TECHNICAL SESSIONS

Wednesday, August 3 | Thursday, August 4 | Friday, August 5

9:00 a.m.–10:30 a.m. Wednesday
Opening Remarks, Awards, and Keynote

Keynote Address
Computer Security in the Real World

Butler W. Lampson, Microsoft and MIT

After thirty years of work on computer security, why are almost all the systems in service today extremely vulnerable to attack? The main reason is that security is expensive to set up and a nuisance to run, so people judge from experience how little of it they can get away with. Since there's been little damage, people decide that they don't need much security. In addition, setting it up is so complicated that it's hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security. In a distributed system with no central management like the Internet, security requires a clear story about who is trusted for each step in establishing it, and why. The basic tool for telling this story is the "speaks for" relation between principals that describes how authority is delegated, that is, who trusts whom. The idea is simple, and it explains what's going on in any system I know, although the many different ways of encoding this relation often make it hard to see the underlying order.

10:30 a.m.–11:00 a.m.   Break
11:00 a.m.–12:30 p.m. Wednesday
REFEREED PAPERS

Securing Real Systems
Session Chair: Adrian Perrig, Carnegie Mellon University

Awarded Best Student Paper!
Security Analysis of a Cryptographically-Enabled RFID Device
Steve Bono, Matthew Green, and Adam Stubblefield, Johns Hopkins University; Ari Juels, RSA Laboratories; Avi Rubin, Johns Hopkins University; Michael Szydlo, RSA Laboratories

Stronger Password Authentication Using Browser Extensions
Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John C Mitchell, Stanford University

Cryptographic Voting Protocols: A Systems Perspective
Chris Karlof, Naveen Sastry, David Wagner, University of California, Berkeley

INVITED TALKS

Human-Computer Interaction Opportunities for Improving Security
Ben Shneiderman, University of Maryland

Creating a more secure computing and communications environment requires cooperation among many disciplines. Human-computer interaction (HCI) researchers can contribute by participating in user interface design for system managers and every level of users. The standard HCI processes could clarify the currently confusing array of features that overwhelms many users and leads to errors or frustration. First steps would include clear task analysis and a hierarchical decomposition of objects and actions that enable users to develop a meaningful mental model tied to their needs, rather than the intricacies of system architecture. Then carefully chosen evaluation methods could assess interface designs during development and usage. A second HCI contribution might be tied to information visualization tools to enable system managers to better monitor activity, detect attacks, and trace attackers. Temporal pattern search, network traffic analysis, and hierarchical clustering tools are potential contributions.
   This talk includes a proposed graphic user interface, FORTS (File-sharing Onweb with Realistic Tailorable Security), for specifying and monitoring security/privacy status. This interface is meant to be multi-layered to allow users to choose the level of complexity and protection they need. Based on a fortress model, FORTS shows more secure areas deeper in the fort, and multiple gates to allow incoming/outgoing traffic with comprehensible activity logs.

12:30 p.m.–2:00 p.m.   Lunch (on your own)
2:00 p.m.–3:30 p.m. Wednesday
REFEREED PAPERS

Panel: National ID Cards
Moderator: Niels Provos, Google

Panelists: Drew Dean, SRI International; Carl Ellison, Microsoft; Daniel Weitzner, World Wide Web Consortium

INVITED TALKS

Homeland Security: Networking, Security, and Policy
Douglas Maughan, DHS, HSARPA

This presentation will provide an overview of the recently created Department of Homeland Security, its Science and Technology Directorate, and some of the research initiatives started in the Department. Many of these initiatives provide examples where networking, security, and policy come together in interesting ways as the Department works with critical infrastructure providers to secure the nation's infrastructures. This presentation will explore these issues and provide an opportunity for an open discussion surrounding the various homeland security applications.

3:30 p.m.–4:00 p.m.   Break
4:00 p.m.–5:30 p.m. Wednesday
REFEREED PAPERS

Diagnosing the Net
Session Chair: Angelos Keromytis, Columbia University

Empirical Study of Tolerating Denial-of-Service Attacks with a Proxy Network
Ju Wang, Xin Liu, and Andrew A. Chien, University of California, San Diego

Robust TCP Stream Reassembly in the Presence of Adversaries
Sarang Dharmapurikar, Washington University; Vern Paxson, International Computer Science Institute, Berkeley

Countering Targeted File Attacks Using LocationGuard
Mudhakar Srivatsa and Ling Liu, Georgia Institute of Technology

INVITED TALKS

Electronic Voting in the United States: An Update
Avi Rubin, Johns Hopkins University

In July 2003, my research team published an analysis of Diebold's Accuvote TS and TSX voting machines, which were used in public elections all over the United States. We found serious security flaws in the machines, and a general lack of understanding of software and computer systems. Since then, the debate around electronic voting has intensified. In the two years since we published that report, I have become very involved in the issue at a national and local level, going so far as to become an election judge in Baltimore County. Maryland is one of the battleground states with respect to e-voting. In this talk, I will review the security issues around e-voting and voting procedures and will provide an update on where things stand in my state and at the federal level.

