CERIAS Weekly Security Seminar - Purdue University show

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, a case study or exploring cyber operational approaches; they are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly...or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 Courtney Falk, Enemy Perspectives: When Nation-States Meet Cybercriminals | File Type: video/mp4 | Duration: 3151

Threat intelligence is interested in the entire kill chain from tools to victims. Chief among these interests are the threat actors themselves who carry out attacks and campaigns. Many different schemes exist on how to classify different types of threat actors in order to more easily describe and understand them. This presentation focuses on the nation-state and cybercriminal classes of threat actors, how they differ, and how they overlap. Real world examples are provided to illustrate new and different ways of thinking about threat actors. About the speaker: Dr. Courtney Falk is an information security professional with over ten years of experience in the government, academic, and public sectors. He earned his doctorate of philosophy from Purdue University while researching the applications of natural language processing to information security problems. Courtney currently works as the senior research scientist for Optiv's Global Threat Intelligence Center.

 Courtney Falk, "Enemy Perspectives: When Nation-States Meet Cybercriminals" | File Type: video/mp4 | Duration: Unknown

Threat intelligence is interested in the entire kill chain from tools to victims. Chief among these interests are the threat actors themselves who carry out attacks and campaigns. Many different schemes exist on how to classify different types of threat actors in order to more easily describe and understand them. This presentation focuses on the nation-state and cybercriminal classes of threat actors, how they differ, and how they overlap. Real world examples are provided to illustrate new and different ways of thinking about threat actors.

 Jason Ortiz, IoT Security: Living on the Edge | File Type: video/mp4 | Duration: 4010

This talk will explore the enormous threat landscape presented by the IoT ecosystem and examine the state of IoT security with a bit of humor. We will look at everything from individual devices, to conceptual challenges, as well as potential solutions to the most challenging security question we have ever had to answer. About the speaker: Jason is Sr. Integration Engineer and has worked in related roles for 9 years since graduating from Purdue University with a BS in Computer Science in 2009. Prior to joining Pondurance, Jason worked as a defense contractor in the Washington D.C. area and was a NASA intern while attending Purdue. Jason loves the challenges brought forward by a career in cyber security and working to secure national infrastructure. Outside of cyber security, Jason considers himself a maker with a particular passion for educational technology, an amateur cartographer, an urban enthusiast and is fascinated by aerospace engineering and everything related to space exploration. Jason also enjoys playing soccer and basketball as well as rooting for the Colts, Pacers, Caps and Blues! Jason is excited to be back in Indy and to be part of the rising Indy tech community!

 Jason Ortiz, "IoT Security: Living on the Edge" | File Type: video/mp4 | Duration: Unknown

This talk will explore the enormous threat landscape presented by the IoT ecosystem and examine the state of IoT security with a bit of humor. We will look at everything from individual devices, to conceptual challenges, as well as potential solutions to the most challenging security question we have ever had to answer.

 Meng Xu, "Precise and Scalable Detection of Double-Fetch Bugs in Kernels" | File Type: video/mp4 | Duration: Unknown

During system call execution, it is common for operating system kernels to read userspace memory multiple times (multi-reads). A critical bug may exist if the fetched userspace memory is subject to change across these reads, i.e., a race condition, which is known as a double-fetch bug. Prior works have attempted to detect these bugs both statically and dynamically. However, due to their improper assumptions and imprecise definitions regarding double-fetch bugs, their multi-read detection is inherently limited and suffers from significant false positives and false negatives. For example, their approach is unable to support device emulation, inter-procedural analysis, loop handling, etc. More importantly, they completely leave the task of finding real double-fetch bugs from the haystack of multi-reads to manual verification, which is expensive if possible at all. In this paper, we first present a formal and precise definition of double-fetch bugs and then implement a static analysis system—DEADLINE—to automatically detect double-fetch bugs in OS kernels. DEADLINE uses static program analysis techniques to systematically find multi-reads throughout the kernel and employs specialized symbolic checking to vet each multi-read for double-fetch bugs. We apply DEADLINE to Linux and FreeBSD kernels and find 23 new bugs in Linux and one new bug in FreeBSD. We further propose four generic strategies to patch and prevent double-fetch bugs based on our study and the discussion with kernel maintainers.

