Date	Presenter	Topic
12/5		James Mickens' USENIX Security 2018 Keynote: Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models More info For fun (and possibly education), in the last security seminar of the semester we will watch the USENIX Security 2018 keynote talk. Abstract: Some people enter the technology industry to build newer, more exciting kinds of technology as quickly as possible. My keynote will savage these people and will burn important professional bridges, likely forcing me to join a monastery or another penance-focused organization. In my keynote, I will explain why the proliferation of ubiquitous technology is good in the same sense that ubiquitous Venus weather would be good, i.e., not good at all. Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits. At some point, my microphone will be cut off, possibly by hotel management, but possibly by myself, because microphones are technology and we need to reclaim the stark purity that emerges from amplifying our voices using rams’ horns and sheets of papyrus rolled into cone shapes. I will explain why papyrus cones are not vulnerable to buffer overflow attacks, and then I will conclude by observing that my new start-up papyr.us is looking for talented full-stack developers who are comfortable executing computational tasks on an abacus or several nearby sticks.
11/28	Aarushi Sarbhai	Would a Privacy Fundamentalist Sell Their DNA for $1000...If Nothing Bad Happened as a Result? The Westin Categories, Behavioral Intentions, and Consequences More info Westin’s Privacy Segmentation Index has been widely used to measure privacy attitudes and categorize individuals into three privacy groups: fundamentalists, pragmatists, and unconcerned. Previous research has failed to establish a robust correlation between the Westin categories and actual or intended behaviors. Unexplored however is the connection between the Westin categories and individuals’ responses to the consequences of privacy behaviors. We use a survey of 884 Amazon Mechanical Turk participants to investigate the relationship between the Westin Privacy Segmentation Index and attitudes and behavioral intentions for both privacy sensitive scenarios and privacy-sensitive consequences. Our results indicate a lack of correlation between the Westin categories and behavioral intent, as well as a lack of correlation between the Westin categories and consequences. We discuss potential implications of this attitude-consequence gap.
11/21	Russell Kennington	Discovering Smart Home Internet of Things Privacy Norms Using Contextual Integrity More info The proliferation of Internet of Things (IoT) devices for consumer "smart" homes raises concerns about user privacy. We present a survey method based on the Contextual Integrity (CI) privacy framework that can quickly and efficiently discover privacy norms at scale. We apply the method to discover privacy norms in the smart home context, surveying 1,731 American adults on Amazon Mechanical Turk. For $2,800 and in less than six hours, we measured the acceptability of 3,840 information flows representing a combinatorial space of smart home devices sending consumer information to first and third-party recipients under various conditions. Our results provide actionable recommendations for IoT device manufacturers, including design best practices and instructions for adopting our method for further research.
11/14	AMIN MOHAMMADI	RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response (Erlingsson et al) More info NOTE: The seminar will begin with a short presentation on what topics are covered in Dwork's survey paper (http://web.cs.ucdavis.edu/~franklin/ecs289/2010/dwork_2008.pdf). Following that will be a discussion of RAPPOR. Abstact: Randomized Aggregatable Privacy-Preserving Ordinal Response, or RAPPOR, is a technology for crowdsourcing statistics from end-user client software, anonymously, with strong privacy guarantees. In short, RAPPORs allow the forest of client data to be studied, without permitting the possibility of looking at individual trees. By applying randomized response in a novel manner, RAPPOR provides the mechanisms for such collection as well as for efficient, high-utility analysis of the collected data. In particular, RAPPOR permits statistics to be collected on the population of client-side strings with strong privacy guarantees for each client, and without linkability of their reports. This paper describes and motivates RAPPOR, details its differential-privacy and utility guarantees, discusses its practical deployment and properties in the face of different attack models, and, finally, gives results of its application to both synthetic and real-world data.
11/7	AMIN MOHAMMADI	Differential Privacy: A Primer for a Non-technical Audience (Nissim et al) More info Abstract: This document is a primer on differential privacy, which is a formal mathematical framework for guaranteeing privacy protection when analyzing or releasing statistical data. Recently emerging from the theoretical computer science literature, differential privacy is now in initial stages of implementation and use in various academic, industry, and government settings. Using intuitive illustrations and limited mathematical formalism, this document provides an introduction to differential privacy for non-technical practitioners, who are increasingly tasked with making decisions with respect to differential privacy as it grows more widespread in use. In particular, the examples in this document illustrate ways in which social scientists can conceptualize the guarantees provided by differential privacy with respect to the decisions they make when managing personal data about research subjects and informing them about the privacy protection they will be afforded.
