Keynotes & Invited Talks

ACM CCS 2016 Keynotes & Industrial Talks

23rd ACM Conference on Computer and Communication Security October 25 – 27, 2016, Hofburg Palace, Vienna, Austria

Overview

We are very proud to announce the following keynotes and invited industrial talks at CCS 2016:

Keynotes @ CCS 2016

Cybersecurity, Nuclear Security, Alan Turing, and Illogical Logic
Martin Hellman, Stanford University, US
(Tuesday, October 25, 2016, 08.50-09.50, Lecture Hall C)

Is it practical to build a truly distributed payment system?
Ross Anderson, University of Cambridge, UK
(Wednesday, October 26, 2016, 08.50-09.50, Lecture Hall C)

Invited Industrial Talks @ CCS 2016

Colorful like a Chameleon: Security Nightmares of Embedded Systems
Timo Kasper, Kasper&Oswald GmbH, Germany
(Tuesday, October 25, 2016, 12.00-13.00, Lecture Hall E)

Design requirements on resilient command control and signaling systems in the railway sector – First preliminary results of the CYSIS working group on IT security
Thorsten Borrmann, DB Netz AG, Germany
(Wednesday, October 26, 2016, 16.30-17.15, Lecture Hall E)

Experiences in Securing Smart Grids and their Operations
Klaus Kursawe, GridSec.org, The Netherlands
(Wednesday, October 26, 2016, 17.15-18.00, Lecture Hall E)

Keynotes

Tuesday, October 25, 2016, 08.50-09.50, Lecture Hall C

Martin Hellman, Stanford University, US ACM A.M. Turing Award Winner 2015

Cybersecurity, Nuclear Security, Alan Turing, and Illogical Logic Abstract: My work that was recognized by the 2015 ACM Turing Award is in cybersecurity, while my primary interest for the last 35 years has been international security with an emphasis on reducing the risk that nuclear deterrence will fail and destroy civilization. This ACM Turing Lecture draws connections between those seemingly disparate areas and Alan Turing’s elegant proof that the computable real numbers, while denumerable, are not effectively denumerable. Read more about the ACM A.M. Turing Award 2015

Martin E. Hellman is best known for his his invention, with Diffie and Merkle, of public key cryptography, the technology that, among other uses, enables secure Internet transactions. It is used to transfer literally trillions of dollars every day. He has been a long-time contributor to the computer privacy debate, and was a key participant in the “first crypto war” of the late 1970s and early 80s that established the right of academic cryptographic researchers to publish their papers, free of government interference. His work has been recognized by a number of honors and awards, including election to the National Academy of Engineering, induction as one of the first two dozen “Stanford Engineering Heroes,” the National Inventors Hall of Fame, and the Marconi International Fellowship – and, most recently, the 2015 ACM Turing Award, often called “the Nobel Prize of Computer Science.” More detailed information is available on his honors and awards, his university service, and his professional and civic service. Hellman has a deep interest in the ethics of technological development, and one of his current activities is applying risk analysis to a potential failure of nuclear deterrence. That approach has been endorsed by a number of prominent individuals including former Director of the National Security Agency (NSA) Adm. Bobby Inman and Stanford’s President Emeritus Donald Kennedy. Born in New York, NY in October 1945, he received his B.E. from New York University in 1966, and his M.S. and Ph.D. from Stanford University in 1967 and 1969, all in Electrical Engineering. Prof. Hellman was at IBM’s Watson Research Center from 1968-69 and an Assistant Professor of Electrical Engineering at MIT from 1969-71. Returning to Stanford in 1971, he served on the regular faculty until becoming Professor Emeritus in 1996. He has authored over seventy technical papers (click for publication list), twelve US patents and a number of foreign equivalents.

Wednesday, October 26, 2016, 08.50-09.50, Lecture Hall C

Ross Anderson, University of Cambridge, UK

Is it practical to build a truly distributed payment system? Abstract: Early payment systems were truly distributed; Alice gave Bob some precious metal or fancy printing. So were some early electronic systems, such as Mondex, which relied on value counters in tamper-resistant smartcards. But probably the only such mechanisms now fielded at scale are prepayment electricity meters (mostly using the STS specification, which the author helped develop in the 1990s). Since then, the trend has been to centralise. First, ATMs went online only; second, we moved to EMV, which relies on shared-key crypto between the card and the card issuing bank; third, we got mobile money systems like M-Pesa that use encrypted SMS or USSD sessions with a central server; and most recently we have bitcoin, with its distributed implementation of a central server. Yet about one sixth of humanity live in areas where the GSM network is flaky or absent. it’s bad enough to have to walk miles to use a mobile phone, but even worse if the village shop can’t accept mobile payments, which have been transformative in much of the developing world. As part of a financial inclusion project sponsored by the Gates Foundation, we have built and field-tested a prototype mobile payment system, DigiTally, for use offline.  The crypto is simple enough: a challenge is copied from the payee’s phone to the payer’s, and an authorisation code is then copied back to the payee. Careful usability engineering makes Digitally  easier to use for both merchants and customers than a traditional phone payment system such as M-Pesa. It still works where there is no network, and can be cheaper where there is one. This may have broader implications. Wherever we built delay-tolerant networks, we will need delay-tolerant authentication, and often delay-tolerant payments too. And as tamper-resistant devices proliferate – in SIM cards, TPM chips, NFC secure elements, and processors supporting mechanisms such as TrustZone and SGX – there may be many applications where they can make transactions faster and more resilient rather then just more secure.

