
Hi everyone. Um, obviously, as he said, I'm Straithe, this is Falcon, and we are here to talk about academia: the 2018 literature review. Next. So just a bit of background: Falcon and I are both sort of situated in both academia and we act as practitioners in the field of IT, Falcon more so than me, but together hopefully we can provide a little bit of insight into some of the things that are happening in academia that you can use or might not know is being researched right now.

Yeah, I'm Falcon, the Leviathan security researcher. I'm still working on my thesis, as last year, about language-theoretic security. Unfortunately my advisor just got a job as a DARPA PM, so I'm changing slightly how I do that. But yeah, that's us.

So this is actually fairly similar to what we did last year, except that it's all new content. We selected new papers from the past year, so not just from 2018 but actually from all of the conferences that happened after our last talk. And so this slide sort of dictates a few interesting things for people who aren't academics, mainly how do you get access to papers without having to go through a paywall. So the orange line kind of shows: go through academics. Just talk to us, we're not that scary, hopefully. You can send us an email, send me a tweet, that's probably the easiest way to get a hold of me, but just talk to your local academics or ones on the internet and they can usually give you access to the papers they've written. So if you find something online, just ask the people who've made it and hopefully they'll help you out.

The other thing too is you can also go through university libraries. If you can get into a university, sit in the library, access their computers and print, you can also get access to all the papers, because usually you get access to papers based on your IP address and not a lot more, so that's obviously pretty easy to spoof, or just use if you're in a library at a university. So you can just go that way. The other way is you can try going through IEEE or ACM. Sometimes that works if you want access, not all the time. That is a great thing on your screen [Laughter]... besides... okay, okay, we're good, that's better, that's fine, okay. But it is actually okay, um, but yeah. So the other thing too to point out here is that Google Scholar does play a large role on the slide, and that's because even as an academic I don't bother going through IEEE or ACM or any of those to search for papers. You just go to Google, go to Google Scholar specifically, and you can look up all the papers, and when you're searching, it will show you
all the different versions: so open access versions, ones that are behind paywalls, ones that are on every website. So especially if a paper has like 15 authors, probably each of those authors has the paper on their website, it's probably on the conference website, and in the journals. So there's lots of ways to get them.

Yeah, we definitely want to save you from paywalls. So all the papers that we cite here today, all of them are either published by the author as well on their personal website, which they're allowed to do, or they're actually part of an open access journal. And so there's an amazing trend right now, specifically in the information security academic field, whereby most of our journals and conferences are beginning to absorb the open access thing. And so all of the major conferences in the field that are conferences, not journals, so that is USENIX, IEEE Oakland, otherwise known as Security and Privacy, and ACM CCS, and also the PETS conference, all of them just now publish their papers. You don't need to like pay the $50 fee or whatever the heck it is to access them, or go through any of these other shenanigans. So we've included links to all of them, but as of now, honest to god, if you find a paper that you're interested in and you read the abstract and you're like, this abstract really doesn't tell me anything, I'd like to know something about what these people actually did and what they found and if they actually did any real work here even, um, you can totally, you can just put the title in quotes, put filetype colon PDF, and there it will come up, and now usually, as often as not, from the conference itself. And it's much easier than it was even when we cited this last year.

And once you find the paper, one thing that we come across constantly is people don't know how to read a paper. So there's a paper called "How to Read a Paper". So I love the how-to-read-a-paper paper, and what it goes through are these six steps. So when you first get a paper, read the abstract: is it worth your time? Next, read the headings to understand how the information is laid out and how we're gonna work through it. And if you still like it, then you read the intro, then you read the conclusion, and at that point you should know what they're gonna tell you and what the results are. And if at that point it still doesn't tell you enough, it's probably not a great paper. But if you still find you like it, then you do the full read-through. Doing this process has saved me hours and hours and hours of my life, because so many of the papers just go straight in the trash. But the big thing here is, your first read-through with the abstract should be no more than two minutes; abstract, headings, intro and conclusion should be no more than fifteen minutes; then when you do the full read-through, that should maybe be your half hour to two hours. But if you're like me and you want to like rip that thing apart and do a full critique and like know exactly how you would attack that paper and destroy it and redo it yourself, then you spend three hours on a critique. So these are sort of the steps you can take. Most people don't have to worry about number six, and at best just go to step
five.

Usually what I look for when I'm reading through the papers is a couple of things: what is the technology that they're developing, even, for? What is its purpose or its motivating thing? Sometimes that is purely academic, it's a pure theory paper, and unless you are trying to implement some kind of new state-of-the-art thing in your field, then it is about the specific thing that you're doing and you can usually just ignore some of them. For practical papers like the ones that we've cited today, it's useful to go through and look at things such as... there was one that I was thinking about including in here, and I rejected it. It was about GPS spoofing. It turned out, after I read through the abstract and about their headings, it was about GPS spoofing, specifically using crowdsourcing to mitigate GPS spoofing that was intended to drive drones into the ground. Well, I mean, I let the drones go into the ground, place ordnance... we'll just, we'll ignore this paper, um. So you can figure out the author's motivations. The end, after the conclusion, is a great place to figure out the author's motivations too, because you can figure out who funded the research, what country, whose DoD is responsible for this. So this is why I kind of start to read the papers: I start at the top and then I go very quickly toward the end, and then I start to dig in and skim for parts that I'm interested in digging into.