10/31	Kent Seamons, BYU	Kent Seamons, BYU: Making TLS Applications Easy to Implement More info Abstract: Recent studies demonstrate that TLS applications are error-prone, leaving systems vulnerable to attack. In this talk, I will present the new Secure Socket API (SSA) that moves TLS into the operating system and provides a simple API extension to the familiar POSIX Socket API. The result is that programmers can avoid thousands of lines of complicated TLS library code as they develop applications that communicate securely. This research was awarded the Internet Defense Prize First Runner-up Award at the recent USENIX Security Symposium. Bio: Dr. Kent Seamons is the Director of the Internet Security Research Lab in the Computer Science Department at BYU. His research interests are in usable security, privacy, authentication, end-to-end encryption, identity management, and trust management. He has published over 80 peer-reviewed papers with 5,200+ citations. Dr. Seamons has been awarded over $6 million in funding from NSF, DHS, DARPA, and industry. He is also a co-inventor on four patents in the areas of automated trust negotiation, single sign-on, and security overlays.
10/24	Chad Brubaker (Android Platform Hardening)	Overview of Projects and General Q&A More info (This is an old blurb, but gives an idea of Chad's work) Why should I talk to Chad / what should I talk about with Chad? A. He works in the Android Security group at Google, concentrating on hardening the OS. B. nogotofail - a tool that lets you test your network traffic for TLS/SSL vulnerabilities and misconfigurations via client and/or a VPN (http://googleonlinesecurity.blogspot.com/2014/11/introducing-nogotofaila-network-traffic.html) C. "there is also the Android Network Security Config I made for Android N (http://developer.android.com/preview/features/security-config.html), its the tock to the tick-tock of the "find and understand issues"/"kill root cause of issues" that nogotofail started and allows for developers to do all the customization that we saw people trying to do but in a way that's hard to get wrong and safe." D. Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and all of secure Web rely on SSL/TLS for protection against network attacks. This protection critically depends on whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. We design, implement, and apply the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations. Our first ingredient is "frankencerts," synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints. Our second ingredient is differential testing: if one SSL/TLS implementation accepts a certificate while another rejects the same certificate, we use the discrepancy as an oracle for finding flaws in individual implementations. Differential testing with frankencerts uncovered 208 discrepancies between popular SSL/TLS implementations such as OpenSSL, NSS, CyaSSL, GnuTLS, PolarSSL, MatrixSSL, etc. Many of them are caused by serious security vulnerabilities. For example, any server with a valid X.509 version1 certificate can act as a rogue certificate authority and issue fake certificates for any domain, enabling man-in-the-middle attacks against MatrixSSL and GnuTLS. Several implementations also accept certificate authorities created by unauthorized issuers, as well as certificates not intended for server authentication. We also found serious vulnerabilities in how users are warned about certificate validation errors. When presented with an expired, self-signed certificate, NSS, Safari, and Chrome (on Linux) report that the certificate has expired - a low-risk, often ignored error - but not that the connection is insecure against a man-in-the-middle attack. These results demonstrate that automated adversarial testing with frankencerts is a powerful methodology for discovering security flaws in SSL/TLS implementations.
10/17	Michael McConville	OnionDNS: a seizure-resistant top-level domain More info Abstract: The Domain Name System (DNS) provides the critical service of mapping canonical names to IP addresses. Recognizing this, a number of parties have increasingly attempted to perform “domain seizures” on targets by having them delisted from DNS. Such operations often occur without providing due process to the owners of these domains, a practice made potentially worse by recent legislative proposals. We address this problem by creating OnionDNS, an anonymous top-level domain and resolution service for the Internet. Our solution relies on the establishment of a hidden service running DNS within Tor and uses a variety of mechanisms to ensure a high-performance architecture with strong integrity guarantees for resolved records. We then present our anonymous domain registrar and detail the protocol for securely transferring the service to another party. Finally, we also conduct both performance and legal analyses to further demonstrate the robustness of this approach. In so doing, we show that the delisting of domains from DNS can be mitigated in an efficient and secure manner.
10/10		No seminar - Fall Break More info
10/3		SAINTCON discussion More info
9/26		NO SEMINAR - SAINTCON More info
9/19		Watch USENIX Security Invited Talk Video: Privacy for Tigers (Ross Anderson) More info Abstract: (Joint work with Tanya Berger-Wolf) As mobile phone masts went up across the world’s jungles, savannas and mountains, so did poaching. Wildlife crime syndicates can not only coordinate better but can mine growing public data sets, often of geotagged images. Privacy matters for tigers, for snow leopards, for elephants and rhinos – and even for tortoises and sharks. Animal data protection laws, where they exist at all, are oblivious to these new threats, and no-one seems to have started to think about information security policy. The issues sprawl across many of the technical and policy areas of classical security and privacy. Our work is targeted at wildlife aggregation sites that enable conservationists, scientists, and citizens to upload large numbers of images and other observations, which are then analysed to discover facts about endangered