Ross Anderson is Professor of Security Engineering at Cambridge University. He is one of the founders of a vigorously-growing new academic discipline, the economics of information security.  Ross was also a seminal contributor to the idea of peer-to-peer systems and an inventor of the AES finalist encryption algorithm “Serpent”. He also has well-known publications on many other technical security topics including hardware tamper-resistance, emission security, copyright marking, and the robustness of application programming interfaces (APIs). He is a Fellow of the Royal Society, the Royal Academy of Engineering, the IET and the IMA. He also wrote the standard textbook “Security Engineering – a Guide to Building Dependable Distributed Systems”.

Invited Industrial Talks

Tuesday, October 25, 2016, 12.00-13.00, Lecture Hall E

Timo Kasper, Kasper&Oswald GmbH, Germany

Colorful like a Chameleon: Security Nightmares of Embedded Systems Abstract: Wireless embedded devices have become omnipresent in applications such as access control (to doors or to PCs), identification, and payments. The talk reviews the security of several commercial devices that typically employ cryptographic mechanisms as a protection against ill-intended usage or to prevent unauthorized access to secured data. A combination of side-channel attacks, reverse-engineering and mathematical cryptanalysis helps to reveal and exploit weaknesses in the systems that for example allow opening secured doors in seconds. At hand of real-world examples and live demos, the implications of a key extraction for the security of the respective contactless application are illustrated. As a powerful tool for security-analyzing and pentesting NFC and RFID systems, the open-source project  “ChameleonMini” is presented: Besides virtualization and emulation of contactless cards, the device allows to log the NFC communication, and in its latest revision acts as an active RFID reader to copy contactless cards on-the-fly.

Timo Kasper has studied electrical engineering and information technology at the Ruhr-University Bochum, Germany and at the University of Sheffield, UK. In 2006, his Diploma thesis “Embedded Security Analysis of RFID Devices” won the first place award for IT security (CAST, Darmstadt). He continued as a researcher at the Chair for Embedded Security of the Horst Görtz Institute for IT Security (HGI) and completed his studies 2011 with a PhD in Engineering. In 2012, his PhD thesis “Security Analysis of Pervasive Wireless Devices – Physical and Protocol Attacks in Practice” was decorated with the first place award for PhD theses in German IT security. Since 2012, Timo has been co-founder and executive director of Kasper&Oswald GmbH, offering innovative products and services for security engineering. Timo’s field of expertise covers the security of embedded cryptographic systems such as smartcards, microcontrollers, and FPGAs, with a focus on RFID and wireless applications. He is interested in security analyses and penetration testing, implementation attacks (side-channel analysis, fault injection), reverse engineering, and system-level viewpoints of security. He enjoys implementing cryptography on embedded systems and efficiently securing them with countermeasures. His publications demonstrate various security vulnerabilites of real-world applications, e.g., by breaking access control systems (KeeLoq – CRYPTO 2008, SimonsVoss – CRYPTO 2013), a payment system (Financial Crypto 2010), the security mechanism of widespread FPGAs (ACM CCS 2011) and remote keyless entry systems of cars (Usenix Security 2016). Timo has several years of experience as a speaker on international conferences, on workhops and seminars in the industry, and as a lecturer at universities.

