Mark your calendars: the Second AMSEC Workshop will be on Wednesday October 9, 2019 in the afternoon. The venue will be CWI. A PDF version of the program is available here.

2nd AMSec Workshop

Date and Time

Wednesday October 9, 2019.

The technical program starts as 13:00h (walk-in and coffee as of 12:30h).

Location

Euler Room

Amsterdam Science Park Congress Center

Science Park 125

1098 XG Amsterdam

Program

13:00 – 13:30 : Marc Stevens (CWI): Real-world Cryptanalysis
[Slides]

13:30 – 14:00 : Yuri Demchenko (UvA): Cloud Security services and mechanisms: Can modern clouds provide secure and trusted environment for data and business applications?
[Slides]

14:00 – 14:30 : BREAK

14:30 – 15:15 : Keynote – Ronald de Wolf (CWI, UvA, QuSoft): The potential impact of quantum computers on society
[Slides]

15:15 – 15:45 : Erik van der Kouwe (Leiden): Benchmarking Crimes in Systems Security
[Slides]

15:45 – 16:15 : BREAK

16:15 – 16:45 : Marleen Weulen Kranenbarg (VU, NSCR): Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure
[Slides] [Paper]

16:45 – 17:15 : Joeri Toet (VU): Move fast, but break (only) your own things?

17:15 – 18:00 : DRINKS

Speakers

Yuri Demchenko

Senior researcher at the System and Network Engineering Research Group, University of Amsterdam

Erik van der Kouwe

Assistant professor in security at the Computer Systems Group of the LIACS, Leiden University.

Marc Stevens

Researcher in the Cryptology Group at CWI.

Joeri Toet

Lecturer at the Faculty of Law, Internet Law, VU Amsterdam.

Marleen Weulen Kranenbarg

Assistant professor at the Faculty of Law, Criminology, VU Amsterdam; author at NSCR, Nederlands Studiecentrum Criminaliteit en Rechtshandhaving.

Ronald de Wolf

Researcher at the Algorithms and Complexity Group of CWI; part-time full professor at the ILLC, University of Amsterdam; member of QuSoft.

Presentations

Real-world Cryptanalysis

– Marc Stevens (CWI)

In this talk, I will give an overview of cryptanalytic collision attacks on hash functions and how these impacted the real world. The talk will go from theory to practice, to large-scale computations and real-world threat demonstrations, including supermalware and counter-cryptanalysis, and show the demise of one of industry’s old de facto cryptographic standard to a cryptanalytic toy.

Cloud Security services and mechanisms: Can modern clouds provide secure and trusted environment for data and business applications?

– Yuri Demchenko (UvA)

The talk will provide a brief overview of the general cloud security model and security services and mechanisms, and next look at how they can be used to provide secure and trusted environment in few use cases of data centric applications. The talk will also introduce the proposed Virtual Infrastructure Trust Bootstrapping (VITBP) protocol that allows bootstrapping cloud virtual infrastructure and on-premises infrastructure.

The potential impact of quantum computers on society

– Ronald de Wolf (CWI, UvA, QuSoft)

This talk considers the potential impact that the nascent technology of quantum computing may have on society. It focuses on three areas: cryptography, optimization, and simulation of quantum systems. We will also discuss some ethical aspects of these developments, and ways to mitigate the risks.

Benchmarking Crimes in Systems Security

– Erik van der Kouwe (Leiden University)

Properly benchmarking a system is a difficult and intricate task. Even a seemingly innocuous mistake can compromise the guarantees provided by a systems security defense and threaten reproducibility and comparability. Moreover, as many modern defenses trade security for performance, the damage caused by benchmarking mistakes is increasingly worrying. To analyze the magnitude of the phenomenon, we identify 22 benchmarking crimes that threaten the validity of systems security evaluations, and survey 50 defense papers published in top venues. We show that benchmarking crimes are widespread even in papers published at tier-1 venues; tier-1 papers contain an average of five benchmarking crimes and we find only a single paper in our sample without any benchmarking crimes. Moreover, the scale of the problem appears constant over time, suggesting that the community is not yet taking sufficient countermeasures. This threatens the scientific process, which relies on reproducibility and comparability to ensure that published research advances the state of the art. We hope to raise awareness and provide recommendations for improving benchmarking quality and safeguard the scientific process in our community.

