CCS 2007
CCS 2007
Tutorials
[
Tutorial I ||
Tutorial II ||
Tutorial III
||
Tutorial IV
]
Tutorial I
Forensic
Techniques for Content Protection
|
The success of industries like music and movies hinge on the ability to
distribute the content to authorized customers only. Piracy is one of their
major concerns. This introductory tutorial teaches security researchers and
practitioners the basic key management and forensic techniques to defend against piracy in content protection. The focus of this tutorial is on entertainment content. We cover from broadcast encryption, revocation, tracing traitors, emerging standards, state-of-the-art and state-of-the-practice forensic approaches. We will go in depth with one of the forensic technologies. The tutorial is targeted at a beginner to intermediate audience; basic background on cryptography is assumed. The attendees will walk away with an understanding of different types of potential pirate attacks and challenges associated with defending against each attack. Intermediate students will have the opportunity to get summary of existing key management and forensic techniques against different types of pirate attacks. Academic researchers will walk away with an understanding of challenges arising to bring a theoretical solution to practice as well as potential new research directions that have been largely overlooked from academia in this area. Industrial practitioners will walk away with an understanding of real world forensic systems, from design, legal issues, to adoption. The tutorial handouts will include slides, an annotated bibliography consisting of leading references and landmark papers, and relevant URLs to standards. |
|
Introduction - History of content protection systems, DRM - Standards: 4C and AACS Key Management Approaches Broadcast Encryption - Matrix-based: CPRM - Tree-based: NNL Potential attacks - Pirate decoder attack - Anonymous attack Forensic Technologies - Tracing Traitors for pirate decoder attack -- State-of-art and state-of-practice - Traitor tracing for anonymous attack -- State-of-art and state-of-practice -- In depth: Sequence Keys for AACS Emerging models Future of Content Protection research directions |
| Hongxia Jin brings expertise in mainstream content protection technologies and first-hand design, implementation and deployment of key generation, management and forensic systems in real world. She obtained her Ph.D. degree in computer science from the Johns Hopkins University in 1999 and worked as a Research Staff Member for IBM research ever since. She is currently at the IBM Almaden Research Center, where she is the leading researcher working on key management, broadcast encryption and traitor tracing technologies. The key management and forensic technologies she developed have been adopted by AACS, a new content protection standards for managing content stored on the next generation of pre-recorded and recorded optical media for consumer use with PCs and consumer electronic devices. She has filed a dozen patents in this area. |
|
Digital societies and markets increasingly mandate consistent procedures for the
access, processing and storage of information. In the United States alone, over
10,000 such regulations can be found in financial, life sciences, health-care and government sectors, including the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, and Sarbanes-Oxley Act. A recurrent theme in these regulations is the need for regulatory-compliant data management as an underpinning to ensure data confidentiality, access integrity and authentication; provide audit trails, guaranteed deletion, and data migration; and deliver Write Once Read Many (WORM) assurances, essential for enforcing long-term data retention and life-cycle policies. In this tutorial, we will discuss achieving strongly compliant data management in realistic adversarial settings. Specifically, we will explore designs for compliant data management systems that offer guaranteed document retention and deletion, quick lookup, and compliant migration, together with support for litigation holds and several key aspects of data confidentiality. Moreover, we will discuss the benefits of the recent advent of tamper-resistant, general-purpose trustworthy hardware which opens the door to fundamentally new assurance paradigms, e.g., by deploying this new hardware running certified code at the data management server. As heat-dissipation concerns greatly limit the performance of tamper-resistant processors, our goal is to investigate and evaluate software architectures for leveraging a secure processor in the server stack with minimal impact on cost and efficiency. |
|
Radu Sion is an assistant professor of Computer Science in
Stony Brook University and the director of the Network Security and Applied
Cryptography Laboratory and the Trusted Hardware Laboratory. His research
focuses on data security and information assurance mechanisms. Collaborators and
funding partners include IBM Research, IBM Cryptography Group, Motorola Labs,
the Center of Excellence in Wireless and Information Technology CEWIT, the Stony
Brook Office for the Vice-President for Research and the National Science
Foundation. For more information, please visit the following websites: http://www.cs.stonybrook.edu/~sion and NSAC Lab: http://crypto.cs.stonybrook.edu Marianne Winslett received her PhD in Computer Science from Stanford University in 1987. She has been an assistant, associate, full, and adjunct professor in the Department of Computer Science at the University of Illinois. Her research interests are in databases and related areas, especially security in open systems and parallel I/O for high-performance scientific computation. She received a Presidential Young Investigator Award from the National Science Foundation in 1989 and Xerox Awards for Faculty Research in 1990 and 1997. She is currently on the editorial board of ACM Transactions on Database Systems and is a former editor for IEEE Transactions on Knowledge and Data Engineering and the vice-chair of ACM SIGMOD. For more information, please visit speaker's website: http://dais.cs.uiuc.edu/dais/winslett.php |
|
