Skip to main content

Home

 

Find us on

facebook youtube flickr twitter itunes u logo

Past Talks

Dr. Liz Bowman

Dr. Elizabeth Bowman
U.S. Army Research Laboratory
Artificial Intelligence, Machine Learning and Information: Army Social Computing Research
Tuesday, December 5th
Haldeman 041 Kreindler Conference Room
4:00 PM

Dr. Fabio Pierazzi

Dr. Fabio Pierazzi
Royal Holloway University of London
Network Security Analytics for Detection of Advanced Cyberattacks
Tuesday, November 28th
Sudikoff Trust Lab (L045)
12:30 PM

V.S. Subrahmanian

V.S. Subrahmanian
Dartmouth Distinguished Professor in Cybersecurity, Technology, and Society
Bots, Socks, and Vandals
Tuesday, November 14th
Carson L01
5:00 PM 

Rand Beers

Rand Beers ('64)
Big Data, the Internet, and Social Media:  The Road to the November 2016 Election
Wednesday, November 8th
Haldeman 41 (Kreindler Conference Hall)
4:30 PM 

Fright Night Imge

Wanna See Something REALLY Scary?
ISTS Looks at the Dark Web on Halloween Night
Tuesday, October 31st
S
udikoff  045 Trust Lab (dungeon)
7:30 PM - RSVP
Space is Limited 

Sal Stolfo

Salvatore J. Stolfo 
Columbia University
A Brief History of Symbiote Defense
Tuesday, October 31st
Rockefeller 003
5:00 PM

Dan Wallach

STAR-Vote: A Secure, Transparent, Auditable and Reliable Voting System

Professor Dan Wallach
Rice University
Thursday April 27, 2017
Carson L01, 5:00 PM

Ben Miller Dragos

Pandora's Power Grid - What Can State Attacks Do and What Would be the Impact?

Ben Miller
Chief Threat Officer, Dragos, Inc.
Tuesday May 2, 2017
Kemeny 007, 4:30 PM
Brendan Nyhan

 

 

 

Factual Echo Chambers? Fact-checking and Fake News in Election 2016.

Professor Brendan Nyhan
Dartmouth College
Thursday May 4, 2017
Rocky 001, 5:00 PM

Dickie George

 

Espionage and Intelligence

Professor Dickie George
Johns Hopkins University
Thursday May 11, 2017
Rocky 001, 5:00 PM

Dan Wallach

A Nation Under Attack: Advanced Cyber-Attacks in Ukraine

Ukrainian Cybersecurity Researchers
Thursday April 6, 2017
Oopik Auditorium 5:30 PM

ISTS Information Pamphlet


2012BrochureCover

 

Institute for Security, Technology, and Society
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755 USA
info.ists@dartmouth.edu
HomeEvents >

Towards a formal theory of computer insecurity: a language-theoretic approach

len meredith
Len Sassaman Meredith L. Patterson

Len Sassaman, Katholieke Universiteit Leuven
Meredith L. Patterson, Independent researcher
Thursday, February 17, 2011
 

Abstract:

Finding weaknesses in computer programs and systems is commonly thought of as a "knack" or "a black art" by industry practitioners and academics alike. This craft of vulnerability analysis is typically taught by example, through case studies of (in)famous vulnerabilities of the past and the often highly idiosynchratic methods used by their discoverers. Moreover, even though we have a number of theories for how to build provably secure systems from scratch, they do not readily yield themselves to finding insecurities in state-of-the-art existing systems.

When we teach students about those pitfalls of insecure programming, we do not involve a theory that would explain the fundamental origins of this insecurity, and neither do we look to such a theory when searching for exploitable vulnerabilities in a piece of software. This is in stark contrast with other areas of CS, where we continually see and use applications of complexity theory, computation theory, various algorithm analysis results, etc.

The authors show their way from asking themselves these questions to identifying the suitable theoretical constructs and using them to expose a slew of high-impact "0day" vulnerabilities in one of the most frequently used security protocols of today, Secure Sockets Layer and X.509 security certificates, used throughout the world to protect e-commerce, as well as confidential and even classified data.

The authors will further show how many classic case studies in software vulnerabilties can be reduced to familiar principles of the formal languages and computation theory and discuss the implications of this reduction for the future of the current Internet protocols and the design of new secure ones.

Finally, the authors will discuss how modern programming language techniques such as monadic programming and parser combinators -- usually considered obscure -- can have a direct bearing on teaching secure programming in such mundane tasks as web application development.

Bio:

Len Sassaman, Katholieke Universiteit Leuven

Len Sassaman is a member of the Shmoo Group, as well as a researcher at COSIC, the COmputer Security and Industrial Cryptography laboratory at Katholieke Universiteit Leuven. He is currently pursuing his PhD in electrical engineering, advised by Bart Preneel and David Chaum. The focus of Len's past research has been privacy-preserving technologies, such as anonymity and confidentiality systems, which emphasize usability as a security parameter in privacy solutions subject to the limitations of today's communication systems. Len has over fifteen years of experience designing and deploying privacy enhancing technologies and evaluating protocol security. Len is the maintainer of the anonymous remailer software Mixmaster, a former Tor and Mixmaster server operator, and has written many papers on the topic of anonymous system design. Len has also consulted on policy issues regarding Internet privacy in today's society.

Len Sassaman also co-invented the field of language-theoretic security research, which is the topic of his talk. Prior to becoming an academic researcher, Len was an active cypherpunk and held such roles as Chief Architect at Anonymizer, Inc., Senior Security Architect at Known Safe, Inc., and a Lead Software Engineer at PGP Security, Inc. Last year at Black Hat, Len presented (with Dan Kaminsky) a series of fatal flaws in the Certificate Authority system, discovered using language-theoretic security analysis methods.

Len has spoken at many security conferences, co-founded the CodeCon and Biohack! conferences and the HotPETS workshop.

--------

Meredith L. Patterson is an independent researcher whose areas of expertise range from CS-related topics such as database design, data-mining algorithms, complexity theory, computational linguistics, information security, and privacy-enhancing technology systems; to synthetic biology, design of transgenic organisms using low-cost, build-it-yourself lab equipment, and human metabolic system studies; and speculative fiction as a published author of multiple short stories, mostly science fiction.

Meredith has a BA in Linguistics from the University of Houston and a MA in Linguistics from the University of Iowa. She is heavily involved with the DIYBio movement, and works on transgenic lactic acid bacteria. She co-founded the field of language-theoretic security research, which she used to successfully defeat such troublesome attacks as SQL injection with her "Dejector" library. Most recently, she presented the Biopunk Manifesto at a UCLA synthetic biology conference, and presented her work with Dan Kaminsky and Len Sassaman on breaking the Internet's certificate authority system (by creating usable, bogus certificates crafted to exploit ambiguity in X.509 parsing implementations using language-theoretic security analysis principles) at the Financial Cryptography 2010 conference.

Meredith lives in Leuven, Belgium. In her spare time, she knits, repairs cars, and hacks on open source software.

 

 

Last Updated: 2/28/11