Learning from Authoritative Security Experiment Results (LASER) Workshop
Tuesday, 8 December 2020
10:00 - 16:00
Call for Papers
Workshop Overview
The LASER workshop series focuses on learning from and improving cybersecurity experiment results. The workshop strives to provide a highly interactive, collegial environment for discussing and learning from experimental methodologies, execution, and results. Ultimately, the workshop seeks to foster a dramatic change in the experimental paradigm for cybersecurity research, improving the overall quality and reporting of practiced science.
Each year, the LASER committee chooses a slightly different focus and approach to help the community reach the overall goals of the effort. This year, the LASER workshop gathered a group of authors of accepted ACSAC papers to come together to explore and discuss the experimental aspects of their work amongst themselves and with other workshop participants. Conference papers all too often must focus on research results and contain limited discussion of the experimental aspects of the work. LASER will provide authors the opportunity to lead focused discussion on the experimental approaches and methodologies used to obtain their results.
We invite open participation by others interested in being part of and learning from such discussions. To participate, simply register for the workshop.
Workshop Format
The workshop will be structured as a true “workshop” in the sense that it will focus on discussion and interaction around the topic of experimental methodologies, execution, and results with the goal of encouraging improvements in experimental science in cybersecurity research. Authors will lead the group in a discussion of the experimental aspects of their work.
Areas of interest include, but are not limited to, the following:
- Research questions and/or hypotheses
- Experimental methodologies used and/or developed
- Experiment design
- Use of simulation, emulation, virtualization, and/or physical testbeds
- Use of specialized hardware including CPS and IoT devices
- Modeling of human-behavior characteristics
- Software tools used and/or developed to perform experimentation
- Approaches to experiment validation, monitoring, and data collection
- Datasets used and/or developed to perform experimentation
- Measurements and metrics
- Analytical techniques used and/or developed to evaluate experimental results
As a group, participants will discuss these areas and answer interesting questions such as:
- Did you use experimentation artifacts borrowed from the community?
- Did you attempt to replicate or reproduce results of earlier research as part of your work?
- What can be learned from your methodology and your experience using your methodology?
- What did you try that did not succeed before getting to the results you presented?
- Did you produce any intermediate results including possible unsuccessful tests or experiments?
Preliminary Agenda
Tuesday, December 8, 2020

| Time | Event |
| --- | --- |
| 9:45 am – 10:00 am | Gathering |
| 10:00 am – 10:15 am | Workshop Welcome, Goals, and Organization |
| 10:15 am – 11:45 am | Session 1: Paper Discussions |
| | Guide Me to Exploit: Assisted ROP Exploit Generation for ActionScript Virtual Machine |
| | A Process Cycle View on Utilizing Security and Privacy Research to Realize Novel Forms of Industrial Applications and Collaboration |
| 11:45 am – 11:55 am | Break |
| 11:55 am – 1:10 pm | Session 2: Invited Talk |
| | Invited Talk: Experiments, Methods, Measurements, Instruments -- A Few Details |
| 1:10 pm – 1:20 pm | Break |
| 1:20 pm – 2:50 pm | Session 3: Paper Discussions |
| | On the Feasibility of Automating Stock Market Manipulation |
| | Analyzing IoT Malware |
| 2:50 pm – 3:00 | Break |
| 3:00 pm – 3:45 pm | Session 4: Paper Discussion |
| | Session Key Distribution Made Practical for CAN and CAN-FD Message Authentication |
| 3:45 pm – 4:00 pm | Workshop Wrap-up |
Workshop Papers
Participants in the LASER Workshop are invited to write new papers on their experimental work. The papers will be published in post-workshop proceedings. The new papers will be driven and guided, in part, by the discussions and interactions, and possibly even new collaborations, forged at the workshop.
Draft papers will be due approximately two months after the workshop. The program committee will review papers and provide notifications and feedback one month after submission. Final camera-ready papers will be due approximately one month later.
Important Dates
- LASER Workshop @ ACSAC: December 8, 2020
- Draft Papers Submitted: February 8, 2021
- Notifications and feedback: March 8, 2021
- Final Papers Submitted: April 8, 2021
- Papers Published: May 8, 2021
Program Committee
The program committee is currently being formed. More information will be provided later.
Organizers
- David Balenson (SRI International)
- Terry Benzel (USC-ISI)
- Laura S. Tinnel (SRI International)
Further Information
Please see www.laser-workshop.org for more information about the LASER Workshop Series and http://2020-acsac.laser-workshop.org/ for more information about LASER 2020. Send questions to info@laser-workshop.org.
Invited Talk
Invited Talk: Experiments, Methods, Measurements, and Instruments -- A Few Details
Abstract: Much of computer science and computer security & privacy is based on the results of experiments. The dependability or reliability of these results turns on a number of details regarding the experimental methodology itself, how various experimental factors are measured, and the instruments with which those measurements are taken. This talk reviews a few details of experimentation that are overlooked at the risk of failure or, perhaps worse, propagating wrong results.
