{"id":17,"date":"2009-11-13T21:31:07","date_gmt":"2009-11-14T02:31:07","guid":{"rendered":"http:\/\/jlg.name\/blog\/?p=17"},"modified":"2012-11-06T16:37:39","modified_gmt":"2012-11-06T21:37:39","slug":"ccs-2009","status":"publish","type":"post","link":"http:\/\/jlg.name\/blog\/2009\/11\/ccs-2009\/","title":{"rendered":"CCS 2009"},"content":{"rendered":"<div>\n<p>16th Conference on Computer and Communication Security (CCS\u201909)<br \/>\nChicago, Illinois<br \/>\nNovember 9-13, 2009<\/p>\n<p>CCS is one of the top international security conferences (example topics: detecting kernel rootkits, RFID, privacy and anonymization networks, botnets, cryptography).\u00a0 It is held annually in November.\u00a0 This year there were 315 submitted papers from 31 countries, of which 18% were accepted after peer review.<\/p>\n<p>I\u2019ve attended CCS twice (2006 and 2009).\u00a0 It is one of the best conferences I\u2019ve ever attended \u2014 I find that the speakers describe practical, cutting edge, informative results; I keep up with old acquaintances and meet new ones; I keep sharp and up-to-date as a research scientist.<\/p>\n<p>Here are some of the major themes from this year:<\/p>\n<p>* ASCII-compliant shellcode:\u00a0 My favorite paper of the conference is \u201cEnglish Shellcode\u201d where the authors developed a tool that takes malicious software as input and converts it into REAL ENGLISH PHRASES (taken from Wikipedia and Project Gutenberg) that execute natively on 32-bit x86.\u00a0 If you read no other paper this year, you simply must read this paper, it is wack incredulous.\u00a0 There was another paper that uses only valid ASCII characters for shellcode on the ARM architecture.\u00a0 These demonstrations are important because ASCII (and especially English ASCII) is likely to be passed through by network intrusion detection systems.\u00a0 The favorite paper is here:<\/p>\n<p>http:\/\/www.cs.jhu.edu\/~sam\/ccs243-mason.pdf<\/p>\n<p>* Cloud computing:\u00a0 Few authors 
of cloud-related papers seemed to address the cloudiness of their work, instead (and disappointingly) discussing generic distributed computing principles under a cloud umbrella.\u00a0 The best cloud talk I saw was Ian Foster, an invited speaker at the cloud security workshop, who described the transition from grid computing to cloud computing thus: grid was about federation, cloud is about infrastructure and hosting.\u00a0 He pointed out that the grid folks did a good job of developing (e.g., medical research) applications and executing analyses, but that it is the advent of data distribution and sharing in the cloud that is a game-changer in cloud computing.<\/p>\n<p>* Anonymous communication:\u00a0 There were several talks analyzing the efficacy of anonymization networks (mix networks, remailers, Tor, onion routing).\u00a0 My takeaway is that these techniques work very well for latency-insensitive traffic (such as email), only moderately well for latency-sensitive traffic (such as web browsing), and not very well yet for high-bandwidth traffic (such as VoIP).\u00a0 My favorite work was a poster on \u201cPreventing SSL Traffic Analysis with Realistic Cover Traffic\u201d (Nabil Schear and Nikita Borisov) where the authors change the statistical profile of your encrypted traffic such that existing analyses (such as measuring keystroke latencies) are impossible.<\/p>\n<p>* Off-client emulation:\u00a0 Several speakers described a technique for client-server applications (such as game clients running on customers\u2019 home computers) that helps to ensure the correctness, robustness, or speed of the client application.\u00a0 It\u2019s impractical to run a complete copy of the client on the server (because one server handles many clients) so the authors generally create minimalist versions of the client (for example, a game client that contains no rendering code) that are server-efficient.\u00a0 In the game example, the client would send the user\u2019s commands 
(\u201cturn left, walk forward\u201d) to the server, where the minimalist client would verify that those commands didn\u2019t result in an invalid state (such as walking through a wall) that would indicate cheating by the player.<\/p>\n<p>* Function-call graphs:\u00a0 These are well-known techniques for tracing how an application executes (create a graph of the control flow of an application).\u00a0 The technique kept popping up during the conference: using them to identify when someone has violated your software license and included your source code in their application; using them inside a hypervisor to identify when a kernel rootkit is present in a virtual machine due to the different hypercalls.\u00a0 One attendee I had lunch with was very critical of the function-call graph technique (using an argument I didn\u2019t really follow) but otherwise the technique seems useful.<\/p>\n<p>* Power grids:\u00a0 The currently-hot topic in security research is power grids and smart meters.\u00a0 There are at least projects at Penn State, Carnegie Mellon, Johns Hopkins, and I\u2019m certain many other places.\u00a0 There was a tutorial, a paper, and several posters all discussing security issues in the power grid.\u00a0 The most interesting aspect to me was attacks against state estimators: the researchers described techniques to manipulate the system components involved in measuring and predicting the state of generators, transmission lines, etc.\u00a0 However, the research community still suffers from a dearth of real-world information of how these networks operate and where the real vulnerabilities might be.<\/p>\n<p>* RFID:\u00a0 As we already know, it is possible to do RFID well but none of the actual deployed RFID implementations do it well.\u00a0 One classic observation by a speaker was of the RFID-enabled driver\u2019s licenses issued in Washington State (in advance of the Winter Olympics) that include a KILL command that\u2019s supposed to be set with a unique PIN but 
in reality is unset (using a default PIN)\u2026meaning that anyone with a transmitter and sufficient power could kill a device.<\/p>\n<p>* Ethical standards for security researchers:\u00a0 One paper raised an ethical issue in its appendix (how can we do security research inside Amazon\u2019s cloud computing infrastructure in a manner that doesn\u2019t violate their terms of service?) and some researchers from the Stevens Institute have published a report and are organizing a workshop to investigate ethical standards for security researchers.\u00a0 I didn\u2019t really agree with many of the points made (my ethical line is drawn much further to the left: security researchers should have few constraints) but it was a hotly discussed and debated issue during the session breaks.<\/p>\n<p>Wolfram Schulte at Microsoft Research gave an invited workshop talk on their Singularity OS project (reinventing the OS from scratch; using software-enforced isolation instead of relying on hardware memory management techniques).\u00a0 It\u2019s an interesting project but impractical since it would require a widescale by developers in such a way that very little development would happen for a while.\u00a0 The work was inspired by his team\u2019s frustration with using best-practices formal verification (etc.) 
techniques for software development \u2014 or, taken another way, it was so frustrating when a blue-sky team tried to use existing techniques to develop and prove major software projects that they gave up.\u00a0 That doesn\u2019t bode well for using those techniques extensively in any real-world software development project (although they can still be very useful and insightful\u2026just frustrating).<\/p>\n<p>Also a shout-out to my student Brendan O\u2019Connor for delivering a well-received talk on stock markets for reputation at the digital identity workshop.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>16th Conference on Computer and Communication Security (CCS\u201909) Chicago, Illinois November 9-13, 2009 CCS is one of the top international security conferences (example topics: detecting kernel rootkits, RFID, privacy and anonymization networks, botnets, cryptography).\u00a0 It is held annually in November.\u00a0 This year there were 315 submitted papers from 31 countries, of which 18% were accepted 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/17"}],"collection":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/comments?post=17"}],"version-history":[{"count":4,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/17\/revisions"}],"predecessor-version":[{"id":659,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/17\/revisions\/659"}],"wp:attachment":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/media?parent=17"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/categories?post=17"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/tags?post=17"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}