12.05.2021 - 16:00
Fuzz Testing and Beyond
Bio: Thorsten Holz is a professor in the Faculty of Electrical Engineering and Information Technology at Ruhr-University Bochum, Germany. His research interests include technical aspects of secure systems, with a specific focus on systems security. Currently, his work concentrates on reverse engineering, automated vulnerability detection, and studying latest attack vectors. He received the Dipl.-Inform. degree in Computer Science from RWTH Aachen, Germany (2005) and the Ph.D. degree from University of Mannheim (2009). Prior to joining Ruhr-University Bochum in April 2010, he was a postdoctoral researcher in the Automation Systems Group at the Technical University of Vienna, Austria. In 2011, Thorsten received the Heinz Maier-Leibnitz Prize from the German Research Foundation (DFG) and in 2014 an ERC Starting Grant. Furthermore, he is Co-Spokesperson of the Cluster of Excellence "CASA - Cyber Security in the Age of Large-Scale Adversaries" (with C. Paar and E. Kiltz).
Abstract: In this talk, I will provide an overview of our recent progress in randomized testing and present some of the methods we have developed in the past years. These include fuzzing of OS kernels and hypervisors, grammar-based fuzzing of complex interpreters, and fuzz testing of stateful systems. As part of this work, we have already found hundreds of software bugs, some of which are related to well-known programs and systems. In addition, I will also talk about a method to prevent fuzz testing and conclude with an outlook on open challenges that still need to be solved.
14.04.2021 - 16:00
Privacy and Verifiability in Certificate Transparency
Bio: Sarah Meiklejohn is a Professor in Cryptography and Security at University College London (UCL), in the Computer Science department. She is affiliated with the Information Security Group, and is also a member of the Open Music Initiative, a fellow of the Alan Turing Institute, and an Associate Director of the Initiative for Cryptocurrencies and Contracts (IC3).
From November 2019 to December 2020, she was a visiting researcher at Google UK, working with the Certificate Transparency / TrustFabric team. As of December 2020 she is a Staff Research Scientist there.
Sarah Meiklejohn received a PhD in Computer Science from the University of California, San Diego under the joint supervision of Mihir Bellare and Stefan Savage. During her PhD, she spent the summers of 2011 and 2013 at MSR Redmond, working in the cryptography group with Melissa Chase. She obtained an Sc.M. in Computer Science from Brown University under the guidance of Anna Lysyanskaya in 2009, and an Sc.B. in Mathematics from Brown in 2008.
Abstract: In recent years, there has been increasing recognition of the benefits of having services provide auditable logs of data, as demonstrated by the deployment of Certificate Transparency and the development of other transparency projects. Despite their success, extending the current form of these projects can yield improved guarantees in terms of verifiability, efficiency, and privacy. This talk touches on these considerations by discussing efficient solutions for verifiability, in the form of a gossip protocol and a new verifiable data structure, and the difficulties of achieving privacy-preserving auditing.
10.03.2021 - 16:00
Proximity tracing with Coronalert: lessons learned
Bio: Prof. Bart Preneel is a full professor at the KU Leuven, where he heads the COSIC research group. His main research interests are cryptography, information security and privacy. He has served as president of the IACR (International Association for Cryptologic Research) and is co-founder and chairman of the Board of the information security cluster LSEC. He is a member of the Advisory group of ENISA, of the Board of the Cyber Security Coalition Belgium and of the Academia Europaea. He received the RSA Award for Excellence in the Field of Mathematics (2014), the IFIP TC11 Kristian Beckman award (2015) and the ESORICS Outstanding Research Award (2017). In 2015 he was elected as fellow of the IACR. He frequently consults for industry and government about security and privacy technologies.
Abstract: The corona pandemic is the first major pandemic in times of big data, AI and smart devices. Some nations have deployed these technologies a large scale to support a trace/quarantine/test/isolate strategy in order to contain a pandemic. However, serious concerns have been raised w.r.t. the privacy implications of some solutions, which makes them incompatible with privacy and human rights that are protected by EU law. This talk focuses on the proximity tracing solution developed by the DP-3T (Distributed Privacy-Preserving Proximity Tracing) consortium. This app has been rolled out in more than 40 countries and states, with support of Google and Apple. We will provide some details on the experience with the Coronalert app in Belgium that is connected to the European Federated Gateway Service, which at this moment has 11 EU countries and more than 40 million users. The talk will discuss the lessons learned from this large-scale deployment in which the principles of privacy-by-design and data minimization have played a central role.
10.02.2021 - 16:00
SafetyPin: Encrypted Backups with Human-Memorable Secrets
Bio: Henry Corrigan-Gibbs (he/him) is an assistant professor in MIT's department of electrical engineering and computer science and is a principal investigator in MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL). Henry builds computer systems that provide strong security and privacy properties using ideas from the domains of cryptography, computer security, and computer systems. Henry completed his PhD in the Applied Cryptography Group at Stanford, where he was advised by Dan Boneh. After that, he was a postdoc in Bryan Ford's research group at EPFL in Lausanne, Switzerland.
For their research efforts, Henry and his collaborators have received the Best Young Researcher Paper Award three times (at Eurocrypt in 2020, the Theory of Cryptography Conference in 2019 and at Eurocrypt in 2018), the 2016 Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies, and the 2015 IEEE Security and Privacy Distinguished Paper Award. Henry's work has been cited by IETF and NIST, and his libprio library for privacy-preserving telemetry data collection ships today with the Firefox browser.
Abstract: This talk will present the design and implementation of SafetyPin, a system for encrypted mobile-device backups. Like existing cloud-based mobile-backup systems, including those of Apple and Google, SafetyPin requires users to remember only a short PIN and defends against brute-force PIN-guessing attacks using hardware security protections. Unlike today's systems, SafetyPin splits trust over a cluster of hardware security modules (HSMs) in order to provide security guarantees that scale with the number of HSMs. In this way, SafetyPin protects backed-up user data even against an attacker that can adaptively compromise many of the system's constituent HSMs. SafetyPin provides this protection without sacrificing scalability or fault tolerance. Decentralizing trust while respecting the resource limits of today's HSMs requires a synthesis of systems-design principles and new cryptographic tools. We evaluate SafetyPin on a cluster of 100 low-cost HSMs and show that a SafetyPin-protected recovery takes 1.01 seconds. To process 1B recoveries a year, we estimate that a SafetyPin deployment would need 3,100 low-cost HSMs.
13.01.2021 - 16:00
Bio: Andrei Sabelfeld is a Professor in the Department of Computer Science and Engineering at Chalmers University of Technology in Gothenburg, Sweden. Before joining Chalmers as faculty, he was a Research Associate at Cornell University in Ithaca, NY, USA. Andrei Sabelfeld's research ranges from foundations to practice in a range of topics in computer security and privacy. Today, he leads a group of researchers at Chalmers engaged in a number of internationally visible projects on software security, web security, IoT security, and applied cryptography.
Abstract: Trigger-Action Platforms (TAPs) seamlessly connect a wide variety of otherwise unconnected devices and services, ranging from IoT devices to cloud services and social networks. While enabling novel and exciting applications, TAPs raise critical security and privacy concerns because a TAP is effectively a "person-in-the-middle" between trigger and action services. Third-party code, routinely deployed as "apps" on TAPs, further exacerbates these concerns.