The DSN 2015 conference offers 4 tutorials:
Techniques and Tools to Defend against Web Application’s Software Vulnerabilities
Nuno Antunes and Marco Vieira
University of Coimbra, Portugal
Mitigation of soft errors: from adding selective redundancy to changing the abstraction stack
Luigi Carro and Álvaro Moreira and Paolo Rech
Federal University of Rio Grande do Sul, Brazil
Disaster Recovery for Enterprise-Class Clouds
Rick Harper and Hari Ramasamy and Long Wang – IBM TJ Watson Research Center, USA
Mahesh Viswanathan – Distinguished Engineer and Chief Architect, IBM Cloud Managed Services, USA
Cyber-Physical Control Systems: Vulnerabilities, Threats, and Mitigations
Saman Zonouz – Rutgers University, USA
Katherine Davis – Information Trust Institute, University of Illinois at Urbana-Champaign, USA
Detailed Information
Techniques and Tools to Defend against Web Application’s Software Vulnerabilities
Nuno Antunes and Marco Vieira
University of Coimbra, Portugal
Abstract: Software applications are frequently deployed with critical security bugs. Web applications and services are so exposed that the existing vulnerabilities are most probably uncovered and exploited. Avoiding such vulnerabilities depends on the best practices and tools applied during the implementation, testing and deployment phases of the software development cycle. However, many times those practices are disregarded, as developers are frequently not specialized in security and face hard time-to-deploy constraints. Furthermore, the poor efficiency of existing automatic vulnerability detection and mitigation tools opens the door for the deployment of unsecure web applications. This tutorial will cover some of the devils behind the software security problems and present and discuss state of the art techniques and tools available to help developing teams in improving this status quo. Although such tools reduce the necessary expertise of the user and the time required to perform some of the tasks, it is frequent that the achieved effectiveness is far from satisfactory. This way, the authors will also discuss in which scenarios each type of tools is or is not recommended to be used. In addition, the author will discuss some of the recent advances on this topic including new and innovative tools, and also the evaluation and selection of tools. The tutorial will address both current research topics and engineering practice. Case studies will be presented and future research opportunities will be identified and discussed.
Short-bio:
Nuno Antunes is a post-doctoral researcher at the University of Coimbra, where he received his PhD in Information Science and Technology in 2014. Since 2008 he has been with the Centre for Informatics and Systems of the University of Coimbra (CISUC), researching topics related to methodologies and tools for the development of non-vulnerable web applications and services. More recently, his research interests also include dependability and security of web applications and services, virtualized environments, and data management systems, as well as functional security in critical electronic systems. During this period, has authored or co-authored multiple book chapters and papers in refereed journals and conferences in Dependability and Services. He has participated in many research projects, both at the national and European level.
Marco Vieira is an assistant professor at the University of Coimbra, Portugal. He is an expert on security assessment and benchmarking, dependability benchmarking, experimental dependability evaluation, fault injection, and software quality assurance, subjects in which he has authored or coauthored more than 150 papers in refereed conferences and journals. His work on vulnerability detection has started in 2007 and is widely referenced in the literature. He has participated in more than 20 research projects, both at the national and European level. Marco Vieira has served on program committees of the major conferences of the dependability area and acted as referee for many international conferences and journals in the dependability and databases areas.
Mitigation of soft errors: from adding selective redundancy to changing the abstraction stack
Luigi Carro and Álvaro Moreira and Paolo Rech
Federal University of Rio Grande do Sul, Brazil
Abstract: Soft errors caused by ionizing radiation are already an issue for current technologies, and with the estimates of transistors scaling down to 5.9 nm by 2026, computing devices will be forced to employ some reliability mechanism to ensure proper computation at a reasonable cost. Historically soft errors were considered an issue only in radiation harsh environments, like the aerospace and avionic ones. Nowadays, soft errors have been reported also in terrestrial applications ranging from high performance computing to critical embedded systems, such as automotive. The tutorial authors believe that a knowledge on the causes of soft errors and on the benefits and drawbacks of different approaches to mitigate their effects is valuable for those working not only on microprocessor reliability, but also for those concerned with the design of software systems. They also believe that error mitigation techniques, in fact, might significantly benefit form the redesign of the computational stack, avoid the huge cost in terms of area, performance or energy incurred in traditional techniques. This tutorial will focus on ionizing radiation as the source for soft errors and explain how to evaluate the susceptibility of digital circuits through radiation experiments. It will present and analyze pros and cons of some approaches in the literature to increase the device or system reliability based on a particular fault model. The tutorial concludes by exploring challenges on the re-design of the computational stack in order to achieve high reliability, high performance, and low energy designs in different application domains.
