CASA Summer School on Backdoors and Trojans - June 22-25, 2020, Bochum, Germany
Our CASA Summer School on Backdoors and Trojans will investigate the different aspects of "Trojans", i.e., built-in malicious manipulations. Looking at the Snowden files and the current discussion of the trustworthiness of foreign-built (telecommunication) equipment shows the relevance of the topic. What's special about this summer school is that we take a holistic look at Trojans, meaning: we investigate how Trojans can occur on all different layers of a digital system. Such an interdisciplinary approach is quite different from the treatment in the literature, where Trojans are usually considered isolated technical artifacts. Another feature of the summer school is that every day will include an extensive hands-on session in the afternoon, together with the opportunity for participants to discuss their own work. We hope that this structure will allow participants to gain a broad, interdisciplinary view on the exciting topic of Trojans.
We have attracted top speakers for the CASA Summer School on Backdoors and Trojans. Daniel J. Bernstein and Tanja Lange will talk about crypto-based Trojans, with a focus on the threat posed by standardization. Christof Paar and his team will show hardware reverse engineering in the context of low-level hardware Trojans. Angela Sasse will discuss the role that human factors play in introducing and avoiding Trojans. Lucas Davi will highlight how software-based crypto Trojans can be realized in real-world settings.
The Cluster of Excellence CASA (Cyber Security in the Age of Large-Scale Adversaries) invites young scholars from all disciplines to participate in the CASA Summer School on Backdoors and Trojans.
We appreciate participants working in technical areas as well as from the humanities.
Registration is on a "first come, first served" basis and attendance is limited to 52 participants.
Please register here.
The participation fee will be 140 Euro. The fee includes refreshments and lunch.
In addition we will have a Conference Dinner and a Meet Up that is included in the fee.
A few weeks after registration we will send you details concerning payment and money transfer.
We award travel scholarships for all young researchers and we award some especially to women - so please apply! Your application should include the following:
- Letter of Motivation (1000 words max.)
- Research background/discipline and prior knowledge on IT Security
- Description of your current research project (1000 words max.)
Please apply by sending your application as a single PDF document to susanne.kersten at rub.de. You will receive feedback regarding the funding decision in April 2020.
Staying in a hotel is not covered in the fees!
Bochum provides various possibilities to stay overnight. You’ll find a selection listed below:
- Hotel IBIS Zentrum am Hauptbahnhof (http://www.ibis.com/Bochum, ~70 Euro / night)
- Hotel Plaza (http://www.plaza-bochum.de, ~70 Euro / night)
- Art Hotel Tucholsky (http://www.art-hotel-tucholsky.de, ~80 Euro / night)
- Park Inn (http://www.park-inn-bochum.de, ~120 Euro / night)
- Youth Hostel Bochum (http://www.jugendherberge.de, B&B ~30 Euro / night)
We have reserved a number of rooms in different hotels - please contact Nadine.Overkamp AT rub.de.
Speakers CASA Summer School
Daniel J. Bernstein & Tanja Lange, June 22, 2020
Daniel J. Bernstein is the designer of the "tinydns" software used by Facebook to publish server addresses, the "ChaCha20" cipher used in the WireGuard VPN, the "dnscache" software used by Cisco's OpenDNS to handle 175 billion address requests per day from 90 million Internet users, the "SipHash" hash function (co-designed with Jean-Philippe Aumasson) used by Python to protect against hash-flooding attacks, and the "Curve25519" public-key system used by WhatsApp for end-to-end encryption. Cryptographic algorithms designed by Bernstein are used by default in Apple's iOS, Google's Chrome browser, Android, etc., encrypting data for billions of users.
Tanja Lange holds the chair for Cryptography at the Technische Universiteit Eindhoven, the Netherlands. She is an expert on curve-based crypto and post-quantum crypto. Her work brings together mathematics and cryptology to create more secure cryptographic implementations and protocols.
