Tutorial co-Chairs

Guofei Gu, Texas A&M University, USA
Maribel Fernandez, Kings College London, UK

Overview of Tutorials

Cache Side Channels: State-of-the-Art and Research Opportunities
Tuesday, October 31st, 10:45am – 12:15pm, Dallas Ballroom D3
Yinqian Zhang (Ohio State University)

Cliptography: Post-Snowden Cryptography
Tuesday, October 31st, 1:45pm – 5:00pm, Dallas Ballroom D3
Qiang Tang (New Jersey Institute of Technology), Moti Yung (Snap. Inc, & Columbia University)

Identity-related Threats, Vulnerabilities, and Risks Mitigation in Online Social Networks
Wednesday, November 1st, 11:00am – 12:30pm, Dallas Ballroom D3
Leila Bahri (Royal Institute of Technology, Sweden)

Web Tracking Technologies and Protection Mechanisms
Wednesday, November 1st, 1:45pm – 5:00pm, Dallas Ballroom D3
Nataliia Bielova (Inria, France)

SGX Security and Privacy
Thursday, November 2nd, 9:00am – 12:30pm, Dallas Ballroom D3
Taesoo Kim (Georgia Tech), Zhiqiang Lin (UT Dallas), Chia-Che Tsai (UC Berkeley/Texas A&M University)

Private Information Retrieval
Thursday, November 2nd, 2:00pm – 5:00pm, Dallas Ballroom D3
Ryan Henry (Indiana University)

Tutorials in Detail

Cache Side-Channels: State-of-the-Art and Research Opportunities

Lecturer: Yinqian Zhang (Ohio State University)

Tuesday, October 31st, 10:45am – 12:15pm, Dallas Ballroom D3

Abstract: Cache side-channels are a type of attack vectors through which an adversary infers secret information of a running program by observing its use of CPU caches or other caching hardware. The study of cache side channels, particularly access-driven cache side channels, is gaining traction among security researchers in recent years. A large volume of papers on cache side-channel attacks or defenses is being published in both security and computer architecture conferences each year. However, due to the diversity of the research goals, methods, and perspectives, it becomes much harder for researchers new to this field to keep track of the frontiers of this research topic. As such, in this tutorial, we will provide a high-level overview of the studies of cache side-channels to help other security researchers to comprehend the state-of-the-art of this research area, and to identify research problems that have not been addressed by the community. We also hope to bridge the gap between the security community and the computer architecture community on this specific research topic by summarizing research papers from both sides.

Biography: Dr. Yinqian Zhang is an assistant professor of the Department of Computer Science and Engineering at The Ohio State University. He received his Ph.D. from University of North Carolina at Chapel Hill. His research interest lies in system security in general. His current research focus is side-channel attacks and defenses. In the past years, he has investigated several topics under this research theme, and published multiple research papers in top security conferences such as IEEE S&P, ACM CCS, Usenix Security. His research has been supported by NSF. He held three U.S. patents that were derived from his previous research. In the recent years, he has served on the technical program committees of multiple security conferences, including IEEE S&P, ACM CCS, Usenix Security, and NDSS.

Cliptography: Post-Snowden Cryptography

Lecturer: Qiang Tang (New Jersey Institute of Technology) and Moti Yung (Snap. Inc, & Columbia University)

Tuesday, October 31st, 1:45pm – 5:00pm, Dallas Ballroom D3

Abstract: This tutorial covers a systematic overview of kleptography: stealing information subliminally from black-box cryptographic implementations; and cliptography: defending mechanisms that clip the power of kleptographic attacks via specification re-designs (without altering the underlying algorithms).

Despite the laudatory history of development of modern cryptography, applying cryptographic tools to reliably provide security and privacy in practice is notoriously difficult. One fundamental practical challenge, guaranteeing security and privacy without explicit trust in the algorithms and implementations that underlie basic security infrastructure, remains. While the dangers of entertaining adversarial implementation of cryptographic primitives seem obvious, the ramifications of such attacks are surprisingly dire: it turns out that, in wide generality, adversarial implementations of cryptographic (both deterministic and randomized) algorithms may leak private information while producing output that is statistically indistinguishable from that of a faithful implementation. Such attacks were formally studied in Kleptography.

Snowden revelations have shown us how security and privacy can be lost at a very large scale even when traditional cryptography seems to be used to protect Internet communication, when Kleptography was not taken into consideration.

We first explain how the above-mentioned Kleptographic attacks can be carried out in various settings. We then introduce several simple but rigorous immunizing strategies that were inspired by folklore practical wisdoms to protect different algorithms from implementation subversion. Those strategies can be applied to ensure security of most of the fundamental cryptographic primitives such as PRG, digital signatures, public key encryptions against kleptographic attacks when they are implemented accordingly. Our new design principles may suggest new standardization methods that help reduce the threats of subverted implementation. We also hope our tutorial stimulates community-wide efforts to further tackle this fundamental challenge.