species. In this talk we first set out the threat model, describing the modern wildlife crime environment. We then present a security policy framework we are evolving for the aggregation site Wildbook and others like it. At least two emerging issues may be of wider interest. The first is context: we have a small number of roles, but a large number of quite complex contexts which determine access decisions. So we describe a new kind of context-aware role-based access control, with the context based on the data rather than the system state; it has some interesting parallels with the more traditional access control models used to manage insider threats in government, corporations and healthcare. The second is situational awareness. We want to use logs not just to investigate crimes after the fact, but to forestall them. But in a sprawling heterogeneous system, how do we engineer incentives for vigilance? Bio: Ross Anderson is Professor of Security Engineering at Cambridge University, and leads the Cambridge Cybercrime Centre. He was a pioneer of security economics, peer-to-peer systems, hardware tamper-resistance and API security, and was one of the inventors of the AES finalist encryption algorithm Serpent. He has contributed to industrial standards from prepayment metering to powerline communications, and wrote the textbook Security Engineering—A Guide to Building Dependable Distributed Systems.
9/12	Russell Kennington	"I've Got Nothing to Lose": Consumers' Risk Perceptions and Protective Actions after the Equifax Data Breach (Zou et al) More info Abstract: Equifax, one of the three major U.S. credit bureaus, experienced a large-scale data breach in 2017. We investigated consumers' mental models of credit bureaus, how they perceive risks from this data breach, whether they took protective measures, and their reasons for inaction through 24 semi-structured interviews. We find that participants' mental models of credit bureaus are incomplete and partially inaccurate. Although many participants were aware of and concerned about the Equifax breach, few knew whether they were affected, and even fewer took protective measures after the breach. We find that this behavior is not primarily influenced by accuracy of mental models or risk awareness, but rather by costs associated with protective measures, optimism bias in estimating one's likelihood of victimization, sources of advice, and a general tendency towards delaying action until harm has occurred. We discuss legal, technical and educational implications and directions towards better protecting consumers in the credit reporting system.
9/5	Aarushi Sarbhai	Do You Feel What I Hear? Enabling Autonomous IoT Device Pairing Using Different Sensor Types (Han et al) More info Abstract: Context-based pairing solutions increase the usability of IoT device pairing by eliminating any human involvement in the pairing process. This is possible by utilizing on-board sensors (with same sensing modalities) to capture a common physical context (e.g., ambient sound via each device's microphone). However, in a smart home scenario, it is impractical to assume that all devices will share a common sensing modality. For example, a motion detector is only equipped with an infrared sensor while Amazon Echo only has microphones. In this paper, we develop a new context-based pairing mechanism called Perceptio that uses time as the common factor across differing sensor types. By focusing on the event timing, rather than the specific event sensor data, Perceptio creates event fingerprints that can be matched across a variety of IoT devices. We propose Perceptio based on the idea that devices co-located within a physically secure boundary (e.g., single family house) can observe more events in common over time, as opposed to devices outside. Devices make use of the observed contextual information to provide entropy for Perceptio's pairing protocol. We design and implement Perceptio, and evaluate its effectiveness as an autonomous secure pairing solution. Our implementation demonstrates the ability to sufficiently distinguish between legitimate devices (placed within the boundary) and attacker devices (placed outside) by imposing a threshold on fingerprint similarity. Perceptio demonstrates an average fingerprint similarity of 94.9% between legitimate devices while even a hypothetical impossibly well-performing attacker yields only 68.9% between itself and a valid device.
8/29		Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies (Franken et al) More info Abstract: Distinguished Paper Award Winner and winner of the 2018 Internet Defense Prize Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same Origin Policy, popular browsers include cookies in all requests, even when these are cross-site. Unfortunately, these third-party cookies enable both cross-site attacks and third-party tracking. As a response to these nefarious consequences, various countermeasures have been developed in the form of browser extensions or even protection mechanisms that are built directly into the browser. In this paper, we evaluate the effectiveness of these defense mechanisms by leveraging a framework that automatically evaluates the enforcement of the policies imposed to third-party requests. By applying our framework, which generates a comprehensive set of test cases covering various web mechanisms, we identify several flaws in the policy implementations of the 7 browsers and 46 browser extensions that were evaluated. We find that even built-in protection mechanisms can be circumvented by multiple novel techniques we discover. Based on these results, we argue that our proposed framework is a much-needed tool to detect bypasses and evaluate solutions to the exposed leaks. Finally, we analyze the origin of the identified bypass techniques, and find that these are due to a variety of implementation, configuration and design flaws.
8/22		Organizational Meeting More info

