Ruhr-Uni-Bochum
Cyber Security in the Age of Large-Scale Adversaries

Copyright: CASA

Women in Security and Cryptography Workshop (WISC)

The workshop is aimed at female doctoral students and outstanding female students in the field of IT security and offers technical talks and exchange among senior and junior women researchers in this field. The long-term goal of WISC is to build a strong international network of early-career women scientists and to create a valuable academic program. WISC is a sister event of the renowned computer security conference Women in Theory (WIT) and takes place every two years.

WISC 2023

From June 27 to 29, 2023, the Cluster of Excellence CASA hosted the WISC workshop for the second time, this time in person. Female graduates and outstanding female students from IT security and related fields spent three exciting days in Bochum learning together and networking.

Speakers:

Also: panel discussions, poster presentations, networking activities, and much more!

To the detailed review of WISC 2023

Copyright: CASA, Mareen Meyer

Our flyer for WISC 2023 gives further insights into the three exciting workshop days!

Impressions from WISC 2023

Talks at WISC 2023

Cynthia Sturton

Bringing Symbolic Execution to the Security Verification of Hardware Designs

The verification of hardware designs is a key activity for ensuring the correctness and security of a design early in the hardware lifecycle. In this talk I will discuss our work developing a new point in the hardware verification space: software-style symbolic execution. Symbolic execution generalizes testing by replacing concrete values with symbols, with each symbol representing the set of possible values of the variable. This path-based symbolic analysis allows for deep and precise exploration of the design’s state space. However, symbolic execution infamously suffers from the path explosion problem. In this talk I will first present two strategies we developed to leverage the modular and cyclical nature of hardware designs to manage the path explosion problem: hardware-oriented backward search and piecewise composition. I will then present our results using symbolic execution for the security verification of hardware designs, first for assertion-based verification, in which we find bugs that current state-of-the-art model checking does not, and second for information-flow analysis in which we eliminate many of the false-positive flows that static analysis or taint tracking can produce.

Yixin Zou

Learning from the People: A Human-Centered Approach in Security and Privacy Research

There is an increasing appreciation for human factors in security and privacy research. The knowledge of people’s concerns, needs, and expectations provides valuable insights for improving security and privacy systems. Meanwhile, people often do not use existing tools and strategies to the full extent – and it is not their fault. In this talk, I will draw from my research to demonstrate the value of incorporating human factors in designing security and privacy mechanisms, and the need of considering digital equity in people’s ability to protect themselves. In the first part, I will feature my line of work on data breaches as a case study, showing how examining consumer reactions could inform the design of more effective breach notifications. In the second part, I will feature my work with various marginalized populations–such as survivors of intimate partner violence, older adults, and Muslim-American women–and trauma-informed computing as a unifying framework for creating safer technology experiences for all. Throughout the talk, I will highlight how this human-centered approach can lead to positive impacts on industry practices, public policy, and educational efforts around security and privacy.
CONTENT WARNING: some parts of the talk will include descriptions of physical/emotional violence, harassment, and trauma.

Shruti Tople

Unlocking the Vault: Analyzing Data Leakage in Language Models

Language models have brought remarkable advancements in natural language processing, but concerns regarding data leakage and privacy have arisen. In this talk, we delve into analyzing data leakage in language models, unlocking the vault to understand the risks involved. The talk investigates the implementation of language models that have been fine-tuned using private data. The focus is to analyze the leakage of sentence-level information and personally identifiable tokens from these models, all within a black-box setting. Additionally, we delve into the privacy-utility effects of mitigation techniques, such as differential privacy, when applied during the training of these models. By gaining insights into the risks and understanding the impact of privacy-preserving measures, we can work towards building more secure and privacy-aware language models that preserve user trust while driving innovation in natural language processing.

Maria Eichlseder

Ascon - The new NIST standard for lightweight cryptography

Integrating cryptographic algorithms in IoT systems and other constrained environments is often difficult due to limited resources and additional security challenges. Driven by this demand, NIST has initiated a lightweight cryptography competition between 2019 and 2023. Among 57 submissions, Ascon has been selected as the new standard for authenticated encryption and hashing. In this talk, we show how Ascon was designed to address the specific challenges in the IoT, including security, performance, and footprint. Since ciphers are not used in an ideal world, we show how Ascon also improves robustness against certain implementation attacks and mistakes. Finally, we take a look at the standardization process itself and discuss our experience with different cryptography competitions.

