Toward a Safe and Reliable Experience

In recent years, many countries around the world have been publishing rigorous privacy regulations and policies, and they have been preparing acts and guidelines for the security of IoT devices. Surveys and polling data confirm that security and privacy are considered the most important features when a consumer purchases an IT product. In order to respond to the more sensitive and stronger users' demand for security and privacy, securely protecting and transparently managing user privacy data have become more important than ever. The technologies and policies for how a user’s data is utilized according to a user’s choice, and how it is then transparently disclosed to the user have been actively researched and developed. In addition, to support them, strong security should be provided together. This talk will introduce our research works and activities being conducted at Samsung Research to satisfy such security and privacy challenges. We expect to provide a safe and reliable experience with our efforts.

Ross Anderson has devoted his career to developing security engineering as a discipline. He was a pioneer of hardware tamper-resistance, API security, peer-to-peer systems, prepayment metering and powerline communications. His other research extends from cryptography through side channels and the safety and privacy of clinical systems to technology policy. He was one of the founders of the discipline of security economics, and is PI of the Cambridge Cybercrime Centre, which collects and analyses data about online crime and abuse. He is a Fellow of the Royal Society and the Royal Academy of Engineering, as well as a winner of the Lovelace Medal – the UK's top award in computing. He is professor of security engineering at both Cambridge and Edinburgh universities.

Security Engineering and Machine Learning

Statistical machine-learning techniques have been used in security applications for over 20 years, starting with spam filtering, fraud engines and intrusion detection. In the process we have become familiar with attacks from poisoning to polymorphism, and issues from redlining to snake oil. The neural network revolution has recently brought many people into ML research who are unfamiliar with this history, so it should surprise nobody that many new products are insecure. In this talk I will describe some recent research projects where we examine whether we should try to make machine-vision systems robust against adversarial samples, or fragile enough to detect them when they appear; whether adversarial samples have constructive uses; how we can do service-denial attacks on neural-network models; on the need to sanity-check outputs; and on the need to sanitise inputs. We need to shift the emphasis from the design of "secure" ML classifiers, to the design of secure systems that use ML classifiers as components.

Dr. Mustaque Ahamad is a professor of cybersecurity and computer science at the Georgia Institute of Technology. His research interests include understanding threats against emerging technologies and applications and securing them from attacks posed by such threats. He served as director of the Georgia Tech Information Security Center (GTISC) from 2004-2012. As director of GTISC, he worked with industry leaders to launch several major research thrusts, including one in the area of Voice-over-IP (VoIP) security. He has also co-founded two companies, Pindrop Security and Codoxo, which have successfully commercialized research conducted in his laboratory. Pindrop Security is a leader in securing voice interactions, including telephony calls. Dr. Ahamad co-chaired the Voice and Telephony Abuse Special Interest Group (VTASIG) of the international industry group MAAWG (Messaging, Malware and Mobile Anti-Abuse Working Group), which focuses on combating online threats. Dr. Ahamad received his Ph.D. in computer science from the State University of New York at Stony Brook in 1985. He received his undergraduate degree in electrical and electronics engineering from the Birla Institute of Technology and Science, Pilani, India.

Telephony Gone the Way of the Internet?: Combating Threats Targeting Voice Communication

Telephony has been a trusted communication medium in the past. However, with advances in technologies like Voice-over-IP (VoIP) and smartphones, we have seen the migration of many online threats to this medium with serious consequences. Robocalling, voice phishing and caller-id spoofing have become widespread and have degraded our trust in telephony. The convergence of voice and online channels has also led to new cross-channel attacks that leverage one channel to exploit the other. We will discuss how we can better understand and mitigate the impact of attacks that exploit the phone channel. Recent advances in voice and natural language processing, which can be performed on smartphones, also affords new opportunities to enhance trust in voice communication. The presentation will conclude with a discussion of such opportunities, including recent initiatives that seek to restore trust in telephony.

Konstantin (Kosta) Beznosov is a Professor at the Department of Electrical and Computer Engineering, University of British Columbia, where he directs the Laboratory for Education and Research in Secure Systems Engineering. His research interests are usable security, mobile security and privacy, security and privacy in online social networks, and web security. Prior UBC, he was a Security Architect at Hitachi Computer Products (America) and Concept Five. Besides many academic papers, he is also a co-author of “Enterprise Security with EJB and CORBA” and “Mastering Web Services Security” books, as well as XACML and several CORBA security specifications. He has served on program committees and/or helped to organize SOUPS, ACM CCS, IEEE Symposium on Security & Privacy, NSPW, NDSS, ACSAC, SACMAT. Prof. Beznosov has served as an associate editor of ACM Transactions on Information and System Security (TISSEC) and Elsevier’s Computers & Security.

What Affected The Adoption of Information Tracking Solutions During COVID-19 Pandemic

Numerous information-tracking solutions have been implemented worldwide to manage the COVID-19 pandemic. These solutions use more sensitive data than commonly studied contact-tracing apps. In this talk, I will explore adoption and design considerations for six representative information-tracking solutions for COVID-19, which differ in their goals and in the types of information they collect. I will discuss four main categories of factors that influence people's willingness to adopt such solutions: individual and societal benefits of the solution, as well as functionality and digital safety concerns. Further, I will discuss what people take into account when they assess these benefits and concerns. I will conclude with recommendations for the future design of information-tracking solutions and discuss how different factors may balance against benefits in future crisis situations.

Byoungyoung Lee is an Associate Professor in Electrical and Computer Engineering at Seoul National University (SNU). Before joining SNU, he was an Assistant Professor in Computer Science at Purdue University. He earned his BS and MS at POSTECH under the supervision of Prof. Jong Kim, and Ph.D. at Georgia Tech under the supervision of Prof. Wenke Lee and Prof. Taesoo Kim. His research area is in general security and privacy problems, particularly focusing on systems and software security areas. He received Internet Defense Prize by Facebook and USENIX (2015), Best Applied Research Paper Award by CSAW (2015), and Google ASPIRE Award (2019). His research found more than 100 security vulnerabilities in various software/hardware products, including Windows kernel, Linux kernel, Mac OS X, Chrome, Firefox, QEMU, and RISC-V CPUs.

Challenges in Automated Vulnerability Discovery through Fuzzing

Now fuzz testing is used everywhere, probably because it is easy-to-use while being effective. It is easy-to-use, as all you need to do is to provide random inputs. It is effective, as many critical vulnerabilities have been found through fuzzing.
In this talk, I will introduce new challenges that the fuzzing testing is facing, as well as possible research directions to address these challenges. In particular, the security attack trends are rapidly shifting, rendering the traditional fuzzing techniques neither easy-to-use nor effective. First, attackers are now launching new type of attacks, which is different from classic memory corruption issues. These new attacks are ranging from side-channels (e.g., Spectre) to privacy leaks (e.g., your photos are leaked from your smartphone app), but we do not know of good detecting mechanisms for fuzzing. Second, attackers are now target various devices, not only a simple piece of software. These include autonomous vehicles, drones, hardware chips, etc., but performing automated testing on these platforms has opened a completely new set of challenges.