• Students enrolled in ACSAC Tutorials are provided lunch on the day of their tutorial.

• Although all tutorial attendees will be provided a copy of the materials used by the instructor, only those who pre-register for the tutorial will be guaranteed the tutorial materials at the beginning of the tutorial instruction. Please note that lunch is included in both the full-day and the half-day tutorial fee. See the registration form for more information. Please note the tutorial registration fees are for tutorials only; registration for the technical portion of the Conference is separate.

[ TOP ]

Tutorial M1 (Full Day)

Dr. Steven J. Greenwald
Independent Consultant

Abstract

Designed for the person who is new to the field of Information Systems Security, this is an intensive one-day survey of the most important fundamentals of our field. It is designed to bring the students up to speed on important basic issues, and otherwise fill fundamental gaps in their knowledge. Therefore, its emphasis will be mostly historical in nature, and not necessarily topical. However, it will contain material that every effective practitioner in our field needs to know.

The ideal student is someone who is either entering the field for the first time, needs a refresher regarding the basics, or is starting to prepare for the CISSP exam. This will be a high-speed low-drag course covering a very broad range of material. Since it is unrealistic to assume that the students can absorb all of this material in a one-day tutorial, each will be given, in addition to a textbook, an annotated bibliography of seminal papers and reports (most available on the web) that will be covered during the tutorial and which they may use for future study and reference. A major goal of this tutorial is that the student should be able to effectively understand, research, and apply such material when it is later encountered.

Prerequisites:

None

Outline:

1. Introduction. Overview/refresher of the necessary CS background, common definitions, and historical overview and perspectives.
2. Fundamentals. Covers Identification & Authentication, Access Control, Security Kernels, and Security Models.
3. Practice. Provides a brief overview of Unix and Windows NT Security, as well as common errors (e.g., buffer overflows) and security software.
4. Cryptography. A brief overview of cryptography, PKI and standards.
5. Distributed Systems. Covers Web security and other aspects of network and distributed system security.
6. Database Systems. Explores DBMS models and problems.
7. Conclusions and Questions. Seeing the forest for the trees, professional development options, and if time permits any topical or other areas that may be of particular interest.

About the Instructor:

Dr. Steven J. Greenwald is an Independent Consultant in the field of Information Systems Security specializing in distributed security, formal methods, security policy modeling, resource based security and related areas. He also works with organizational security policy consulting, evaluation, training, and auditing. He is a Research Fellow at Virginia's Commonwealth Information Security Center (CISC) and on the adjunct faculty at James Madison University's Computer Science department teaching in their graduate INFOSEC program (a National Security Agency designated Center Of Academic Excellence in Information Security Assurance). Dr. Greenwald was formerly employed as a computer scientist in the Formal Methods Section of the U.S. Naval Research Laboratory, and is also past general chair and past program chair of the New Security Paradigms Workshop (NSPW). Dr. Greenwald earned his Ph.D. degree in Computer and Information Science from the University of Florida (with a dissertation in the field of information systems security).

[ TOP ]

Tutorial M2 (Full Day)

Radia Perlman
Sun Microsystems

Charlie Kaufman
Microsoft

Abstract

This tutorial covers the concepts in network security protocols as well as describing the current standards. It approaches the problems first from a generic conceptual viewpoint, covering the problems and the types of technical approaches for solutions. For example, how would encrypted email work with distribution lists? What are the performance and security differences in basing authentication on public key technology versus secret key technology? What kinds of mistakes do people generally make when designing protocols?

Armed with a conceptual knowledge of the toolkit of tricks that allow authentication, encryption, key distribution, etc., we describe the current standards, including Kerberos, S/MIME, SSL, IPsec, PKI, and web security.

Prerequisites:

Nothing other than intellectual curiosity and a good night's sleep in the recent past.

