Date	Presenter	Topic
12/7	Kent Seamons	TrustBase: An Architecture to Repair and Strengthen Certificate-based Authentication More info Abstract: In this talk, I will describe TrustBase, an architecture that provides certificate-based authentication as an operating system service. TrustBase enforces best practices for certificate validation for all applications and transparently enables existing applications to be strengthened against failures of the CA system. The TrustBase system allows simple deployment of authentication systems that harden the CA system. This enables system administrators, for example, to require certificate revocation checks on all TLS connections, or require STARTTLS for email servers that support it. TrustBase is the first system that is able to secure all TLS traffic, using an approach compatible with all operating systems. We will discuss the design and evaluation of a prototype implementation of TrustBase on Linux. To demonstrate the utility of TrustBase, we have developed six authentication services that strengthen certificate validation for all applications. Bio: Dr. Kent Seamons is the Director of the Internet Security Research Lab in the Computer Science Department at BYU. His research interests are in usable security, privacy, authentication, end-to-end encryption, identity management, and trust management. He has published over 65 peer-reviewed papers that have been cited over 4,500 times. Dr. Seamons has been awarded over $5 million in funding from NSF, DHS, DARPA, and industry. He is also a co-inventor on four patents in the areas of automated trust negotiation, single sign-on, and security overlays.
11/30	Sean McKenna	Understanding the Context of Network Traffic Alerts (Cappers and Wijk) More info Abstract: For the protection of critical infrastructures against complex virus attacks, automated network traffic analysis and deep packet inspection are unavoidable. However, even with the use of network intrusion detection systems, the number of alerts is still too large to analyze manually. In addition, the discovery of domain-specific multi stage viruses (e.g., Advanced Persistent Threats) are typically not captured by a single alert. The result is that security experts are overloaded with low-level technical alerts where they must look for the presence of an APT. In this paper we propose an alert-oriented visual analytics approach for the exploration of network traffic content in multiple contexts. In our approach CoNTA (Contextual analysis of Network Traffic Alerts), experts are supported to discover threats in large alert collections through interactive exploration using selections and attributes of interest. Tight integration between machine learning and visualization enables experts to quickly drill down into the alert collection and report false alerts back to the intrusion detection system. Finally, we show the effectiveness of the approach by applying it on real world and artificial data sets.
11/23	Michael McConville	Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016 (Lerner et al) More info Abstract: Though web tracking and its privacy implications have received much attention in recent years, that attention has come relatively recently in the history of the web and lacks full historical context. In this paper, we present longitudinal measurements of third-party web tracking behaviors from 1996 to present (2016). Our tool, TrackingExcavator, leverages a key insight: that the Internet Archive’s Wayback Machine opens the possibility for a retrospective analysis of tracking over time. We contribute an evaluation of the Wayback Machine’s view of past third-party requests, which we find is imperfect—we evaluate its limitations and unearth lessons and strategies for overcoming them. Applying these strategies in our measurements, we discover (among other findings) that third-party tracking on the web has increased in prevalence and complexity since the first third-party tracker that we observe in 1996, and we see the spread of the most popular trackers to an increasing percentage of the most popular sites on the web. We argue that an understanding of the ecosystem’s historical trends—which we provide for the first time at this scale in our work—is important to any technical and policy discussions surrounding tracking.
11/16	Zirak Zaheer	A descriptive study of Microsoft's threat modeling technique (Scandariato et al) More info Abstract: Microsoft's STRIDE is a popular threat modeling technique commonly used to discover the security weaknesses of a software system. In turn, discovered weaknesses are a major driver for incepting security requirements. Despite its successful adoption, to date no empirical study has been carried out to quantify the cost and effectiveness of STRIDE. The contribution of this paper is the evaluation of STRIDE via a descriptive study that involved 57 students in their last master year in computer science. The study addresses three research questions. First, it assesses how many valid threats per hour are produced on average. Second, it evaluates the correctness of the analysis results by looking at the average number of false positives, i.e., the incorrect threats. Finally, it determines the completeness of the analysis results by looking at the average number of false negatives, i.e., the overlooked threats.
11/2	Sahar Mehrpour	Is This Thing On? Crowdsourcing Privacy Indicators for Ubiquitous Sensing Platforms (Egelman et al) More info Abstract: We are approaching an environment where ubiquitous computing devices will constantly accept input via audio and video channels: kiosks that determine demographic information of passersby, gesture controlled home entertainment systems and audio controlled wearable devices are just a few examples. To enforce the principle of least privilege, recent proposals have suggested technical approaches to limit thirdparty applications to receiving only the data they need, rather than entire audio or video streams. For users to make informed privacy decisions, applications will still need to communicate what data they are accessing and indicators will be needed to communicate this information. We performed several crowdsourcing experiments to examine how potential users might conceptualize and understand privacy indicators on ubiquitous sensing platforms.