Short-bio:
Luigi Carro has received the electrical engineering, M.Sc. and Ph.D. degree in Computer Science from Federal University of Rio Grande do Sul, Porto Alegre, Brazil. He is a full professor at the Institute of Informatics at UFRGS. He has considerable experience with computer engineering with emphasis on hardware and software design for embedded systems focusing on: embedded electronic systems, processor architecture dedicated test, fault tolerance, and multiplatform software development. He has advised more than 20 graduate students, and has published more than 150 technical papers on those topics. He has authored the book Digital Systems Design and Prototyping (2001-in Portuguese) and is the co-author of Fault-Tolerance Techniques for SRAM-based FPGAs (2006-Springer), Dynamic Reconfigurable Architectures and Transparent optimization Techniques (2010-Springer) and Adaptive Systems (Springer 2012).
Álvaro Moreira has a B.Sc and a M.Sc in Computer Science from Federal University of Rio Grande do Sul, Porto Alegre, Brazil, and a PhD in Computer Science from the University of Edinburgh, Scotland. He is an associate professor at the Institute of Informatics at UFRGS. He is interested in software-based approaches for mitigation of soft errors, in the formal definition of fault models and in the formal semantics of new ISAs that take into account soft errors.
Paolo Rech received his master and Ph.D. degrees from Padova University, Padova, Italy, in 2006 and 2009, respectively. His studies included radiation test and neutrons, protons, and alpha particles effects on programmable logic devices like FPGAs and Systems On Chip. He was a Post Doc at LIRMM, Montpellier, France from 2010 to 2012, working on radiation effects on electronic devices at high altitudes. Now he is an associate professor at Federal University of Rio Grande do Sul, Porto Alegre, RS, Brazil. His main research interests include radiation tests of complex computing devices, the neutron effects on Graphic Processing Units, and the design of efficient hardening techniques for parallel algorithms. Lately, he has been collaborating with NVIDIA, AMD, and Los Alamos National Lab on the radiation sensitivity evaluation and mitigation of parallel processors for high performance computing.
Disaster Recovery for Enterprise-Class Clouds
Rick Harper and Hari Ramasamy and Long Wang – IBM TJ Watson Research Center, USA
Mahesh Viswanathan – Distinguished Engineer and Chief Architect, IBM Cloud Managed Services, USA
Abstract:
A major technology convergence is currently underway between cloud resilience and enterprise resilience. This tutorial will describe the challenges and consequences of this convergence from a Disaster Recovery perspective. Specifically, the authors will present concepts, principles, and approaches for providing Disaster Recovery for Shared Private and Shared Public Enterprise Clouds. The tutorial will describe technologies for providing resilience to massive failures that impact an entire site comprising multiple customers sharing that site, and thousands of customer virtual machines, as well as its management structure. It will describe the data replication, data recovery, and workload recovery and failback to a repaired environment techniques employed to meet these requirements. This tutorial will also discuss the techniques used to recover the Service Management capabilities after a disaster, and the methods used to failback the workload from the DR Site back to a repaired environment after the disaster situation has been cleared. Specific use cases based on IBM experience with the IBM Cloud Managed Services offering will show how DR solutions have been created to meet the requirements of different customers, applications, and geographical constraints.