9:00 a.m.–10:30 a.m. Thursday
REFEREED PAPERS

Managing Secure Networks
Session Chair: Adam Stubblefield, Johns Hopkins University

An Architecture for Generating Semantic Aware Signatures
Vinod Yegneswaran, Jonathon T. Giffin, Paul Barford, and Somesh Jha, University of Wisconsin, Madison

MulVAL: A Logic-based Network Security Analyzer
Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel, Princeton University

Detecting Targeted Attacks Using Shadow Honeypots
K. G. Anagnostakis, University of Pennsylvania; S. Sidiroglou, Columbia University; P. Akritidis, K. Xinidis, and E. Markatos, Institute of Computer Science—FORTH; A. D. Keromytis, Columbia University

INVITED TALKS

Cybersecurity: Opportunity and Challenges
Pradeep K. Khosla, CyLab

This presentation will provide an overview of the research in CyLab. CyLab is a university-wide multidisciplinary research center with the goal of combining technology, business, and policy to impact industry. In addition, CyLab has a strategic interest in outreach and awareness for the masses. Toward achieving this goal, it is developing innovative games and curricula. This talk will provide an overview of some of the research projects in CyLab and will also describe our strategy.

10:30 a.m.–11:00 a.m.   Break
11:00 a.m.–12:30 p.m. Thursday
REFEREED PAPERS

Panel: Sniffing Conference Networks: Is It Legal? Is It Right?
Panelists: Abe Singer, San Diego Supercomputer Center; Bill Cheswick, Lumeta Corp.; Paul Ohm, U.S. Department of Justice; Michael Scher, Security Technologist, Attorney, Anthropologist, Nexum, Inc.

It has become commonplace at some computer conferences, especially security conferences, for someone to "sniff" the network—monitor other users' communications. Often this is for the purpose of intercepting usernames and passwords transmitted in cleartext, sometimes publicly posting the information found. The person sniffing may or may not be officially affiliated with the conference, and the activity is often condoned or approved by the conference organizers (although not by USENIX), and many of the participants.

But is such activity legal? It may very well not be, or only under very limited circumstances. Who has standing to "permit" the activity, and who is liable for the results?

Aside from whether or not the activity is criminal, there is also the ethical issue. Is sniffing a conference network the "right thing to do"? What example does it set? What message does it send?

These issues have been highlighted by some heated complaints at recent USENIX conferences.

This panel will discuss these legal and ethical issues.

INVITED TALKS

Treacherous or Trusted Computing: Black Helicopters, an Increase in Assurance, or Both?
Bill Arbaugh, University of Maryland

A lively and mostly healthy debate has focused on the trusted computing initiatives of several prominent vendors. Both sides of this debate have made some relevant and some not so relevant claims—not to mention a little fear, uncertainty, and doubt (FUD). In this talk, I will present the history of trusted computing from before the "Orange Book" to what we might see tomorrow. Along the way, I'll try to sort out the real technical and policy issues from the FUD. In the end, my hope is that you can make an informed decision on whether these initiatives are treacherous or trusted.

12:30 p.m.–2:00 p.m.   Lunch (on your own)
2:00 p.m.–3:30 p.m. Thursday
REFEREED PAPERS

Attacks
Session Chair: R. Sekar, Stony Brook University

Where's the FEEB? The Effectiveness of Instruction Set Randomization
Ana Nora Sovarel, David Evans, and Nathanael Paul, University of Virginia

Automating Mimicry Attacks Using Static Binary Analysis
Christopher Kruegel and Engin Kirda, Technical University Vienna; Darren Mutz, William Robertson, and Giovanni Vigna, University of California, Santa Barbara

Non-Control-Data Attacks Are Realistic Threats
Shuo Chen, University of Illinois at Urbana-Champaign; Jun Xu and Emre C. Sezer, North Carolina State University

INVITED TALKS

How to Find Serious Bugs in Real Code
Dawson Engler, Stanford University

This talk will describe new dynamic bug-finding techniques that work well on real code, our experiences with both static and dynamic techniques, and several widely held myths in the bug-finding community.