Speaker Bio:
Detailed Paper & Author Information
Proceedings Frontmatter
Guide Me to Exploit: Assisted ROP Exploit Generation for ActionScript Virtual Machine
Fadi Yilmaz; Meera Sridhar; Wontae Choi
Abstract: In this talk, we present the experimental approaches and methodologies of GuidExp, a guided (semi-automatic) exploit generation tool for ActionScript Virtual Machine (AVM) vulnerabilities. GuidExp synthesizes an exploit script that exploits a given ActionScript vulnerability. Unlike other AEG implementations, GuidExp leverages exploit deconstruction, a technique of splitting the exploit script into many smaller code snippets. GuidExp receives hints from security experts and uses them to determine places where the exploit script can be split. Thus, GuidExp can concentrate on synthesizing these smaller code snippets in sequence to obtain the exploit script instead of synthesizing the entire exploit script at once. GuidExp does not rely on fuzz testers or symbolic execution tools. Instead, GuidExp performs exhaustive search adopting four optimization techniques to facilitate the AEG process: (1) exploit deconstruction, (2) operand stack verification, (3) instruction tiling, and (4) feedback from the AVM.
Speaker Bios:
Dr. Fadi Yilmaz is a Ph.D. lecturer in the Department of Computer Engineering at Ankara Yildirim Beyazit University. His current research interests are automatic exploit generation, program synthesizing, language-based security, and grey-box fuzzing. He received his bachelor’s degree in computer engineering from TOBB Economics and Technology University (ETU), Ankara, Turkey, in 2009, his Master’s degree in Computer Science from Florida State University (FSU), Tallahassee, Florida, in 2014, and his Ph.D. degree in Software and Information Systems from the University of North Carolina at Charlotte, NC, USA.
Dr. Meera Sridhar is an Assistant Professor in the Department of Software and Information Systems at UNC Charlotte. Her research interests span language-based and systems security, formal methods, and their application to web, mobile and Internet-of-Things security. Her research is currently supported by the National Science Foundation (NSF). Dr. Sridhar is a member of ACM, ACM-W and WiCyS. Dr. Sridhar received her Bachelor’s in Computer Science from Carnegie Mellon University in 2002, graduating with University and College Honors. She received her Master’s in Computer Science from Carnegie Mellon University in 2004, and her Ph.D. in Computer Science from the University of Texas at Dallas in 2014. Dr. Sridhar is an International Baccalaureate Diploma holder from the International School Manila, Philippines.
Dr. Wontae Choi is an individual researcher. He is currently working as a software engineer at Google, Inc. However, the work presented in the workshop is a personal project and did not happen in the Google Inc. context. The work also does not express the views or opinions of Google Inc. Previously, Wontae worked on automated test generation, type systems, and static program analysis. He received his B.S. and M.S. in Computer Science from Seoul National University in 2008 and 2010. He received his Ph.D. in Computer Science from the University of California, Berkeley in 2017.
A Process Cycle View on Utilizing Security and Privacy Research to Realize Novel Forms of Industrial Applications and Collaboration
Jan Pennekamp; Erik Buchholz; Yannik Lockner; Markus Dahlmanns; Tiandong Xi; Marcel Fey; Christian Brecher; Christian Hopmann; Klaus Wehrle
Abstract: Cybersecurity research is not only indispensable to secure industrial networks and cyber-physical systems, but also provides the opportunity to realize novel forms of industrial applications and collaboration: By applying methods and tools developed by the security and privacy community to industrial use cases in the context of cyber-physical systems and the Industrial Internet of Things (IIoT), we can provide functionality which was previously considered impossible due to confidentiality and privacy concerns. Examples range from secure multi-hop accountability in supply chains over end-to-end encrypted message brokers on shopfloors to privacy-preserving production process parameter exchange and applicable company benchmarking.
However, to date, only a few real-world applications have been proposed, mainly because addressing novel use cases is challenging and requires intensive cooperation between industrial companies and cybersecurity experts to come up with suitable use case-fitting solutions. Such cooperation nowadays is severely hindered, as industrial companies either do not have the required data readily available or they are reluctant to share them due to privacy concerns. Likewise, cybersecurity experts might lack a sufficient understanding of industrial processes, a respective vision of future applications, and the required contacts to significantly advance real-world applications.
In this talk, we will give an overview of our experiences in performing research at the intersection of cybersecurity and industrial application, stemming from several practically applicable research projects (published at ACSAC 2020 among others). In particular, we highlight and discuss the complete process cycle and the challenges that arise when researching at such a practical intersection. We start with the identification of a use case, continue with the acquisition of data and its analysis, the research and development phase, and eventually talk about the evaluation and dissemination of results.
Overall, we present a methodology of how to conduct practical research on realizing novel forms of industrial applications and collaboration through security and privacy, including an overview of common challenges and pitfalls as a way to bootstrap further research in this emerging research area.
Speaker Bios:
Jan Pennekamp received the B.Sc. and M.Sc. degrees in Computer Science from RWTH Aachen University. He is a researcher at the Chair of Communication and Distributed Systems (COMSYS) at RWTH Aachen University. His research focuses on security & privacy aspects in the Industrial Internet of Things (IIoT), mainly in the context of collaboration between multiple (distrustful) stakeholders. In particular, his special interests include privacy-enhancing technologies (also in a more general scope), the design of privacy-preserving protocols, and secure computations as well as their application.