The Snowden revelations in 2013 shook up the cryptographic community when documents showed evidence of actions to subvert standards and restrict "indigenous cryptography". This day will shine a light on the history of the most famous standardized back door, the Dual-EC pseudo-random number generator, and how it came into being a standard. The day will also cover some lesser-known back doors and the terminology of kleptography.
Christof Paar & Research Group, June 23, 2020
"Hardware Trojans and How to Find Them"
Christof Paar is director at the Max Planck Institute for Cybersecurity and Privacy in Bochum and research professor at the University of Massachusetts Amherst. He has been working in Embedded Security since 1995. In 1999, he co-founded CHES, the Conference on Cryptographic Hardware and Embedded Systems. His research interests include hardware security, low-level Trojans, physical layer security and application security in embedded systems.
Christof and his group will first highlight the threat posed by extremely low-level hardware Trojans for ASICs and FPGAs. We will then give an introduction to hardware reverse engineering (HRE). In the hands-on session, participants will be able to work on reversing hardware circuits using the powerful open-source HRE tool “HAL”.
Angela Sasse & Research Group, June 24, 2020
"Now Johnny can encrypt (maybe). But does he want to?"
M. Angela Sasse is the Professor of Human-Centred Security at Ruhr University Bochum, Germany. She read psychology in Germany before she obtained an MSc in Occupational Psychology from Sheffield University and a PhD in Computer Science from the University of Birmingham. She started investigating the causes and effects of usability issues with security mechanisms in 1996. Her 1999 seminal paper with Anne Adams, Users are Not the Enemy, is one of two papers that founded the research area of usable security. She was the founding Director of the UK Research Institute for Science of Cyber Security (RISCS) which promotes multidisciplinary evidence-based research into the effectiveness of cyber security policies and measures. Since 2018, she has been the Professor of Human-Centred Security at RUB and leads Hub D (Usability) of the Cluster of Excellence CASA.
Within CASA, we are researching what experts and non-experts know about security threats and the role of encryption in defending against them, and how that knowledge fosters adoption and use. Currently our research focuses on 'general' and 'technical' users - such as developers and systems administrators.
In the first half of the Hub D day of the summer school, we will present an overview of the research on this topic to date, starting with Whitten & Tygar's seminal 1999 USENIX paper 'Why Johnny can't encrypt'. We will critically review how researchers have tried to improve the usability of tools, and whether this has increased usage and decreased mistakes. We will then present what we know about the mental models of different user groups, and how these influence adoption and usage. One of the conclusions is that the current terminology and communications around encryption are confusing and off-putting. In the second half of the day, we will conduct some hands-on user research and design exercises in small groups: How can we find out what protection users want? How should we represent those security properties in the user interfaces of tools, and in the communication that accompanies them? Expect lego, plasticine, coloured pens and post-its.
Lucas Davi & Research Group, June 25, 2020
“Software Attacks Against Real-World Crypto Schemes”
Lucas Davi is an assistant professor for Secure Software Systems at University of Duisburg-Essen, Germany. He received his PhD from TU Darmstadt in computer science. His research focus includes aspects of system security, software security, and trusted computing, especially software exploitation techniques and defenses. He received best paper awards at DAC, ACM ASIACCS, and IEEE Security and Privacy. His PhD thesis on code-reuse attacks and defenses has been awarded the ACM SIGSAC Dissertation Award 2016.
Memory corruption attacks exploit software errors to hijack applications by performing arbitrary reads and writes to main memory. While traditional attacks required the attacker to directly inject malicious code into the memory space of an application, modern attacks either only induce malicious execution by means of a combination of existing code (return-oriented programming) or only manipulate variables without violating the program’s control flow (data-oriented exploits). For the case of real-world crypto schemes, these attacks are capable of stealing and altering cryptographic material. In this tutorial, we provide an overview of the state-of-the-art memory exploitation techniques and defenses. We start with the main principles of memory exploitation covering stack smashing, return-oriented programming, and data-oriented programming. Next, we present modern defense techniques such as control-flow integrity and memory randomization. In the second part of this tutorial, we continue with a hands-on lab where attendees will have the opportunity to construct proof-of-concept memory exploits that undermine cryptographic schemes deployed by the target application.
