Daniel Ahn is a Senior Vice President at Samsung Electronics. He leads the Security Team at Samsung Research. His team plays a crucial role in delivering innovative security solutions to enhance the security level of Samsung products through defense-in-depth and usable mechanisms. Prior to Samsung, he was a Professor of Computer Science and Engineering, and Director of Center for Cybersecurity and Digital Forensics at Arizona State University. He authored over 200 research papers and his research has been supported by National Science Foundation (NSF), National Security Agency (NSA), Department of Defense (DoD), Office of Naval Research (ONR), Army Research Office (ARO), Department of Justice (DoJ), Department of Energy (DoE), Department of Homeland Security (DHS), Bank of America, CISCO, GoDaddy, Hewlett Packard, Freeport McMoRan Copper & Gold, Google, Microsoft and Robert Wood Johnson Foundation. He is a recipient of US Department of Energy CAREER Award and the Educator of the Year Award from the US Federal Information Systems Security Educators' Association (FISSEA).

Building Trust through Security

Surveys and polling data confirm that 5G and AI are now prime vehicles for enabling new business services and diverse personal interactions. Consequently, security and privacy challenges have been continuously raised. It is inevitable to clearly understand and effectively address such challenges for a new era that would heavily rely on commercial off-the-shelf technologies. This talk will overview the importance of software assurance in leveraging new emerging technologies and dealing with relevant security and privacy challenges. In particular, security governance process and vulnerability assessment practices will be highlighted. In addition, this talk will articulate how such practices would help build trust among enterprises.

Taesoo Kim is an associate professor in the School Computer Science at Georgia Tech. He also serves as the director of the Georgia Tech Systems Software and Security Center (GTS3). He is genuinely interested in building a system that has underline principles for why it should be secure. Those principles include the design of the system, analysis of its implementation, ellimination of certain classes of vulnerabilities, and clear separation of its trusted components. He holds a SM (2011) and a PhD (2014) from MIT EECS.

Building Trustworthy Software Foundation with Hardware Security Mechanisms

As reaction to the end of Moore's law, CPU vendors are racing toward announcing new, up-coming hardware security features. On the one hand, it is exciting to see that lots of security mechanisms actively explored in research communities are finally delivered to the end users. On the other hand, it is truly sad that many of security features become prematurely designed, implemented, and tested, failing to deliver the promised guarantees. In this talk, I will showcase a set of modern hardware features: their designs, goals, as well as surprising pitfalls. Most importantly, as a developer, I will describe how we can build trustworthy software foundation by using one of the most promising security mechanisms, called Intel SGX.

Ruoyu “Fish” Wang is an Assistant Professor at Arizona State University and a co-director of the SEFCOM Lab at ASU. His research area is binary program analysis, covering topics including vulnerability discovery, automated exploit generation, vulnerability mitigation, binary decompilation, etc. He has published over 10 papers in top-tier computer security and systems conferences and has won two best paper awards. He is the co-founder and a core developer of the binary analysis platform, angr. Currently, Dr. Wang is the captain of the CTF team Shellphish. In addition, he was a core member of the CGC team Shellphish CGC, who won the third place in the Final Event of DARPA Cyber Grand Challenge in 2016.

On the Difficulty of Automated Vulnerability Discovery on Binary Programs

The explosion of information age has thrust us into a new, interconnected, and uncharted future. In this information age, our safety and security are more and more dependent on the security of interconnected systems, including operating systems and services running on top of them. While preventing all vulnerabilities in software still seems far away, automated vulnerability discovery techniques provide a promising solution to improve the security of software: Finding and fixing the vast majority of software vulnerabilities in an efficient and effective manner. However, existing automated vulnerability discovery techniques suffer in the following three aspects: low speed of analysis, insufficient coverage of program state space, and low levels of automation. In this talk, I will first analyze why automated vulnerability discovery techniques are difficult based on both research data and empirical results. I will also attempt to answer why simple techniques (like fuzz testing) are generally perceived as more efficient and more applicable than many advanced techniques (such as symbolic execution). Then I will discuss a potential way forward to greatly improve the efficiency of automated vulnerability discovery, especially dynamic symbolic execution. And finally, I will discuss future research directions in this field.

CEO, Theori
- B.S. in Computer Science, Carnegie Mellon University (2011)
- M.S. in Computer Science, Carnegie Mellon University (2012)
- Plaid Parliament of Pwning (PPP) Founder
- 4-times DEFCON winner (2013, 2014, 2016, 2017)
- 50+ International CTFs winner
- KITRI Best of the Best (BoB) Mentor

Best Practices and Lessons Learned from Security Consulting

At Theori, we are helping our customers improve their security. We plan to share the lessons and experiences of security consulting with customers ranging from start-ups to large enterprises to the public sector over the past few years.

The key takeaway is that each customer will have a unique threat model that depends on their environment. To what degree is determined by the types of attacks the customer anticipates and their overall risk management. As a result, the direction and scale of your company's investment in cybersecurity will vary greatly.

In this talk, we explore some real examples that we encountered during our consulting work. We then present how this should impact cybersecurity at your organization. Finally, we propose effective ways for organizations to train their next generation of white hat hackers.

Researches and Activities for Offensive Security in Samsung Research

To provide secure experience of our products and services, we have developed and applied strong security solutions such as KNOX technologies. While such security solutions are well known to promote security technologies, activities related to offensive security for products have not been relatively introduced well. In this session, we introduce researches and activities for offensive security we have performed in Samsung Research. The offensive security we are working on is not only limited to pen-testing or system hacking, but also it includes research works to detect, analysis, and prevent threat over the whole lifecycle of products. We monitor external/internal security threats and detect security events to evaluate their impacts on our products or services in advance. In addition we operate hacking competition called Samsung CTF (Capture-The-Flag), participate in other CTFs to communicate with external security experts, and study the state-of-art security technologies. This session provide our researches and activities in detail.