 Meng Xu, Precise and Scalable Detection of Double-Fetch Bugs in Kernels | File Type: video/mp4 | Duration: 2909

During system call execution, it is common for operating system kernels to read userspace memory multiple times (multi-reads). A critical bug may exist if the fetched userspace memory is subject to change across these reads, i.e., a race condition, which is known as a double-fetch bug. Prior works have attempted to detect these bugs both statically and dynamically. However, due to their improper assumptions and imprecise definitions regarding double-fetch bugs, their multi-read detection is inherently limited and suffers from significant false positives and false negatives. For example, their approach is unable to support device emulation, inter-procedural analysis, loop handling, etc. More importantly, they completely leave the task of finding real double-fetch bugs from the haystack of multi-reads to manual verification, which is expensive if possible at all. In this paper, we first present a formal and precise definition of double-fetch bugs and then implement a static analysis system—DEADLINE—to automatically detect double-fetch bugs in OS kernels. DEADLINE uses static program analysis techniques to systematically find multi-reads throughout the kernel and employs specialized symbolic checking to vet each multi-read for double-fetch bugs. We apply DEADLINE to Linux and FreeBSD kernels and find 23 new bugs in Linux and one new bug in FreeBSD. We further propose four generic strategies to patch and prevent double-fetch bugs based on our study and the discussion with kernel maintainers. About the speaker: Meng Xu is a 5th-year Ph.D. student at School of Computer Science, Georgia Tech, advised by Professor Taesoo Kim. He is a member of SSLab and IISP. His research interests include system security, N-version programming, and bug finding. He served on the program committee of ACM CCS'18, and published many papers at top conferences such as ACM CCS, USENIX Security and IEEE S&P.

 Mark Loepker, 80/20 Rule-Cyber Hygiene | File Type: video/mp4 | Duration: 3531

Hygiene - it's good for your body and it's good for your computer/network. We will explore the simplicity of cyber hygiene and the insider/outsider threats that take advantage of poor hygiene. It is all a matter of focus and attention to threat actors. In addition, we will introduce you to the Cyber Center for Education and Innovation, Home of the National Cryptologic Museum (CCEI-NCM). This is a unique national value proposition to bring together cybersecurity education and invite collaboration. CCEI-NCM's core mission is to broaden cyber threat awareness, understand cybersecurity best practices with educational outreach, and to enhance operational cybersecurity workforce development in support of our nation's critical infrastructure sectors. About the speaker: Mark S. Loepker is a master practitioner in Information Assurance (IA) and International Partnerships with over 39 years of government experience. He excels at orchestrating dissimilar groups aimed at fostering consensus to solve the toughest cybersecurity challenges. Mr. Loepker held many Executive level leadership positions throughout his career. Mr. Loepker currently serves as a Senior Advisor and Education Lead to the National Cryptologic Museum Foundation, focused on developing educational programs to be delivered from the new Cyber Center for Education & Innovation (CCEI). In this role, he focuses on ensuring that K-12/STEM initiatives are tightly aligned with national cyber curriculum standards, and that the CCEI becomes a national resource addressing workforce development and operational training requirements targeting 13-20 grade curriculum. During his National Security Agency career, he worked closely with Congressional Members and Staff on emerging cybersecurity issues and legislation.
He was the Director, National Information Assurance Partnership (NIAP) established between the National Institute of Standards and Technology (NIST) and NSA to evaluate Information Technology (IT) product conformance to international standards. He was the Department of Defense Chief Information Officer (DoD/CIO), Defense-wide Information Assurance Program (DIAP) Director. He ensured the DoD's vital IT resources were secured and protected by unifying and integrating cybersecurity activities to achieve secure Net-Centric Global Information Grid operations. He served as the Committee on National Security Systems (CNSS), Secretariat Manager and was responsible for setting National Security Systems (NSS) national-level Information Assurance policies, directives, and instructions and providing a forum for the discussion of policy issues amongst U.S. Government departments and agencies. He served as the Common Criteria Recognition Arrangement (CCRA) Executive Subcommittee Chairman leading 27 Nations in product assurance, evaluation, supply chain risk management and managing the CCRA. He served for six years as the NATO Information Security Subcommittee National Co-Chairman and three years as the CNSS Subcommittee Chairman. Mr. Loepker, working with Dr. Melissa Dark, Purdue's Professor of Technology in Computer and Information Technology, pioneered the first-ever NSA sponsored class where graduate students used typical NSA technical challenges for their class work with mentorship from NSA Technical Directors. After five years, the effort now spans 19 Universities and 12 government agencies with over 354 alumni and over 160 currently enrolled.
Mr. Loepker's educational degrees include a Master in Business Administration – Quantitative Analysis, University of Missouri; Bachelor of Science in Electrical Engineering Technology, Purdue University; Associate in Aviation Electronic Technology, Purdue University and numerous NSA technical, executive and legislative development programs.