Women in IT Security Workshop 25-26 June 2020, Bochum, Germany
The CASA Summer School on Backdoors and Trojans officially ends on Thursday, June 25, 2020, at 3:30 pm after the Short Presentations.
For all women interested in IT security and cryptography, it will continue on Thursday evening, 25 June 2020:
You are cordially invited to a fireside dinner with Melanie Rieback. Starting at 17:30 hrs, you will be able to talk over snacks and drinks. Melanie Rieback will give a keynote speech from about 6:00/6:30 pm, lasting roughly 1 hour.
On Friday from 9 am to 1 pm there will be a female hacker workshop with Jiska Classen. We will tell you everything you need for this in a separate e-mail after registration.
The Women in IT Security Workshop will end with a lunch. It will be held in English.
As a participant of the CASA Summer School on Backdoors and Trojans you can register for the Women in IT Security Workshop within the registration form.
If you only want to register for the Women in IT Security Workshop, please use this LINK.
There is no participation fee.
If you are female and have already been awarded a CASA Summer School on Backdoors and Trojans Scholarship, this also applies to the workshop. You do not need to reapply.
If you are only attending the Women in Cryptography Workshop, you can also apply for a travel grant.
Your application should provide the information mentioned above.
Please send your application as a single PDF document to susanne.kersten AT rub.de.
Speaker Women in IT Security Workshop
Melanie Rieback, June 25, 2020
Dr. Melanie Rieback is the CEO/Co-founder of Radically Open Security, the world’s first non-profit computer security consultancy company. She is also a former Assistant Professor of Computer Science at the Free University of Amsterdam (VU) who performed RFID security research (RFID Virus and RFID Guardian) that attracted worldwide press coverage and won several awards (Mediakomeet, ISOC Award, NWO I/O award, IEEE Percom Best Paper, USENIX Lisa Best Paper). Melanie worked as a Senior Engineering Manager on XenClient at Citrix, where she led their Vancouver office. She was also the head researcher in the CSIRT at ING Bank, where she spearheaded their Analysis Lab and the ING Core Threat Intelligence Project. For fun, she co-founded the Dutch Girl Geek Dinner in 2008. Melanie was named 2010 ICT Professional of the Year (Finalist) by WomeninIT, one of the 400 most successful women in the Netherlands by Viva Magazine (Viva400) in 2010 and 2017, and one of the fifty most inspiring women in tech (Inspiring Fifty Netherlands) in 2016, 2017, and 2019. She was also called the Most Innovative IT Leader by CIO Magazine NL (TIM Award) in 2017, and one of the 9 Most Innovative Women in the European Union (EU Women Innovators Prize) in 2019. Her company, Radically Open Security, was named the 50th Most Innovative SME by the Dutch Chamber of Commerce (MKB Innovatie Top 100) in 2016.
Computer Science can be radical, political, expressive, and artistic. This presentation will share my own experiences with hacking and Radically Open Security, critically reflect on Computer Science education, and suggest ways to leverage our "craft" for positive disruptive change.
Jiska Classen, June 26, 2020
"Wireless Signal CTF with HackRFs"
Jiska Classen is a postdoc researcher at Secure Mobile Networking Lab, TU Darmstadt. Her research focus is wireless and mobile security, such as Bluetooth chips in recent mobile devices.
In this workshop, you can play a capture the flag game within various signals. You will learn how to demodulate and decode wireless signals. The challenges address all skill levels, so you will still have fun if you are completely new to signal processing. The skills acquired in this workshop will help you in analysing real-world wireless systems. Practical wireless security is often underestimated and considered complex, while opening garage doors or switching traffic lights can be surprisingly easy.