Stanford Security Lunch
Winter 2017

Get announcements: Mail Ical

January 04, 2017 No meeting due to Real World Crypto workshop

January 11, 2017 Global Internet Sensing

Speaker:  Matt Kraning (Qadium)

Abstract:  A deep dive into distributed global internet sensing. This talk with cover distributed system design, measuring data accuracy and bias, and next generation deployment topic areas. Applications to global internet security ecosystems and a small number of case studies will be presented.

January 18, 2017 Internet of Things (IOT) Security

Speaker:  Brian Witten (Symantec Labs)

Abstract:  This talk will describe the security mistakes behind some of the headlines of recent IOT security debacles, and also describe current best practices for protecting IOT systems end-to-end, as background for leading edge research in network security and machine learning applicable to IOT security, and walk through a sampling of those research efforts.

January 25, 2017 Deep Learning with Differential Privacy

Speaker:  Ilya Mironov

Abstract:  Machine learning techniques based on neural networks are achieving remarkable results in a wide variety of domains. Often, the training of models requires large, representative datasets, which may be crowdsourced and contain sensitive information. The models should not expose private information in these datasets. Addressing this goal, we develop new algorithmic techniques for learning and a refined analysis of privacy costs within the framework of differential privacy. Our implementation and experiments demonstrate that we can train deep neural networks with non-convex objectives, under a modest privacy budget, and at a manageable cost in software complexity, training efficiency, and model quality.

February 01, 2017 Proofs-of-delay and randomness beacons

Speaker:  Benedikt Bünz

Abstract:  Blockchains generated using a proof- of-work consensus protocol, such as Bitcoin or Ethereum, are promising sources of public random- ness. However, the randomness is subject to manip- ulation by the miners generating the blockchain. A general defense is to apply a delay function, prevent- ing malicious miners from computing the random output until it is too late to manipulate it. Ideally, this delay function can provide a short proof-of- delay that is efficient enough to be verified within a smart contract, enabling the randomness source to be directly by smart contracts. In this paper we describe the challenges of solving this problem given the extremely limited computational capacity available in Ethereum, the most popular general- purpose smart contract framework to date. We introduce a novel multi-round protocol for verifying delay functions using a refereed delegation model.

February 08, 2017 Sealed-Glass Proofs: Using Transparent Enclaves to Prove and Sell Knowledge

Speaker:  Florian Tramer

Abstract:  Trusted hardware systems, such as Intel's SGX, aim to provide strong confidentiality and integrity assurances for applications. However, there are serious concerns about the vulnerability of such systems to side-channel attacks. Application confidentiality, in particular, remains an elusive goal due to leakage of data access patterns, timing, and more. In light of these vulnerabilities, we explore use-cases of trusted hardware for which security is not contingent on applications keeping secrets from their environment. To this end, we introduce the abstract notion of a "Sealed-Glass Proofs" (SGP), a primitive that specifically models the capabilities of trusted hardware that can attest to *correct execution* of a piece of code, but whose execution is *transparent*, meaning that an application's secrets and state are visible to other processes on the same host. I will describe one compelling application of SGPs we considered: an implementation of an end-to-end bug bounty (or zero-day solicitation) platform that couples SGPs with smart contracts. Bounty hunters use SGPs (built on top of SGX, for instance) to prove knowledge of a bug or exploit and then proceed to sell their discovery to interested buyers using a cryptocurrency system with sufficiently expressive transactions (e.g., Ethereum or even possibly Bitcoin). Our platform enables a marketplace that achieves fair exchange, protects against unfair bounty withdrawals, and resists denial-of-service attacks by dishonest sellers. This is joint work with Fan Zhang, Huang Lin, Jean-Pierre Hubaux, Ari Juels and Elaine Shi.

February 15, 2017 Attacking Security Hardware using Side Channel Power Analysis

Speaker:  Kevin Kiningham

Abstract:  Side Channel Power Analysis is a well known class of Side Channel Attacks that use the power consumed by a device to reveal sensitive information such as cryptographic keys. In this talk, I review current power analysis techniques and walk through breaking AES128 on a commercially available TPM. In addition, I examine techniques used by hardware manufacturers to guard against power analysis and evaluate their effectiveness. Work done at Google under supervision of Dominic Rizzo and Marius Schilder

February 22, 2017 T/Key: Time--Based Offline Second Factor Authentication Without Server Secrets

Speaker:  Nathan Manohar

Abstract:  Time-based one-time password (TOTP) systems in use today require storing secrets on both the client and the server. As a result, an attack on the server can expose all second factors for all users in the system. We present T/Key, a time-based one-time password system that requires no secrets on the server. Our work modernizes the old S/Key system and addresses the challenges in making such a system secure and practical. Additionally, we develop a near-optimal algorithm for quickly generating the required elements in a hash chain with little memory on the client. Furthermore, we prove a time-space lower-bound on the effort needed to invert a hash chain. We report on our implementation of T/Key as an Android application. T/Key can be used event of a server-side compromise.

March 01, 2017 TBD

Speaker:  Ben Fisch

March 08, 2017 TBD

Speaker:  Henry Corrigan-Gibbs

March 15, 2017 TBD

Speaker:  Saba Eskandarian