Once this is done, the important thing to look at in these papers is, for every assertion they make, try and validate for your own understanding why it is that they think that that assertion is true. And once you start digging into them that way, instead of merely reading them top to bottom, you start to really get into the researcher's head and understand where they were going with the whole paper. And so we're hoping that we have a number of papers here for selection. I'm hoping that at least one of these papers is relevant to something that one of you do, and you can go through this exercise on your own and hopefully find some new avenue; at least you might get a white paper out of it.

So, um, so this year's literature. So as we go through these, the idea is just to give you a bit of awareness about what's out there, what you could be using. If you have any questions about the papers, ask the authors that are at the bottom of the page. We also have links that will be at the bottom of every page, so feel free to take pictures, and if you have any questions we will take those at the end.

Okay, so here's the first paper that we selected as being a particularly relevant piece of research for the information security community this year. The
paper is CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management. Now what this is, is it's a paper about scenarios where you have partial access to a machine but not full access. So for example, the machine is a general-purpose computing platform like your laptop, but it's enforcing DRM against you, and the way that it's enforcing DRM against you might well be that it has all of the DRM functionality in ARM TrustZone. How many papers at DEF CON have started with "well, they used ARM TrustZone to enforce DRM" and then "no more TrustZone"? Well, um, this paper kind of takes that a step further. What it does is it says all of these ARM processors, for the most part, because power management and power efficiency and battery life are such important things now, they all have dynamic voltage and frequency scaling parameters. Well, this turns out is really useful, because software is responsible for maintaining these. It's usually like the kernel driver writes to a file or writes to an address and it's like, yeah, we think you should scale the clock down now, because the thing that we're doing, we don't think the user really cares about the performance, or we think that like the screen is locked or something, so don't worry about burning the battery trying to get stuff done quickly. However, you might now recall the existence in general of glitching attacks. Well, how do we push things? We glitch them by varying the voltage and frequency. Most of the time we mess with clock and we mess with voltage. So what the researchers did is they actually took an ARM device and then they used the dynamic voltage and frequency scaling parameters to actually glitch away TrustZone, so that their code was now running in the TrustZone and they could just read whatever they liked, because they bypassed the TrustZone verification checks. So this was a paper where not only did they theorize that this was possible and synthesize it with other techniques, some of them they've cited industry for, they actually went ahead and did it, and they have a proof of concept. They didn't attach the proof of concept, unfortunately, I think. So if you wanted to replicate the results or you were wondering how to do it, probably this is one of those cases where, much like we said last year, emailing them and saying, hey, I'm really interested in your work because I have this project and I'm trying to improve the security of this consumer device, or better still, hey, I'm Google and I want this to be not... how can I... and then maybe specific examples will be forthcoming. But the paper does give you enough to really dig down into the weeds of exactly how they perform this attack, and enough to replicate it.

The other interesting thing here too is that PETS, one of the conferences that we did talk about, does accept replication papers. So this is something that the industry is, or academic industry is, trying to focus on a bit more, is replication, to make sure that these results can be verified year after year in different environments. So if you do decide to try this and see if it still works on your machines or in separate environments, please do try and submit it to a conference, and if you need help with that, talk to one of us. This one's also open access, you can get it directly from the source. And so if you want it, we will put these slides online. The URLs to the papers are at the
bottom of it. Otherwise you know how to find them, right? Next paper.

So sometimes people just take certain things for granted, like users will plug in USB sticks, right? We all talk about, you know, how some vendors will put USB sticks on the tables here at BSides. I know they did that about two or three years ago and we had to tell a bunch of new people who hadn't been in the industry very long, don't put that in your computer, because people will just plug them in. But we kind of take that for granted, that this is a given. So this paper, what it actually did was test this: like, is this an actual thing? Do we have the stats to back up this statement? And so what they did was they dropped USB sticks, unfortunately just in a university area, because of course ethics and students and researchers, this is what we have access to. But they had a file on the USB stick that would say, hey, if you find this please contact us, because unfortunately putting beacons and stuff on USB sticks is not allowed under ethics, even though I try; it doesn't quite work, something about abusive systems. But anyway, so you put a file on there and ask people to open it, and basically it said please contact us if you find this. And they dropped these USB sticks in public areas around the university: in dorms, in cafeterias, in hallways, that sort of stuff, classrooms, whatever. And the interesting thing is that they found, I think it was over 30 percent of people or something, plugged in the USB sticks and contacted them. Was that the stat? Yeah. But it was a larger amount than I would expect who actually plugged it into the computer and read the file, not just plugged it in and deleted everything and used it immediately or anything like that. And it was interesting because some of the reasons that people would plug it in were because they wanted to find the original owner; they were looking for details on it so that they could contact somebody or return it to somebody. So they specifically made sure there were files on the USB stick that said like, you know, family photos and stuff like that, to see if people would go for like the really juicy things right away or if they'd go for like the contact file. And it was pretty much, yeah, "who'd I return this to" is the file that they would check first, but they would pick it up. So this is something that I think is useful for our community, because there are now numbers to back up what people are saying.

