Purdue University West Lafayette
Elisa Bertino is a professor of Computer Science at Purdue University. Prior to joining Purdue, she was a professor and department head at the Department of Computer Science and Communication of the University of Milan. She has been a visiting researcher at the IBM Research Laboratory (now Almaden) in San Jose, at the Microelectronics and Computer Technology Corporation, at Rutgers University, and at Telcordia Technologies. Her main research interests include security, privacy, database systems, distributed systems, and sensor networks. Her recent research focuses on digital identity management, biometrics, IoT security, security of 4G and 5G cellular network protocols, and policy infrastructures for managing distributed systems. Prof. Bertino has published more than 700 papers in all major refereed journals and in proceedings of international conferences and symposia. She has given keynotes, tutorials and invited presentations at conferences and other events. She is a Fellow of ACM, IEEE, and AAAS. She received the 2002 IEEE Computer Society Technical Achievement Award “For outstanding contributions to database systems and database security and advanced data management systems” and the 2005 IEEE Computer Society Tsutomu Kanai Award for “Pioneering and innovative research contributions to secure distributed systems”. She received the ACM Athena Lecturer Award in 2019.
Talk title: Data Security and Privacy in the IoT
The Internet of Things (IoT) paradigm refers to the network of physical objects or “things” embedded with electronics, software, sensors, and connectivity that enable those objects to exchange data with servers, centralized systems, and/or other connected devices over a variety of communication infrastructures. IoT makes it possible to sense and control objects, creating opportunities for more direct integration between the physical world and computer-based systems. IoT will usher in automation across a large number of application domains, ranging from manufacturing and energy management (e.g. SmartGrid) to healthcare management and urban life (e.g. SmartCity). However, because of its fine-grained, continuous and pervasive data acquisition and control capabilities, IoT raises concerns about data security and privacy. Deploying existing security solutions to IoT is not straightforward because of device heterogeneity, highly dynamic and possibly unprotected environments, and large scale. In this talk, after outlining key challenges in IoT data security and privacy, we present initial approaches to securing IoT data, including recent edge-based security solutions for IoT security and analysis of cellular network protocols.
Stanka Šalamun and Mitja Kolšek
0patch by ACROS Security
Stanka Šalamun is a business owner with a strong corporate background in software development and a broad view of the IT security landscape. She finds a lot of joy, excitement and hard work as a 0patch co-founder. For several years she was the proud OWASP Slovenia Chapter Leader; she also led a project that received the “Privacy by Design Ambassador” award for 2011 from the Information Commissioner of the Republic of Slovenia. For a decade she was an information security columnist. She is passionate about becoming a software micropatching surgeon and about helping others create fixes for security bugs in a micropatching manner.
The last 20 years of Mitja Kolšek’s career comprise co-leading a security outfit that ran APT-like attack simulations before China was guilty of everything, used SQL injection before it had a name, and discovered vulnerability types that were previously unknown. He writes technical blog posts and whitepapers (“session fixation”, “binary planting” or “DLL preloading”) on information security. He also presents at renowned conferences such as RSA Conference USA, RSA Conference Europe, HITB, Source, DeepSec and others. In addition to finding and exploiting vulnerabilities, his next 15 years will be augmented by fixing them. Most of all he’d like to leave information security some day in a state where it’ll be seriously difficult to break into a typical network deploying standard and inexpensive security solutions.
Talk title: How to Fix Vulnerability Fixing
Software vulnerabilities are likely the biggest problem of information security, fueling a rapidly growing market for “0days”, “1days” and exploits alike. Today’s security updates are too big, too risky and too late to be effective. Software vendors take weeks or months to publish patches for security vulnerabilities. Enterprises take months of testing to deploy official vendor patches, if these exist at all, providing a constant supply of ammo to attackers.
While official fixes usually exist, users and organizations are really slow in applying them, and for very good reasons: patches often break things and cause damage to production, applying them disrupts daily business, they often come bundled with unwanted – often undocumented – functional changes, and when something goes wrong, it’s a nightmare just to get back to the (vulnerable) functional state. But sometimes the official update does not exist, because the vulnerable software is no longer supported (remember the retired but still very popular operating systems MS Windows 7 and Windows Server 2008 R2?).
Security patches are software vendors’ horror. What is worse than going back to functionalities and tasks that are already checked off as “done”? This is especially painful if attackers are already actively exploiting a vulnerability in the wild or there is bad publicity about a particular unfixed vulnerability in a software product. Each patch (including a security one) requires a complete development cycle, including expensive regression testing on all supported platforms. The result is a “fat update” that replaces large chunks of a product and could actually change it completely.
An important aspect of the current failure of security patching lies in the fact that it is so complicated.
In this presentation, we will point out that the future of vulnerability patching could become virtually imperceptible for users and software vendors by changing the current patching paradigm from “fat updates” to “micropatches”, miniature pieces of software code that are applied to a running process without changing the executable file. Since a micropatch consists of just a handful of machine code instructions injected at a single place in the process, testing can be localized and limited to the affected code paths. A micropatch can be instantly applied to a running process without the user even knowing it, and just as instantly removed if suspected of causing problems. And finally, a micropatch never brings any unwanted functional changes.