins University; Michael Szydlo, RSA Laboratories

Stronger Password Authentication Using Browser Extensions
Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John C Mitchell, Stanford University

Cryptographic Voting Protocols: A Systems Perspective
Chris Karlof, Naveen Sastry, David Wagner, University of California, Berkeley


Human-Computer Interaction Opportunities for Improving Security
Ben Shneiderman, University of Maryland


Creating a more secure computing and communications environment requires cooperation among many disciplines. Human-computer interaction (HCI) researchers can contribute by participating in user interface design for system managers and every level of users. The standard HCI processes could clarify the currently confusing array of features that overwhelms many users and leads to errors or frustration. First steps would include clear task analysis and a hierarchical decomposition of objects and actions that enable users to develop a meaningful mental model tied to their needs, rather than the intricacies of system architecture. Then carefully chosen evaluation methods could assess interface designs during development and usage. A second HCI contribution might be tied to information visualization tools to enable system managers to better monitor activity, detect attacks, and trace attackers. Temporal pattern search, network traffic analysis, and hierarchical clustering tools are potential contributions.
   This talk includes a proposed graphic user interface, FORTS (File-sharing Onweb with Realistic Tailorable Security), for specifying and monitoring security/privacy status. This interface is meant to be multi-layered to allow users to choose the level of complexity and protection they need. Based on a fortress model, FORTS shows more secure areas deeper in the fort, and multiple gates to allow incoming/outgoing traffic with comprehensible activity logs.

12:30 p.m.–2:00 p.m.   Lunch (on your own)
2:00 p.m.–3:30 p.m. Wednesday

Panel: National ID Cards
Moderator: Niels Provos, Google

Panelists: Drew Dean, SRI International; Carl Ellison, Microsoft; Daniel Weitzner, World Wide Web Consortium


Homeland Security: Networking, Security, and Policy
Douglas Maughan, DHS, HSARPA


This presentation will provide an overview of the recently created Department of Homeland Security, its Science and Technology Directorate, and some of the research initiatives started in the Department. Many of these initiatives provide examples where networking, security, and policy come together in interesting ways as the Department works with critical infrastructure providers to secure the nation's infrastructures. This presentation will explore these issues and provide an opportunity for an open discussion surrounding the various homeland security applications.

3:30 p.m.–4:00 p.m.   Break
4:00 p.m.–5:30 p.m. Wednesday

Diagnosing the Net
Session Chair: Angelos Keromytis, Columbia University

Empirical Study of Tolerating Denial-of-Service Attacks with a Proxy Network
Ju Wang, Xin Liu, and Andrew A. Chien, University of California, San Diego

Robust TCP Stream Reassembly in the Presence of Adversaries
Sarang Dharmapurikar, Washington University; Vern Paxson, International Computer Science Institute, Berkeley

Countering Targeted File Attacks Using LocationGuard
Mudhakar Srivatsa and Ling Liu, Georgia Institute of Technology


Electronic Voting in the United States: An Update
Avi Rubin, Johns Hopkins University

In July 2003, my research team published an analysis of Diebold's Accuvote TS and TSX voting machines, which were used in public elections all over the United States. We found serious security flaws in the machines, and a general lack of understanding of software and computer systems. Since then, the debate around electronic voting has intensified. In the two years since we published that report, I have become very involved in the issue at a national and local level, going so far as to become an election judge in Baltimore County. Maryland is one of the battleground states with respect to e-voting. In this talk, I will review the security issues around e-voting and voting procedures and will provide an update on where things stand in my state and at the federal level.

9:00 a.m.–10:30 a.m. Thursday

Managing Secure Networks
Session Chair: Adam Stubblefield, Johns Hopkins University

An Architecture for Generating Semantic Aware Signatures
Vinod Yegneswaran, Jonathon T. Giffin, Paul Barford, and Somesh Jha, University of Wisconsin, Madison

MulVAL: A Logic-based Network Security Analyzer
Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel, Princeton University

Detecting Targeted Attacks Using Shadow Honeypots
K. G. Anagnostakis, University of Pennsylvania; S. Sidiroglou, Columbia University; P. Akritidis, K. Xinidis, and E. Markatos, Institute of Computer Science—FORTH; A. D. Keromytis, Columbia University


Cybersecurity: Opportunity and Challenges
Pradeep K. Khosla, CyLab

This presentation will provide an overview of the research in CyLab. CyLab is a university-wide multidisciplinary research center with the goal of combining technology, business, and policy to impact industry. In addition, CyLab has a strategic interest in outreach and awareness for the masses. Toward achieving this goal, it is developing innovative games and curricula. This talk will provide an overview of some of the research projects in CyLab and will also describe our strategy.

