  • Program

    Twenty-Sixth Annual Computer Security Applications Conference (ACSAC)

    Practical Solutions To Real World Security Problems

    December 6-10, 2010
    Four Seasons Hotel
    Austin, Texas

    Presented by

  • Organizing Committee

    Conference Chair: Carrie Gates, CA Labs
    Program Chair: Michael Franz, University of California, Irvine
    Program Co-Chair: John McDermott, Naval Research Lab
    Multimedia/Proceedings: Christoph Schuba, Oracle Corporation
    Tutorials Chair: Daniel Faigin, Aerospace Corporation
    Case Studies Chair: Steve Rome, Booz Allen Hamilton
    Case Studies Co-Chair: Ken Shotting, DoD
    Panels Chair: Hongxia Jin, IBM
    Registration Chair: Art Friedman, NSA
    Poster Chair: Benjamin Kuperman, Oberlin College
    Poster Co-Chair: James P. Early, State University of New York at Oswego
    Publicity Chair: Kevin Butler, University of Oregon
    Sponsorship Chair: Mike Collins, Redjack
    Works in Progress Chair: Charles Payne, Adventium Labs
    Workshop Chair: Harvey H. Rubinovitz, The MITRE Corporation
    FISMA Coordination Chair: Marshall Abrams, MITRE
    Local Arrangements Chair: Jeremy Epstein, SRI International
    Local Arrangements Co-Chair: Kristin Steen, Sandia National Labs
    Student Awards: Lillian Røstad, Norwegian Univ. of Science & Technology
    Student Outreach Chair: Ben Cook, Sandia National Labs
    Guest Speaker Liaison Chair: Deb Frincke, Pacific Northwest Lab
    Guest Speaker Liaison Co-Chair: Kevin Butler, University of Oregon
    Treasurer: Ed Schneider, Institute for Defense Analyses
    Knowledge Coordinator: Dan Thomsen, SIFT
    ACSA Communications Chair: Jay Kahn, MITRE
    Conference Chair Emerita: Cristina Serban, AT&T
    Web Advisor: Robert H’obbes’ Zakon, Zakon Group LLC

    Program Committee

    Michael Franz, Univ. of California, Irvine (Chair)
    John McDermott, Naval Research Lab (Co-Chair)
    Vijay Atluri, Rutgers Univ.
    Tuomas Aura, Microsoft Research
    Lee Badger, NIST
    Elisa Bertino, Purdue Univ.
    Konstantin Beznosov, Univ. of British Columbia
    Matt Bishop, Univ. of California, Davis
    Srdjan Capkun, ETH Zurich
    Fred Chong, Univ. of California, Santa Barbara
    Christian Collberg, Univ. of Arizona
    Marc Dacier, Symantec Corporation
    Mary Denz, U.S. Air Force Research Laboratory
    Sven Dietrich, Stevens Institute of Technology
    Jeremy Epstein, SRI International
    David Evans, Univ. of Virginia
    Richard Ford, Florida Institute of Technology
    Tyrone Grandison, IBM Almaden Research Center
    Steven Greenwald, Independent Security Advisor
    Cynthia Irvine, U.S. Naval Postgraduate School
    Trent Jaeger, Pennsylvania State Univ.
    Hongxia Jin, IBM Almaden Research Center
    Michiharu Kudoh, IBM Tokyo Research Laboratory
    Michael Locasto, Univ. of Calgary
    Patrick McDaniel, Pennsylvania State Univ.
    Peng Ning, North Carolina State Univ.
    Charles Payne, Adventium Labs
    Andreas Pfitzmann, Technische Universität Dresden
    Christian Probst, Technical Univ. of Denmark
    Lillian Røstad, Norwegian Univ. of Science & Technology
    Reiner Sailer, IBM T.J. Watson Research Center
    R. Sekar, Stony Brook Univ.
    Pierangela Samarati, Univ. of Milan
    Christoph Schuba, Oracle Corporation
    Cristina Serban, AT&T
    Frederick Sheldon, Oak Ridge National Laboratory
    Brian Snow, Independent Security Advisor
    Anil Somayaji, Carleton Univ.
    Angelos Stavrou, George Mason Univ.
    Bhavani Thuraisingham, Univ. of Texas, Dallas
    Patrick Traynor, Georgia Institute of Technology
    Venkat Venkatakrishnan, Univ. of Illinois at Chicago

    This program is subject to change.

  • ACSAC 2010 Logistics

    Meeting Locations

    Monday tutorials will be in the Little Colony, Stone’s Crossing, and Waterloo rooms on the Lobby level, with lunch in Ballroom CD on the Lake level. Tuesday tutorials will be in the Little Colony and Waterloo rooms on the Lobby level and Boardroom 516 on the 5th floor, with lunch in Ballroom CD on the Lake level. The Tuesday GTIP workshop will be in Stone’s Crossing on the Lobby level with lunch in Ballroom CD on the Lake level.

    The Layered Assurance Workshop will be in Ballroom A on the Lake level on Monday and Tuesday, with lunch in Ballroom CD, also on the Lake level.

    The Tuesday evening reception will be held on the Lawn (outdoors, Lake level) if weather permits, otherwise in the Ballroom Foyer (Lake level).

    All Wednesday through Friday activities are on the Lake level, with the exception of the FISMA training session, which is on the Lobby level. Plenaries will be in Ballroom AB with breakouts in Ballroom AB, San Jacinto East, and San Jacinto West. FISMA training will be in Waterloo. Breakfasts will be in the Ballroom Foyer and lunches in Ballroom CD. Exhibits will be in the Ballroom Foyer.

    The Wednesday dinner will be held on the Lawn (outdoors, Lake level) if weather permits, otherwise in Ballroom CD (Lake level). The Thursday works in progress, posters, career fair, exhibits, and reception will be in the Ballroom Foyer (Lake level).

    Registration and Information Desk Hours

    Desk hours during the Conference are: Sunday, 17:00-19:00; Monday, 7:30-12:00 and 17:00-19:00; Tuesday, 7:30-12:00 and 16:00-19:00; Wednesday, 7:30-12:00 and 13:00-16:30; Thursday, 7:30-12:00 and 13:00-16:30; and Friday, 7:30-10:00. The Registration and Information Desk also serves as the conference “Lost and Found Center” and is the location of the conference message board.

    Meals

    The conference provides a continental breakfast, a mid-morning coffee break and a mid-afternoon snack and lunch for ACSAC conference (tutorial/workshop) attendees on the days of the conference (tutorial/workshop). Lunch will be provided on Friday only for those attendees registered for the outing to Stubbs Barbecue. A reception with light snacks and cash bar will be offered on Tuesday evening, dinner and entertainment on Wednesday evening (don’t forget your drink tickets!), and a light reception with soft drinks at the WIP/Posters/Career Fair session on Thursday.

    Internet Access

    WiFi service for personal rooms is available for $5.50/day. Please see the instructions from the hotel on how to connect. WiFi service in meeting rooms is provided by our A/V company at no charge to you. The SSID is “CSAConf” and password is “2011ACSAC”. If you’re paying for WiFi service in your room, you can also use that in the meeting rooms at no additional charge. ACSAC cannot guarantee the reliability or security of either of these WiFi options.

    Session Etiquette

    Please be courteous of others around you during the Tutorial and Conference sessions. Try to enter and exit the session quietly. Please mute any beepers, cellular telephones, or similar devices, and please follow the directions of the session chair for asking questions. Thank you for your cooperation!


  • Monday ACSAC 2010

    PROGRAM SCHEDULE

    Monday, 6 December 2010

    8:30-12:00 Technology Tutorials & Workshops

    Workshop, Ballroom A: Layered Assurance Workshop (LAW). Chair: Rance J. DeLong, Lynuxworks, Santa Clara Univ. For details, please see page 17.

    Tutorial, Little Colony: M1. Educating Computer Security Professionals with the CyberCIEGE Video Game. Instructor(s): Mr. Michael Thompson, Naval Postgraduate School. For details, please see page 18.

    Tutorial, Stone’s Crossing: M3. Algorithms for Software Protection. Instructor(s): Dr. Christian Collberg, Univ. of Arizona; Dr. Jasvir Nagra, Google, Inc. For details, please see page 20.

    Tutorial, Waterloo: M4. System Life Cycle Security Engineering. Instructor(s): Ms. Thuy D. Nguyen and Dr. Cynthia E. Irvine, Naval Postgraduate School. For details, please see page 21.

    12:00-13:30 Lunch Ballroom CD

    13:30-17:00 Technology Tutorials & Workshops

    Workshop, Ballroom A: LAW (continued)

    Tutorial, Little Colony: M2. State of the Practice: Intrusion Detection. Instructor(s): Dr. Michael Collins and Dr. John McHugh, Redjack, LLC. For details, please see page 19.

