IEEE SecDev 2016: Security Innovation in Design and Development


Michael Hicks, professor of Computer Science at the University of Maryland in College Park, talks about the new conference from the IEEE Cybersecurity Initiative. The following post was originally posted on his site, The Programming Languages Enthusiast.

The IEEE Cybersecurity Development (SecDev) Conference is a new conference focused on designing and building systems to be secure. It will be offered for the first time in Boston, MA, on November 3-4, 2016. This event was conceived, and is being organized, by Rob Cunningham; I’m pleased to be the PC Chair.

As stated in the call for papers, this first iteration of the conference is seeking short (5-page) papers, extended (1-page) abstracts, and tutorial proposals. The submission deadline is June 21, 2016 — if you have new results, old results you’d like to repackage, a tool, a process, a vision, or an idea you’d like to share with those working to make systems more secure, please consider submitting a paper!

This blog post explains why I think we need this conference, what I expect the first year to look like, and what sort of papers we hope to get, in question & answer format.

Who is SecDev for?

SecDev is targeting both researchers and practitioners. The goal is to encourage and disseminate ideas for secure system development among academia, industry, and government. Developers have valuable experiences and ideas that can inform academic research, and researchers have concepts, studies, and even code and tools that could benefit developers.

During this first year, we are soliciting speakers and activity organizers directly in addition to having an open call for papers and tutorials whose submissions will be judged by a program committee made up of those from academia and industry. In future years, we expect the academic research component of the conference to expand, but since time is short it will be less ambitious this year.

Why a new conference?

SecDev’s focus is on ideas, research, and experience on how to design and develop secure systems. Many existing conferences cover these topics, but not as their focus. On the academic side, we see papers on secure design and development in security conferences (like IEEE S&P); in programming languages conferences (like PLDI); in software engineering conferences (like FSE); and in many others. On the industry side, conferences like AppSec, RSA, and Shmoocon also cover building secure systems. But these conferences often include secure development as one topic among many others, and/or they fail to bring together researchers and practitioners; as such they do not galvanize the broader community that is needed to solve a pressing problem.

Why is “building security in” an important focus?

A lot of interest in cybersecurity, at least in my experience, derives from “hacking,” i.e., finding vulnerabilities in software systems and exploiting them. There is no doubt that this is an important (and fun) activity. However, skilled hackers are not necessarily skilled builders. Good system design involves employing principles (per Saltzer and Schroeder) like principle of least privilege, small trusted computing base, etc. Those good at finding and exploiting flaws need not have a good grasp of these principles.

For that matter, you don’t have to be a skilled hacker to be a secure developer. As one example: It takes a fair amount of skill to find and exploit a memory error like a buffer overflow or use-after-free. But you can write software that is impervious to such exploits without knowing how the exploits work: Use a type-safe (or memory-safe) programming language. To avoid SQL injection, use prepared statements.

Of course, knowing both attacks and defenses is the ideal. My point is that attack and defense are distinct (but overlapping) domains, and advances can be made independently in each.

What about theory: Isn’t it important?

Yes! Some of the best security work involves carefully worked-out mathematics; think about the success of cryptography here. There are many excellent conferences for exploring the theoretical foundations of security (e.g., Computer Security Foundations Symposium). SecDev is interested in papers that look to incorporate theoretical insights into actual practice.

What should SecDev papers look like?

In this first year, SecDev is soliciting short papers that present innovations, experience-based insights, or a vision. We are also interested in tutorials. The deadline is June 21, 2016.

A good SecDev paper may resemble an elaborated vision statement, a grant proposal, or a mini-keynote summarizing prior work and directions. A good SecDev tutorial will introduce interested practitioners and researchers to technologies (e.g., languages, tools, frameworks) that show promise in aiding the development of secure systems.

SecDev is interested in work that has a demonstrated connection to building systems that are more secure. It is not enough to show that an existing system, however prominent, is insecure. Nor is it enough to propose a new cryptosystem or formal security model with nice mathematical properties but no concrete exploration of how it would be used to build systems more securely. Instead, papers should be about (as a few examples) how a development library, tool, or process can produce systems resilient against certain attacks; how a formal foundation could underpin a language, tool, or testing strategy that can help produce stronger systems; and experience, designs, or applications showing how cryptography can be used effectively to secure systems.

As such, I think those in the programming languages community, among many others, have a lot to contribute to SecDev. For more information, see the call for papers. I look forward to seeing what you have to offer!