The explosive growth of location-detection devices (e.g., GPS-like devices and
handheld devices) along with wireless communications and mobile databases
results in realizing location-based applications that deliver specific
information to their users based on their current locations. Examples of such
applications include location-based store finder, location-based traffic
reports, and location-based advertisements. Although location-based services
promise safety and convenience, they threaten the privacy and security of users
as such services explicitly require users to share private location information
with the service and possibly with others. If a user wants to keep her location
information private, she has to turn off her location-aware device and
temporarily unsubscribe from the service. This tutorial aims to provide practitioners, researchers, and graduate students with the state of the art and major research issues in the important and practical research area of location privacy. The tutorial is divided into four main parts. The first part is concerned about legislatives issues and user perception of location privacy. In the second part, we provide a comprehensive survey of the state-of-the-art system architectures and techniques in protecting location information in mobile environments. The third part overviews several techniques that an adversary can use to reveal the location privacy information along with a brief overview of how to avoid such privacy attacks. In the fourth part, we introduce the newly developing research area of privacy-aware query processors that enable users to obtain location-based services without sacrificing their privacy. |
| Mohamed F. Mokbel (Ph.D., Purdue University, 2005) is an assistant professor in the Department of Computer Science and Engineering, University of Minnesota. His main research interests focus on advancing the state of the art in the design and implementation of database engines to cope with the requirements of emerging applications (e.g., location-based applications). Recently, he has led the efforts in incorporating location privacy in location-based applications. Dr. Mokbel is also interested in indexing, adaptive query processors, object-based storage devices, and geographic information systems. Mohamed has joined Lawrence Livermore National Lab, Microsoft Research, and Hong Kong Polytechnic University at summers 2002, 2004, and 2006, respectively. He is an ACM and IEEE member. For more information, please visit http://www.cs.umn.edu/~mokbel. |
|
VoIP is a key component of the critical information infrastructure. Due to its
advantages in cost and functionality over the Plain Old Telephone System (POTS),
VoIP is becoming increasingly popular, and more and more people are using VoIP
for their daily voice communication. IDC predicted that the number of US
residential VoIP subscribers will grow from 10.3 million in 2006 to 44 million
by 2010. A recent study by ABI predicted that the number of residential VoIP
subscribers worldwide will increase from current 38 million to more than 267
million by 2012. One of the most basic requirements of any VoIP services is that they must be reliable and trustworthy. Specifically, when people make calls via VoIP, they would expect that their calls will actually reach the intended callee once connected. When people receive calls, they would expect that the caller ID of the incoming calls is authentic. In addition, VoIP subscribers expect that no one but themselves will receive calls to them. Furthermore, VoIP subscribers would expect they only pay for the calls they have made and for the duration they have called. Lastly, VoIP should not introduce new security threats to the VoIP users. Despite the fact that tens of millions of people are using VoIP daily, the security of VoIP has not received enough attention from the research community and VoIP vendors. In fact, existing VoIP systems are vulnerable to a number of VoIP specific exploits in addition to well-known attacks (e.g., DNS cache poisoning) that are generic to the Internet and its applications. This tutorial aims to bring the attention of the research community as well as VoIP industry to the largely overlooked VoIP security problems, and lay down the technical challenges and open research problems in securing VoIP. We will first overview existing VoIP security mechanisms, analyze the vulnerabilities of SIP-based VoIP systems, and then describe a number of exploits of existing VoIP systems that would compromise the reliability and trustworthiness of VoIP. We will discuss possible mitigations to the exploits of exiting VoIP systems and technical challenges. We hope this tutorial will bring more attention from a wider community of security researchers and practitioners and inspire more active researches in securing VoIP. |
|
. Call eavesdropping . Call hijacking . Unauthorized call redirection . CallerID spoofing . Nuisance calls . Voice mail hijacking . VoIP billing attacks . Voice spam . Phone phishing . Open problems and technical challenges |
| Xinyuan Wang is currently an Assistant Professor in the Department of Information and Software Engineering/ Computer Science at George Mason University. He received his BS and MS in Computer Science from Peking University and Chinese Academy of Space Technology respectively. He received his PhD in Computer Science from North Carolina State University in 2004 after years professional experience in networking industry. His main research interests are around computer network and system security - including intrusion source tracing, anonymity and privacy, VoIP security, virus and worm, botnet. He developed the first network flow watermarking technique, which won him the 3rd place in graduate category of the 2004 ACM International Student Research Competition Grand Finals. He is the first to demonstrate that it is feasible to track encrypted, anonymous, peer-to-peer VoIP call on the Internet. He developed the first practical attack that has "penetrated" the Total Net Shield - the "ultimate solution in online identity protection" of www.anonymizer.com. For information, please visit speaker's web page: http://ise.gmu.edu/~xwangc/ |