    Tutorial, Stone’s Crossing: M3 (continued)

    Tutorial, Waterloo: M4 (continued)


  • ACSAC 2010 Tuesday

    Tuesday, 7 December 2010

    7:30-8:30 Breakfast Ballroom CD

    8:30-12:00 Technology Tutorials & Workshops

    Workshop, Ballroom A: LAW (continued)

    Workshop, Stone’s Crossing: Workshop on Governance of Technology, Information, and Policies (GTIP). Chair: Dr. Harvey Rubinovitz, MITRE Corporation. For details, please see page 17.

    Tutorial, Little Colony: T5. Visualization and Security. Instructor(s): Mr. Zed Abbadi, Public Company Accounting Oversight Board (PCAOB). For details, please see page 22.

    Tutorial, Boardroom 516: T7. State of the Practice: Secure Coding. Instructor(s): Mr. Robert C. Seacord, CERT Software Engineering Institute. For details, please see page 23.

    Tutorial, Waterloo: T8. An Introduction to Usable Security. Instructor(s): Dr. Jeff Yan, Newcastle Univ.; Mary Ellen Zurko, IBM. For details, please see page 24.

    12:00-13:30 Lunch Ballroom CD

    13:30-17:00 Technology Tutorials & Workshops

    Workshop, Ballroom A: LAW (continued)

    Workshop, Stone’s Crossing: GTIP (continued)

    Tutorial, Little Colony: T6. Keeping Your Web Apps Secure: The OWASP Top 10 & Beyond. Instructor(s): Mr. Robert H’obbes’ Zakon, Zakon Group LLC. For details, please see page 22.

    Tutorial, Boardroom 516: T7 (continued)

    Tutorial, Waterloo: T8 (continued)

    18:00-20:00 Welcome Reception Lawn

    In the event of bad weather, this event will be held in Ballroom CD.

    Please visit our exhibitors tonight through Thursday evening!


  • Wednesday ACSAC 2010

    Wednesday, 8 December 2010

    7:30-8:30 Continental Breakfast Ballroom CD

    8:30-8:45 Welcome Ballroom AB

    Dr. Carrie Gates, Conference Chair
    Dr. Michael Franz, Program Chair

    8:45-10:00 Distinguished Practitioner Ballroom AB

    Putting Basic Research To Work
    Douglas Maughan, DHS Science & Technology Directorate

    While many agencies struggle with how to move basic research across the ‘valley of death’, there are many success stories. For instance, IronKey was initially funded by DHS S&T as a two-employee organization in 2005. IronKey is now a growing company — well over 100 employees, and probably the best USB (storage) in the marketplace, and it’s now the standard issue at DHS. This talk provides a view from the trenches of what works — and what doesn’t — when transitioning basic research into practice.

    About the Speaker: Dr. Douglas Maughan is the Director of the Cyber Security Division in the Homeland Security Advanced Research Projects Agency (HSARPA) within the Science and Technology (S&T) Directorate of the Department of Homeland Security (DHS). Dr. Maughan has been at DHS since October 2003 and is directing and managing the Cyber Security Research and Development activities and staff at DHS S&T. His research interests and related programs are in the areas of networking and information assurance.

    Prior to his appointment at DHS, Dr. Maughan was a Program Manager at the Defense Advanced Research Projects Agency (DARPA) in Arlington, Virginia. Prior to his appointment at DARPA, Dr. Maughan worked for the National Security Agency (NSA) as a senior computer scientist and led several research teams performing network security research. Dr. Maughan received Bachelor’s Degrees in Computer Science and Applied Statistics from Utah State University, a Masters degree in Computer Science from Johns Hopkins University, and a PhD in Computer Science from the University of Maryland, Baltimore County (UMBC).

    10:00-10:30 Break Ballroom Foyer


    10:30-12:00 Technical Tracks

    A. Papers, Ballroom AB: Social Networks. Chair: Arthur R. Friedman

    • Detecting Spammers On Social Networks. Gianluca Stringhini, Christopher Kruegel, Giovanni Vigna, Univ. of California, Santa Barbara

    • Towards Worm Detection in Online Social Networks. Wei Xu, Fangfang Zhang, Sencun Zhu, Pennsylvania State Univ.

    • Who Is Tweeting On Twitter: Human, Bot, Or Cyborg? Zi Chu, Steven Gianvecchio, Haining Wang, The College of William and Mary; Sushil Jajodia, George Mason Univ.

    B. Case Studies, San Jacinto West

    • Managing Security Information and PCI Compliance at The Univ. of Dayton. Rick Wagner, Novell, Inc.

    • A Taxonomy of Vulnerability in the Supply Chain. Chris Romeo and Patrick Hunter, CISCO

    • The Security Threats To and From the Intelligent Electronics Devices. Baris Coskun, AT&T

    C. Panel, San Jacinto East: Risks in the Clouds - Between Silver Linings and Oncoming Storms. Dr. Peter Neumann, SRI (Chair); Earl Crane, Department of Homeland Security; Ahmad-Reza Sadeghi, Technical Univ. Darmstadt and Fraunhofer Institute for Secure Information Systems, Darmstadt; Matt Blaze, Professor of Computer Science, Univ. of Pennsylvania, USA; Lee Tien, Electronic Frontier Foundation, USA

    D. Training, Waterloo: TR1. Cyber Security Controls: NIST SP 800-53 Rev 3 & CNSSI 1253. Instructor: Dr. Marshall D. Abrams, The MITRE Corporation. See details on page 26.

    12:00-13:30 Lunch Ballroom CD


    13:30-15:00 Technical Tracks

    A. Papers, Ballroom AB: Software Defenses. Chair: Lillian Røstad

    • Cujo: Efficient Detection And Prevention Of Drive-by-download Attacks. Konrad Rieck, Berlin Institute of Technology; Tammo Krueger, Fraunhofer Institute FIRST; Andreas Dewald, Univ. of Mannheim

    • Fast And Practical Instruction-set Randomization For Commodity Systems. Georgios Portokalidis, Angelos D. Keromytis, Columbia Univ.

    • G-free: Defeating Return-oriented Programming Through Gadget-less Binaries. Kaan Onarlioglu, Bilkent Univ.; Leyla Bilge, Andrea Lanzi, Davide Balzarotti, Engin Kirda, Eurecom

    B. Case Studies, San Jacinto West

    • Global Automaker’s North American Operations Deploys Managed Hardware Encryption for Protecting Sensitive Data on Employee Laptops. Steven Sprague, Wave Systems

    • ISO Cyber Security and ICT SCRM Standards. Nadya Bartol, Booz Allen Hamilton

    • EMC’s Product Security Evolution. Dan Reddy, EMC

    C. Panel, San Jacinto East: Security Economics. Daniel Arista, SRC, Inc. (chair); Douglas Maughan, DHS; Tim Clancy, CIPHS; Marcus Sachs, Verizon; Sasha Romanosky, CMU

    D. Training, Waterloo: TR1. Cyber Security Controls: NIST SP 800-53 Rev 3 & CNSSI 1253. Instructor: Dr. Marshall D. Abrams, The MITRE Corporation. See details on page 26.

    15:00-15:30 Break Ballroom Foyer


    15:30-17:00 Technical Tracks

    A. Papers, San Jacinto West: Authentication. Chair: Kevin Butler

    • Towards Practical Anonymous Password Authentication. Yanjiang Yang, Jianying Zhou, Jun Wen Wong, Feng Bao, Institute for Infocomm Research

    • Securing Interactive Sessions Using Mobile Device Through Visual Channel And Visual Inspection. Chengfang Fang, Ee-Chien Chang, National Univ. of Singapore

    • Usability Effects Of Increasing Security In Click-based Graphical Passwords. Elizabeth Stobert, Alain Forget, Sonia Chiasson, Paul van Oorschot, Robert Biddle, Carleton Univ.

    B. Papers, San Jacinto East: Vulnerability Assessment of Embedded Devices. Chair: Jeremy Epstein

    • Security Analysis Of A Fingerprint-protected USB Drive. Benjamin Rodes, Xunhua Wang, James Madison Univ.

    • A Quantitative Analysis Of The Insecurity Of Embedded Network Devices: Results Of A Wide-area Scan. Ang Cui, Salvatore J. Stolfo, Columbia Univ.

    • Multi-vendor Penetration Testing In The Advanced Metering Infrastructure. Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, Patrick McDaniel, Pennsylvania State Univ.

    C. Training, Waterloo: TR2. Near Real-Time Risk Management Process: NIST SP 800-37. Instructor: Dr. Marshall D. Abrams, The MITRE Corporation. See details on page 26.