10/26	Adam Conkey	Adversarial Machine Learning (Huang et al) More info Abstract: In this paper (expanded from an invited talk at AISEC 2010), we discuss an emerging field of study: adversarial machine learning—the study of effective machine learning techniques against an adversarial opponent. In this paper, we: give a taxonomy for classifying attacks against online machine learning algorithms; discuss application-specific factors that limit an adversary’s capabilities; introduce two models for modeling an adversary’s capabilities; explore the limits of an adversary’s knowledge about the algorithm, feature space, training, and input data; explore vulnerabilities in machine learning algorithms; discuss countermeasures against attacks; introduce the evasion challenge; and discuss privacy-preserving learning techniques.
10/19	Ayla Khan	ASIDE: IDE support for web application security (Xie et al) More info Abstract: Many of today's application security vulnerabilities are introduced by software developers writing insecure code. This may be due to either a lack of understanding of secure programming practices, and/or developers' lapses of attention on security. Much work on software security has focused on detecting software vulnerabilities through automated analysis techniques. While they are effective, we believe they are not sufficient. We propose to increase developer awareness and promote practice of secure programming by interactively reminding programmers of secure programming practices inside Integrated Development Environments (IDEs). We have implemented a proof-of-concept plugin for Eclipse and Java. Initial evaluation results show that this approach can detect and address common web application vulnerabilities and can serve as an effective aid for programmers. Our approach can also effectively complement existing software security best practices and significantly increase developer productivity.
9/21	Chad Brubaker	[NOTE: Room change] Chad Brubaker Q&A (Android platform hardening) More info Why should I talk to Chad / what should I talk about with Chad? A. He works in the Android Security group at Google, concentrating on hardening the OS. B. nogotofail - a tool that lets you test your network traffic for TLS/SSL vulnerabilities and misconfigurations via client and/or a VPN (http://googleonlinesecurity.blogspot.com/2014/11/introducing-nogotofaila-network-traffic.html) C. "there is also the Android Network Security Config I made for Android N (http://developer.android.com/preview/features/security-config.html), its the tock to the tick-tock of the "find and understand issues"/"kill root cause of issues" that nogotofail started and allows for developers to do all the customization that we saw people trying to do but in a way that's hard to get wrong and safe." D. Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and all of secure Web rely on SSL/TLS for protection against network attacks. This protection critically depends on whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. We design, implement, and apply the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations. Our first ingredient is "frankencerts," synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints. Our second ingredient is differential testing: if one SSL/TLS implementation accepts a certificate while another rejects the same certificate, we use the discrepancy as an oracle for finding flaws in individual implementations. Differential testing with frankencerts uncovered 208 discrepancies between popular SSL/TLS implementations such as OpenSSL, NSS, CyaSSL, GnuTLS, PolarSSL, MatrixSSL, etc. Many of them are caused by serious security vulnerabilities. For example, any server with a valid X.509 version1 certificate can act as a rogue certificate authority and issue fake certificates for any domain, enabling man-in-the-middle attacks against MatrixSSL and GnuTLS. Several implementations also accept certificate authorities created by unauthorized issuers, as well as certificates not intended for server authentication. We also found serious vulnerabilities in how users are warned about certificate validation errors. When presented with an expired, self-signed certificate, NSS, Safari, and Chrome (on Linux) report that the certificate has expired - a low-risk, often ignored error - but not that the connection is insecure against a man-in-the-middle attack. These results demonstrate that automated adversarial testing with frankencerts is a powerful methodology for discovering security flaws in SSL/TLS implementations.
9/14	Zaheer	Successful Crowdfunding: The Effects of Founder and Project Factors More info Abstract: Crowdfunding has been regarded as a novel way of collecting money for innovators to launch products and services by opening their ideas in online. This funding approach is differentiated from a traditional fundraising alternative in terms of project evaluation and risk management. In this paper, we question the reason why some crowdfunding projects are more successful in the context of a pre-ordering model, also known as a reward-based crowdfunding. Data analysis results based on 704 Kickstarter projects showed that founder's prior experiences would influence successful fundraising. User comments and update efforts have positive effects on the increase of success rate. In addition, we examined that the amount of funding goal had negative association with fundraising success.
9/7	McConville	Practical and Effective Sandboxing for Non-root Users More info Abstract: MBOX is a lightweight sandboxing mechanism for nonroot users in commodity OSes. MBOX’s sandbox usage model executes a program in the sandbox and prevents the program from modifying the host filesystem by layering the sandbox filesystem on top of the host filesystem. At the end of program execution, the user can examine changes in the sandbox filesystem and selectively commit them back to the host filesystem. MBOX implements this by interposing on system calls and provides a variety of useful applications: installing system packages as a non-root user, running unknown binaries safely without network accesses, checkpointing the host filesystem instantly, and setting up a virtual development environment without special tools. Our performance evaluation shows that MBOX imposes CPU overheads of 0.1–45.2% for various workloads. In this paper, we present MBOX’s design, efficient techniques for interposing on system calls, our experience avoiding common system call interposition pitfalls, and MBOX’s performance evaluation.
8/31		Logistics & Scheduling More info
8/24		NO SEMINAR More info

