Saturday, October 20, 2012
This week I attended CCS in Raleigh, North Carolina. There were lots of interesting papers with a total of 81 being presented in all.
The conference began on Tuesday with the keynote talk from Virgil Gligor. In his talk he discussed how a general theory of trust should be built upon both behavioural trust and computational trust. Perhaps my favourite session of the day was that on TLS. The second talk of the session "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security" presented a man in the middle attack on SSL as it is used by Android phones. The speaker told us that that 41 of the 100 apps they study were vulnerable allowing them to determine bank account information, Facebook credentials and much more. One attack presented during the talk showed how the authors were able to get a popular anti-virus app to accept a virus signature the authors had created for the anti-virus software being used. As a result the app would be detected as a virus and delete itself. The day ended with a buffet dinner and a concert from local bluegrass band the Steep Canyon Rangers.
Smart meters are a growing area of research in the security community. On Wednesday there were two papers on this subject. The second of these "Neighborhood Watch: Security and Privacy Analysis of Automatic Meter Reading Systems" looks at AMR meters that have been deployed for the past decade. While these are not actually smart meters they do use wireless technology to allow remote collection of meter readings. The authors were easily able to reverse engineer the protocol used and as a result were able to determine power useage within homes. Further to this it is possible to perform spoofing attacks enabling an attacker to reduce or increase a victim's utility bills. Currently there are no cryptographic security mechanisms used on these systems, therefore a simple fix would be to introduce a scheme to enable confidentiality and integrity of meter readings. In one of the final sessions on Wednesday Robert Lychev presented the paper "Provable Security of S-BGP and other Path Vector Protocols: Model, Analysis and Extensions" based on work with Alexandra Boldyreva. BGP is the standard for routing traffic across the Internet. S-BGP is an extension to this to ensure secure routing using a PKI. The paper presented is the first attempt to provide a formal provable security analysis of the protocol. In the evening there was the traditional poster session.
I started Thursday by attending the Verification session. I found the second talk by Mihhail Aizatulin on "Computational Verification of C Protocol Implementations by Symbolic Execution" particularly interesting. This paper follows on from previous work the authors presented at CCS last year but instead of verifying in the symbolic model they use the computational model. They develop a tool to extract a model from a protocol's C code, which can then be translated to a Cryptoverif protocol description. If this then verifies correct in Cryptoverif, you have a guarantee about the protocol's security. Other sessions on the final day included Web Security, Secure Computation and Applied Crypto. The final talk of the conference (in the Payments, Votes and Reputation session) was "Measuring Vote Privacy, Revisited" presented by Veronique Cortier and was joint work with Olivier Pereira and Bristol's Bogdan and David.