CySeP'19 Technical Program








Day 1, June 10, PROTASIS Session 1, Chair: Stefano Zanero (9:00-10:30):

Speaker: Dr. Petros Efstathopoulos

Title: The right to be protected: privacy research at Symantec Research Labs

Abstract: The privacy and identity threat landscape is evolving rapidly, and it’s difficult for businesses or consumers to track and fully comprehend the implications. Personal data can affect our reputations, it can be used to exercise control over us and in the wrong hands, it can cause great harm. People need a partner to safeguard their identity and defend them from nefarious actors. They need help identifying the important elements of their digital life that need to be kept private and secure. Furthermore, enterprises, governments, and all organizations also have sensitive information that can be hacked. Businesses that operate utilizing sensitive data are at risk themselves of legal and financial repercussions. Enterprises must face their responsibilities to ensure business success while securing their assets and preserving privacy for customers and employees. In this talk we will explore some of the challenges that motivate privacy research and we will discuss a few possible directions to address such challenges.


Speaker: Dr. Spiros Antonatos

Title: Network monitoring: is it still relevant for measuring our security posture?

Abstract: In recent years we have observed two major trends regarding IT networks. The first one is the increasing adoption of encryption across communication channels (and predominantly Web). The second one is that OT and IoT networks converge with the traditional IT networks. One of the major questions that arise is how network monitoring can cope with these two major trends. Is it still relevant? Shall it be considered as part of the security product investments? In this talk we will share some insights and techniques on how network monitoring can be used in today's landscape. We will deep dive into the security posture of OT and IoT networks, their interface with the IT world and the challenges we face for assessing their risk score. We will describe how we can tackle the encryption challenge and how we can detect threats on the wire even in the absence of clear-text traffic.



Day 1, June 10, PROTASIS Session 2, Chair: Kaveh Razavi (11:00-12:30):

Speaker: Bengt Sahlin

Title: Challenges with Security Assurance

Abstract: The presentation will discuss the latest developments in security assurance, including the 3GPP SECAM/GSMA NESAS work and the EU Cybersecurity Act. The presentation will then discuss the challenges with security assurance.


Speaker: Prof. Kaveh Razavi

Title: Rowhammer Attacks and Defenses: Past, Present and Future (part 1)

Abstract: Recent years have shown that the basic principles on which we rely for building secure computing systems do not always hold. DRAM, for example, is plagued with disturbance errors that can corrupt information across different security boundaries. In this talk, I will show the true impact of these flaws in real-world systems and discuss our ongoing efforts in mitigating them.



Day 1, June 10, PROTASIS Session 3, Chair: Evangelos Markatos (13:30-15:00):


Speaker: Prof. Kaveh Razavi

Title: Rowhammer Attacks and Defenses: Past, Present and Future (part 2)

Abstract: Recent years have shown that the basic principles on which we rely for building secure computing systems do not always hold. DRAM, for example, is plagued with disturbance errors that can corrupt information across different security boundaries. In this talk, I will show the true impact of these flaws in real-world systems and discuss our ongoing efforts in mitigating them.

Speaker: Prof. Stefano Zanero

Title: Securing Cyber-physical Systems: Moving Beyond Fear

Abstract: Cyber-physical systems are attracting a lot of attention: attacks on connected cars received a lot of media exposure, as did attacks on industrial control systems, medical devices, and more generally on IoT devices. A lot of this interest is driven by vulnerability research (often in the form of "stunt hacking"). While useful and frankly engaging and attractive, this research does not really help answer the fundamental question of how to embed security analysis in design. In this talk, we will use automotive security as a case study to try to outline a risk-based design methodology that can be used to deal with our hyper-connected future.



Day 1, June 10, PROTASIS Session 4, Chair: Stefano Zanero (15:30-17:00):

Panelists: Panel with the AB members: Lessons learned and future directions for PROTASIS


Day 1, June 10, BoF: ICES SEC WG (17:15-18:45)



Day 2, June 11, PROTASIS Session 5 (09:00-10:30)

Speaker: Prof. Eleni Kosta

Title: Human rights safeguards for mass surveillance: recent developments in the CJEU and ECtHR case law

Abstract: In the aftermath of the Snowden revelations, the surveillance activities carried out by Law Enforcement Authorities and Security and Intelligence Agencies have been in the spotlight of national Courts, the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR). This lecture will introduce the audience to the recent case law of the CJEU and ECtHR and will discuss the human rights safeguards introduced in them. It will further reflect on pending UK cases and the potential impact of Brexit in relation to mass surveillance and human rights.