Outline:

1. What is the problem? A quick overview of why network security is needed (remote authentication, private and authenticated email, etc)
2. Overview of cryptography: public key, secret key, hash.
3. Secure email issues (including complications such as distribution lists). Also overview of S/MIME and PGP.
4. Key distribution (PKI and secret-key based systems such as Kerberos).
5. Kerberos details (including Microsoft Kerberos)
6. PKI details (including X.509 and PKIX)
7. Concepts in real-time protocols: authentication handshakes, perfect forward secrecy, session resumption, identity hiding, plausible deniability, denial of service protection. Implications of choosing "layer 3" approach (IPsec) vs "layer 4 approach" (SSL, SSH). How export rules have affected designs.
8. IPsec details: data packet formats (AH and ESP), IKE (key establishment protocol). Problems with IKE. Possible successors to IKE.
9. SSL
10. Web: URLs, HTTP, cookies

About the Instructors:

Dr. Radia Perlman is a Distinguished Engineer at Sun Microsystems. She also teaches network security protocols at Harvard University. She is known for her contributions to bridging (spanning tree algorithm) and routing (link state routing) as well as security (sabotage-proof networks). She is the author of "Interconnections: Bridges, Routers, Switches, and Internetworking Protocols", and co-author of "Network Security: Private Communication in a Public World". She is one of the 25 people whose work has most influenced the networking industry, according to Data Communications Magazine. She has an B.S. and M.S. in mathematics and a Ph.D. in computer science from MIT, about 50 issued patents, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.

Mr. Charlie Kaufman is a former Distinguished Engineer at IBM, where he was Chief Security Architect for Lotus Notes and Domino, as well as having worked within IBM in other security-related areas. Recently he has been involved in analyzing IKE, the authentication portion of IPsec, and designing a replacement protocol which has been adopted by IETF. He is co-author of the book "Network Security: Private Communication in a Public World". He served on the National Academy of Sciences expert panel that wrote the book "Trust In Cyberspace". He currently serves on the IAB, the architecture board of the IETF. Within IETF he has contributed to a number of efforts, including chairing the Web Transaction Security working group. He is currently the editor of the new Internet Key Exchange protocol document for IP Security Protocol Working Group (Ipsec). He holds over 25 patents in the fields of computer security and computer networking.

[ TOP ]

Tutorial M3 (Full Day)

Dr. Sven Dietrich and Dr. John McHugh
CERT Research Center

Abstract

In the beginning, security was equated to confidentiality and it was considered better for a system to fail (or be forced into failure) than to leak protected information. As the field matured, the emphasis changed and concepts such as "Security-*" giving equal weight to integrity and assured service became acceptable. Concurrently, adversaries realized that attacks that reduced the utility of computing systems to authorized users could be as effective as attacks that compromised sensitive information. In the past year, brute force denial of service attacks based on the exhaustion of the victim's processing or communication resources have become commonplace.

The tutorial will trace the development of denial of service attacks from early, machine crashing exploits to attacks that based on the exploitation of server vulnerabilities or protocol pathologies to consume excessive computing resources to the present day distributed denial of service (DDoS) attacks. Self imposed denial of service attacks in which a system administrator suspends a necessary service in the face of a real or threatened attack will also be considered. A substantial portion of the tutorial will be devoted to understanding DDoS attacks and developing appropriate responses. Among the issues to be addressed are preparing for a DDoS attack, recognizing the attack type and probable attack pattern, designing appropriate filter rules to mitigate the attack, and working with upstream providers. We will also survey current research that may lead to ways of thwarting such attacks in the future.

Prerequisites:

A basic understanding of IP networking, network protocols, and routing as well as an understanding of computer security fundamentals is required. The tutorial is intended to be useful to system administrators, network administrators and computer security practitioners.

Outline:

1. Fundamentals. Basic networking and routing protocols.
2. Denial of Service. Basic concepts. Vulnerabilities and pathologies. OS support. The jump from DoS to DDoS. Evolution of attack tools.
3. Classes of DDoS tools. What they do. Choices in the attack space. How they work. Currently available tools.
4. Diagnosis of the problem. How do you know you are under attack. Symptoms in your own operational and system monitoring data. Differentiating between flash crowds and attacks. Advances in research. Inspecting a compromised system. Building a monitoring/traffic capture facility.
5. Mitigation. Recognition of the attack. Attack signatures and attack tool identification. DoS vs. DDoS. Indications of single and multiple sources. Creating countermeasures. Techniques for limiting the damage. Characterizing the attacked resources. Infrastructure changes. Traceback. Filtering. Active response. Strikeback.
6. Political hurdles. Dealing with your ISP. Dealing with management.
7. The bright road ahead. DDoS and beyond. Prospects for future advances in attacker tools, Technical, legal, and political mitigation strategies.