Overview

The Fall 2018 offering of CS 7936 will focus on reading and discussing recent papers in security and privacy research from conferences such as:

• USENIX Security Symposium
• IEEE Symposium on Security and Privacy
• ACM Conference on Computer and Communications Security
• Network and Distributed System Security Symposium
• Symposium on Usable Privacy and Security
• ACM Conference on Human Factors in Computing Systems (Security and Privacy Tracks)

Class announcements are sent out on security-privacy@cs.utah.edu. You can subscribe at http://mailman.cs.utah.edu/mailman/listinfo/security-privacy.

Credit

Students may enroll for one (1) credit. Although the University lists the course as “variable credit,” the two- and three-credit options are not currently available.

Students enrolled in the seminar are expected to read the papers prior to the seminar. Additionally, students are expected to sign up to lead the discussion on one or more seminar meeting. Leading the disucssion means:

1. Choosing the paper and sending it to tdenning@cs.utah.edu by 6PM Sunday before the seminar meeting;
2. Preparing a 7-10 minute summary of the paper and its pertinent points;
3. Familiarizing yourself enough with the paper to be able to answer questions that may come up;
4. Preparing potential discussion points if the discussion needs prompting.

Tips on Reading Papers

Some tips that might help on reading, understanding, and analyzing papers:

• It can be useful to look up the video of the presentation (for USENIX and some other conferences, the video was recorded and is available online) and/or the slides (which may be available on the presenting author's page).
• Keshav and Cheriton. How to Read a Paper.
• The following questions (some of which are pulled from Writing for Computer Science) can be useful to keep in mind when reading a paper (although not all questions will apply to all papers):
  • What phenomena or properties are being investigated? Why are they of interest? 
  • Has the aim of the research been articulated? What are the specific hypotheses and research questions? Are these elements convincingly connected to each other?
  • To what extent is the work innovative? How does it differ from past work?
  • What are the underlying assumptions? Are they sensible?
  • What forms of evidence are used?
  • How is the evidence measured? Are the chosen methods of measurement objective, appropriate, and reasonable?
  • What compromises or simplifications are inherent in the choice of measure?
  • To what extent do the results persuasively confirm the hypothesis? 
  • What are the likely weaknesses of or limitations to the approach?
  • Which results are the most surprising?
  • What is the main contribution of the work?
  • Are appropriate conclusions drawn from the results, or are there other possible interpretations?
  • Could the results be verified?
  • Do the results have applicability to other problems or domains?
  • Do the title, abstract, and introduction appropriately set the context for the work?
  • Is there anything unusual about the organization of the write-up, and, if so, is there a reason for this organization?
  • Are the Tables and Figures clear and useful?
  • Are the results of practical applicability, or are they more theoretical in nature?
  • What are the main strengths of the paper? What are its weaknesses?
  • If you were to cite this paper, what kinds of things might you be citing it for?
  • Are there interesting future directions for work that the authors have not discussed?
  • Are there particular steps in the methodology or presentation that you would have done differently?
  • Are there any methodological decisions that seem to have been motivated by restrictions on time or resources, rather than absolute feasibility?
  • Are there any ethical issues associated with the paper, and if so, how were they (or how weren't they) dealt with?
• Writing for Computer Science, by Justin Zobel, is available online at the library and contains a fair amount on other aspects of research such as how to review papers, how to select a research topic, etc. The table of contents:
  1. Introduction
  2. Getting Started
  3. Reading and Reviewing
  4. Hypotheses, Questions, and Evidence
  5. Writing a Paper
  6. Good Style
  7. Style Specifics
  8. Punctuation
  9. Mathematics
  10. Algorithms
  11. Graphs, Figures, and Tables
  12. Other Professional Writing
  13. Editing
  14. Experimentation
  15. Statistical Principles
  16. Presentations
  17. Ethics

How to Access Papers

Some papers are free to access, while others are behind paywalls. The university has a paid subscription to most of the libraries where those papers can be found. There are several ways to access those papers:

• Access the paper listing from on campus (wired or wireless) in order to have access to the paper.
• Search for the paper title (and authors) to find a PDF of the author's copy posted on their web site.
• Use the University of Utah Web VPN.
• Connect to the library from off-campus.
• If you have a School of Computing account, use the School of Computing VPN.