Prof. Ahmad-Reza SadeghiTechnische Universität Darmstadt
Mind the Gap: Smartphone Security and Privacy in Theory and Practice
Monday, September 10, 2012 -- 9.15 – 10.15Abstract: Mobile "smart" devices such as smartphones and tablets have already changed our daily lives in various ways. Many people are literally glued to these devices all through the day. The increasing computing and storage capabilities, new interfaces such as NFC or Smartcards, the vast number and variety of apps available on app stores and markets as well as the connectivity to cloud services are making smart devices convenient replacements for traditional (mobile) computing platforms such as laptops. Not surprisingly enterprises and governments have discovered the potential of these devices enabling "work on the go" for employees either by providing them with the corresponding smart devices, or by the "Bring Your Own Device (BOYED)" philosophy.
On the down side, the increased complexity of these devices as well as the increasing amount of sensitive information (private or corporate) stored and processed on them, from user’s location data to credentials for online banking and enterprise VPN, raise many security and privacy concerns. In particular, the growing number and sophistication of the recent attacks and findings show that the default protection mechanisms offered by smart devices are indeed insufficient.
In this talk we will briefly go through different classes of threats and their relevance as well as the recent academic and industrial approaches and efforts on improving various security and privacy aspects of mobile devices and services with the focus on the currently most popular (open-source) Android OS: While academic research has proposed a number of solutions and tools to protect end-users ranging from security extensions of different Android’s abstraction layers to analysis of apps and app markets, the enterprise solutions deployed today typically focus on device management aspects and malware detection. We will discuss this gap and point out some technical and non-technical challenges and practical problems as well as possible solutions towards establishing smartphone security architectures that allow for a reasonable fine-grained user-centric privacy-protection on the one hand, and corporate security on the other hand.
Short Bio: Ahmad-Reza Sadeghi is a full professor of Computer Science at Technische Universitaet Darmstadt. He is the Director of System Security Lab at Center for Advance Security Research Darmstadt (CASED) and Scientific Director of Fraunhofer Institute for Secure Information Systems (SIT). Since January 2012 he is also the Director of Intel-TU Darmstadt Collaborative Research Institute for Secure Computing in Darmstadt, Germany. He received his PhD in Computer Science with the focus on privacy protecting cryptographic protocols and systems from the University of Saarland in Saarbruecken, Germany. Prior to academia, he worked in Research and Development of Telecommunications enterprises, amongst others Ericson Telecommunications. He has been leading and involved in a variety of national and international research and development projects on design and implementation of trustworthy mobile computing platforms and trusted computing, security in hardware, cryptographic privacy protecting systems, and cryptographic compilers. He has been continuously contributing to the IT security research community and serving as general or program chair as well as program committee member of many conferences and workshops in information security and privacy. He is on Editorial Board of the ACM Transactions on Information and System Security. Ahmad has been awarded with the renowned German prize "Karl Heinz Beckurts" for his research on Trusted and Trustworthy Computing technology and its transfer to industrial practice. The award honors excellent scientific achievements with high impact on industrial innovations in Germany. Further, his group received the second prize of German IT Security Competition Award 2010.
Prof. Gilles BartheIMDEA Software Institute
Computer-Aided Cryptographic Proofs and Designs
Tuesday, September 11, 2012 -- 9.15 – 10.15Abstract: EasyCrypt is a tool for constructing and verifying cryptographic proofs. EasyCrypt can be used as a stand-alone application, or as a verifying back-end for cryptographic compilers. SyntheCrypt is a new tool that synthesizes public-key encryption schemes and generates proofs of security in EasyCrypt.The presentation will outline the language-based methods that underlie the design of both tools and illustrate some of their applications.
Short Bio: Gilles Barthe received a Ph.D. in Mathematics from the University of Manchester, UK, in 1993, and an Habilitation à diriger les recherches in Computer Science from the University of Nice, France, in 2004. He joined the IMDEA Software Institute in April 2008. He has been coordinator/principal investigator of many national and European projects, and served as the scientific coordinator of the FP6 FET integrated project "MOBIUS" for enabling proof-carrying code for Java on mobile devices (2005-2009). He has served as PC (co-)chair of conferences such as VMCAI'10, ESOP'11, and FAST'11. He is a member of the editorial board of the Journal of Automated Reasoning. His research interests include formal methods, programming languages and program verification, software and system security, and cryptography, and foundations of mathematics and computer science. Since 2006, he is working on the development of formal verification tools for cryptographic proofs.
Prof. Christian CachinIBM Research - Zurich
Integrity of Storage and Computations in the Cloud
Wednesday, September 12, 2012 -- 9.15 – 10.15Abstract: A group of mutually trusting clients uses a remote provider to store data or to perform an arbitrary computation service on their behalf. The provider may be subject to attacks and the clients do not fully trust the provider. The clients do not communicate with each other during day-to-day operations, but they would like to verify the integrity of the stored data, the correctness of the remote computation process, and the consistency of the provider's responses.
We present protocols that guarantee atomic operations to all clients when the provider is correct and so-called fork-linearizable semantics when the provider is faulty. Fork-linearizability makes it much easier for the clients to detect violations of integrity and consistency by the provider; specifically, it means that all clients which observe each other's operations are consistent, in the sense that their own operations, plus those operations whose effects they see, have occurred atomically in one sequence. Otherwise, a faulty provider could answer with arbitrary values from past operations and return diverging results to different clients. We describe a protocol for securing an outsourced storage service in this way and show how to extend it to protect arbitrary remote computations.
Short Bio: Christian Cachin is a researcher in cryptography and security at IBM Research - Zurich. He graduated with a Ph.D. in Computer Science from ETH Zurich and has held visiting positions at MIT and at EPFL. Presently he serves as the Vice President of the International Association for Cryptologic Research (IACR) and is an author of the book "Introduction to Reliable and Secure Distributed Programming." His current research interests are the security of storage systems, secure protocols for distributed systems, and cryptography. He contributed to the OASIS Key Management Interoperability Protocol (KMIP) standard and is currently concerned with security in cloud computing.