SecAppDev 2019 has ended


Low-level / IoT security
Monday, February 18
 

11:00

New trends in system software security
Novel safe systems programming languages and new hardware extensions can significantly improve the security of software.


Abstract
The war between attackers and defenders in low-level languages has been ongoing for decades. Software written in C-like languages suffers from a set of specialized attacks. Consequently, such software needs dedicated defenses to counter them. This session highlights interesting new trends with game-changing potential.

New safe systems programming languages improve the current landscape. A language such as Mozilla's Rust helps prevent the introduction of memory safety vulnerabilities. At the same time, it also helps prevent data races in multi-threaded code. As a complement, the revival of hardware support for capabilities significantly changes the landscape. Such hardware makes it possible to provide safety guarantees for legacy C code efficiently. It supports the compartmentalization of software so that a vulnerability in one part of the code can be contained. This session gives an overview of these exciting and promising new technologies.


This session is intended for software developers using C or a related programming language, and anyone interested in fundamental new developments in software security.

Speakers
Frank Piessens

Full professor, KU Leuven


Monday February 18, 2019 11:00 - 12:30
West wing (room Lemaître)
 
Tuesday, February 19
 

14:00

Techniques for developing and testing secure software components
Discover a technology stack that allows us to construct distributed software systems with well-defined security guarantees. We will address testing, formal verification, and runtime isolation.


Abstract
Software vulnerabilities occur when a system can be abused in ways not anticipated by the designers, developers or testers. However, the current approach to finding vulnerabilities resembles the search for a needle in a haystack. Modern testing techniques promise to systematize this search. As a complement, formal verification provides convincing arguments for the absence of vulnerabilities. But these arguments often overlook that the verified software does not run in an isolated environment.

This talk focuses on modern approaches to automated testing, formal software analysis, and verification. Many of these tools and techniques integrate efficiently with current approaches to secure software development and security testing. Furthermore, we explore how to integrate a verified component in an untrusted infrastructure. Learn what is possible today through a couple of industrial cases and large-scale verification efforts!


This session is intended for architects, developers, testers, and software security and verification engineers.

Speakers
Jan Tobias Muehlberg

Research manager, KU Leuven


Tuesday February 19, 2019 14:00 - 15:30
Main building (room Lemaire)
 
Thursday, February 21
 

09:00

Trusted Execution Environments and how far you can trust them
Modern processors provide Trusted Execution Environments that allow you to protect software components even from an untrusted operating system. Learn when and how to use them!


Abstract
Imagine that you have developed a perfectly secure piece of software. You made your best engineering effort; you used safe programming languages; you tested it thoroughly; you even did a bit of formal verification for the most critical parts. Now you want to deploy it, and you realize that you can't really trust the client's PC, their software stack to be up-to-date, or even their operating system to not tamper with your software. How could you possibly protect your software from malicious low-level interactions?

In this session, you will learn how to leverage component isolation and remote software attestation as provided by modern Trusted Computing techniques. A number of processors provide different variants of these security primitives: cloud providers allow you to run SGX enclaves, mobile devices feature TrustZone technology, and with Sancus there is even an emerging solution for lightweight embedded devices. The session will focus on using these platforms to build secure distributed applications.


This session is intended for architects, developers, testers, and software security and verification engineers.

Speakers
Jan Tobias Muehlberg

Research manager, KU Leuven


Thursday February 21, 2019 09:00 - 10:30
Main building (room Lemaire)
 
Friday, February 22
 

09:00

The Foreshadow attack - from a simple oversight to a technological nightmare
2018 was the year speculative execution vulnerabilities caused havoc in the IT industry. In this talk, we discuss the Foreshadow/L1TF vulnerability, its cause, its impact and how to mitigate it.


Abstract
Today's societies rely heavily on isolation mechanisms provided by microprocessors. Unfortunately, this year it became clear that chip designers made serious security errors during the design of their processors. By exploiting subtle design flaws, attackers can break such fundamental isolation primitives.

Last August, we disclosed our Foreshadow attack after going through an 8-month coordinated disclosure process with Intel. This attack enables attackers to access any data present in the L1D cache, even across protection domains. This required both microcode patches and significant changes in the process and virtual machine scheduler. The total cost of these defenses runs in the billions of dollars. In this session, we will discuss how Foreshadow and related speculative execution attacks operate, how the vulnerabilities they exploit got introduced in the first place, and how they got mitigated. We will also discuss how the industry as a whole should prepare for any future attacks to come.


This session is intended for anyone interested in how low-level security architectures can be bypassed by speculative execution side-channels.

Speakers
Raoul Strackx

Post-doc, KU Leuven


Friday February 22, 2019 09:00 - 10:30
West wing (room Lemaître)