10:30 a.m.–11:00 a.m.   Break
11:00 a.m.–12:30 p.m. Thursday

Panel: Sniffing Conference Networks: Is It Legal? Is It Right?
Panelists: Abe Singer, San Diego Supercomputer Center; Bill Cheswick, Lumeta Corp.; Paul Ohm, U.S. Department of Justice; Michael Scher, Security Technologist, Attorney, Anthropologist, Nexum, Inc.

It has become commonplace at some computer conferences, especially security conferences, for someone to "sniff" the network—monitor other users' communications. Often this is for the purpose of intercepting usernames and passwords transmitted in cleartext, sometimes publicly posting the information found. The person sniffing may or may not be officially affiliated with the conference, and the activity is often condoned or approved by the conference organizers (although not by USENIX), and many of the participants.

But is such activity legal? It may very well not be, or only under very limited circumstances. Who has standing to "permit" the activity, and who is liable for the results?

Aside from whether or not the activity is criminal, there is also the ethical issue. Is sniffing a conference network the "right thing to do"? What example does it set? What message does it send?

These issues have been highlighted by some heated complaints at recent USENIX conferences.

This panel will discuss these legal and ethical issues.


Treacherous or Trusted Computing: Black Helicopters, an Increase in Assurance, or Both?
Bill Arbaugh, University of Maryland

A lively and mostly healthy debate has focused on the trusted computing initiatives of several prominent vendors. Both sides of this debate have made some relevant and some not so relevant claims—not to mention a little fear, uncertainty, and doubt (FUD). In this talk, I will present the history of trusted computing from before the "Orange Book" to what we might see tomorrow. Along the way, I'll try to sort out the real technical and policy issues from the FUD. In the end, my hope is that you can make an informed decision on whether these initiatives are treacherous or trusted.

12:30 p.m.–2:00 p.m.   Lunch (on your own)
2:00 p.m.–3:30 p.m. Thursday

Session Chair: R. Sekar, Stony Brook University

Where's the FEEB? The Effectiveness of Instruction Set Randomization
Ana Nora Sovarel, David Evans, and Nathanael Paul, University of Virginia

Automating Mimicry Attacks Using Static Binary Analysis
Christopher Kruegel and Engin Kirda, Technical University Vienna; Darren Mutz, William Robertson, and Giovanni Vigna, University of California, Santa Barbara

Non-Control-Data Attacks Are Realistic Threats
Shuo Chen, University of Illinois at Urbana-Champaign; Jun Xu and Emre C. Sezer, North Carolina State University


How to Find Serious Bugs in Real Code
Dawson Engler, Stanford University

This talk will describe new dynamic bug-finding techniques that work well on real code, our experiences with both static and dynamic techniques, and several widely held myths in the bug-finding community.

3:30 p.m.–4:00 p.m.   Break
4:00 p.m.–5:30 p.m. Thursday

Protecting the Network
Session Chair: Niels Provos, Google

Awarded Best Paper!
Mapping Internet Sensors with Probe Response Attacks
John Bethencourt, Jason Franklin, and Mary Vernon, University of Wisconsin, Madison

Vulnerabilities of Passive Internet Threat Monitors
Yoichi Shinoda, Japan Advanced Institute of Science and Technology; Ko Ikai, National Police Agency of Japan; Motomu Itoh, Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)

On the Effectiveness of Distributed Worm Monitoring
Moheeb Abu Rajab, Fabian Monrose, and Andreas Terzis, Johns Hopkins University


Open Problems with Certifying Compilation
Greg Morrisett, Harvard University

Proof-carrying code was introduced by Necula and Lee as a technique for minimizing trusted code: instead of monitoring or analyzing code to see if it is trustworthy, we require that the code comes with a machine-checkable, mathematical proof that the code respects a desired security policy. In practice, checking the proof is easy when compared to constructing one, so the framework shifts the hard work from the code consumer to the code producer. Unfortunately, it doesn't eliminate the hard problem: how does a code producer construct the proof?