Martin Henze is a post-doctoral research fellow within the Cyber Analysis & Defense Department at the Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE. His research interests lie primarily in the area of security and privacy in large-scale communication systems, especially focusing on cybersecurity challenges in the industrial and energy sectors. Besides his efforts to secure industrial systems and networks, he is actively advocating for the benefits of applying methods from the security and privacy community to securely realize novel forms of industrial applications and collaboration.
On the Feasibility of Automating Stock Market Manipulation
Carter Yagemann; Simon P. Chung; Erkam Uzun; Sai Ragam; Brendan Saltaformaggio; Wenke Lee
Abstract: In our recent work, we presented the first findings on the feasibility of using botnets to automate stock market manipulation using stolen online brokerage accounts. Due to the ethical and legal dilemmas surrounding this topic, we had to devise a unique experimental design based on cutting-edge simulations of automated trading agents, and then set about justifying the validity of our results based on historical market data, case files from real-world fraud litigation, prior work on agent-based trading, and our own survey of online brokerage defenses. Ultimately, our simulations were able to demonstrate that modestly sized botnets using stolen accounts could achieve profits comparable to other monetization schemes (e.g., click fraud) while being robust to factors like network latency and other background traders. We also explored the current state of fraud detection and outlined the challenges with detecting and preventing malicious automation.
Speaker Bio:
Carter Yagemann is a Ph.D. student in Computer Science at the Institute for Information Security & Privacy, Georgia Institute of Technology, where he works with Professor Wenke Lee and Professor Brendan Saltaformaggio on topics surrounding automated software vulnerability detection and remediation, hardware-accelerated defenses, digital forensics, machine learning, malware, and biometric privacy. He previously received his B.S. and M.S. in Computer Science at Syracuse University and has several years of experience working for JPMorgan Chase & Co. in ethical hacking and cyber-threat intelligence.
Analyzing IoT Malware
Emanuele Cozzi; Pierre-Antoine Vervier; Matteo Dell'Amico; Yun Shen; Leyla Bilge; Davide Balzarotti
Abstract: We share our experience in analyzing a large dataset of IoT Linux malware, with the goal of reconstructing the lineage, evolution, and variants of each family.
We first attempted analysis by collecting 183 different numeric and categorical features in 7 different categories for each binary file, reflecting most approaches adopted in related work; we found, through manual verification, that an analysis based on these features was not sufficient to get us reliable results. We then took a different approach, based on code-level analysis and function similarity, which instead gave us results with satisfying accuracy.
In this talk, we will discuss the steps that led to our final results, including data collection, how we navigated through the many degrees of freedom that such an analysis has, and how we dealt with scalability issues.
Speaker Bios:
Emanuele Cozzi is a PhD candidate at the Software and System Security group at EURECOM. His research interests are on exploring new static and dynamic analysis techniques for binary analysis, with particular emphasis on Linux and IoT malware analysis.
Matteo Dell’Amico is a researcher at EURECOM. His current research is focused on the design of scalable algorithms to make sense of massive security data, and on ways to reason on trust and reputation on the Internet. Matteo's research interests touch security and distributed systems; he has investigated topics such as peer-to-peer systems, machine learning, reputation systems, distributed backup and storage, recommender systems, scheduling, and password security.
Session Key Distribution Made Practical for CAN and CAN-FD Message Authentication
Yang Xiao; Shanghao Shi; Ning Zhang; Wenjing Lou; Y. Thomas Hou
Abstract: Recent standardization efforts led by AUTOSAR have provided general guidelines for developing next-generation automotive communication network technologies with built-in security. A key security mechanism is message authentication between ECUs for countering message spoofing and replay attacks. While many message authentication schemes have been proposed by prior work, the important issue of session key establishment for authentication purposes with AUTOSAR compliance was not well addressed.
In the paper titled “Session Key Distribution Made Practical for CAN and CAN-FD Message Authentication” we propose an AUTOSAR-compliant key management architecture that considers practical requirements imposed by the automotive environment. Based on this architecture, we describe a baseline session key distribution protocol called SKDC that realizes all designed security functionalities and propose a novel secret-sharing-based protocol called SSKT that yields improved communication efficiency. Both SKDC and SSKT are customized for CAN/CAN-FD bus deployment.
In this talk we focus on the experimental aspect of our work. First, we show the implementation details of the two protocols, with special attention to the design choices we made for realizing finite field arithmetic and polynomial computation, aimed at optimizing SSKT’s efficiency in the automotive environment. Second, we demonstrate the Arduino-based hardware testbed and discuss the results and challenges arising from the evaluation process. Lastly, we lay out a plan for future improvements and solicit feedback.
Speaker Bio:
Yang Xiao is a 4th-year Ph.D. student in the ECE Department at Virginia Tech, supervised by Prof. Wenjing Lou. He received his B.S. degree from the EE Department at Shanghai Jiao Tong University and M.S. degree from the ECE Department at University of Michigan, Ann Arbor. His research interests lie in network security, IoT security, and decentralized systems.