Yep, this is a talk, this is a paper that would actually be very useful if you happen to be a red teamer somewhere. They include a lot of information about statistics, about which USB drives were picked up when and by whom, and like the kinds of people who inserted them, where, and where they dropped them. And if you wanted to make sure that your users pick up at least a few of them, and remember that like you probably have your own scoping constraints, but they're likely different from the researchers' ethical constraints, you might be able to get more fidelity and data out of a corporate network. You could literally just do the thing that they did and probably get pretty good persuasive results about why you need to double your security training budget this year. So anyways, um, Reverse Engineering x86
Processor Microcode is another very interesting paper that was released this year, somewhat in the vein of the second-to-last one that we were talking about. This paper, in my opinion, the title sells it extremely short. I'm sure they reverse engineered it. Here's what they did: they decapped an AMD processor that they bought off a shelf, analyzed exactly how the firmware, how the microcode updates work, discovered that the microcode updates were protected only by a checksum, constructed their own microcode update based on reviewing the existing microcode update, staring at the decapped chip, and reading AMD's patents about the matter, and then they successfully uploaded it into an ARM processor, resulting in a permanent and undetectable kernel implant, because also the mechanism for conducting the microcode update was itself handled by microcode. Um, so the processor is pretty much over. I have no idea how Intel exactly protects their microcode updates, but you might want to think a little bit about: had it turned out that the only thing that was standing between you and a microcode implant was like chain of custody on the processor versus the RMA process, and like lack of ability to load a kernel driver, custom kernel, boot loader, or other code that runs in ring zero. So this paper really should serve as a call to people in industry who happen to be running servers with AMD processors in them to wonder, you know, can we really trust this anymore for most workloads? I mean, let's be perfectly honest, the answer is probably no one's gonna do this to you, but it was blindingly easy, and next year maybe someone might. Hopefully I get to include that in next year's literature review.

So this paper, When Coding Style Survives Compilation. So this is a really interesting paper, and it's kind of been a thing that's going across industry. I've seen multiple universities working on this all at once, and so these papers are starting to come out. But imagine you are needing to remain anonymous for some reason or another. Say you want to contribute to a codebase but you don't
want it to be attributed to you, either for, you know, wanting-to-travel reasons, and you don't want to be working on something that could get you in trouble, or if you are, like a number of women, you want to remain anonymous and don't want people to necessarily know who you are, because they're more likely to accept your GitHub requests or GitHub pulls, because that's another paper I probably should have included in here. But say you want to remain anonymous: you can actually look at people's code and de-anonymize who they are. So this paper goes through that, and there are tons of other papers that have come out, tons, I say, like there's probably 12 I've read this year on this topic that have come out. And it's just basic little things, it's like where do you have your curly braces, how do you name your variables. For example, there are some habits people would have, like putting a letter representing the data type at the beginning of a variable, so if there's a double it would start with a D and they would write the rest of the variable name behind it; whether people use snake case or screaming snake case or whatever. All these little details, you could tell who somebody was that was programming. And it was interesting because they even brought non-programmers in to help figure out how they would de-anonymize the code, or what they thought was kind of unique about something, and even people who'd never touched code before were just like, oh, this is extremely obvious. It would be things like how many variables people would set up ahead of time, which order they put them in, why they'd put them in that order, how many indents they do. So there's a lot of work going on right now about how to make code very consistent looking, like whether... so there's some companies that have coding standards already that you have to follow, but in other places, like say you're contributing to GitHub, different projects could offer different code to go through your code and put it in a different visual manner so people couldn't tell who you are, which is kind of interesting if your privacy or anonymity is at stake.

This paper is immensely applicable to those people who are doing attribution, for obvious reasons. Attribution has been done this way in the past, and it turns out that this and other studies have shown that individuals who write malicious software, individuals who write shellcode, typically have a library of library functions that they use in particular ways, ways that they construct buffers, algorithms that they're capable of including in their code, and this has absolutely been used in the past to fingerprint even nation-state-level implants.

So I just want to say some of the things I said about this were actually from other papers as well, and just a conglomeration of the ideas, so it's not all just in this one paper, but this is a good place to start and there's great references.