 Mark Loepker, "80/20 Rule-Cyber Hygiene" | File Type: video/mp4 | Duration: Unknown

Hygiene - it's good for your body and it's good for your computer/network. We will explore the simplicity of cyber hygiene and the insider/outsider threats that take advantage of poor hygiene. It is all a matter of focus and attention to threat actors. In addition, we will introduce you to the Cyber Center for Education and Innovation, Home of the National Cryptologic Museum (CCEI-NCM). This is a unique national value proposition to bring together cybersecurity education and invite collaboration. CCEI-NCM's core mission is to broaden cyber threat awareness, understand cybersecurity best practices with educational outreach, and to enhance operational cybersecurity workforce development in support of our nation's critical infrastructure sectors.

 Ryan Goldsberry, Applied Cyber and Mobile Security Consulting | File Type: video/mp4 | Duration: 1719

Cyber security for increasingly mobile clients is an increasing and never ending challenge. Companies of the future are adopting agile systems and cross-functional processes to respond to these challenges. About the speaker: Mr. Goldsberry is a Specialist Leader in Deloitte's Transportation Strategy and Operations group. Ryan has over 20 years of leadership experience in industrial and automotive companies. He uses his background in both Strategic Marketing and Supply Chain to assist clients struggling with disruptive change. Ryan has managed consulting engagements in transportation, telecommunications, energy, and financial services, using his background in both strategic marketing and operations. His passion is preparing clients for the disruptive changes that are occurring due to changing mobility preferences and due to new technologies like autonomous, connected, electric, and shared vehicles/infrastructure. He has worked extensively with manufacturers, suppliers, universities, and government agencies to tackle these problems and prove out solutions with pilots and new business models. Prior to joining Deloitte, Ryan successfully turned around several automotive aftermarket businesses and has extensive experience across the automotive value chain from OEM to retail to wholesale/distribution. Ryan has a BS in Mechanical Engineering from Cornell University, an MS in Manufacturing Systems Engineering from the University of Michigan, and an MBA from Stanford University.

 Ryan Goldsberry, "Applied Cyber and Mobile Security Consulting" | File Type: video/mp4 | Duration: Unknown

Cyber security for increasingly mobile clients is an increasing and never ending challenge. Companies of the future are adopting agile systems and cross-functional processes to respond to these challenges.

 Jessy Irwin, Double the Factors, Double the Fails: How Usability Obstacles Impact Adoption of Strong Authentication Habits | File Type: video/mp4 | Duration: 3822

About the speaker: Jessy Irwin is Head of Security at Tendermint, where she excels at translating complex cybersecurity problems into relatable terms, and is responsible for developing, maintaining and delivering comprehensive security strategy that supports and enables the needs of her organization and its people. Prior to her role at Tendermint, she worked to solve security obstacles for non-expert users as a strategic advisor, security executive, consultant and former Security Empress at 1Password. She regularly writes and presents about human-centric security, and believes that people should not have to become experts in technology, security or privacy to be safe online. Her current interests include security maturity and culture, usable security and secure UI/UX, and building impactful security teams and programs in emerging blockchain technologies.

 Jessy Irwin, "Double the Factors, Double the Fails: How Usability Obstacles Impact Adoption of Strong Authentication Habits" | File Type: video/mp4 | Duration: Unknown

Jessy Irwin, "Double the Factors, Double the Fails: How Usability Obstacles Impact Adoption of Strong Authentication Habits"

 Shiqing Ma, Kernel-Supported Cost-Effective Audit Logging for Causality Tracking | File Type: video/mp4 | Duration: 2357