    17:00-17:45 Classic Paper I Ballroom AB

    Network Intrusion Detection: Dead or Alive?
    Giovanni Vigna, Univ. of California, Santa Barbara, USA

    Research on network intrusion detection has produced a number of interesting results. In this paper, I look back to the NetSTAT system, which was presented at ACSAC in 1998. In addition to describing the original system, I discuss some historical context, with reference to well-known evaluation efforts and to the evolution of network intrusion detection into a broader field that includes malware detection and the analysis of malicious behavior.

    About the Speaker: Giovanni Vigna is a Professor in the Department of Computer Science at the Univ. of California in Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and intrusion detection. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy (S&P 2010 and 2011). He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.

    17:45-18:00 A Tribute to Paul Karger Ballroom AB

    19:00-22:00 Conference Dinner Lawn

    Featuring music by blues guitarist Alan Haynes. In the event of bad weather, this event will be held in Ballroom CD.


  • Thursday ACSAC 2010

    Thursday, 9 December 2010

    7:30-8:30 Continental Breakfast Ballroom CD

    8:30-8:45 Opening Remarks & Announcements Ballroom AB

    8:45-10:00 Invited Essayist Ballroom AB

    Barriers to Science in Security
    Thomas Longstaff, Johns Hopkins Univ., Applied Physics Laboratory, USA

    In the past year, there has been significant interest in promoting the idea of applying scientific principles to information security. The main point made by information security professionals who brief at conferences seems to be that our field of information security is finally mature enough to begin making significant strides towards applying the scientific approach. Audiences everywhere enthusiastically agree and thrash themselves for bypassing science all along, bemoaning the fact that we could be “so much further along” if we only did science. Of course, after the presentation is over, everyone goes back to the methods that have been used throughout our generation to generate prototypes and tools with no regard for the scientific principles involved. We explore the barriers to adopting a scientific approach to experimental information security projects, including:

    • time to publish as a primary driver

    • standard of peer reviews in conferences and journals

    • expectation of a breakthrough in every publication

    Based on these factors, we examine a way forward — how the scientific method can allow us to understand the underlying causality of information security and address the problem at its most fundamental level, and the changes in attitudes and processes necessary for this to happen.

    About the Speaker: Dr. Tom Longstaff is the Chief Scientist for the Cyber Missions Branch of the Applied Physics Laboratory. APL is a Univ. Affiliated Research Center, a division of the Johns Hopkins Univ. Tom joined APL in 2007 to work with a wide variety of infocentric operations projects on behalf of the US Government, including technology transition of cyber R&D, information assurance, intelligence, and global information networks.

    Tom’s academic publications span topics such as malware analysis, information survivability, insider threat, intruder modeling, and intrusion detection. Tom is Chair of the Computer Science, Information Assurance, and Information Systems Engineering Programs at The Johns Hopkins Univ. Whiting School of Engineering. Tom is also a fellow of the International Information Integrity Institute and editor of the IEEE Security & Privacy journal.

    10:00-10:30 Break Ballroom Foyer


    10:30-12:00 Technical Tracks

    A. Papers, Ballroom AB: Botnets. Chair: Angelos Stavrou

    • Friends Of An Enemy: Identifying Local Members Of Peer-to-peer Botnets Using Mutual Contacts. Baris Coskun, Polytechnic Institute of NYU; Sven Dietrich, Stevens Institute of Technology; Nasir Memon, Polytechnic Institute of NYU

    • The Case For In-the-lab Botnet Experimentation: Creating And Taking Down A 3000-node Botnet. Joan Calvet, Carlton Davis, Jose M. Fernandez, Ecole Polytechnique de Montreal; Jean-Yves Marion, LORIA - Nancy Univ.; Pier-Luc St-Onge, Ecole Polytechnique de Montreal

    • Conficker And Beyond: A Large-scale Empirical Study. Seungwon Shin, Guofei Gu, Texas A&M Univ.

    B. Panel, San Jacinto East: Federal Cyber Security Research Agenda. Tomas Vagoun, NITRD (chair); Patricia Muoio, ODNI; Douglas Maughan, DHS S&T; Samuel Weber, NSF

    C. Training, Waterloo: TR2. Near Real-Time Risk Management Process: NIST SP 800-37. Instructor: Dr. Marshall D. Abrams, The MITRE Corporation. See details on page 26.

    12:00-13:30 Lunch Ballroom CD


    13:30-15:00 Technical Tracks

    A. Papers, Ballroom AB: Email, E-Commerce, and Web 2.0. Chair: Christoph Schuba

    • Spam Mitigation Using Spatio-temporal Reputations From Blacklist History. Andrew West, Adam Aviv, Jian Chang, Insup Lee, Univ. of Pennsylvania

    • Breaking E-banking Captchas. Shujun Li, Univ. of Konstanz; Syed Amier Haider Shah, Muhammad Asad Usman Khan, Syed Ali Khayam, National Univ. of Science and Technology (NUST); Ahmad-Reza Sadeghi, Ruhr-Univ. of Bochum

    • Firm: Capability-based Inline Mediation Of Flash Behaviors. Zhou Li, XiaoFeng Wang, Indiana Univ. at Bloomington

    B. Papers, San Jacinto West: Hardware-Assisted Security. Chair: Michael E. Locasto

    • T-dre: A Hardware Trusted Computing Base For Direct Recording Electronic Vote Machines. Roberto Gallo, Univ. of Campinas; Henrique Kawakami, KRYPTUS Cryptographic Engineering; Ricardo Dahab, Guido Araújo, Univ. of Campinas; Rafael Azevedo, Tribunal Superior Eleitoral

    • Hardware Assistance For Trustworthy Systems Through 3-d Integration. Jonathan Valamehr, Mohit Tiwari, Timothy Sherwood, UC Santa Barbara; Arash Arfaee, Ryan Kastner, UC San Diego

    • Sca-resistant Embedded Processors — the Next Generation. Stefan Tillich, Univ. of Bristol; Mario Kirschbaum, Alexander Szekely, Graz Univ. of Technology

    C. Case Studies, San Jacinto East: Supply Chain Risk Management. Nadya Bartol, Booz Allen Hamilton (chair); Don Davidson, DoD/Global Task Force; Marianne Swanson, NIST; Carol Woody, SEI CERT; Larry Wagoner, NSA; Dan Reddy, EMC/SAFECode

    D. Training, Waterloo: TR3. Integrated Enterprise-Wide Risk Management, Organization, Mission, and Information System View: NIST SP 800-39. Instructor: Dr. Marshall D. Abrams, The MITRE Corporation. See details on page 26.

    15:00-15:30 Break Ballroom Foyer


    15:30-17:00 Technical Tracks

    A. Papers, Ballroom AB: Security Protocols and Portable Storage. Chair: Baris Coskun

    • Porscha: Policy Oriented Secure Content Handling In Android. Machigar Ongtang, Kevin Butler, Patrick McDaniel, Pennsylvania State Univ.

    • Kells: A Protection Framework For Portable Data. Kevin Butler, Stephen McLaughlin, Patrick McDaniel, Pennsylvania State Univ.

    • Keeping Data Secret Under Full Compromise Using Porter Devices. Christina Pöpper, David Basin, Srdjan Capkun, Cas Cremers, ETH Zurich

    B. Papers, San Jacinto West: Model Checking and Vulnerability Analysis. Chair: Sven Dietrich

    • Familiarity Breeds Contempt: The Honeymoon Effect And The Role Of Legacy Code In Zero-day Vulnerabilities. Sandy Clark, Univ. of Pennsylvania; Stefan Frei, Secunia; Matt Blaze, Jonathan Smith, Univ. of Pennsylvania

    • Quantifying Information Leaks In Software. Jonathan Heusser, Pasquale Malacaria, Queen Mary Univ. of London

    • Analyzing And Improving Linux Kernel Memory Protection: A Model Checking Approach. Siarhei Liakh, Michael Grace, Xuxian Jiang, North Carolina State Univ.

    C. Panel, San Jacinto East: The New Security Paradigms Experience. Richard Ford, Florida Institute of Technology (Moderator); Michael Locasto, Univ. of Calgary; Victor Raskin, Purdue; Julia M. Taylor, Purdue

    D. Training, Waterloo: TR3. Integrated Enterprise-Wide Risk Management, Organization, Mission, and Information System View: NIST SP 800-39. Instructor: Dr. Marshall D. Abrams, The MITRE Corporation.

    17:00-17:45 Classic Paper II Ballroom AB

    Back to Berferd
    William Cheswick, AT&T Labs Research, USA

    It has been nearly twenty years since I published the Berferd paper. Much of it is quite outdated, reflecting the state of technology at the time. But it did touch a number of issues that have become quite important. I discuss some of the existing conditions around the time of the paper, and some of these issues.