Yep, we forgot to mention it in the introduction part, but one of the best ways, if you want to really dig into a paper and you find that you didn't quite get enough, or the paper didn't really tell you anything, is their references. When you publish one of these papers you must put the reference beside the text which is being referenced, and it's very good practice to go, if there's a dubious statement and it's cited, actually read the thing that it cited to make sure that it actually does say that. Wikipedia too. But beyond this, that is the way that I, when I am doing my own literature reviews and writing a paper on a topic myself, will try to broaden my search results in the body of knowledge that's available to me: look through the citations. The other thing is, usually citation indexes such as Web of Science can show you what all papers cited this one, to tell you what else builds on the techniques that were introduced here, and then you get kind of a web or a cluster of related work, and it's kind of awesome.

So, um, relatedly, Compiler-Assisted Code Randomization is
a little bit of a thing now. Um, so we have ASLR already. You all know what ASLR does and you love it, of course, but ASLR only randomizes the first few, the first little bit of the address. On 32-bit it's actually like hardly any added entropy at all; in 64-bit it's quite a bit of added entropy. But you know, the best way, if you really would like your payloads to work, if you want to jump to whatever gadget you have or make a ROP chain, the best way to do your thing is figure out if there's some way that you can leak an address from the currently loaded module, leak it, adjust all your addresses with an exploit linker thing, and then run your payload. This stops that. The way in which this stops that is, I think, similar to some previous work that I'm aware of, and what it does is they actually take the binary that they're compiling, they've instrumented LLVM to emit its normal debug information, or sorry, Clang, to emit its normal debug information into the LLVM code, but still more, and this enables them to have, as part of the install script for a package, a script that runs through and conducts what they're calling basic block order randomization on everything, and of course the start offsets of sections and everything else, so that every basic block in the program now is at a different place than an equivalent install elsewhere. So this is okay, your servers should be cattle, they should all be clones of each other, but we still want herd immunity. And now a ROP chain that was developed with disclosures from one, or they downloaded the package and happened to know what distribution you're using, will no longer work on any other install of that same software anywhere else, because everything is reordered and your gadgets are all in a different place. And I believe, although I'm not 100% certain, these researchers also found some kind of, some assembly homophones, if you will, whereby the same instruction sequence, two different instruction sequences, might have the same or indistinguishable effects, but one of them will include your ROP gadget and the other one won't. So this effectively breaks your ability to pre-construct ROP chains, and therefore I think it's a pretty awesome paper for defenders. Not only this, but they actually wrote the tool, it's in Python, bundled it as part of, I believe, apt or something like this, and it's actually on GitHub, so you can download it and run it on your own code and run your own baselines. It takes from one to ten seconds to do basic block randomization on an entire compiled program, and you too can compiler-assisted code randomization. Okay.

And this paper, Turtles, Locks and Bathrooms,
it was a paper that was presented about two weeks ago or less at PETS, and what I really like about it is they had asked a bunch of people, from I think it was age eight, like, to age seventy, to draw what they felt privacy represented, so they could get an idea of the graphical representation people have for privacy, and hopefully use that so we can help drive what symbols and metaphors we use as security professionals to talk to people about how different security tools and techniques work, or to help them out. Now the interesting thing was, people drew anything from turtles to locks to bathrooms, and there were a number of things they looked at, like context, who is with, or what the metaphors were. And one of my favorite ones was the turtle. So someone drew a turtle, and when it was in its shell it needed privacy and it was taking its privacy, and it always had the opportunity to have privacy, but when the turtle wanted to share it could come out of its shell. And it's like, that was a really cute idea, but would anybody think of using a turtle before that to demonstrate privacy? Another really interesting thing is that it was much easier for people to represent the absence of privacy than privacy itself, so things like having people intrude on them, like, that they'd draw this out, and things like that. And so that also is kind of an interesting thing to think about as someone who designs systems: maybe the bigger thing is not to show when something is safe but to show when something is not safe, when it's not private, right? And so this is something obviously that Google Chrome has started doing with the, you know, HTTP sites and all of that, is making it more obvious that it isn't the baseline safe that people are probably expecting, because they don't know how things work. So this paper goes through all those, all the pictures that they saw. They actually have the whole gallery of pictures that people drew available on the website as well, which you can see in the paper, but it goes through all the stats of, you know, who finds what more important based on age range, gender and that sort of thing. So definitely a fun one to check out if you're into design and if you want to know how people think about what you're trying to tell them.

If you are in the position of developing security training or trying to make users care about privacy, or even educating activists, for example, or refugees, about how to stay private online or preserve aspects of their privacy that they value, if you read that paper it will give you unbelievably large amounts of insight into what the people who are studied are thinking and what their existing perceptions are, so that you can frame the language of privacy in their terms and forever put to rest these strange discussions that you have with people of "how can I stay private online on Facebook?" Mm-hmm.