Speaker: Prof. Ioannis Iglezakis

Title: Data Protection with regard to IoT in healthcare

Abstract: The internet of things (IoT) presents many advantages in healthcare, as it allows patients to store their health data in mobile applications or wearable devices, which can be used for the detailed analysis of their health status and for providing individual health support. IoT devices, however, present many security risks and thus endanger patients’ right to privacy. As the GDPR (Regulation 2016/679) imposes enhanced responsibilities on data controllers and obligations for improving security of personal data processing, IoT devices should be designed to comply with the GDPR requirements, such as the principles of risk assessment and privacy by design and by default.


Speaker: Prof. Arno Lodder (over Skype)

Title: GDPR: data protection, no privacy

Abstract: The rationale behind the right to privacy is the freedom from interference. The rationale behind data protection legislation is to condition interferences in order to legitimise the processing of personal data. The most relevant parts of the GDPR are discussed, in particular accountability (Article 5(2)), Data protection impact assessment (Articles 35-36), data protection by design and by default (Article 25), and security of processing (Article 32).



Day 2, June 11, PROTASIS Session 6, Chair: Meltini Christodoulaki (11:00-12:30):

Panel: Privacy, Law and human rights



Day 2, June 11, PROTASIS Session 7 (13:30-15:00):

Speaker: Prof. Thorsten Holz

Title: Advanced Fuzzing to Uncover Software Vulnerabilities

Abstract: In recent years, randomized fuzz-testing has progressed rapidly, mainly driven by tools such as afl and lots of academic work on this subject. In practice, fuzzing is often superior to seemingly "smarter" approaches such as symbolic or concolic execution. We provide an overview of our recent results, including fuzzing hypervisors, grammar-based fuzzing of complex interpreters, and fuzz-testing of stateful systems. In total, the different methods enabled us to find hundreds of software bugs that led to more than 50 CVEs.


Day 2, June 11, CySeP Plenary Talk 1 (15:30-17:00)

Speaker: Herb Lin (Stanford University, CA, USA)

Title: Cyber-Enabled Information Operations Through the Lens of Cyberwar

Abstract: Although cyber warfare and cyber-enabled information operations are conceptually different (the former prosecutes conflict through the hacking of computers and the latter through the hacking of people’s minds and hearts), much of the conceptual and doctrinal infrastructure of cyberwarfare is useful for understanding cyber-enabled information operations. This talk presents work in progress that elaborates these connections.


Day 2, June 11, BoF: SURPRISE project (17:15-18:45)


Day 3, June 12, CySeP Plenary Talk 2 (09:00-10:30)

Speaker: Prof. Matt Bishop (University of California, Davis, USA)

Title: Is Practical Data Sanitization Possible?

Abstract: Research in data sanitization (including anonymization) emphasizes ways to prevent an adversary from desanitizing data. Most work focuses on using mathematical mappings to sanitize data, or demonstrates that a sanitized data set can be desanitized. A few papers examine incorporation of privacy requirements, either in the guise of templates or prioritization. Essentially these approaches reduce the information that can be gleaned from a data set. In this talk, we will discuss ongoing work that considers conflicts between privacy requirements and the needs of analysts examining the redacted data. Our goal is to enable an informed decision about the effects of redacting, and failing to redact data. We begin with relationships among the data being examined, including relationships with a known data set and other, additional, external data. By capturing these relationships, desanitization techniques that exploit them can be identified, and what information must be concealed in order to thwart them (if possible) can be determined. Knowing that, a realistic assessment of whether the information and relationships are already widely known or available will enable the sanitizers to assess whether irreversible sanitization is possible, and if so, what to conceal to prevent desanitization.


Day 3, June 12, CySeP Plenary Talk 3 (11:00-12:30)

Speaker: Prof. Yvo G. Desmedt (University of Texas at Dallas, TX, USA)

Title: Information Security: Back to the Essentials

Abstract: In the 19th century astronomers studying Mars came up with maps of canals on Mars. In fact it was logical thinking for people familiar with Earth. Similar mistakes were made in biology, where it was assumed that oxygen and sunshine were required to enable life. Access Control as implemented today is based on a model that predates the Internet, computer viruses and massive hackings. Should we be surprised that it is inadequate? An alternative to the Access Control Matrix is discussed in this context. Chaum's 1980's Dining Cryptographers and Chaum's MIX are very well known approaches towards anonymity. At that time it was not customary for cryptographers to model the security goal. So, Chaum never modeled anonymity. Afterwards researchers were building on top of Chaum's solution, but were not looking back at the foundations of anonymity. We show that there are message probabilities for which anonymity is completely impossible. Moreover, we show that sometimes Chaum's solutions are not optimal and leak information about the sender/receiver. The question will be raised whether after 45 years of research on computer security and 40 years of open research in cryptography, we should not systematically revisit the foundations we regard as facts. Part of the lecture is based on recent papers in IEEE Tr. on Inform. Th., and in "From Database to Cyber Security", Springer.