    About the Speaker: Ches is an early innovator in Internet security. He is known for his work in firewalls, proxies, and Internet mapping at Bell Labs and Lumeta Corp. He is best known for the book he co-authored with Steve Bellovin and now Avi Rubin, Firewalls and Internet Security: Repelling the Wily Hacker.

    Ches is now a member of the technical staff at AT&T Labs - Research in Florham Park, NJ, where he is working on security, visualization, user interfaces, and a variety of other things.


    18:00-21:00 Posters/Works in Progress/Career Night/Reception Ballroom AB

    Works in Progress 18:00-19:30
    Chair: Charles Payne

    • Ontologies for Modeling Enterprise Level Security Metrics, Anoop Singhal, NIST

    • Hardware Hypervisor for a Secure Root of Trust, Joseph Loomis, Southwest Research Institute

    • Federal Cloud Security Top 20, Earl Crane, DHS

    • The Systems Security Engineering Process, Toni Claud, NSA

    Posters 18:00-19:30
    Chair: Benjamin Kuperman, James P. Early

    • Graph-Based Traffic Analysis for Network Intrusion Detection, Gary Sandine, Los Alamos National Laboratory

    • Security through Usability: a user-centered approach for balanced security policy requirements, Shamal Faily, Univ. of Oxford

    • Side Channel Finder (Version 1.0), Artem Starostin, TU Darmstadt

    • Service Automata for Secure Distributed Systems, Richard Gay, TU Darmstadt

    • Accelerating Regular Expression Processing Using Hardware DFA Engines, Jordi Ros-Giralt, Reservoir Labs

    • SIFEX: Tool for Static Analysis of Browser Extensions for Security Vulnerabilities, Shikhar Agarwal, Indian Institute of Technology

    • RAVEN: Real-time Attack Visualization through Examining Network flows, Ethan Singleton, Univ. of Tulsa

    • DDoS Attacks Avoidance by Securely Hiding Web Servers, Mohamad Samir A. Eid, Univ. of Tokyo

    • Reliable Time Based Forensics in NTFS, Xiaoqin Ding, Shanghai Jiao Tong Univ.

    • Inherent Problems in the Information Technology Supply Chain, Courtney Cavness, Atsec Corporation

    Career Fair 18:00-20:00
    Chair: Ben Cook

    New to 2010: ACSAC adds a career fair! Companies hiring in the area of information security and research will be on hand to discuss employment opportunities.


  • ACSAC 2010 Friday

    Friday, 10 December 2010

    7:30-8:30 Continental Breakfast Ballroom Foyer

    8:30-10:00 Technical Tracks

    A. Papers, Ballroom A: Intrusion Detection and Live Forensics. Chair: Kenneth F. Shotting

    • Comprehensive Shellcode Detection Using Runtime Heuristics. Michalis Polychronakis, Columbia Univ.; Kostas Anagnostakis, Niometrics R&D; Evangelos Markatos, FORTH-ICS

    • Cross-layer Comprehensive Intrusion Harm Analysis For Production Workload Server Systems. Shengzhi Zhang, Pennsylvania State Univ.; Xiaoqi Jia, Graduate Univ. of Chinese Academy of Sciences; Peng Liu, Pennsylvania State Univ.; Jiwu Jing, Graduate Univ. of Chinese Academy of Sciences

    • Forenscope: A Framework For Live Forensics. Ellick Chan, Shivaram Venkataraman, Univ. of Illinois; Francis David, Microsoft; Amey Chaugule, Univ. of Illinois

    B. Papers, San Jacinto West: Distributed Systems and Operating Systems. Chair: TBD

    • A Multi-user Steganographic File System On Untrusted Shared Storage. Jin Han, Meng Pan, Debin Gao, HweeHwa Pang, Singapore Management Univ.

    • Heap Taichi: Exploiting Memory Allocation Granularity In Heap-spraying Attacks. Yu Ding, Tao Wei, Tielei Wang, Peking Univ.; ZhenKai Liang, National Univ. of Singapore; Wei Zou, Peking Univ.

    • Scoba: Source Code Based Attestation On Custom Software. Liang Gu, Yao Guo, Anbang Ruan, Qingni Shen, Hong Mei, Peking Univ.

    C. Case Studies, San Jacinto East: Software Security Automation and Measurement. Joe Jarzombek, National Cyber Security Division, DHS (Moderator); Don Davidson, OASD-NII/DoD; Nadya Bartol, Booz Allen Hamilton; Robert Seacord, CERT Coordination Center, Carnegie Mellon Univ.; Carol Woody, SEI, Carnegie Mellon Univ.

    D. Training, Waterloo: TR4. Risk Assessments for Information Technology Systems: NIST SP 800-30. Instructor: Pete Gouldmann, U.S. Department of State. See details on page 27.

    10:00-10:30 Break Ballroom Foyer


    10:30-12:00 Technical Tracks

    A. Papers, Ballroom A: Mobile and Wireless. Chair: Cristina Serban

    • Paranoid Android: Versatile Protection For Smartphones. Georgios Portokalidis, Columbia Univ.; Philip Homburg, Herbert Bos, Vrije Universiteit Amsterdam

    • Exploiting Smart-phone USB Connectivity For Fun And Profit. Zhaohui Wang, Angelos Stavrou, George Mason Univ.

    • Defending Dsss-based Broadcast Communication Against Insider Jammers Via Delayed Seed-disclosure. An Liu, Peng Ning, Huaiyu Dai, Yao Liu, North Carolina State Univ.; Cliff Wang, Army Research Office

    B. Papers, San Jacinto West: Security Engineering and Management. Chair: Edward A. Schneider

    • Always Up-to-date – Scalable Offline Patching Of Vm Images In A Compute Cloud. Wu Zhou, Peng Ning, North Carolina State Univ.; Xiaolan Zhang, Glenn Ammons, IBM; Ruowen Wang, North Carolina State Univ.; Vasanth Bala, IBM

    • A Framework For Testing Hardware-software Security Architectures. Jeffrey S. Dwoskin, Princeton Univ.; Mahadevan Gomathisankaran, Univ. of North Texas; Yu-Yuan Chen, Ruby B. Lee, Princeton Univ.

    • Two Methodologies For Physical Penetration Testing Using Social Engineering. Trajce Dimkov, Andre van Cleeff, Wolter Pieters, Pieter Hartel, Univ. of Twente

    C. Training, Waterloo: TR4. Risk Assessments for Information Technology Systems: NIST SP 800-30. Instructor: Pete Gouldmann, U.S. Department of State. See details on page 27.

    12:00-12:30 Closing Session/Best Paper Award Ballroom A

    13:00-15:00 Optional Lunch at Stubb’s BBQ


  • ACSAC 2010 Workshop Details

    Workshop Details

    Layered Assurance Workshop (LAW)

    Chair: Rance J. DeLong, Lynuxworks, Santa Clara Univ.

    Monday December 6th and Tuesday December 7th, AllDay. Separate registration and fee required.

    LAW has provided a forum for vital exchange, as wellas a maturing source of information, focused on key is-sues relating to the effective and efficient modular con-struction and certification of assured systems from as-sured components. It is widely recognized that such anapproach is the most promising way to achieve diverseand flexible systems that can be certified quickly andcost effectively. LAW is concerned with the theoreti-cal, engineering, and certification challenges to be metbefore this goal can be fully realized.

    The Workshop concerns itself with the fundamental prob-lems of “compositional assurance” and with a need forprinciples, methods, and techniques that can be appliedto achieve the assurance necessary for security-critical,safety-critical, and mission-critical components and sys-tems.

    For the past three years, the Layered Assurance Work-shop has grown and evolved. The first LAW in 2007took an exploratory approach, relying heavily on theparticipants’ input to establish the agenda. The sec-ond LAW in 2008 was attended by approximately 80individuals representing more than 30 distinct organi-zations. In that Workshop more of the program wasestablished in advance, with several keynote talks cho-sen from responses to an open invitation, followed bybreakout sessions on diverse topics. The third LAWcomprised two thematic days with a common structure:morning keynote talks, afternoon panels and breakoutsessions. The theme of the first day was programmaticneeds of government, while that of the second day wasresearch and development on the problems of layeredassurance.

    This year, the fourth LAW will include talks by distinguished speakers, panels, discussions and technical training. Attendees are encouraged to participate in ACSAC in addition to LAW. The conjunction of LAW and ACSAC provides increased opportunities for academic and industry participants to contribute in the forum of their choice. Please pass along information about LAW to colleagues who may be interested.

    The workshop is unclassified and will be open to all attendees. As a result of the transition to make LAW a permanent ACSAC workshop, there is now a LAW registration fee. This year, to ease the transition for attendees, the LAW sponsors have generously provided a sponsorship for early registrants.