Overview

The Fall 2016 offering of CS 7936 will focus on reading and discussing papers that are useful related work for the presenter's security and privacy research.

Class announcements are sent out on security-privacy@cs.utah.edu. You can subscribe at http://mailman.cs.utah.edu/mailman/listinfo/security-privacy.

Credit

Students may enroll for one (1) credit. Although the University lists the course as “variable credit,” the two- and three-credit options are not currently available.

Students enrolled in the seminar are expected to read the papers prior to the seminar. Additionally, students are expected to sign up to lead the discussion on one or more seminar meeting. Leading the disucssion means:

1. Choosing the paper and sending it to tdenning@cs.utah.edu by 6PM Sunday before the seminar meeting;
2. Preparing a 7-10 minute summary of the paper and its pertinent points;
3. Familiarizing yourself enough with the paper to be able to answer questions that may come up;
4. Preparing potential discussion points if the discussion needs prompting.

Reading and Presenting

It can be useful to look up the video of the presentation (if it was at USENIX, the video was recorded and is available online) and/or the slides (which may be available on the presenting author's page).

The following questions (some of which are pulled from Writing for Computer Science) can be useful to keep in mind when reading a paper (although not all questions will apply to all papers):

• What phenomena or properties are being investigated? Why are they of interest? 
• Has the aim of the research been articulated? What are the specific hypotheses and research questions? Are these elements convincingly connected to each other?
• To what extent is the work innovative? How does it differ from past work?
• What are the underlying assumptions? Are they sensible?
• What forms of evidence are used?
• How is the evidence measured? Are the chosen methods of measurement objective, appropriate, and reasonable?
• What compromises or simplifications are inherent in the choice of measure?
• To what extent do the results persuasively confirm the hypothesis? 
• What are the likely weaknesses of or limitations to the approach?
• Which results are the most surprising?
• What is the main contribution of the work?
• Are appropriate conclusions drawn from the results, or are there other possible interpretations?
• Could the results be verified?
• Do the results have applicability to other problems or domains?
• Do the title, abstract, and introduction appropriately set the context for the work?
• Is there anything unusual about the organization of the write-up, and, if so, is there a reason for this organization?
• Are the Tables and Figures clear and useful?
• Are the results of practical applicability, or are they more theoretical in nature?
• What are the main strengths of the paper? What are its weaknesses?
• If you were to cite this paper, what kinds of things might you be citing it for?
• Are there interesting future directions for work that the authors have not discussed?
• Are there particular steps in the methodology or presentation that you would have done differently?
• Are there any methodological decisions that seem to have been motivated by restrictions on time or resources, rather than absolute feasibility?
• Are there any ethical issues associated with the paper, and if so, how were they (or how weren't they) dealt with?