Yes, and one of the things that the researchers tried to do when they wrote this paper is to put it in terms of two of the biggest privacy frameworks already, which is also interesting because they do compete a little bit, so you can see how both models break down or are successful based on this new research as well. All right, next paper.

So, away from the human angle again, here's
another annoying paper of strange side-channel attacks that are absolutely impossible to mitigate. Did I mention that there was some work on Rowhammer this year as well? Um, yeah, a paper that didn't quite make my shortlist included an attack whereby they proposed some novel mechanisms for conducting Rowhammer, showed that they were immune to every existing mitigation, and said in conclusion, Rowhammer is still a thing, you're not done yet. This paper is in a similar vein. What they did is they found a construct that you can make in FPGAs, and I wish that I could have lifted the diagram out of the paper of basically the construct. These... so an FPGA, to put it in very simple terms, is a device whereby you can program it in such a way that it implements what would otherwise be a circuit made entirely of discrete logic. So you program it and you say, you make a NAND gate here, and you connect it to this OR gate's input one, and then this other thing to this OR gate's input two, and then the output goes to GPIO pin six, and then you interface with it as a normal device. And this is programmable, so these things are amazing, because you can write a program in basically logic and then you can have it compiled into a circuit board, effectively, that you flash onto something that processes it all in real time instead of iteratively like normal CPUs do. This has been a massive innovation for making a lot of processing, and in particular cryptographic processing, extremely fast. Now you see where I'm going here: we love to use this to make password cracking rigs, but we also love this to make cryptographic accelerators, many, many things. Um, so if you can get a side-channel attack on this device, keys are probably going to be disclosed, and that's precisely what these researchers did. So they constructed a logic circuit that consisted basically of a flip-flop and an AND gate in loops, so that it would kind of self-oscillate with a clock signal introduced by the FPGA. This is called a ring oscillator; it's effectively just a bunch of logic that feeds back on itself to oscillate. Now, as we know, the propagation time in logic depends on many factors: it depends on the implementation of gates in your logic family, and it depends upon the timings of the chips that you're using, and sometimes even the lengths of wire if you're at a particularly high frequency, but it also depends on voltage, which is why, like, if you overclock your processor sometimes you need also to over-volt it so that things arrive at the correct time in the correct order. So in this case what they did is they used this ring oscillator to measure the delay for propagation, among other parameters, and they effectively made a voltmeter on the FPGA that they can put wherever they like on the FPGA. Now this is particularly relevant because many vendors, including Amazon, I think, I know Scaleway and a couple of other folks, I think of Scaleway anyway, lots of folks are selling basically timeshare on FPGAs in the cloud. And so if you can get on someone else's FPGA and put voltmeters all over it, then suddenly you're able to conduct power analysis side-channel attacks, and that is what the researchers did. They did a proof of concept for this as well. I don't believe that they included source for it, but they actually attacked a cryptographic operation that they conducted in an existing secure element right beside their malicious FPGA code and recovered an AES-128 key.

And so this paper is kind of interesting. So most of my research is usually using robots to social engineer people, so I usually read a lot of social papers, a lot of robot papers, and this one I was really excited for, and then it actually turned out to be a great paper on how people should do remote work, which is kind of interesting. So what it was is there were two people working locally, one working remote over a telepresence robot, which actually ended up just being a robot sitting on a table, so it's no better than Google Hangouts.
Anyway, but the interesting thing was, they did a few experiments where they were basically trying to translate from one language to another, and it was a language that no one in the experiment, any of the participants in the experiment, had heard of, but they had a symbol chart. And how they varied the experiments is to see who had the symbol chart: whether the people locally had all the resources, so the problem and the symbol chart, or the other version of the experiment was the telepresence person had the symbol chart. And what the end finding was, was that the people who were local didn't like the person who was remote. They didn't like, or they didn't trust, that the person who's remote could do anything. They didn't see value in the person who could do remote unless they had the key, because the remote person had to offer something very unique, and something that only they could do that the local people couldn't do, in order to be seen as a valued person on the team. How many people here have experienced that, right? So this is the thing: if you're somebody who's in charge of a team and somebody wants to work remotely, what is suggested in the paper is actually to give those people access to resources and cut everybody else off of those resources. I wouldn't necessarily agree with this, because it could actually reduce productivity, but the important thing is to find a specific role or set of tasks that only that remote person can do, to give them a little bit of value to everybody else on the team. How you do that is still something that needs to be researched, but hopefully these people follow up, as they said they want to in their future work.