3:30 p.m.–4:00 p.m.   Break
4:00 p.m.–5:30 p.m. Thursday
REFEREED PAPERS

Protecting the Network
Session Chair: Niels Provos, Google

Awarded Best Paper!
Mapping Internet Sensors with Probe Response Attacks
John Bethencourt, Jason Franklin, and Mary Vernon, University of Wisconsin, Madison

Vulnerabilities of Passive Internet Threat Monitors
Yoichi Shinoda, Japan Advanced Institute of Science and Technology; Ko Ikai, National Police Agency of Japan; Motomu Itoh, Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)

On the Effectiveness of Distributed Worm Monitoring
Moheeb Abu Rajab, Fabian Monrose, and Andreas Terzis, Johns Hopkins University

INVITED TALKS

Open Problems with Certifying Compilation
Greg Morrisett, Harvard University

Proof-carrying code was introduced by Necula and Lee as a technique for minimizing trusted code: instead of monitoring or analyzing code to see if it is trustworthy, we require that the code comes with a machine-checkable, mathematical proof that the code respects a desired security policy. In practice, checking the proof is easy when compared to constructing one, so the framework shifts the hard work from the code consumer to the code producer. Unfortunately, it doesn't eliminate the hard problem: how does a code producer construct the proof?

Certifying compilers provide part of the answer: A certifying compiler takes as input high-level source code and a proof that the source code respects the policy, and then transforms the code and proof in parallel. In this fashion, it is able to automatically output the required proof at the machine-code level. For simple policies, such as memory-safety and type-safety, the proof can be automatically constructed at the source level, assuming we start with a type-safe source language.

Unfortunately, most of the code that needs to be trustworthy is written in type-unsafe languages such as C or C++, so we need some way to realize proofs for these languages. Furthermore, we need support for security policies that go well beyond type-safety. I will survey some of the research that has been done, and that needs to be done to achieve these goals, so that we may one day realize the full potential of proof-carrying code.

8:30 a.m.–10:30 a.m. 9:00 a.m.–10:30 a.m. Friday
REFEREED PAPERS

Defenses
Session Chair: Yoshi Kohno, University of California, San Diego

Protecting Against Unexpected System Calls
C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J. H. Hartman, University of Arizona

Efficient Techniques for Comprehensive Protection from Memory Error Exploits
Sandeep Bhatkar, R. Sekar, and Daniel C. DuVarney, Stony Brook University

Finding Security Vulnerabilities in Java Applications with Static Analysis
V. Benjamin Livshits and Monica S. Lam, Stanford University

OPUS: Online Patches and Updates for Security
Gautam Altekar, Ilya Bagrak, Paul Burstein, and Andrew Schultz, University of California, Berkeley

INVITED TALKS

What Are We Trying to Prove? On the Relevance of Certified Code to Computer Security
Peter Lee, Carnegie Mellon University

Since 1996 there has been tremendous progress in developing the idea of certified code, including both proof-carrying code (PCC) and typed assembly language (TAL). In a certified code framework, each program (which is usually in machine-code binary form) comes equipped with a certificate that "explains," both rigorously and in a manner that is easily validated, why it possesses a formally specified safety property. A substantial amount of the research work in this area has been directed towards the problem of how to make certified code a practical technology—what one might call "proof engineering." Thus, many of the advances have been in methods for representing the certificates in the most compact and efficiently checkable way. A considerable amount of effort has also gone into the development of prototype tools that explore how to handle realistic programs written in realistic languages.

In this talk, I will start with a brief overview of the current state of these and other current concepts in certified code. Then I will consider a very different but equally practical question: Just what is it that we are trying to prove, especially if we want to be relevant to computer security? Today, certified code systems do not prove the semantic equivalence between source and target programs. Nor do they prove the absence of most kinds of trojan horses, covert channels, or race conditions. While the safety properties provided by current certified code systems are, in fact, of central importance to computer security, I will argue that there are potentially great opportunities in investigating an expansion of the kinds of properties that these systems reason about.

10:30 a.m.–11:00 a.m.   Break
11:00 a.m.–12:30 p.m. Friday
REFEREED PAPERS

Building Secure Systems
Session Chair: Somesh Jha, University of Wisconsin, Madison

Fixing Races for Fun and Profit: How to Abuse atime
Nikita Borisov, Rob Johnson, Naveen Sastry, and David Wagner, University of California, Berkeley

Building an Application-aware IPsec Policy System
Heng Yin and Haining Wang, College of William and Mary

Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation
Jim Chow, Ben Pfaff, Tal Garfinkel, and Mendel Rosenblum, Stanford University

INVITED TALKS

Four Lightning Talks
Ben Laurie, The Bunker

I spend my life doing a dozen different things at once. So, rather than concentrate on one thing which might bore you, I would prefer to spark everyone's interest (at least occasionally) by talking about several of the things that have been distracting me recently. Included may or may not be: anonymous instant messaging, bolting capabilities onto existing languages, why packaging is bad for security, problems in DNSSEC and ruminations on writing an OpenPGP library. But since I'm writing this abstract in April and talking in August, there may be even more cool topics to discuss.

12:30 p.m.–2:00 p.m.   Lunch (on your own)
2:00 p.m.–3:30 p.m. Friday

Work-in-Progress Reports and Closing Remarks

Last changed: 19 Oct. 2007 ac