Certifying compilers provide part of the answer: A certifying compiler takes as input high-level source code and a proof that the source code respects the policy, and then transforms the code and proof in parallel. In this fashion, it is able to automatically output the required proof at the machine-code level. For simple policies, such as memory-safety and type-safety, the proof can be automatically constructed at the source level, assuming we start with a type-safe source language.

Unfortunately, most of the code that needs to be trustworthy is written in type-unsafe languages such as C or C++, so we need some way to realize proofs for these languages. Furthermore, we need support for security policies that go well beyond type-safety. I will survey some of the research that has been done, and that needs to be done to achieve these goals, so that we may one day realize the full potential of proof-carrying code.

8:30 a.m.–10:30 a.m. 9:00 a.m.–10:30 a.m.

Session Chair: Yoshi Kohno, University of California, San Diego

Protecting Against Unexpected System Calls
C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J. H. Hartman, University of Arizona

Efficient Techniques for Comprehensive Protection from Memory Error Exploits
Sandeep Bhatkar, R. Sekar, and Daniel C. DuVarney, Stony Brook University

Finding Security Vulnerabilities in Java Applications with Static Analysis
V. Benjamin Livshits and Monica S. Lam, Stanford University

OPUS: Online Patches and Updates for Security
Gautam Altekar, Ilya Bagrak, Paul Burstein, and Andrew Schultz, University of California, Berkeley


What Are We Trying to Prove? On the Relevance of Certified Code to Computer Security
Peter Lee, Carnegie Mellon University

Since 1996 there has been tremendous progress in developing the idea of certified code, including both proof-carrying code (PCC) and typed assembly language (TAL). In a certified code framework, each program (which is usually in machine-code binary form) comes equipped with a certificate that "explains," both rigorously and in a manner that is easily validated, why it possesses a formally specified safety property. A substantial amount of the research work in this area has been directed towards the problem of how to make certified code a practical technology—what one might call "proof engineering." Thus, many of the advances have been in methods for representing the certificates in the most compact and efficiently checkable way. A considerable amount of effort has also gone into the development of prototype tools that explore how to handle realistic programs written in realistic languages.

In this talk, I will start with a brief overview of the current state of these and other current concepts in certified code. Then I will consider a very different but equally practical question: Just what is it that we are trying to prove, especially if we want to be relevant to computer security? Today, certified code systems do not prove the semantic equivalence between source and target programs. Nor do they prove the absence of most kinds of trojan horses, covert channels, or race conditions. While the safety properties provided by current certified code systems are, in fact, of central importance to computer security, I will argue that there are potentially great opportunities in investigating an expansion of the kinds of properties that these systems reason about.

10:30 a.m.–11:00 a.m.   Break
11:00 a.m.–12:30 p.m. Friday

Building Secure Systems
Session Chair: Somesh Jha, University of Wisconsin, Madison

Fixing Races for Fun and Profit: How to Abuse atime
Nikita Borisov, Rob Johnson, Naveen Sastry, and David Wagner, University of California, Berkeley

Building an Application-aware IPsec Policy System
Heng Yin and Haining Wang, College of William and Mary

Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation
Jim Chow, Ben Pfaff, Tal Garfinkel, and Mendel Rosenblum, Stanford University


Four Lightning Talks
Ben Laurie, The Bunker

I spend my life doing a dozen different things at once. So, rather than concentrate on one thing which might bore you, I would prefer to spark everyone's interest (at least occasionally) by talking about several of the things that have been distracting me recently. Included may or may not be: anonymous instant messaging, bolting capabilities onto existing languages, why packaging is bad for security, problems in DNSSEC and ruminations on writing an OpenPGP library. But since I'm writing this abstract in April and talking in August, there may be even more cool topics to discuss.

12:30 p.m.–2:00 p.m.   Lunch (on your own)
2:00 p.m.–3:30 p.m. Friday

Work-in-Progress Reports and Closing Remarks


Last changed: 19 Oct. 2007 ac