Biography: Qiang Tang is an Assistant Professor at the Department of Computer Science at New Jersey Institute of Technology (NJIT). Before joining NJIT, he was a postdoctoral associate at Cornell University and was also affiliated with the Initiative of CryptoCurrency and Contracts (IC3). He obtained his PhD from the University of Connecticut with a Taylor Booth Scholarship. He also held visiting researcher positions at various institutes including the University of Wisconsin, Madison, NTT Research, Tokyo and the University of Athens, Greece. His research interests are applied and theoretical cryptography, privacy and computer security. In particular, in accountability, post-Snowden cryptography, and blockchain technology. He has made contributions on using cryptocurrency to deter copyright infringement and to enforce key management policy, re-designing cryptographic specifications to defend against implementation subversion, as well as information theoretical security.

Moti Yung is a computer scientist whose main interests are in cryptography, security, and privacy. He is currently with Snap, Inc., and has been holding adjunct professor appointments at Columbia University where he has co-advised several Ph.D. students. He was with IBM, CertCo, RSA Lab, and Google. Dr. Yung made extensive contributions on the foundation of modern cryptography as well as innovative secure industrial technology within actual large scale systems, including the Greek National Lottery system, the security and privacy aspects of Google's global systems such as the Ad Exchange (ADX) and the ephemeral ID efforts for Google's BLE beacons, and Snap's "my eyes only memories' cloud security. Also, his invention of Cryptovirology (including Kleptography) envisioned the explosion of ransomware, and algorithm subversion on crypto systems and standards such as the Dual_EC DRNG subversion. Dr. Yung has been giving distinguished and keynote speeches at numerous top-tier crypto/security/distributed computing conferences. He is a Fellow of ACM, IEEE, IACR, and EATCS.

Identity-related Threats, Vulnerabilities, and Risks Mitigation in Online Social Networks

Lecturer: Leila Bahri (Royal Institute of Technology, Sweden)

Wednesday, November 1st, 11:00am - 12:30pm, Dallas Ballroom D3

Abstract: The continuous increase in the numbers and sophistication levels of fake accounts in Online Social Networks (OSNs) constitutes a big threat to the privacy and to the security of honest OSN users. Uninformed OSN users could be easily fooled into accepting friendship links with fake accounts, giving them by that access to personal information they intend to exclusively share with their real friends. Moreover, these fake accounts subvert the security of the system by spreading malware, connecting with honest users for nefarious goals such as sexual harassment or child abuse, and make the social computing environment mostly untrustworthy.

There is a considerable body of work in the area of detecting fake accounts in OSNs, mostly under the research topic known as Sybil detection. One of the objectives of this tutorial is to provide a summarized but comprehensive review of the main techniques suggested for Sybil detection. The tutorial will also shed the light on the shortcomings of these methods, especially in front of more sophisticated Sybil accounts that learn general social behaviour patterns and try to imitate them. Therefore, we will also talk about the need for identity validation techniques, and present some of the available works in this direction.

Overall, the tutorial's goal is to initiate the audience to the topic of Sybil detection and identity validation, to increase awareness on the privacy and security threats related to fake accounts, and on our role, both as informed OSN users and as researchers, in taking informed actions towards minimizing the effects of fake accounts.

Biography: Leila Bahri has a PhD in computer science from the University of Insubria in Italy. She has been a Marie-Curie research fellow under the European Commission funded project iSocial, where she has worked on designing privacy-preserving services and access control models for decentralized online social networks. Her main research work during her PhD was on decentralized privacy-preserving services for online social networks, mostly as related to identity management and validation in a user-centric and community-sourced fashions.

She is currently a postdoc researcher at the Royal Institute of Technology in Stockholm, Sweden, where she works on designing accountable data governance and privacy models that are aligned with the European GDPR. She is currently investigating topics related to the Blockchain technology and its potential in the field of privacy and trust in the social web.

Web Tracking Technologies and Protection Mechanisms

Lecturer: Nataliia Bielova (Inria, France)

Wednesday, November 1st, 1:45pm - 5:00pm, Dallas Ballroom D3

Abstract: Billions of users browse the Web on a daily basis, leaving their digital traces on millions of websites. Every such visit, every mouse move or button click may trigger a wide variety of hidden data exchanges across multiple tracking companies. As a result, these companies collect a vast amount of user's data, preferences and habits, that are extremely useful for online advertisers and profitable for data brokers, however very worrisome for the privacy of the users. In this tutorial we will cover the vide variety of Web tracking technologies, ranging from simple cookies to advanced cross-device fingerprinting. We will describe the main mechanisms behind web tracking and what users can do to protect themselves. Moreover, we will discuss solutions Web developers can use to automatically eliminate tracking from the third-party content they include in their applications. This tutorial will be of interest to a general audience of computer scientists, and we do not require any specific prerequisite knowledge for attendees.