Wednesday, October 26, 2016, 16.30-17.15, Lecture Hall E

Thorsten Borrmann, DB Netz AG, Germany

Design requirements on resilient command control and signaling systems in the railway sector – First preliminary results of the CYSIS working group on IT security Abstract: Managing of the railway infrastructure in Germany is performed by DB Netz AG. Therefore the company is responsible for the safe and effective operation of the German railway network and for its new development and upgrade, renewal and maintenance. In order to be able to be still competitive in a constantly changing market for transport services, it is necessary to further improve the performance of the railway network and in parallel to reduce the life-cycle costs for the future systems. Currently, proprietary systems and closed communication infrastructures are in operation, for future system architectures commercial-off-the-shelf devices and common i.e. open communication networks are intended to be used. These new system architectures may lead to additional new threats (e.g. Cyberattacks), which have to be considered in the design of the related safety system by definition of appropriate high design requirements on IT security for the relevant system architecture. Especially the safety relevant control command and signaling systems, which have still reached a high level of functional safety, are in focus. Deutsche Bahn AG and Technical University of Darmstadt (TU Darmstadt) have set up an innovation alliance to provide a platform for close collaboration and interdisciplinary research projects in the field of railway networks, mobility and logistics (DB RailLab). Within this platform the working group CYSIS (Cybersecurity for safety relevant critical infrastructures) was founded in 2016 by TU Darmstadt and Deutsche Bahn AG, to meet the rising challenges on IT security in the railway sector. One current startup project is concerned with the development of requirements for resilient system architectures. One major requirement for such system architectures is the requirement that its safety functions are not jeopardized by any threat action. For meeting such a requirement only perimeter protection is not sufficient so that a Defense-in-Depth (DiD) concept is necessary, which provides multiple IT security measures depending on the different DiD protection layers. The speech mainly presents first preliminary results of the CYSIS working group. This is a definition of a resilient system and a list of specific system requirements which should be included in such a system design from a best practice perspective.

Thorsten Borrmann studied physics at Ruhr-University Bochum and began his career in the field of nuclear safety. Since 2015 he is working in the department for approval management for railway control command and signaling systems at DB Netz AG. He is responsible for the new German approval process for control command and signaling systems and is advisor for safety risk analyses, especially in relation to the European common safety methods for risk assessment. He is member of the CYSIS working group for resilient architectures and has a deep interest in security for safety concepts.

Wednesday, October 26, 2016, 17.15-18.00, Lecture Hall E

Klaus Kursawe, GridSec.org, The Netherlands

Experiences in Securing Smart Grids and their Operations

Abstract: The electricity distribution grid is one of the most complex and critical systems build by mankind. This system is currently in a process of massive digitalisation. This “smart grid” promises to improve the reliability and efficiency by introducing automated control systems on several levels of electricity distribution, and is a vital component of integrating renewable energy sources and electric vehicles. Thus, in a few years, the grid will no longer be able to operate without large scale digital control systems. The corresponding security needs are not only a new challenge for grid operators and their suppliers, where numerous vulnerabilities have recently emerged in smart grid architectures, protocols, and device implementations. The requirements imposed by the smart grids also put security providers to their limits, and in some cases using a classical IT approach has done more harm than good. Some of the differences are due to the way control devices operate – they may have a lifetime of several decades, communication networks may need weeks to transfer a single software update, and large parts of the systems cannot be protected against physical access. Other differences are more fundamental to the protection goal – while IT security is usually primary concerned about keeping information secure, in the Smart Grid and other control systems the main goal is to keep a process safe, which requires a different kind of focus, and has led to repeated conflicts. In this talk, we will summarise the experiences gained in four years of working with grid operators to address their security concerns with trainings in a simulated company, device- and protocol testing, consulting, research and running an information sharing platform. This covers the current state of smart grid security and privacy, and discusses the special needs for smart grids both on the design- and the operational level. In addition to technical challenges, some of the most immediate security challenges appear in areas one does not immediately suspect. For example, one important and surprisingly complex step towards secure components development of security requirements for the procurement process, which will be shown on the example of the Austrian Smart Meter.

Klaus Kursawe received his PhD from the University of Saarbruecken in collaboration with the IBM Research in 2001, working on issues of secure dependable systems. From 2006 till 2010, he headed the “Trusted Systems  Cluster” at the Philips Natlab. There, he started working on security aspect and standards around the ‘Smart Grid’, which he continued after changing to teach at Radboud University. In 2012, he co-founded the European Network for Cybersecurity, an organisation owned and funded by grid operators to assist the with security issues around smart grids, where he also worked as the Chief Scientist until 2016.  In this context, he was member of several EU and US expert groups on smart grids, performed several trainings for grid operators, and was involved in risk analysis, procurement requirement design as well as both the security analysis and security design for smart grid protocols and components.

General Information

Follow us!

Tutorials

30-06-2016
We are happy to announce the 7 tutorials which will be held at CCS 2016.

Call for Papers

27-01-2016
The Call for Papers for CCS 2016 is out. Submisson Deadline: May 23, 2016 23:59 UTC-11

Workshops

19-04-2016
We are happy to announce the 14 workshops which will be held in conjunction with CCS 2016.

CCS 2016

01-12-2015
CCS 2016 website is up. CCS will be held from October 24 - 28, 2016 in Vienna, Austria at the Hofburg Palace. Read more about Vienna here.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close