Short-bio:
Rick Harper is a Research Staff Member at IBM TJ. Watson Research center. Rick’s main assignment since joining IBM Research in 1998 has been to conceive and lead the transfer of research projects to product development. This has resulted in numerous products, such as the Summit Server product line, the Software Rejuvenation product, the Dynamic System Analysis product, virtualization-based Availability Management products, and the High Availability and Disaster Recovery functions for the IBM Cloud Managed Services offering. Rick participated in the National Academy of Sciences Panel on Reengineering the Space Shuttle in 1998 and was elected to the IBM Academy of Technology in 2007. He has authored approximately 30 papers, supervised over 20 graduate student theses, and has numerous international patents. Prior to joining IBM, Rick was a Senior Technical Advisor at Stratus Computer in Marlboro, Massachusetts, where he was responsible for technical strategy and development for the company’s line of fault tolerant computers. Prior to Stratus, Rick was a Principle Member of the Technical Staff at the Charles Stark Draper Laboratory, where his responsibilities were to create, design, and implement massively parallel fault tolerant computers for mission critical applications. At Oak Ridge National Laboratory, his responsibilities were designing and implementing instrumentation and control systems for nuclear research projects. He received his PhD in Computer Systems Technology/Aerospace Engineering in 1987 from the Massachusetts Institute of Technology, his MS in Physics and Aerospace Engineering in 1976 from Mississippi State University, and his BS in Physics in 1976 from Mississippi State University.
HariGovind (Hari) Ramasamy is a Research Scientist and Manager in the Computing-as-a-Service Research Department at the IBM T.J. Watson Research Center, where he leads the group on Innovations for Cloud and Resiliency. Hari’s research interests are in the dependability, security, and management of distributed systems, particularly cloud systems and services. Hari was elected to the IBM Academy of Technology in 2014. His work has been recognized as IBM Research Accomplishments and IBM Outstanding Research Accomplishments. Hari has received the IBM Research Client Award (2014), IBM Outstanding Innovation Award (2012), IBM Research Division Award (2012), IBM Eminence and Excellence Awards (2013, 2012, 2011), C.W. Gear Outstanding Graduate Student Award from UIUC (2003), and Best Paper Awards from the IEEE SCC (co-author, 2013) and IEEE PRDC (co-Author, 2002) conferences. He is an IEEE Senior Member, and has served as the Program Co-Chair of the SAFECONFIG 2011 conference. Hari is an Adjunct Faculty at NYU, and has previously served as an Adjunct Faculty at Columbia University and at NYU-Poly. He obtained his Ph.D. degree in Computer Science from the University of Illinois, Urbana-Champaign (UIUC) in 2006.
Long Wang is a Research Staff Member at the IBM T.J. Watson Research Center, Yorktown Heights, NY, where he leads the architecture of Disaster Recovery of IBM Cloud Managed Services to IBM Resiliency Services. His research interests include Fault-Tolerance and Reliability of Systems and Applications, Dependable and Secure Systems, Distributed Systems, Cloud Computing, Operating Systems, System Modeling, as well as Measurement and Assessment. He has published more than 20 papers in top conferences and journals and has served as the Program Committee of IEEE SELSE 2015, GlobalIT 2015, and FCC 2014. Dr. Wang is a member of the IEEE. He obtained his Ph.D. degree from Department of Electrical & Computer Engineering in University of Illinois at Urbana-Champaign (UIUC) in 2010. Before that, he got an MS degree from Department of Computer Science at UIUC in 2002 and a BS degree from Department of Computer Science at Beijing University in 2000.
Mahesh Viswanathan is a Distinguished Engineer in IBM Cloud business unit. He is Chief Architect for IBM’s Cloud Managed Services, a shared and private managed cloud product designed and built for large enterprises. Mahesh has also developed several managed services products specializing in adding labor-saving automation into steady-state operations. His career has crossed multiple IBM divisions including Research, Software Group, Global Technology Services and Cloud. He has built end-to-end solutions in managed services, cloud computing, information-on-demand services, human-machine interaction, text & audio-video analytics, voice recognition and voice synthesis. Previously, Mahesh led the research and development of a next-generation conversational system for in-car navigation systems at the IBM TJ Watson Research Center. Viswanathan has a PhD in Electrical, Computer, and Systems Engineering from Rensselaer Polytechnic Institute, New York. He has more than 50 technical publications and 50+ international patents. He is an IBM Master Inventor, an IBM Academy of Technology member, and an IEEE Fellow.