    For agenda and registration details, please visit http://fm.csl.sri.com/LAW/2010/index.shtml.

    Workshop on Governance of Technology, Information, and Policies (GTIP): Addressing the Challenges of Worldwide Interconnectivity

    Chair: Dr. Harvey H. Rubinovitz

    Tuesday, 7 December 2008, 8:30 – 17:00. Separate registration and fee required.

    The explosion in the use of the Internet over the last 10 years has connected institutions, governments, researchers, and non-technical people throughout the world. The large number of devices connected to the networks has changed the Internet from a set of networks connecting computers to a set of networks connecting all types of objects. This trend, combined with the rise of collaborative technologies, virtual worlds, and cloud computing, raises issues profoundly affecting how the management of systems, of computation, and of data is viewed.

    A key issue that springs from the implications of managing the interconnection of people and devices throughout the world is how differing laws, customs, and world views have led to the application of technologies to meet goals that conflict, yet must interoperate. For example, the rules governing privacy vary throughout the world. However, with the advent of cloud computing it may no longer be possible to restrict data to jurisdictions with compatible rules because the cloud provider may migrate data or computation to leverage resources in other jurisdictions. How do we handle this situation technologically? How do we devise policies and processes to control the effects of this increasing interconnection, the technology, and the data? What implications does this have for laws, regulations, customs, and management?

    The goal of this workshop is to explore these issues in a variety of contexts. We invited original position and research papers describing the challenges that must be resolved; policies, processes and technologies that may prove useful in dealing with these problems; security, technological, societal, and legal issues; as well as aspects of computing and managing data in a world of fragmented and incompatible rules.

    For agenda and other details, please visit http://www.acsac.org/2010/workshop/.


  • Tutorial Details ACSAC 2010

    Tutorial M1. Educating Computer Security Professionals with the CyberCIEGE Video Game

    Instructor(s): Mr. Michael Thompson, Naval Postgraduate School

    Monday, December 6th, Morning Only. Separate registration and fee required.

    CyberCIEGE is a 3D video game that enhances computer network security education and training through constructive resource management techniques such as those employed in the Tycoon games. In the CyberCIEGE world, players spend virtual money to operate and defend networks, and can watch the consequences of their choices, while under attack. CyberCIEGE scenarios cover network management and defense including the use of network filters, VPNs, e-mail encryption, access control mechanisms, biometrics, and PKI. Players balance budget, productivity, and security by keeping the virtual world’s personnel happy (e.g., by providing Internet access) while protecting assets from vandals and professional attacks. The tutorial will cover the use of the game for education and training, and will include hands-on scenario play for the audience. In addition, the tutorial will cover use of the Scenario Development Kit for creating and customizing scenarios.

    While CyberCIEGE includes a set of “training and awareness” scenarios for general audiences (such as those of other computer security games like “Anti-Phishing Phil”), the primary purpose of the game is broader computer security education. CyberCIEGE is built around the fundamental concepts of information security policies. Attacks are fueled by attacker motives, and motives vary by asset and scenario. The fidelity of CyberCIEGE attacks is high enough to illustrate functions of technical protection mechanisms and configuration-related vulnerabilities. For example, an attack might occur because a particular firewall port is left open and a specific component lacks a suitable patch management policy. This attack engine is coupled with an economy engine that measures the virtual user’s ability to achieve goals (i.e., read or write assets). This combination enables scenarios that illustrate real-world trade-offs such as the use of air-gaps vs. the risks of cross-domain solutions when accessing assets on both sensitive and unclassified networks.

    CyberCIEGE was created by the Naval Postgraduate School in partnership with Rivermind Inc., and it is deployed around the world in universities, community colleges and government organizations. The US Government has unlimited use of the game, and a no-cost license to use CyberCIEGE is available to educational institutions; hundreds of such institutions have requested the game. The target audience of the tutorial is computer security instructors and those developing security training and education programs.

    Outline

    1. Overview, purpose and intended audience of the game. Introductory video. Training scenarios vs. educational scenarios. Online encyclopedia and tutorial movies. Example training scenario.

    2. Scenarios illustrating basic network security concepts. Introductory tutorial scenario. Examples of game engine triggers, conditions and attacks. Basic game mechanics. Information security policy and physical security. Hands-on play by attendees of introduction scenario.

    3. Intermediate computer security concepts. Network filters and their limitations (Network Filters scenario). Access control policies and assurance (Genes R Us scenario). User identification. Encryption, VPNs, email protection. Hands-on play by attendees of filters scenario.

    4. Deploying the game for training and education. Mechanics of distribution and deployment. Use of the game to augment case studies, directed group play. Student assessment tool.

    5. Creating and customizing scenarios. Game engine: attack models, game economy, triggers and conditions. Use of the Scenario Development Tool (SDT).

    6. Hands-on supervised scenario play by the attendees.

    7. Example of scenario construction. SDT mechanics. Scenario testing.

    Prerequisites. Attendees will each need access to a computer (e.g. laptop) having a Windows operating system. Those with Mac computers can run the game using VMWare Fusion and a Windows guest operating system. Most relatively modern laptops and notebooks will run the game. Test the game on your laptop using the free evaluation version available at http://cisr.nps.edu/cyberciege/downloads/setup-demo.exe.

    About the Instructor. Mr. Michael Thompson is a Research Associate in the Center for Information Systems Security Studies and Research at the Naval Postgraduate School in Monterey, California. He is the lead engineer for CyberCIEGE and is responsible for its ongoing development and maintenance. He holds a B.S. in Electrical Engineering from Marquette Univ. His research interests include security engineering and high assurance computer security, and he has over twenty years’ experience in the field of computer security.

    Tutorial M2. State of the Practice: Intrusion Detection

    Instructor(s): Dr. Michael Collins and Dr. John McHugh, RedJack, LLC

    Monday, December 6th, Afternoon Only. Separate registration and fee required.

    This half-day tutorial is intended to provide an overview of the state of practice in intrusion detection. It is intended to provide an understanding of the problems and potential pitfalls for researchers intending to undertake research efforts in the field, especially those who approach it from the viewpoint of other disciplines such as machine learning. The intended audience includes graduate students seeking PhD or MS topics, network security analysts who want deeper insights into the reasons why intrusion detection systems manifest relatively poor performance, and individuals desiring to evaluate intrusion detection products.

    At the completion of the tutorial, the student should be conversant with the vocabulary of intrusion detection and have developed an appreciation for the difficulty of the problem area. The tutorial will cover the major classes of intrusion detection, including host- and network-based classifications and signature- and anomaly-based classifications. Each of these approaches presents its own advantages and problems, and each presents specific kinds of problems that need to be addressed by the research and operational communities. While there is a large body of published research in the area, relatively few of the academically developed approaches make any practical impact on the field, and a unifying theme of the tutorial will be discussion of why this is the case. Specific topics of interest include the role of intrusion detection in system defense, sensing approaches, detection issues, and intrusion detection system evaluation.

    Outline

    1. Introduction. Intrusion detection systems history. Basic IDS technology: HIDS, NIDS, signature-based, anomaly-based. Major IDS families. Related technologies. Fallacies in IDS: false positives, false negatives, base rate.

    2. General problems in IDS. Data collection. Inferential fallacies: false positives, false negatives, base rate, prosecutor’s fallacy. IDS evasion. Problems with IDS on the floor: polymorphism, packers and signature evasion, zero-days, and chair-swiveling.

    3. Signature-based IDS: State of the practice. Standard signature-based IDS: Snort, commercial systems. Signature management. Mechanisms for comparing and evaluating signatures. Current problems in signature-based IDS: malware, signature management, deceptive signatures.

    4. Anomaly-based IDS: State of the practice. Historical anomaly detection timeshares. Modern anomaly detection systems. Successful anomaly detection. Current problems in anomaly-based IDS: noise, training assumptions.

    5. IDS Evaluation. Data available for evaluation. ROC curves and other evaluation mechanisms. Problems in ‘normalcy’.

    6. Similar Systems. IPS vs. IDS vs. sensor. SIM/SEM. AV. DDoS detection.

    Prerequisites. None.

    About the Instructors. Dr. Michael Collins is Chief Scientist for RedJack and a former scientist for the CERT/Network Situational Awareness Team at Carnegie Mellon Univ. In this capacity, Dr. Collins was one of the lead designers of CENTAUR and the SiLK toolkit. Dr. Collins is an expert on traffic analysis, and has developed novel methods for tracking peer-to-peer applications and applying social network analysis to network traffic. His work is used by several federal agencies for traffic analysis and network defense. He is currently working on social network analysis of web usage.