About the Instructors:

Dr. Sven Dietrich is a member of the technical staff at the CERTŪ Research Center, where he does research in survivability and network security. His work has included intrusion detection, distributed denial-of-service analysis, and the security of Internet Protocol (IP) communications in space. He was a senior security architect at the NASA Goddard Space Flight Center and has taught mathematics and computer science at Adelphi University. His research interests include, but are not limited to, computer security, cryptographic protocols, and quantum cryptography, and he randomly gives presentations and talks on the subject. Dr. Dietrich has a Doctor of Arts degree in Mathematics, a MS degree in Mathematics, and a BS degree in Computer Science and Mathematics from Adelphi University in Garden City, New York.

Dr. John McHugh is a senior member of the technical staff at the CERTŪ Research Center, where he does research in survivability, network security, and intrusion detection. He was a professor and former chairman of the Computer Science Department at Portland State University in Portland, Oregon. His research interests include computer security, software engineering, and programming languages. He has previously taught at The University of North Carolina and at Duke University. He was the architect of the Gypsy code optimizer and the Gypsy Covert Channel Analysis tool. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has a MS degree in computer science from the University of Maryland, and a BS degree in physics from Duke University.

[ TOP ]

Tutorial M4 (Full Day)

Mr. Daniel Ellis
MITRE

Dr. Nicholas Weaver
UC Berkeley

Abstract

Mobile malicious code (mobile malcode) has resulted in the loss of tens of billions of dollars to the international economy. Far more devastating worms are feasible. Four observations lead us to believe that mobile malcode is a significant and increasing threat. First, many instances of mobile malcode could have caused much greater damage than they did. Second, advancements in malcode technology are making for far more potent attacks. Third, the vulnerabilities which pervade our infrastructure and the fabric of modern life are not being adequately removed and instead are becoming more tightly coupled. And, fourth, users and economies are becoming more dependent on fragile infrastructure.

In this tutorial we present different types of mobile malcode, including viruses and network worms. We focus more on the latter, as the antivirus industry offers reasonably robust defenses against viruses but much poorer defenses against worms. We explain the history of worms and viruses, the anatomy of malicious malcode, what postures and countermeasures help mitigate the threat, and an overview of current efforts to combat the threat. We provide detailed analysis of several examples of contemporary mobile malcode. A student will come away from this tutorial understanding what the threat is, why the threat exists, and what can be done now to help protect their organization from the threat, as well as research areas which might offer substantial protection in the future.

Prerequisites:

A student should have a general understanding of networking, including TCP/IP. An understanding of software and the anatomy of a process will also be helpful.

Outline:

1. Overview. Definition of Mobile Malcode. Subclasses of mobile malcode. Anatomy of mobile malcode. Generalized Worm Strategies. Buffer Overflow Primer
2. Virus History. Early viruses. Fred Cohen's work. Viruses of the late 80's and early 90's. Antivirus technology. Email borne viruses of the 90's.
3. Worm History. Shoch and Hupp's early experiments with worms. The Morris/Internet Worm of 1988. Linux worms of 1999. Windows worms of the same era. Hybrid malcode. Active worms of 2000-2003. Hypothetical Worms proposed in research literature and on the Web. Target discovery strategies.
4. Observations About Technological Malcode Advances. Attributes seen in the wild. Potential features from the underground. Potential features from the goodguys.
5. Defensive Postures & Reactions. Configuration & Risk Management. Perimeters & Least Privilege.
6. Current Research Efforts. DARPA DQ. HP Connection Throttling. IBM Virus Research. Other Research Possibilities?