Cyber-Physical Control Systems: Vulnerabilities, Threats, and Mitigations
Saman Zonouz – Rutgers University, USA
Katherine Davis – Information Trust Institute, University of Illinois at Urbana-Champaign, USA
Abstract: Cyber-Physical Systems (CPS) yield novel problems and solutions for security researchers. CPSs connect computerized controllers and human supervisors with physical systems used in the energy, transportation, water, manufacturing, and other sectors. Recent attacks against CPS, such as the Stuxnet virus, have prompted unprecedented investigation into new threats and mitigations against CPSs. In this tutorial, we provide researchers with an introduction to the basic and widely deployed application of CPS, control systems, and the emerging problems in their security. We begin with a deep dive description of how control systems are built. This includes Supervisory Control and Data Acquisition (SCADA) architectures, physical system state estimation, and logic controller programming. Before going into the security-specific issues with control systems, we provide some motivating examples of real world control system attacks. Some of these are classic memory exploits and network protocol flaws. However, control systems introduce new classes of attacks as well as new challenges for attackers. We will cover both attacks and defenses for False Data Injection (FDI), code injection on Programmable Logic Controllers (PLCs), and infiltration of human machine interfaces. One of the most important themes in understanding these attacks is how adversaries must have some understanding of the dynamics of the victim control process. With the above coverage of control systems and their security issues, we briefly review several important topics in arguably the largest and most critical control system currently under development: the smart grid. We look at threats and vulnerabilities ranging from theft of electric service to large-scale disruptions of power. Smart meter privacy issues will also be covered. We finish by reviewing several recent advances in the general security of control systems. We focus on intrusion detection methods that leverage the regularity of control system behavior, and program analysis techniques for real-time embedded controller code.
Slides PART_1_25-58
Slides PART_1_59-71
Slides PART_1_72-110
Short-bio:
Saman Zonouz is an Assistant Professor in the Electrical and Computer Engineering Department at Rutgers University since September 2014 and the Director of the 4N6 Cyber Security and Forensics Laboratory. Before, he held a tenure-track position at the University of Miami for three years. He has been awarded NSF CAREER Award in 2015, the Faculty Fellowship Award by AFOSR in 2013, the Best Student Paper Award at IEEE SmartGridComm 2013, the University EARLY CAREER Research award in 2012 as well as the Provost Research Award in 2011. The 4N6 research has been funded in grants from National Science Foundation (NSF), Office of Naval Research (ONR), Department of Energy – Advanced Research Projects Agency Energy (DOE ARPA-E), WinRiver, Google, and Fortinet Corporation including tech-to-market and commercialization initiatives. Saman’s current research focuses on systems security and privacy, trustworthy cyber-physical critical infrastructures, binary/malware analysis and reverse engineering, as well as adaptive intrusion tolerance architectures. Saman has served as the chair, program committee member, and a reviewer for international conferences and journals. He obtained his Ph.D. in Computer Science, specifically, intrusion tolerance architectures for the cyber-physical infrastructures, from the University of Illinois at Urbana-Champaign in 2011.
Katherine Davis is a Research Scientist in the Information Trust Institute (ITI) and an Adjunct Assistant Professor in the Electrical and Computer Engineering Department at the University of Illinois at Urbana-Champaign (UIUC). Her research interests include data-enhanced power system modeling and analysis, security-oriented cyber-physical techniques for studying the interdependencies of electrical and cyber infrastructures, and making algorithms more robust with respect to untrustworthy inputs. She has worked closely with other researchers on the protection of the power grid. Davis received the B.S. degree in electrical engineering from the University of Texas at Austin in 2007 and the M.S. and Ph.D. degrees in electrical engineering from the University of Illinois at Urbana-Champaign in 2009 and 2011, respectively. Before joining ITI, she worked as a Software Engineer and Senior Consultant at PowerWorld Corporation.