    Dr. John McHugh is the Senior Principal at RedJack LLC, a network data analysis and security consulting company, and holds a visiting faculty position at UNC. Before joining RedJack, he was a Canada Research Chair in Privacy and Security at Dalhousie Univ. in Halifax, NS, and, earlier, senior member of the technical staff with the CERT Situational Awareness Team, where he did research in survivability, network security, and intrusion detection. Recently, he has been involved in the analysis of large-scale network flow data using visual analytic techniques and has developed tools for characterizing host and network behavior. Dr. McHugh received his PhD degree in computer science from the Univ. of Texas at Austin. He has an MS degree in computer science from the Univ. of Maryland, and a BS degree in physics from Duke Univ.


    Tutorial M3. Algorithms for Software Protection

    Instructor(s): Dr. Christian Collberg, Univ. of Arizona, and Dr. Jasvir Nagra, Google Inc.

    Monday, December 6th, All Day. Separate registration and fee required.

    Abstract. In this tutorial we will describe techniques for software protection. These are techniques for protecting secrets contained in computer programs from being discovered, modified, or redistributed. Important applications include protecting against software piracy, license check tampering, and cheating in on-line multi-player games. With a series of interactive exercises and problems, you will get hands-on experience with methods you can use to protect your program as well as techniques that attackers use to analyze and crack applications. The attack model is very liberal: we assume that an adversary can study our program’s code (maybe first disassembling or decompiling it), execute it to study its behavior (perhaps using a debugger), or alter it to make it do something different than what we intended (such as bypassing a license check). In a typical defense scenario we use code transformation techniques to add confusion to our code to make it more difficult to analyze (statically or dynamically), tamper-protection to prevent modification, and watermarking to assert our intellectual property rights (by embedding a hidden copyright notice or unique customer identifier).

    Background. Software protection is a fairly new branch of computer security. It’s a field that borrows techniques not only from computer security, but also from many other areas of Computer Science such as cryptography, steganography, media watermarking, software metrics, reverse engineering, and compiler optimization. The problems we work on are different from other branches of computer security: we are concerned with protecting the secrets contained within computer programs. We use the word secrets loosely, but the techniques we present in this tutorial (code obfuscation, software watermarking and fingerprinting, tamper-proofing, and birthmarking) are typically used to prevent others from exploiting the intellectual effort invested in producing a piece of software.

    For example, software fingerprinting can be used to trace software pirates, code obfuscation can be used to make it more difficult to reverse engineer a program, and tamperproofing can make it harder for a hacker to remove a license check.

    Outline

    1. Introduction. What is software protection? What problems do we work on?

    2. Attack Models. Who is our adversary? What techniques are at his disposal?

    3. Code Obfuscation. Code transformation techniques for preventing malicious reverse engineering of programs. How do we defeat static analysis? How do we defeat dynamic analysis? How can adversaries use obfuscation to affect the results of electronic voting?

    4. Obfuscation Theory. Theoretical background to obfuscation. What can we hide in a program? What can’t we hide in a program?

    5. Tamperproofing. Techniques for preventing modifications of programs. How can we stop the removal of licensing checks? How can we stop cheating in on-line games? How can we prevent attacks against the TCP stack that could potentially take down the Internet?

    6. Watermarking. Techniques for embedding unique identifiers in programs to prevent software piracy.

    7. Conclusion. Directions for future research.

    Prerequisites. An understanding of basic compiler/program analysis techniques is helpful, but not necessary.

    About the Instructors. Dr. Christian Collberg received a BSc in Computer Science and Numerical Analysis and a Ph.D. in Computer Science from Lund Univ., Sweden. He is currently an Associate Professor in the Department of Computer Science at the Univ. of Arizona and has also worked at the Univ. of Auckland, New Zealand, and the Chinese Academy of Sciences in Beijing. Prof. Collberg is a leading researcher in the intellectual property protection of software, and also maintains an interest in compiler and programming language research. In his spare time he writes songs, sings, and plays guitar for The Zax and hopes one day to finish up his Great Swedish Novel.

    Dr. Jasvir Nagra received his B.Sc. in Mathematics and Computer Science and a Ph.D. in Computer Science from the Univ. of Auckland, New Zealand. He’s been a Post Doctoral scholar on the RE-TRUST project at the Univ. of Trento, where his focus was on applying obfuscation, tamperproofing and watermarking techniques to protect the integrity of software executing on a remote untrusted platform. His research interests also include the design of programming languages and its impact on the security of applications. He’s currently with Google, Inc., where he is building Caja, an open-sourced, secure subset of JavaScript. In his spare time Jasvir dabbles with Lego and one day hopes to finish building his Turing machine made entirely out of Lego blocks.

    Tutorial T4. System Life Cycle Security Engineering

    Instructor(s): Ms. Thuy D. Nguyen and Dr. Cynthia E. Irvine, Naval Postgraduate School

    Monday, December 6th, All Day. Separate registration and fee required.

    Within the discipline of systems engineering, information systems security engineering (ISSE) applies information assurance principles across a system’s life cycle. Grounded by underlying security principles and a rigorous methodology, ISSE follows the “system thinking” approach for assessing system security behaviors based on dependencies, interactions and emergent properties of its components in the context of a larger system.

    This tutorial aims to provide attendees with an overview of the ISSE methodologies and processes for the design, implementation and assessment of risk-based security solutions. Concepts and practices of information systems security engineering are presented from a system life cycle perspective. Core topics include security requirement engineering, architecture and design analysis, system implementation assessment, requirements/implementation traceability correspondence, security test and evaluation strategy, and risk management. These topics are structured to follow the NIST risk management framework. In each stage of the system development life cycle, the roles and responsibilities of the ISSE team are explained.

    Through the tutorial, attendees will understand the importance of capturing users’ needs in a tractable form to guide development and risk analysis activities. They will be familiar with the properties used to evaluate different security architectures, the inherent trust problems relating to the composition of systems and components, and security issues associated with the adaptation of existing systems to meet the need for technological and environmental evolution.

    Outline

    1. Introduction to Information Systems Security Engineering. This module presents an overview of the following ISSE activities in a system development life cycle: (1) Discover Information Protection Needs; (2) Define System Security Requirements; (3) Design System Security Architecture; (4) Develop Detailed Security Design; (5) Implement System Security. This module also explores the Risk Management Framework defined by NIST and reviews ISSE responsibilities in the risk management cycle of a system to assess the effectiveness and residual risk of the system’s protection mechanisms.

    2. Life Cycle Assurance Practices. This module emphasizes the “baked in” security strategy and the notions of defense in breadth and defense in depth. Topics to be covered include: (1) Defense in breadth: evaluating risk throughout a system’s life cycle; (2) Defense in depth: protecting against attacks by employing appropriate protection mechanisms in key areas; (3) Trust relationships among components in large/complex systems: composition, balanced assurance, interconnection.

    3. Security Requirement Engineering. This module presents a general security requirements engineering framework that includes the following activities: (1) Security requirements elicitation; (2) Threat/risk analysis; (3) Security requirements derivation; (4) Security requirements validation.

    4. Security Architecture and Design. This module focuses on the following: (1) Architectural properties and strategies for reasoning about the security architecture of a system; (2) Security design requirements and engineering activities for developing and analyzing the security design for a secure system.

    Prerequisites. It is assumed that participants have knowledge of basic security concepts and principles, and an understanding of computer, software and network security fundamentals. In addition, familiarity with system life cycle assurance (including threat characterization and risk analysis) and general systems engineering processes would be useful.

    About the Instructors. Ms. Thuy D. Nguyen is a Senior Research Associate of Computer Science at the Naval Postgraduate School in Monterey, California. She has 25 years of experience and specializes in high assurance software and systems development, security evaluation and information systems security engineering. Ms. Nguyen performs research on high assurance platforms, trusted operating systems and separation kernels, secure collaborative applications, MLS federated architectures and dynamic security services. She is the lead architect/engineer of the MYSEA multilevel secure (MLS) project and oversees the construction of an MLS testbed. She co-authored a Common Criteria Protection Profile for highly robust separation kernels and a draft Computing Platform Architecture and Security Criteria for the High Assurance Platform Program. She has developed and taught courses on security requirements engineering and applied information systems security engineering. Prior to NPS, she developed commercial security products, including a TCSEC Class A1 security kernel.