All right, next one: The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators. And who knew that online app generators were a thing? Okay, a few people have seen them. So these are programs, like, or web services really, where you give the web service a high-level description of your app in
some way that depends on which specific service it is: you storyboard it, you give them your assets, you say, all right, when they click this button, send this request to that URL, all that sort of stuff. Okay. And we use these so that the citizen developer, that is the term of art used here, that is a non-programmer, can cause their own Android or iOS app to spring into existence, and publish it into the Play Store, and have it work. This really opens up the ecosystem a lot. I mean, to be perfectly honest, it does kind of suck that to have the app experience, or to integrate something with an app, you need to have a developer with specific expertise in that exact framework, or learn it yourself. So these things are kind of useful. But the researchers evaluated a whole bunch of them, about 15, things like AppsGeyser and Appy Pie, and I think the other one was Seattle Cloud, and they looked at a few things about them. The first thing that they looked for was whether they could cluster which apps were generated by which app generator, which they found actually they could do with almost perfect accuracy. The next thing that they did was they analyzed a number of those apps, which happen to comprise, by the way, over eleven percent of the apps on the Google Play Store alone. Yes, eleven percent. Yes. Um, and they found, unsurprisingly I suppose, that the app generators had introduced a lot of errors. They introduced a lot of TLS verification errors, they introduced a lot of code injection problems, they introduced spurious trackers and telemetry that the developers were not necessarily aware of and may not have included in their EULAs. And so the title of this isn't "App Generators Considered Harmful", because that's passé, but the conclusion that they wrote in the paper was that every single, or nearly every single, online app generator that they surveyed had failed to protect their users from attacks that only they were capable of protecting the user against. Remember that the user is a citizen developer: they're not a developer, much less a security analyst. They could not find these issues in the apps themselves independently, and in fact do not likely have the resources, or the incentives to do so, or an awareness of the fact that they would need to do so. And so the researchers correctly say these app generators have an absolute need, as the last line of defense, to guard against these attacks, and in the main have failed to do so. They cited which specific attacks each online app generator tended to introduce. I do not believe that any of them was completely free from attacks, although the most reported attack class was simply excessive permissions, which is kind of like the thing that happens in Android all the time. Excessive permissions, whether it's a vulnerability, really is contextually dependent, but the vast majority of them had many other vulnerabilities as well, including introducing injection attacks that could have compromised users' devices, compromised the application workflow. And so this was really a call to action, to say we really need to do something about this. Um, a call to action to whom? This is one of those scenarios where, the motto of Dartmouth is "Vox clamantis in deserto", the voice crying in the wilderness. We spend so much time in academia shouting into the void, and it's really my hope that somebody who is able to kind of keep these applications from getting into the Google Play Store, for example, might leverage the results of the clustering to say, hey, you know, we notice that you're probably using online app generator Q, make sure that you update, or, you know, consider this, consider that. The exact mechanics of doing this are something that only somebody who is in that position would be able to work out, and the researchers don't actually go that far, but they do have a call to action to the community of security researchers to just keep calling these out, because it's an absolute bug mine.

And speaking of people who actually follow through, and permissions and all of this, this is a great paper that I've actually been able
to see presented three times now, and it will actually be presented at the Crypto and Privacy Village if any of you are going to DEF CON. But it's actually a great paper that talks about apps that are targeted towards children. The thing here is that they went through a bunch of apps that are listed on the Play Store as being for children, and they went through and they actually, like, tore them apart, reversed them, and they looked specifically at some of the libraries. And there are a few libraries that are used over and over for some basic things, but they also include ads and marketing right in them, and if you actually read the usage agreements for these libraries, they say, like, this should not be used in children's apps, because they contain behavioral targeting, which is not okay under COPPA in the States. And so the interesting thing here is that tons of them were in these children's apps, and this information was being sent, and a lot of the information that wasn't even supposed to be sent to these advertisers, so they could behaviorally target children, was done in plaintext, because of course there are still security problems. So this paper, amazing, it goes through all this, but then they also created a website where you can check the apps that your children use, or, you know, other people's children use, and see what the violations are, which is amazing. We say actually follow through with a tool, which is very nice to see. But yeah, so definitely check this out at the Crypto and Privacy Village; I know they'll do a better job than I can. I don't remember off the top of my head, but of course you can always check out the paper; we have the link at the bottom, and there'll be a URL in there. But yeah, so a few of the people you might recognize: Amit Elazari, she's been around here at some of the conferences a few times, she'll be presenting at the Crypto and Privacy Village with some of the other people. So next
we're gonna go on to bridging the gap. All right, so that's the conclusion of all of the papers that we selected in our review. There were so many that didn't make the shortlist, or the cuts. Just calling back to the last one, for example: one of the biggest topics in the academic community this year was the security and privacy implications of various things that we have implemented on marginalized communities, and on victims of domestic violence in particular. And so there are a very large number of papers that got published this year about surveys of apps that were used for, for domestic partner surveillance, which is a very polite term for it, among other things. Um, and unfortunately we couldn't include any of these in this, because the results were very much inconclusive and cited, well, further work is needed. But the thrust that most of these took was effectively an analysis, or a survey as we would call it, of all of the apps that seemed to do that: how they got on devices in the first place, what users' perceptions of them were, what they were being used for, and in what contexts and how often. This really is again a call to the security industry to do things like, well, how did the apps get on there? They got on there by being installed using off-Play-Store mechanisms. How can we as a community, because the researchers, remember, couldn't find a good academic way to get rid of this stuff, how can we as an industry help support the effort to get rid of these things?