Day 3, June 12, CySeP Plenary Talk 4 (13:30-15:00)

Speaker: Prof. Gene Tsudik (University of California, Irvine, USA)

Title: Formally Verifying Remote Attestation for Simple Embedded Devices

Abstract: Remote Attestation (RA) is a security service that allows a trusted verifier (Vrf) to measure the software state of an untrusted remote device -- Prv. If correctly implemented, RA allows Vrf to remotely detect if Prv is in an illegal or compromised state. Although several RA architectures have been proposed, little attention has been devoted to their verifiability and security guarantees that can be derived through formal verification of RA architectures. In this talk we introduce VRASED: Verifiable Remote Attestation for Simple Embedded Devices. VRASED instantiates a hybrid (HW/SW) RA co-design aimed at low-end embedded systems, e.g., simple IoT devices. Since VRASED security properties must be jointly guaranteed by HW and SW, verification is a challenging task, which has never been attempted before in the context of RA. Besides being the first formally verified RA scheme, VRASED is the first formally verified HW/SW implementation of any security service. VRASED’s publicly available implementation is realized on Basys3 FPGA and requires 16x fewer Look-Up Tables and 36x fewer registers than the cheapest pure HW-based RA design.


Day 3, June 12, SecurityLink: CRATE; short talks (15:30-17:00)

Speaker: Tommy Gustafsson, Swedish Defence Research Agency (FOI)

Suggested Title: Cyber ranges in theory and practice: towards a second-generation Cyber range

Suggested Abstract: In the first decade of this millennium, cyber security labs and test facilities started transforming into what we today know as a cyber range. Today, cyber ranges fill an essential role in cyber security training and education, research as well as testing and development and we’re starting to see second-generation ranges being developed. In this session we start with a short introduction to cyber ranges and their different use cases. Then we move into the challenges facing a modern cyber range and investigate how these are addressed in the Swedish cyber range CRATE. We’ll also demonstrate some of the features in CRATE.


Day 4, June 13, CySeP Plenary Talk 5 (9:00-10:30)

Speaker: Prof. Virgil D. Gligor (Carnegie Mellon University, PA, USA)

Title: A Rest Stop on the (Never Ending) Road to Provable Security

Abstract: During the past decade security research has offered persuasive arguments that the road to provable security is never ending, and further that there's no rest stop on this road; e.g., there is no security property one can prove without making assumptions about other, often unproven, system properties. In this seminar I describe what a useful first rest stop might look like, and illustrate one possible place for it on the road to provable security. Specifically, I show that a simple verifier can establish software root of trust (RoT) on an untrusted system unconditionally; i.e., without secrets, trusted hardware modules, or bounds on the adversary power. I will illustrate the theory foundation for proving RoT establishment unconditionally, and show that the proofs require only the availability of randomness in nature and correct specifications for the untrusted system. The verifier is trustworthy as it requires only the off-line ability to construct nonces from strings of truly random bits and evaluate a new computation primitive – the randomized polynomials -- and then perform an on-line measurement of the untrusted system's evaluation of randomized polynomials and its response time. The optimal code for randomized polynomials on the instruction sets of real processors is discussed in some detail. I also illustrate why RoT establishment is useful for obtaining other basic properties unconditionally, such as secure initial state determination and verifiable boot -- a stronger notion than secure and trusted boot. Verifiable boot can be viewed as an instance of the FlipIt game between a defender and an adversary, where the defender wins the game by discovering the presence of malware surreptitiously inserted by the adversary into the system, unconditionally.


Day 4, June 13, CySeP Plenary Talk 6 (11:00-12:30)

Speaker: Prof. Ravi Sandhu (University of Texas, San Antonio, USA)

Title: Access Control Evolution and Prospects

Abstract: This lecture will begin with an overview of important and lasting access control concepts developed in the past 50 years or so. Many of these trace back to the needs of enterprise computing. As computing systems have evolved beyond the enterprise to include modern applications such as electronic commerce, social media and the internet of things, new paradigms of access control are needed. The lecture will conclude with a discussion of the challenges of these application domains and avenues for access control evolution responsive to these needs.


Day 4, June 13, CySeP Plenary Talk 7 (13:30-15:00)

Speaker: Prof. Yvo G. Desmedt (University of Texas at Dallas, TX, USA)

Title: 2000 years of cryptology: a struggle towards science

Abstract: For 2000 years cryptographers have been predicting unbreakable cryptosystems. Unfortunately, no cryptosystem has lasted more than 300 years. The only systems we know that can not be broken (such as the one-time pad) are useless for many modern applications, such as for blockchains. In this lecture we start by having a critical look at the field of cryptography. We analyze what assumptions are needed to make sure modern cryptosystems cannot be broken. This lecture does not require prior knowledge of the audience.