    Dr. Cynthia E. Irvine is a Professor in the Department of Computer Science and Director of the Center for Information Systems Security Studies and Research (CISR) at the Naval Postgraduate School, where she has worked since 1994. She was the founding director of the Cebrowski Institute at NPS from 2001 to 2003. A graduate of Rice and Case Western Reserve Universities, her research centers on the design and construction of high assurance systems and multilevel security. The author of over 150 papers and reports on cyber security, she has supervised over 120 Masters and PhD students. Dr. Irvine has served on numerous government computer and network security committees and review boards. Her memberships include: the ACM, ASP (life), IEEE (Senior) and the IEEE Computer Society Golden Core. A recipient of the Navy Information Assurance Award as well as numerous research and service awards, she served as Chair of the IEEE Technical Committee on Security and Privacy from 2007 to 2009.

    Tutorial T5. Virtualization and Security

    Instructor(s): Mr. Zed Abbadi, Public Company Accounting Oversight Board (PCAOB)

    Tuesday, December 7th, Morning Only. Separate registration and fee required.

    In recent years, virtualization has become one of the most deployed technologies in the IT field. It provides clear benefits when it comes to utilization, maintenance, redundancy and lower power consumption. However, just like every new technology, virtualization is still evolving and there are still unanswered security questions. Virtualization is a concept that encompasses many types of technologies used in different configurations and for a variety of reasons. Each one of these technologies presents its own unique set of security challenges and benefits.

    This tutorial will provide a basic understanding of the various virtualization technologies and discuss the security aspects and characteristics of each one. It will provide the audience with valuable material on how to utilize virtualization to decrease risks from security attacks and how to avoid vulnerabilities that may accompany virtualization technologies.

    Outline

    1. Virtualization Basics: An introduction to the various types of virtualization technologies and their typical usage. This includes server and client virtualization, and the different software/hardware solutions that exist in the market today.

    2. Server Virtualization Security: A detailed discussion focused on server virtualization and the underlying security benefits and challenges. The discussion will cover bare-metal (monolithic vs. microkernel) and hosted technologies.

    3. Client Virtualization Security: A detailed discussion focused on client virtualization and the underlying security benefits and challenges. The discussion will cover desktop (local and hosted) and application (local and hosted) virtualization technologies.

    4. Other Virtualization Technologies: Other evolving virtualization technologies including OS Streaming and Workspace Virtualization and the security implications that accompany them.

    Prerequisites. General understanding of computer architecture and basic security concepts.

    About the Instructor. Mr. Zed Abbadi is an Application Security Manager with the Public Company Accounting Oversight Board (PCAOB). He has over 18 years of experience in software and security engineering. His experience ranges from providing security consulting services to building large-scale software systems. In his current role he is responsible for the security of all software applications that run on PCAOB’s infrastructure.

    Zed holds a Bachelor of Science in Computer Science and a Masters degree in Systems Engineering from George Mason Univ. He is a published author and has presented at various security conferences.

    Tutorial T6. Keeping Your Web Apps Secure: The OWASP Top 10 & Beyond

    Instructor(s): Mr. Robert H’obbes’ Zakon, Zakon Group LLC

    Tuesday, December 7th, Afternoon Only. Separate registration and fee required.

    The Open Web Application Security Project (OWASP) Top 10 provides an overview of the most critical web application security risks. This tutorial introduces the OWASP Top 10 (2010 edition) along with other risks, and discusses the techniques and practices to protect against them. References to software tools and other secure coding resources will also be provided. This tutorial is a must if you are developing web applications, managing developers, researching web security, or simply are a security enthusiast.

    Outline

    1. Introduction. Overview of the need for secure coding practices in web application development.

    2. The OWASP Top 10. From Injection and Cross-Site Scripting (XSS) to Insecure Cryptographic Storage and Cross-Site Request Forgery (CSRF), we will cover OWASP’s Top 10 Risks in detail: how these risks lead to vulnerabilities, and how to mitigate them.

    3. Beyond the Top 10. The Top 10 are not meant to be comprehensive, but to make developers aware of the most commonly encountered risks. Here we will cover additional risks and vulnerabilities that every web developer needs to be aware of, along with how to mitigate them.

    4. Gotchas, Pitfalls & Prevention. In addition to secure coding practices addressing potential vulnerabilities, there are still some underlying technologies that could result in unintended consequences. Learn about what these are and how to prevent them from being exploited.

    5. Security Tools & Resources. It’s a half-day course, so you get lots of references to additional resources and tools.

    Prerequisites. Some understanding of web application development may be helpful when discussing risk mitigation techniques.

    About the Instructor. Mr. Robert Zakon is a technology consultant and developer who has been programming web applications since the Web’s infancy, over 15 years ago. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non-profits and government agencies on technology, information, and security architecture and infrastructure. Robert is a former Principal Engineer with MITRE’s infosec group, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS & MS degrees from Case Western Reserve Univ. in Computer Engineering & Science with concentrations in Philosophy & Psychology. His interests are diverse and can be explored at www.Zakon.org.

    Tutorial T7. State of the Practice: Secure Coding

    Instructor(s): Mr. Robert C. Seacord, CERT Software Engineering Institute

    Tuesday, December 7th, All Day. Separate registration and fee required.

    State of the practice courses provide an introduction and overview of the current state of research in a particular discipline with the intent of giving beginning doctoral students an overview of research, technology and outstanding problems in that discipline. This state of the practice tutorial describes the state of the practice in secure C language programming as defined by the C99 standard and the emerging C1X standard. The tutorial also identifies outstanding problems in these standards, and identifies where further research is necessary. The tutorial also describes The CERT C Secure Coding Standard as well as the work and progress of the WG14 C Secure Coding Guidelines study group.

    Outline

    1. History of C language programming. Origins. The C90, C99, and C1X standards. Common vulnerabilities. The role of secure coding standards.

    2. C programming language and library research. Implementation-defined, unspecified, and undefined behaviors. Poorly designed library functions. Poorly understood behaviors. Dangerous optimizations. Unmanaged environments. Encoding and decoding pointers. Security attributes. Concurrency.

    3. C1X improvements. Annex K bounds-checking interfaces. Annex L analyzability. Static assertions. File I/O.

    4. Analysis Research. Static analysis. Dynamic analysis. Safe secure C/C++ methods. Model checking. Contributing analysis tools: case studies.

    5. Runtime protection schemes research. Randomization. W^X. Pointer encoding/decoding. Secure heap. Capability-based systems.

    6. Additional Research Areas. Underlying causes of vulnerabilities, effective and enforceable secure coding guidelines, and effectiveness of static analysis in analyzing open source software.


    Prerequisites. Tutorial participants should be familiar with C language programming. Practicing C and C++ programmers will derive the greatest benefit, but programmers who use other languages such as Java will also find the tutorial useful.

    About the Instructor. Mr. Robert C. Seacord is the author of The CERT C Secure Coding Standard (Addison-Wesley, 2008) and Secure Coding in C and C++ (Addison-Wesley, 2005), providing guidance on secure practices in C and C++ programming. Seacord leads the Secure Coding Initiative at CERT, located in Carnegie Mellon’s Software Engineering Institute (SEI) in Pittsburgh, PA. CERT’s Secure Coding Initiative develops and promulgates secure coding practices and techniques, such as CERT’s Secure Code Analysis Laboratory (SCALe), the first to certify software for conformance with secure coding standards. His research group develops publicly available tools for the analysis and development of secure software. Seacord is an adjunct professor in the Carnegie Mellon Univ. School of Computer Science and in the Information Networking Institute and a frequent speaker throughout the world. Seacord is also a technical expert for the ISO/IEC JTC1/SC22/WG14 international standardization working group for the C programming language.

    Tutorial T8. An Introduction to Usable Security

    Instructor(s): Dr. Jeff Yan, Newcastle Univ., UK, and Mary Ellen Zurko, IBM, USA

    Tuesday, December 7th, All Day. Separate registration and fee required.

    For a long time, computer security was mainly concerned with the design of various technical mechanisms for defending against adversaries, as well as with the underlying mathematical foundations such as cryptographic primitives. However, the usability of such technical mechanisms was largely ignored, which unfortunately has proved a major cause of many computer security failures. In particular, many technical solutions, though theoretically sound, were practically insecure because of their poor usability.

    In recent years, “usable security” (or “security usability”) has attracted fast-growing attention in both academia and industry. More and more people agree that we need usable security systems: unusable secure systems are not used properly or at all, and thus only usable systems can provide effective security. However, there is less agreement about how to design systems that are both usable and secure.

    Outline. This full-day tutorial will give an overview of the field of usable security, with a focus on the principles, approaches and research methods of usable security. A large number of real-life examples will be used to illustrate that it is feasible to develop security solutions that are simultaneously secure and usable. With the aim of enabling participants to both evaluate and produce high-quality work in usable security, the tutorial is tentatively structured as follows:

    1. Part 1: Fundamentals. How security has failed due to the failure of usability of security technologies. Psychological aspects of computer security, highlighting that what security engineers expect to work and what users actually make work can differ greatly. The contrast between theoretical and effective practical security will be highlighted. Examples of how security has failed due to usability will enable the attendee to recognize common mistakes. Early research in the field will be touched on, providing a background on motivations and a historical context for the field.