Biography: Nataliia Bielova is a Research Scientist at Inria, French National Institute for Research in Computer Science and Automation. Nataliia is internationally known for her work on applying formal methods to security and privacy of web browsers. Her main interest is privacy- and transparency-enhancing technologies for Web applications. She works on measurement, detection and prevention of web tracking, including advanced behaviour-based fingerprinting. Nataliia received the French Doctoral Supervision and Research Award (PEDR) in 2017. Before obtaining her permanent position in 2013, Nataliia was a postdoctoral researcher at Inria Rennes from 2012 to 2013, where she worked on automatic detection of web tracking scripts using program analysis. She received her PhD in Computer Science from the University of Trento, Italy in 2011.

SGX Security and Privacy

Lecturer: Taesoo Kim (Georgia Tech), Zhiqiang Lin (UT Dallas), Chia-Che Tsai (UC Berkeley/Texas A&M University)

Thursday, November 2nd, 9:00 - 12:30, Dallas Ballroom D3

Abstract:In this tutorial, we will first introduce the basic concepts of Intel SGX, its development workflows, potential applications and performance characteristics. Then, we will explain known security concerns, including cache/branch side-channel attacks and memory safety issues, and corresponding defenses with various working demos. Last but not least, we will introduce various ways to quickly start writing SGX applications, specifically by utilizing library OSes or thin shielding layers; we will explain the pros and cons of each approach in terms of security and usability.

Biography: Taesoo Kim is an Assistant Professor in the School Computer Science at Georgia Tech. He also serves as the director of the Georgia Tech Systems Software and Security Center (GTS3). He is interested in building a system that has underlying principles for why it should be secure. Those principles include the design of a system, analysis of its implementation, and clear separation of trusted components. His thesis work, in particular, focused on detecting and recovering from attacks on computer systems. He holds a BS from KAIST (2009), a SM (2011) and a PhD (2014) from MIT in CS.

Zhiqiang Lin is an Associate Professor of Computer Science at The University of Texas at Dallas. He earned his PhD from Computer Science Department at Purdue University in 2011. His primary research interests are systems and software security, with an emphasis on developing program analysis techniques and applying them to secure both application programs including mobile apps and the underlying system software such as Operating Systems and hypervisors. Dr. Lin is a recipient of the NSF CAREER Award and the AFOSR Young Investigator Award.

Chia-Che Tsai is a PhD candidate at Stony Brook University, and will soon join the RISE Lab at UC Berkeley as a postdoc researcher. He is also joining the Computer Science and Engineering department of Texas A&M University in Fall 2018 as a faculty. He is interested in building OSes and runtimes with a balance between usability, security, and performance. He is the main contributor to the Graphene library OS, an open-source framework for reusing unmodified Linux applications on Intel SGX and other various host options.

Private Information Retrieval

Lecturer:Ryan Henry (Indiana University)

Thursday, November 2nd, 2:00pm - 5:00pm, Dallas Ballroom D3

Abstract:Private information retrieval (PIR) is a cryptographic primitive that facilitates the seemingly impossible task of letting users fetch records from untrusted and remote database servers without revealing to those servers which records are being fetched. The research literature on PIR is vast; in the over two decades since its 1995 introduction by Chor, Goldreich, Kushilevitz, and Sudan, the cryptography, privacy, and theoretical computer science research communities have studied PIR intensively and from a variety of perspectives. Alas, despite a series of significant advances, most privacy practitioners and theoreticians alike fall into one of two camps: (i) those who believe that PIR is so inefficient and abstruse as to make it all-but-useless in practice, or (ii) those who remain blissfully unaware that PIR even exists. Indeed, to date not even one of the numerous PIR-based applications proposed in the research literature has been deployed at scale to protect the privacy of users "in the wild".

This tutorial targets both of the above camps, presenting a bird's-eye overview of the current state of PIR research. Topics covered will span the spectrum from purely theoretical through imminently applicable and all the high points in between, thereby providing participants with an awareness of what modern PIR techniques have (and do not have) to offer, dispelling the myth of PIR's inherent impracticality, and hopefully inspiring participants to identify practical use cases for PIR within their own niche areas of expertise. This introductory tutorial will be accessible to anyone comfortable with college-level mathematics (basic linear algebra and some elementary probability and number theory).

Biography: Ryan Henry is an Assistant Professor in the Computer Science department at Indiana University in Bloomington, Indiana. His research explores the systems challenges of applied cryptography, with an emphasis on using cryptography to build secure systems that preserve the privacy of their users. In addition to designing and analyzing privacy-enhancing systems, Professor Henry is interested in practical matters like implementing and working toward the deployment of such systems, as well as more theoretical matters like devising number-theoretic attacks against non-standard cryptographic assumptions and developing new models and theories to understand just how efficient "heavy-weight" cryptographic primitives can be. He received his MMath (2010) and PhD (2014) from the University of Waterloo, where he held a Vanier Canada Graduate Scholarship (Vanier CGS), the most prestigious graduate scholarship in Canada. He has published several papers on PIR at top research venues (e.g., CCS, NDSS, and PETS), is a contributor to Percy++ (an open-source implementation of PIR protocols in C++), and two of his three active NSF grants heavily involve PIR research.