Day 4, June 13, EuroS&P/CySeP Short talks, poster/demo teaser talks (15:30-17:30)


Day 4, June 13, Poster, demo, short talk buffet (17:30-19:30)


Day 5, June 14, CySeP Plenary Talk 8 (09:00-10:30)

Speaker: Prof. Gernot Heiser (UNSW, Sydney, Australia)

Title: The verified seL4 microkernel – trustworthy operating systems for the real world

Abstract: seL4 is the world’s first operating system (OS) kernel with a formal, machine-checked proof of functional correctness of its implementation. It also has proofs of security enforcement, and is the only OS in the literature with a complete and sound worst-case execution-time analysis. In this lecture I will give an overview of seL4’s verification and what it means in practice, and discuss how seL4 is being used to build secure real-world systems and some of the lessons learned. I will also introduce some of the frameworks that enable the construction of high-assurance systems on seL4, including the CAmkES framework that enables security enforcement by architecture, and the Cogent framework, that aims at reducing the verification cost of critical user-level components.


Day 5, June 14, CySeP Plenary Talk 9 (11:00-12:30)

Speaker: Prof. Joseph Yehuda Halpern (Cornell University, NY, USA)

Title: From Coordination to Blockchain: The Elusive Trail of Common Knowledge

Abstract: Reasoning about knowledge -- what I know about what you know about what I know ... -- is the type of reasoning that is often seen in puzzles and paradoxes, and has been studied at length by philosophers. But it plays a key role in many other contexts, ranging from understanding conversations to the analysis of distributed computer algorithms. More recently, it has been shown to play a key role in understanding what a blockchain protocol provides. I'll start the talk by considering a number of well-known puzzles and paradoxes, which both illustrate the subtleties of reasoning about knowledge and the advantages of having a good framework in which to make this reasoning precise. These puzzles also turn out to be closely related to important problems in distributed computing and game theory. In particular, they emphasize the importance of the notion of common knowledge, which turns out to be essential for reaching agreements and coordinating action. Unfortunately, we can prove that in practical multi-agent systems, common knowledge is not attainable. This seems somewhat paradoxical. How can common knowledge be both necessary and unattainable? The paradox gets resolved (to some extent) by examining a number of variants of common knowledge that turn out to be both attainable and sufficient for many applications. In particular, I'll show that a variant of common knowledge characterizes the guarantees provided by blockchain protocols. The work on blockchain is joint with Rafael Pass. The earlier work is joint with Yoram Moses, Ron Fagin, and Moshe Vardi.


Day 5, June 14, CySeP Plenary Talk 10 (13:30-15:00)

Speaker: Prof. Pierangela Samarati (University of Milano, Italy)

Title: Data Security and Privacy in Emerging Scenarios

Abstract: The rapid advancements in Information and Communication Technologies (ICTs) have been greatly changing our society, with clear societal and economic benefits. Mobile technology, Cloud, Big Data, Internet of things, services and technologies that are becoming more and more pervasive and conveniently accessible, towards the realization of a 'smart' society. At the heart of this evolution is the ability to collect, analyze, process and share an ever increasing amount of data, to extract knowledge for offering personalized and advanced services. A major concern, and potential obstacle, towards the full realization of such evolution is represented by security and privacy issues. As a matter of fact, the (actual or perceived) loss of control over data and potential compromise of their confidentiality can have a strong detrimental impact on the realization of an open framework for enabling collection, processing, and sharing of data, typically stored or processed by external cloud services. In this seminar, I will illustrate some security and privacy issues arising in emerging scenarios, focusing in particular on the problem of managing data while guaranteeing confidentiality and integrity of data stored or processed by external providers.


Day 5, June 14, CySeP-CTF Panel (15:30-17:00)

Panel: Challenges ahead towards a trustworthy Internet of Things (IoT)

The digitalization of societies is advancing fast. The future success of many companies depends on their embracing IoT trends in their business. However, this increases their dependency on information technology services and it multiplies the vulnerabilities of such emerging systems of systems. What measures need to be taken in order to ensure security and safety in our democratic society and, at the same time, keep up with the competition on a global market? This panel seeks to approach these questions from policy, technology, defense, education, public opinion, and economy viewpoints, discussing lessons learned, burning issues, priorities, and strategic choices to be made.


- Anne-Marie Eklund Löwinder (The Internet Foundation in Sweden)

- Pål Jonson (Member of the Swedish Parliament)

- Erik Biverot (Swedish Civil Contingencies Agency)

- Colonel Patrik Ahlgren (Swedish Armed Forces)

- Oscar Jonson (Free World Forum)


- Panos Papadimitratos (KTH and RISE SICS)


Day 5, June 14, CTF Nymble afterwork (17:30-19:30)