So regardless, um, we wanted to kind of recapitulate some of the stuff that we talked about last year and bridge the gap, and discuss a little bit about how exactly we can go in and collaborate with academics, and how you can reach out to them about their projects and see how you can continue their work, or work with them in scenarios where you might be able to get a research grant specifically for crossover of technology from academia into industry. So first step is seminars
and presentations and press coverage. If you are in a position where you can invite a researcher to come speak at your company, to present at your conference, or if you have an opportunity to just cover them as a journalist, this is immensely helpful, because researchers in academia are funded based off of citations and how much press they get. There are some researchers that, because they are super famous in a non-academic context, get more money because more people have heard of them, because they end up in the news. And so this greatly impacts people's lives and can have great effects for the research going forward. So we highly want to recommend finding these people and inviting them into the places that you are a part of. And this will also help bridge the gap, because then you get an opportunity to hear directly from them what their research is, and they can also learn from you, and hopefully bring some of the ideas that you can't get paid for in your regular day job back into academia, and do the research and hopefully publish open access, so you can get access back to it. Because that's one of the great things: like, right now, again, I'm doing robot social engineering; no one's gonna pay me for that except for academia, because it's something that isn't widely spread yet.
Um, so another thing with that is, if you have a development practice where you're making hardware and software, one of the things that academics most need to conduct our research is the ability to actually work with these devices. Um, if I have to spend all of my time reverse engineering how your cryptographic implementation works so that I can complete my survey, this is kind of like a huge albatross around our neck, if it's impossible for me to get the hardware because you're restricting who you give your dev kits to. I actually just got done giving a talk in a different track about some work that I did on some forensic science equipment, and unfortunately the work is over, because we no longer have access to the forensic science equipment that we were testing, and so it's virtually impossible for me to move the field forward without access to the stuff that we are trying to study. So that's kind of one side of it. The other side of it is that, to give back, one of the larger pushes in the academic community is to publish your artifacts, we call them, on GitHub. This is the source code that you used to conduct your study; if you built hardware devices to conduct your study, publish designs, things like that. So it's kind of a two-way street that people are still very much beginning to go down, but the more people open-source hardware and software, and respond positively to requests of, hey, I would like a copy of your thing for research purposes, the further we all get, and the more that academics can contribute even back to your product development, and make suggestions and give technology away.

And building on that: offer to take over or collaborate on projects, because when academics create pieces of software, it's not for any other human to ever see. Usually it is, I need to get this done for my thesis, it's of no use beyond that, so I'm just gonna get it out, get it done, I don't care, and move on. And the reason for this is, in academia, building a tool is not science. We don't care; you can't get published unless you're using it to get numbers out of, to see if it works, to see if the concept works. If it's like that, that's when it's useful, but if it's just making it for the sake of making it, my advisor, like, doesn't exactly like that. So this code isn't actually written very nicely, usually. So what people like that, who are practitioners, can do is offer to take over a project. If you see something really cool happening in academia and you're like, this was an amazing paper, do you have the code? And after you've asked them and they're like, yeah, but... and you're like, I, I will refactor it for you,
I will, like, put all the comments in, I will make it look better, they're just like, okay, please take my ugly baby and make it better. So this is the kind of thing: offer to take it over, or, like Falcon said, we can collaborate by giving tools and software back and forth, hardware back and forth. It's really helpful, which I guess blends into public/private partnerships. A lot of the funding, I know for myself, I have people just send me a lot of robots, because I'm like, hey, I'll do a security assessment, and they're like, ooh, we haven't done one of those. And so it's quite often that I'll get, like, forty-thousand-dollar robots just, like, sitting in my lab for months while I'm traveling and doing stuff, because people send them to me, and they're like, can you fix our security? and I'm like, oh, that's not good. So this is kind of one of the fun things: you can actually sometimes get labs that are willing to go through your hardware completely, um, just to have access to it, just to be able to see it or use it for alternative purposes. Usually when I'm dealing with the robots and I say I'll do a security assessment, I want to actually social-engineer with them, not do the security assessment, even though that's really fun. So it's kind of like, I'll scratch your itch, back and forth.