    2. Part 2: Approaches and methods. Common approaches to usable security and relevant design principles for security usability will be discussed. Methods for improving security usability and methods for empirically establishing such improvement will be discussed in detail. Usability techniques successfully applied to security will be covered, including usable design (with an emphasis on error handling and task flow), lab user studies (a field advanced enough that simple and useful guidance is available in book form), field user studies, and techniques for evaluating organizational cultures. The difficulties peculiar to the usability of security will also be discussed.

    3. Part 3: Case studies. Real-life examples illustrating how security and usability can be simultaneously improved, and how the principles and methods introduced in the previous part were applied. Reflections and critiques on the application of the methods. Topics that have received much attention will be highlighted, including authentication (particularly password use and graphical authentication), access control and authorization, phishing defenses, the utility of educating the user, and CAPTCHAs. The impact of organizational culture will receive particular attention, as we expect compliance, education, and organizational rules and guidelines to be of particular interest to ACSAC attendees. Recent usable security and privacy research in social networks will also be included.


    4. Conclusions.

    Prerequisites. Basic understanding of computer security. The intended audience is security researchers who want to step into the field of usable security, and security practitioners who wish to understand the impact of usable security on their work and integrate some of its lessons, techniques, and developments. PhD students and new researchers in usable security who want a quick start in this field will also benefit. Those who want to teach this topic can also find the tutorial relevant: a set of summary notes and a large number of pointers to further reading will be provided, so that it should be easy for them to extend the tutorial into a full course.

    About the Instructors. Dr. Jeff Yan is on the faculty of computer science at Newcastle Univ., England. He has a PhD in computer security from Cambridge Univ. The password security and memorability study he carried out with colleagues in 1999 - 2000 was an early influential work in the field of usable security. He is a contributor to the O’Reilly book “Security and Usability: Designing Secure Systems that People Can Use” (2005), the first book on usable security, and was on the program committee for the first Symposium on Usable Privacy and Security (SOUPS) held at Carnegie Mellon in 2005. Recent work on usable security in his team includes 1) a novel graphical password scheme (CCS’07), which was selected by the Royal Society, the UK’s national academy, for their 2008 Summer Science Exhibition, and 2) the robustness and usability of CAPTCHAs (CCS’08, SOUPS’08), which has influenced the design of a number of CAPTCHAs including those that have been deployed by Microsoft and Yahoo!

    Mary Ellen Zurko is security architect of the collaboration cloud offerings at IBM. She has over two decades of work in user-centered security, in product development, early product prototyping, and research. Her experience spans the entire lifecycle of software products, from initial product definition and delivery to mature product maintenance, with an emphasis on distributed middleware and collaboration. She is chair of the steering committee of the International WWW Conference series, on the steering committee of the New Security Paradigms Workshop, and a senior fellow of ACSA.


  • Training Details ACSAC 2010

    Training TR1 Cyber Security Controls: NIST SP 800-53 Rev3 & CNSSI 1253

    Instructor: Dr. Marshall D. Abrams, The MITRE Corporation

    Wednesday, December 8th, 10:30-12:00 & 13:30-15:00

    The National Institute of Standards and Technology (NIST), in collaboration with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems (CNSS), recently updated Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations. This historic publication, for the first time, contains a unified set of security controls for both non-national security and national security systems. This session provides an overview of the unified security control catalog and the security control selection process described in NIST SP 800-53, Revision 3, as well as an introduction to CNSS Instruction 1253, the publication that provides implementation guidance for the national security community using SP 800-53.

    Prerequisites. None.

    About the Instructor. Dr. Marshall D. Abrams is a Principal Scientist at the MITRE Corporation in McLean, Virginia. He holds two patents and has authored many documents addressing cyber security. He has taught cyber security courses on six continents. He received the BSEE from Carnegie Institute of Technology and the MSEE and Ph.D. from the Univ. of Pittsburgh. While at the National Bureau of Standards he received the Department of Commerce Silver Medal Award. Two awards were received from the Federal Aviation Administration for contributions to the Information Systems Security Program. He is a Senior Life Member of the IEEE and has been honored with the IEEE Computer Society Golden Core award. He is also a Senior Fellow of the Applied Computer Security Associates. Marshall has been involved with the NIST FISMA Implementation Project since its inception.

    Training TR2 Near Real-Time Risk Management Process: NIST SP 800-37

    Instructor: Dr. Marshall D. Abrams, The MITRE Corporation

    Wednesday, December 8th, 15:30-17:00 & Thursday, December 9th, 10:30-12:00

    The National Institute of Standards and Technology (NIST), in collaboration with the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems (CNSS), recently updated Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (formerly the security certification and accreditation guideline). The revised publication transforms the traditional static, stovepiped certification and accreditation process into a process that supports near real-time risk management. This session describes how the process of certification and accreditation is integrated into the Risk Management Framework, and focuses on the continuous monitoring of security controls to determine the security state of organizational information systems and environments of operation.

    Prerequisites. None.

    Training TR3 Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View: NIST SP 800-39

    Instructor: Dr. Marshall D. Abrams, The MITRE Corporation

    Thursday, December 9th, 13:30-15:00 & 15:30-17:00

    Information technology is widely recognized as the engine that drives the U.S. economy, giving industry a competitive advantage in global markets, enabling the federal government to provide better services to its citizens, and facilitating greater productivity as a nation. Risk related to the operation and use of information systems is one of many components of organizational risk that senior leaders address as a routine part of their ongoing risk management responsibilities. Effective risk management requires that organizations operate in a highly complex and interconnected world using state-of-the-art and legacy information systems, systems that organizations depend upon to accomplish critical missions and to conduct important business-related functions. Special Publication 800-39 is the flagship document in the series of FISMA publications and provides a structured, yet flexible, approach for managing that portion of risk resulting from the operation and use of information systems to support the missions and mission/business processes of organizations. This session will examine Special Publication 800-39 guidelines for an integrated, enterprise-wide approach to managing risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems.

    Prerequisites. None - Open to anyone interested in increasing their understanding of Risk Management.


    Training TR4 Risk Assessments for Information Technology Systems: NIST SP 800-30

    Instructor: Pete Gouldmann, U.S. Department of State

    Friday, December 10th, 8:30-10:00 & 10:30-12:00

    Prerequisites. None - Open to anyone interested in increasing their understanding of Risk Assessment.

    About the Instructor. Mr. Peter Gouldmann is the Department of State Liaison to the National Institute of Standards and Technology (NIST) and Co-Chair of the Permanent Subcommittee to the Committee for National Security Systems (CNSS). As a Supervisory Information Technology Specialist in the Office of Information Assurance, Mr. Gouldmann has served as Risk Officer, Chief of Systems Authorization, and Security Architect. Over the past 32 years, Mr. Gouldmann has held IT and IT security leadership positions within the Department of State, the private sector and the United States Air Force. He holds a Master’s Degree in Information Management from Syracuse Univ., and is a distinguished graduate of the National Defense Univ.’s Advanced Management Program. Mr. Gouldmann has been awarded the CIO certificate in Federal Executive Competencies from the CIO Univ., and holds the Certified Information Systems Security Professional (CISSP) credential.


  • Sponsors

    ACSAC Steering Committee

    Marshall Abrams, The MITRE Corporation
    Jeremy Epstein, SRI International
    Daniel Faigin, The Aerospace Corporation
    Ann Marmor-Squires, The Sq Group
    Steve Rome, Booz Allen Hamilton
    Ron Ross, National Institute of Standards and Technology
    Christoph Schuba, Oracle Corporation
    Cristina Serban, AT&T
    Dan Thomsen, SIFT

    ACSA

    Marshall Abrams, The MITRE Corporation (Founder and Asst Treasurer)
    Jeremy Epstein, SRI International (Vice President)
    Daniel Faigin, The Aerospace Corporation (Secretary)
    Ann Marmor-Squires, The Sq Group
    Steve Rome, Booz Allen Hamilton (President)
    Harvey Rubinovitz, The MITRE Corporation (Treasurer)
    Cristina Serban, AT&T
    Mary Ellen Zurko, IBM Corporation

    ACSA had its genesis in the first Aerospace Computer Security Applications Conference in 1985. That conference was a success and evolved into the Annual Computer Security Applications Conference (ACSAC). ACSA was incorporated in 1987 as a non-profit association of computer security professionals who have a common goal of improving the understanding, theory, and practice of computer security. ACSA continues to be the primary sponsor of the annual conference. For more information on ACSA and its activities, please visit http://www.acsac.org/acsa/.