The Linux Audit system is widely used as a causality tracking system in real-world deployments for problem diagnosis and forensic analysis. However, it has poor performance. We perform a comprehensive analysis on the Linux Audit system and find that it suffers from high runtime and storage overheads due to the large volume of redundant events. To address these shortcomings, we propose an in-kernel cache-based online log-reduction system to enable high-performance audit logging. It features a multi-layer caching scheme distributed in various kernel data structures, and uses the caches to detect and suppress redundant events. Our technique is designed to reduce the runtime overhead caused by transferring, processing, and writing logs, as well as the space overhead caused by storing them on disk. Compared to existing log reduction techniques that first generate the huge raw logs before reduction, our technique avoids generating redundant events in the first place. Our experimental results of the prototype KCAL (Kernel-supported Cost-effective Audit Logging) on one-month real-world workloads show that KCAL can reduce the runtime overhead from 40+% to 15-%, and reduce space consumption by 90% on average. KCAL achieves such a large reduction with 4% CPU consumption on average, whereas a state-of-the-art user space log-reduction technique has to occupy a processor with 95+% CPU consumption all the time. About the speaker: Shiqing Ma is a Ph.D. candidate from the Department of Computer Science at Purdue University, advised by Dr. Xiangyu Zhang and Dr. Dongyan Xu. He received his B.E. from School of Software Engineering, Shanghai Jiao Tong University (SJTU) in 2013. His research focuses on system/software security, software engineering and machine learning. He is a recipient of the Bilsland Dissertation Fellowship and two Distinguished Paper Awards from NDSS 2016 and USENIX Security 2017.

 Shiqing Ma, "Kernel-Supported Cost-Effective Audit Logging for Causality Tracking" | File Type: video/mp4 | Duration: Unknown

The Linux Audit system is widely used as a causality tracking system in real-world deployments for problem diagnosis and forensic analysis. However, it has poor performance. We perform a comprehensive analysis on the Linux Audit system and find that it suffers from high runtime and storage overheads due to the large volume of redundant events. To address these shortcomings, we propose an in-kernel cache-based online log-reduction system to enable high-performance audit logging. It features a multi-layer caching scheme distributed in various kernel data structures, and uses the caches to detect and suppress redundant events. Our technique is designed to reduce the runtime overhead caused by transferring, processing, and writing logs, as well as the space overhead caused by storing them on disk. Compared to existing log reduction techniques that first generate the huge raw logs before reduction, our technique avoids generating redundant events in the first place. Our experimental results of the prototype KCAL (Kernel-supported Cost-effective Audit Logging) on one-month real-world workloads show that KCAL can reduce the runtime overhead from 40+% to 15-%, and reduce space consumption by 90% on average. KCAL achieves such a large reduction with 4% CPU consumption on average, whereas a state-of-the-art user space log-reduction technique has to occupy a processor with 95+% CPU consumption all the time.

 Jillean Long Battle, What's Private: Exploring Reasonable Expectation of Privacy in the Age of Modern Innovation | File Type: video/mp4 | Duration: 3616

Millions of people spend their day chatting away on their cellphones, ordering groceries from Amazon's Alexa, making calendar appointments with Apple's Siri, or posting on Facebook about the last concert they attended. Sharing our personal information via social media platforms or providing it to third party companies has become so commonplace in our routines that it begs the question, "What, if anything, in our personal lives is really private?" As we grow more comfortable using modern technology to streamline and stay connected, are we risking our right to a reasonable expectation of privacy, a protection garnered by the Fourth Amendment of the U.S. Constitution? Modern innovation has presented the judiciary with unique challenges, as the court balances the legitimate interests of government and the people. We will explore the dynamics of Carpenter v. United States, United States v. Miller, and Smith v. Maryland, and the recent developments surrounding the Golden State Killer and the Arkansas murder case involving Amazon's Alexa. About the speaker: Jillean Long Battle serves as Director of Privacy, Security and Compliance for the Rofori Corporation, an innovative technology company that uses meta data tagging and advanced algorithmic software to enhance virtual communication and cyber security protection for the public and private sectors. Before joining the Rofori Corporation, Jillean served as the Deputy Treasurer of State for both Missouri and Indiana. In her roles, she took the lead on risk management, provided legal guidance to the state treasurer, and acted to protect the states' investment portfolios, which included assets valued at $3 billion and $8 billion respectively. Jillean also served as a Trustee of the Indiana Public Retirement System, a pension system with approximately $30 billion in assets under management.
A self-proclaimed WWII historian and Starbucks enthusiast, Ms. Battle has shared her financial insight and governance strategies in national publications and conferences across North America. She has been a panelist alongside respected economists and political leaders from around the world, including former Federal Reserve Chairman Ben Bernanke. When Jillean is not watching a documentary film or practicing yoga, she is cruising the corridors of art museums for inspiration. Jillean Battle is a licensed attorney, and holds degrees from the University of California, Berkeley and Indiana University School of Law.