I mean, on the academic side, we literally get paid in exposure. You publish, you get exposure; that is how you advance yourself, and things that make it easier for you to publish... you can end up doing quite a lot of what would in industry be considered free work, analysis of other people's projects that might otherwise be a pen test. The only trade-off is that you have to let them publish it. I mean, I know people who would be amenable to arrangements where, like, for example, you know, we find and do a survey of the security flaws in something and then, like, wait a little bit to publish until they're fixed, or something like this. It's like, it's a price, you know, from the academic's perspective, because you'd like to get your research out as quickly as you possibly can, but on the other hand, one of the biggest things is being able to get access to the stuff that you're trying to test, and some of the most amazing work comes out of these sorts of scenarios. Um, there are friends of mine in academia who have been able to publish papers on everything from avionics security to the security of mechanical cobot arms that are used in manufacturing, simply because the manufacturers of these things were willing to lend them a device that would otherwise be fantastically expensive, so that they could figure out whether in fact the safety guarantees that it was
trying to make were real. Um, so anyway, let's talk... yeah. So this is a talk that we saw, and we kind of wanted to keep it going, which is why we're doing these literature reviews every year that we can, because this was a great first bridging of hacking and academia that we really liked. So if you want to learn more about how the relationship between the two groups has been in the past, this is a good place to start. You can also watch our video from last year, and also this video as well; it kind of gives a lot of feedback into why we should be giving back and forth, and how, if we shift the culture for hackers and academics to be more collaborative, we might actually get more out of it for both parties.

So, in conclusion, we've got a few things. Please read papers. If you see any great ones, please send them our way; we would love to retweet them, make sure that people see them. Also, work with your researchers. If you need to set up a collaboration, you can contact one of us; we will help you find the right researcher for what you're looking for. And even if you just want to write a paper and need guidance, please, like, reach out; I'm more than happy to help out with this. And do your literature reviews for next year; we want
to compare. Yeah, it's getting easier and easier to do these literature reviews as well. I mean, moreover, at least the program is public. Usually speaking, the papers are embargoed until after the conference actually occurs, so if you think that it might be paywalled and you're just being denied access to it, double-check the date first. Most of the major work in our field is open source, and is... sorry, most of the major work in our field is open access, and while researchers are pretty much bound not to pre-publish it and scoop their own conference, after that the work becomes widely available. So again, good places to look are ACM CCS, USENIX Security, and IEEE Security and Privacy, and then a whole swath of other talks; those are kind of the major ones. The PETS conference as well is a great place to look for research, and potentially journals that are directly within your fields. Also, I mean, because you're here, I gather that at least your companies are a little bit amenable to sending you to conferences, or at least letting you out for the time it takes to come. Consider attending an academic conference and allowing the academics who have written their papers to kind of plug them to you. Sometimes it can be a slog; sometimes you have to, like, select carefully which tracks are most relevant to you. In particular, workshops tend to be where most of the work that is in a direct vertical of academic study, which often corresponds to an industry vertical, might lie. For example, every year at IEEE Oakland, or Security and Privacy, there is usually a workshop about mobile security specifically, and usually a workshop about genomic security. And so if you happen to work in one of those areas, try to see if you can make it out to one of those conferences, and all of the academics will be just all over you once they figure out that you work in industry and can put some of their tools and procedures into practice. And then also, of course, letting them present
their paper to you is kind of a free literature review. Great, thank you very much. [Applause]

We've got exactly three minutes for questions. Anybody have any? Are we just, like, good? Okay. Well, we've got Twitter handles. So the question was, how do we keep up to date with papers? For myself, I typically... well, I am a researcher full time, so I spend a lot of time reading papers; it's usually my bedtime reading. I actually get really upset when people interrupt me halfway through a paper, because I'm like, I need to know how this ends; it's like, they set up the methodology so well, I need the results, so people, like, leave me alone while I'm reading papers now. But that's one way, is to honestly just go through and find your topic, do the Google search, find what you're looking for, and just read. If you want to get the latest stuff, though, you do stick with the larger conferences. There's a whole hierarchy of which conferences are usually best to the ones that are worst. The worst ones, I can tell you, are the ones you pay to put your paper in. Good luck. Yeah, not a good time. Um, those papers typically couldn't get in anywhere else. It is true. So this is the thing: go for the top-tier conferences, like we said, CCS, PETS, Oakland, and USENIX, and you can find all those online. We can tweet them; also, if you just want to contact us, we can give you more lists and information as well.

To expand on that a little bit, there's kind of, like, multiple tiers of publication in the academic world. There's a distinction between conference papers, journal articles, and books. Here we don't usually see much in the way of books; that's more of a social science thing. Conference papers are kind of the quick-publish route. Oakland, for instance, has a submission process now, new as of last year, where you submit the paper and then it actually gets kind of pre-published as an accepted paper, and it gets into IEEE Xplore, the search engine for IEEE-published papers, more or less, like, a few months after you submit it for publication, if it's going to be accepted. Then it gets embargoed for a few days before the conference, and the conference happens, and it becomes open access again. So looking at conferences in particular, rather than journals, is one way to go. Another thing, as not a full-time academic, that I do is, if you happen to be a member, or have reason to be a member, of IEEE or ACM, you can subscribe to things like the magazines, Communications of the ACM, this sort of stuff, a journal in your field, and then just have it sent to you. Anyway, I'm being told that I should stop talking.

Thanks again. [Applause]