Keynote Addresses

Professor Giuseppe Ateniese
Stevens Institute of Technology
USA

Giuseppe Ateniese is the David and GG Farber Endowed Chair in Computer Science and department director at Stevens Institute of Technology. He was previously with Sapienza University of Rome (Italy) and an Assistant/Associate Professor at Johns Hopkins University (USA), where he was one of the founders of the JHU Information Security Institute. He was a researcher at the IBM Zurich Research Lab (Switzerland) and a scientist at the Information Sciences Institute of the University of Southern California (USA). He also briefly worked as a visiting professor at Microsoft in Redmond (USA). He received the NSF CAREER Award for his research in privacy and security, and the Google Faculty Research Award and the IBM Faculty Award for his research on cloud security. He has contributed to areas such as proxy re-cryptography, anonymous communication, two-party computation, secure storage, and provable data possession. He has served on the program committees of international security conferences (such as ACM CCS, IEEE Oakland, and NDSS) and as a panelist for the US National Science Foundation. He is currently working on cloud security and on machine learning applied to security and intelligence issues, for which he received an IBM SUR Award. He is also investigating new security applications for decentralized computing based on blockchain/bitcoin technology.

Abstract:

The Internet has undergone dramatic changes in the last two decades, evolving from a mere communication network to a global multimedia platform in which billions of users not only actively exchange information, but increasingly conduct sizable parts of their daily lives. While this transformation has brought tremendous benefits to society, it has also created new threats to online privacy that existing technology is failing to keep pace with.

In this talk, I will outline a grand research vision for understanding and controlling privacy in open settings at large. I will in particular discuss the feasibility of a concept called privacy advisor, which inspects online communication as well as information about to be published by a user, performs its own inference based on information available online, and warns the user about potential anonymity and privacy leaks. The ultimate, far-reaching goal is to enable users to properly assess the privacy consequences of their online interactions before they have happened, and thereby offer more privacy-friendly alternatives. I will outline concrete research objectives towards achieving this goal, discuss what has been achieved so far, and point out corresponding research opportunities in areas that have thus far been under-researched. This work is supported by the ERC Synergy Grant imPACT.

Short Bio: Michael Backes holds the chair for information security and cryptography at Saarland University. He is the director of the German IT-Security research center CISPA, a Max Planck Fellow of the Max Planck Institute for Software Systems, and the speaker of the Collaborative Research Center on Methods and Tools for Understanding and Controlling Privacy. His research covers various aspects of IT security and privacy and ranges from the design, analysis, and verification of protocols and systems, mechanisms for protecting end-user privacy, and research on new attack vectors, to universal solutions in software and network security. Michael has received many awards for his work, including the ERC Synergy Grant in 2014, Europe's most distinguished research award. He has been the Program Chair of ESORICS 2009, IEEE CSF 2010 and 2011, IEEE S&P 2013 and 2014, and IEEE EuroS&P 2016.

Visit Michael's Homepage

Professor Mauro Barni
University of Siena
Italy

Mauro Barni graduated in electronic engineering at the University of Florence in 1991. He received the PhD in informatics and telecommunications in October 1995. He has carried out his research activity for almost 20 years, first at the Department of Electronics and Telecommunication of the University of Florence, then at the Department of Information Engineering of the University of Siena, where he works as a full Professor. During the last decade, his activity has focused on digital image processing and information security, with particular reference to the application of image processing techniques to copyright protection and multimedia forensics. He has also been studying the possibility of processing signals that have been previously encrypted without decrypting them (signal processing in the encrypted domain, s.p.e.d.). He is author/co-author of about 300 papers published in international journals and conference proceedings, and holds three patents in the field of digital watermarking.

Abstract:

Despite the rise of interpreted languages and the World Wide Web, binary analysis has remained the focus of much research in computer security. There are several reasons for this. First, interpreted languages are either interpreted by binary programs or Just-In-Time compiled down to binary code. Second, "core" OS constructs and performance-critical applications are still written in languages (usually, C or C++) that compile down to binary code. Third, the rise of the Internet of Things is powered by devices that are, in general, very resource-constrained. Without cycles to waste on interpretation or Just-In-Time compilation, the firmware of these devices tends to be written in languages (again, usually C) that compile to binary.

Unfortunately, many of these languages provide few security guarantees, often leading to vulnerabilities. For example, buffer overflows stubbornly remain one of the most commonly discovered software flaws despite efforts to develop technologies to mitigate such vulnerabilities. Worse, the wider class of "memory corruption vulnerabilities", the vast majority of which also stem from the use of unsafe languages, makes up a substantial portion of the most common vulnerabilities. This problem is not limited to software on general-purpose computing devices: remotely exploitable vulnerabilities have been discovered in devices ranging from smart locks, to pacemakers, to automobiles.

However, finding vulnerabilities in binaries and generating patches that fix exploitable flaws is challenging because of the lack of high-level abstractions, such as type information and control flow constructs. Current approaches provide tools to support the manual analysis of binaries, but are far from being completely automated solutions to the vulnerability analysis of binary programs.

To foster research in automated binary analysis, in October of 2013, DARPA announced the DARPA Cyber Grand Challenge (CGC). Like DARPA Grand Challenges in other fields (such as robotics and autonomous vehicles), the CGC pits teams from around the world against each other in a competition in which the participants are autonomous systems. During the CGC competition, these systems must identify, exploit, and patch vulnerabilities in binary programs, without any human in the loop. Millions of dollars in prize money were announced: the top 7 teams to complete the CGC Qualifying Event (held in June, 2015) received 750,000 USD, and the top 3 teams in the CGC Final Event (held in August, 2016) will receive 2,000,000 USD, 1,000,000, and 750,000, respectively.