Don’t shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure

– Marleen Weulen Kranenbarg (VU, NSCR)

In the computer science field coordinated vulnerability disclosure is a well-known practice for finding flaws in IT-systems and patching them. In this practice, a white-hat hacker who finds a vulnerability in an IT-system reports that vulnerability to the system’s owner. The owner will then resolve the problem, after which the vulnerability will be disclosed publicly. This practice generally does not focus on potential offenders or black-hat hackers who would likely exploit the vulnerability instead of reporting it. In this paper, we take an interdisciplinary approach and review the current coordinated vulnerability disclosure practice from both a computer science and criminological perspective. We discuss current issues in this practice that could influence the decision to use coordinated vulnerability disclosure versus exploiting a vulnerability. Based on different motives, a rational choice or cost–benefit analyses of the possible reactions after finding a vulnerability will be discussed. Subsequently, implications for practice and future research suggestions are included.

Move fast, but break (only) your own things?

– Joeri Toet (VU)

This talk will discuss the conditions under which the legal system would allow for an adequate level of security.

The First AMSEC workshop featured a keynote, research talks from all the participating organisations, much discussion and a lively panel.

Date : May 15, 2019

Time : 13:00-17:00

Place : HG-08A00 (VU Campus)

The first AMSec workshop on May 15, 2019 featured presentations from the various disciplines, accessible to a wide audience, as well as a keynote by Michel van Eeten, professor of Governance of Cybersecurity at TU Delft and member of Cyber Security Council for the Netherlands.

Workshop Program

13:00-13:15 Introduction to AMSec

13:15-14:00 Keynote: Michel van Eeten

14:15-14:35 Drink from the fire hose: how your CPU shouts out your deepest secrets
Speaker Kaveh Razavi, VUSec, Vrije Universiteit Amsterdam

Abstract This talk will introduce the recently disclosed RIDL vulnerability in Intel processors in a manner that is understandable to everyone. RIDL allows attackers to leak sensitive data (such as files containing password information) across any security boundary.

14:35-14:55 Exploring the social dimension of cybercriminal networks.

Speaker Rutger Leukfeldt, NSCR

Abstract We analysed 40 cybercriminal networks that were involved in phishing, banking malware and hacking to see if they could be labelled loners, colleagues, peers, teams, or formal organizations. In contrast with prior research, the majority of our cases can be labelled a team or a formal organization.

14:55-15:15 Lattice-based cryptography: Standardization and security estimation

Speaker Leo Ducas, CWI

Abstract In this talk, I will present the status of the ongoing standardization process for quantum-safe cryptography, highlight some lattice base candidates, and discuss advances in their cryptanalysis.

15:30-15:50 Law and cybersecurity

Speaker Anne de Hingh, VU-Centre for Law and Internet

Abstract Breaking security is both prohibited (e.g. hacking) and allowed (police, intelligence agencies). The law is still struggling with designing the right framework in the area of cybercrime, -security, -war. Some issues are enforcement and attribution.

15:50-16:10 SarNet: Autonomous Response Network

Speaker Ralph Koning, SNE, UvA

Abstract Self defending systems or networks can offload security teams and enable them to focus on new and pressing threats. This talk will cover such systems in the context of the SARNET (Secure Autonomous Response NETworks) project: the experimentation environment, a method for evaluating defense performance, and how we orchestrate defenses in single networks and in collaborations of multiple network domains.

16:30-17:15 Panel

Jos Baeten (CWI)
Jaya Baloo (KPN)
Marc Witteman (Riscure)
Joshua Serrao (City of Amsterdam)

17:15-18:00 Drinks

Information about speakers and panellists

Keynote speaker

Michel van Eeten Â« HITBSecConf2018 â Amsterdam
Michel van Eeten is professor at Delft University of Technology. He studies the interplay between technological design and economic incentives in cybersecurity. His team analyses large-scale Internet measurement and incident data to identify how the markets for Internet services deal with security risks. He is also a member of the Cyber Security Council, an advisory body of the Dutch government.