Jade Philipoom

The Joy of Cryptographic Implementation

This talk will focus on how implementers transform cryptographic algorithms from academic papers into production code. I'll draw on real examples from my work developing a low-level cryptographic library for the OpenTitan hardware project. In this context, it's vital to optimize for speed and space without compromising security. We'll also discuss the complexities of considering physically present attackers and interacting with hardware accelerators.

Claudia Diaz

The Nym network: Incentivized mixnets

This talk will introduce the Nym network, a recently deployed system for communication privacy that is based on an incentivized mixnet. We will first review different existing approaches to communication privacy and discuss their tradeoffs, in order to situate mixnets within the solution space. We will then present the Nym system design and its components, which include a Loopix-based mixnet for anonymously routing packets, Coconut-based credentials to enable private access, and an incentive mechanism to reward mixnet nodes for their work while supporting scalability, decentralization, reliability and cost-effectiveness.

Workshops

"Securing your success: Presentation skills for young scientists", by Sandra Schlagheck
Presenting yourself and your research convincingly is essential to your professional success. This workshop aims to encourage reflection on presentations, give tips on preparing for them, and practice using voice and body language. To this end, the workshop includes short inputs and exercises on the foundation (topic, audience, purpose), preparation (collect, structure, formulate), and practice (voice, body language, stage fright).

"Allyship and the Power of Networks", by Louisa van den Bosch and Judith Valceschini
In our workshop “Allyship and the Power of Networks” we will look at the importance of finding and creating networks for FLINTA* (Female, Lesbian, Intersexual, Non-Binary, Trans- and A-Gender) to support ourselves and our peers in mainly cis-male dominated spaces and industries. We are looking to empower ourselves and find our strengths in shared experiences. Further we will reflect on how we can use our own advantages and privileges to share space and power with colleagues in our own fields of work who are less privileged and more marginalized than we are ourselves.

Cynthia Sturton, University of North Carolina at Chapel Hill.

Yixin Zou, Max Planck Institute for Security and Privacy.

Shruti Tople, Microsoft Research.

Maria Eichlseder, TU Graz.

Jade Philipoom, Google/OpenTitan.

Claudia Diaz, KU Leuven.

Panel discussion with the speakers.

Copyright/Photos: CASA, Mareen Meyer

Review: WISC 2021

From September 21 to 23, 2021, the first “Women in Security and Cryptography” (WISC) workshop of the Cluster of Excellence CASA took place. International female* doctoral students and outstanding female* students from the field of IT security took part in the digital workshop.

Program with selected talks from academia and industry

At the heart of the conference program were high-profile talks by leading women* scientists in the field of IT security. These gave the participants* relevant insights into the field, the chance to meet role models, and the opportunity to form lasting connections with key figures* in the scientific community.

The outstanding WISC speakers* and their talk topics

  • Tal Rabin, University of Pennsylvania & Algorand Foundation, USA
    “MPC in the YOSO (You Only Speak Once) Model”
  • Elette Boyle, FACT Research Center, IDC Herzliya, Israel
    “Pseudorandom Correlation Generators”
  • Kenza Ait Si Abbou, Senior Manager for Robotics and Artificial Intelligence
    “Artificial intelligence needs more women!”
  • Michelle Mazurek, Institute for Advanced Computer Studies, University of Maryland, USA
    “Investigating Secure Development In Practice: A Human-Centered Perspective”
  • Adrienne Porter Felt, Director of Engineering, Google, USA
    “An Industry Career Path, in Security and Beyond”
  • Carmela Troncoso, École polytechnique fédérale de Lausanne, Switzerland
    “Why Synthetic Data Is Not a Solution to Any Machine Learning Problem”

Exchange, further education, and meeting like-minded people

Alongside the exciting talks by the speakers and the varied contributions from participants in the lightning talks, WISC was all about scientific exchange among everyone present. The aim was not only to create an attractive training program, but also to bring together women* from the various areas of IT security research and to foster shared exchange within the community. To this end, there were dedicated opportunities for networking and for conversations during social activities.

Our flyer also offers a look back at WISC 2021. Find out more here about the talks, the program, and the participants!

Our graphic recording of WISC 2021

Contact

Kirsten Jäger
Equal Opportunities & Diversity,
Quality & Event Management