The Shellphish hacking team is one of the qualified teams. This talk presents some insights into the field of automated binary analysis exploitation and patching, gained through the participation in the CGC competition. In addition, the talk provides a discussion of the use of competitions to foster both research and education, based on the experience in designing and running a large-scale live security hacking competition (called the iCTF) for the past 13 years.

Short Bio: Giovanni Vigna is a Professor in the Department of Computer Science at the University of California in Santa Barbara and the CTO of Lastline, Inc. His current research interests include malware analysis, web security, the underground economy, vulnerability assessment, and mobile phone security. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. In his free time, he leads Shellphish, the longest-running hacking team playing at the DefCon CTF competition.

Visit Giovanni's Homepage

Professor Willy Susilo
University of Wollongong
Australia

Willy Susilo obtained his Bachelor's degree in Computer Science from Universitas Surabaya, Indonesia, with a "Summa Cum Laude" predicate. He received his Master's and Doctor of Philosophy degrees from UOW. His main research interests include cryptography and cyber security. He received a prestigious ARC Future Fellowship from the Australian Research Council. Previously, he was the Head of School of SCSSE, Deputy Director of the ICT Research Institute, and the Academic Program Director for UoW (Singapore). He is the Director of the Centre for Computer and Information Security Research (CCISR).

Professor Wanlei Zhou
Deakin University
Australia

Professor Wanlei Zhou received the B.Eng and M.Eng degrees from Harbin Institute of Technology, Harbin, China in 1982 and 1984, respectively, and the PhD degree from The Australian National University, Canberra, Australia, in 1991, all in Computer Science and Engineering. He also received a DSc degree (a higher Doctorate degree) from Deakin University in 2002. He is currently the Alfred Deakin Professor (the highest honour the University can bestow on a member of academic staff), Chair of Information Technology, and Associate Dean (International Research Engagement) of the Faculty of Science, Engineering and Built Environment, Deakin University. Professor Zhou has been the Head of School of Information Technology twice (Jan 2002-Apr 2006 and Jan 2009-Jan 2015) and Associate Dean of the Faculty of Science and Technology at Deakin University (May 2006-Dec 2008). Before joining Deakin University, Professor Zhou served as a lecturer at the University of Electronic Science and Technology of China; a system programmer at HP in Massachusetts, USA; a lecturer at Monash University, Melbourne, Australia; and a lecturer at the National University of Singapore, Singapore. His research interests include distributed systems, network security, bioinformatics, and e-learning. Professor Zhou has published more than 300 papers in refereed international journals and refereed international conference proceedings, including many articles in IEEE transactions and journals. He has also chaired many international conferences, including TrustCom, ISPA, IUCC, CSS, ICA3PP, EUC, NSS, HPCC, PRDC, etc., and has been invited to deliver keynote addresses at a number of international conferences, including SKG, NSS, PDCAT, NSS, EUC, ICWL, CIT, ISPA, ICA3PP, etc. Prof Zhou is a Senior Member of the IEEE.

Abstract:

Today's online social networks have pervaded all aspects of our daily lives. With their unparalleled popularity, online social networks have evolved from the platforms for social communication and news dissemination, to indispensable tools for professional networking, social recommendations, marketing, and online content distribution. Their evolution has influenced every technological, societal, and cultural aspect of human beings. They are receiving more and more attention in research communities.

It has been widely recognized that security and privacy are the critical issues in online social networks. On one hand, online social networks have become an effective platform for attackers to launch attacks and distribute malicious information. On the other hand, privacy leakage through online social networks has become common practice. New methods and tools, consequently, must follow in order to adapt to this emerging security paradigm. In this talk, we will discuss the security and privacy issues in social networks and how we can turn challenges into opportunities to build a more secure cyberspace.

Short Bio: Professor Yang Xiang received his PhD in Computer Science from Deakin University, Australia. He is currently the Director of Centre for Cyber Security Research at Deakin University. His research interests include network and system security, distributed systems, and data analytics. He has published more than 200 research papers in international journals and conferences, such as IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Information Security and Forensics, and IEEE Transactions on Dependable and Secure Computing. He serves as the Associate Editor of IEEE Transactions on Computers, Security and Communication Networks (Wiley), and the Editor of Journal of Network and Computer Applications (Elsevier). He is a Senior Member of the IEEE.

Visit Yang's Homepage

Professor Xiao-Jiang Du
Temple University
USA

Xiaojiang Du is a tenured professor in the Department of Computer and Information Sciences at Temple University, Philadelphia, USA. Dr. Du received his B.S. and M.S. degrees in electrical engineering from Tsinghua University, Beijing, China in 1996 and 1998, respectively. He received his M.S. and Ph.D. degrees in electrical engineering from the University of Maryland College Park in 2002 and 2003, respectively. His research interests are security, wireless networks, and systems. He has authored over 200 journal and conference papers in these areas, as well as a book published by Springer. Dr. Du has been awarded more than 5 million US dollars in research grants from the US National Science Foundation (NSF), Army Research Office, Air Force, NASA, the State of Pennsylvania, and Amazon. He won the best paper award at IEEE GLOBECOM 2014 and the best poster runner-up award at ACM MobiHoc 2014. He serves on the editorial boards of three international journals. Dr. Du served as the lead Chair of the Communication and Information Security Symposium of the IEEE International Communication Conference (ICC) 2015, and as a Co-Chair of the Mobile and Wireless Networks Track of the IEEE Wireless Communications and Networking Conference (WCNC) 2015. He is (was) a Technical Program Committee (TPC) member of several premier ACM/IEEE conferences such as INFOCOM (2007 - 2017), IM, NOMS, ICC, GLOBECOM, WCNC, BroadNet, and IPCCC. Dr. Du is a Senior Member of IEEE and a Life Member of ACM.
