Yu Chen | 陈宇, 山东大学网络空间安全学院教授, 博士生导师. 曾先后在中国科学院信息安全国家重点实验室和蚂蚁金服任职工作. 主要研究方向是理论密码学, 专注于基本密码组件、 密码协议(零知识证明、多方安全计算)及其在隐私保护场景(如云计算和金融科技)中的落地应用. 近年以第1/通讯作者在密码学领域的国际高水平会议CRYPTO、ASIACRYPT、PKC、ESORICS、CT-RSA等上发表论文多篇. 主持国家自然科学基金青年项目(1项)、面上(1项)、 作为核心人员参与国家自然科学基金重点项目(1项). 2017年入选中科院青年创新促进会, 2018年获中国密码学会密码创新奖二等奖. 2020年获首届金融密码杯创新大赛团队一等奖、个人一等奖. | Title: Supervisable and Auditable Decentralized Confidential Payment System |
---|---|
Abstract: In this talk, we report the construction of supervisable and auditable decentralized confidential payment (DCP) system. In addition to offering transaction confidentiality, SA-DCP supports secure supervision and privacy-preserving audit. We present a generic construction of SA-DCP system from integrated signature and encryption scheme and non-interactive zero-knowledge proof systems. We then instantiate our generic construction by carefully designing the underlying building blocks, yielding a standalone cryptocurrency called PGC. In PGC, the setup is transparent, transactions are less than 1.3KB and take under 38ms to generate and 15ms to verify. At the core of PGC is an additively homomorphic public-key encryption scheme that we introduce, twisted ElGamal, which is not only as secure as standard exponential ElGamal, but also friendly to Sigma protocols and range proofs. This enables us to easily devise zero-knowledge proofs for basic correctness of transactions as well as various application-dependent policies in a modular fashion. Moreover, it is very efficient. Compared with the most efficient reported implementation of Paillier PKE, twisted ElGamal is an order of magnitude better in key and ciphertext size and decryption speed (for small message space), two orders of magnitude better in encryption speed. We believe twisted ElGamal is of independent interest on its own right. |
Le Guan | - | |
---|---|---|
Le Guan is an assistant professor at the department of computer science in the University of Georgia (UGA). Before joining UGA, he was a post-doctoral researcher at the Pennsylvania State University. He received a PhD from the Institute of Information Engineering, Chinese Academy of Science in 2015, and a BS degree from the University of Science and Technology of China in 2009. His research interests cover many topics in the system security field, including operating systems and mobile systems, with his current research interest focusing on protection techniques applied to low-cost microcontroller unit systems. He has published papers in top-tier system security venues such as IEEE S&P, NDSS, USENIX Security, as well as mobile computing venues such as MobiSys and SenSys. He is a recipient of the distinguished paper award of ACSAC 2017. | ||
Title: Challenges in Designing Dynamic Analysis Tools for Microcontroller-based Embedded Systems | ||
Abstract: Microcontroller units (MCUs) have become popular in recent years, driving a number of security- and safety- critical embedded applications, ranging from industrial automation, smart manufacturing, automotive, to health care and home security. However, these resource-constrained devices lack basic security mechanisms available in traditional architectures. This allows adversaries to easily exploit known or zero-day software vulnerabilities in them, endangering people’s lives, infrastructure safety and even national security. To safeguard these devices, a straightforward solution is to find and fix software bugs before they are deployed. Unfortunately, MCU firmware developers often only have access to rudimentary debugging and testing tools during development. In this talk, we will first discuss challenges in designing security-oriented dynamic analysis tools for MCU-based embedded systems. Then, we will introduce new mechanisms that cross the technical barriers imposed by the unique characteristics of MCU hardware and firmware, and how we leverage them to more efficiently find bugs in MCU firmware. |
Hongxin Hu | - | |
---|---|---|
Hongxin Hu is an Associate Professor in the Department of Computer Science and Engineering at University at Buffalo, SUNY. He is a recipient of the NSF CAREER Award for 2019. His research spans security, privacy, networking, and machine learning. He has participated in multiple cross-university, cross-disciplinary projects funded by NSF. His research has also been funded by USDOT, Google, VMware, Amazon, Dell, etc. He has published over 100 refereed technical papers, many of which appeared in top-tier conferences such as CCS, USENIX Security, NDSS, SIGCOMM, ICML, and CHI, and well-recognized journals such as IEEE TIFS, IEEE TDSC, IEEE/ACM TON, and IEEE TKDE. He is the recipient of the Best Paper Awards from ACSAC 2020, IEEE ICC 2020, ACM SIGCSE 2018, and ACM CODASPY 2014. His research has won the First Place Award in ACM SIGCOMM 2018 SRC. His research has also been featured by the IEEE Special Technical Community on Social Networking and received 50+ press coverage including ACM TechNews, InformationWeek, Slashdot, etc. | ||
Title: Enforcing Safety and Security Policy with Real IoT Physical Interaction Discovery | ||
Abstract: The Internet of Things (IoT) platforms bring significant convenience for increased home automation. Especially, these platforms provide many new features for managing multiple IoT devices to control their physical surroundings. However, these features also bring new safety and security challenges. For example, an attacker can manipulate IoT devices to launch attacks through unexpected physical interactions. Unfortunately, very little existing research investigates the physical interactions among IoT devices and their impacts on IoT safety and security. In this talk, I will present a novel dynamic safety and security policy enforcement system called IoTSafe, which can capture and manage real physical interactions considering contextual features on smart home platforms. |
Qinsheng Hou | - | |
---|---|---|
侯勤胜,清华大学-奇安信联合研究中心研究员。 主要研究方向为Android系统与软件安全、软件供应链安全、IoT软件安全性分析及沙箱技术。相关研究工作在Usenix Security和AsiaCCS会议上发表,授权发明专利一项,获得GeekPwn 2020新基建安全大赛优胜奖。 | ||
Title: Android固件生态的大规模安全测量 | ||
Abstract: 在这项工作中,我们对Android固件生态系统的安全性进行了大规模的综合测量。 我们的研究基于来自100多个供应商的数千个固件映像和几百个相关的CVE。 为了自动化完成分析,我们设计了一个分析框架来完成ROM爬取、 ROM解析、补丁分析和应用分析。通过海量数据分析和案例探索, 我们得到了一些有意义的发现。 |
Xinyi Huang | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
黄欣沂, 福建师范大学计算机与网络空间安全学院教授,博士生导师, 长期从事公钥密码研究,研究工作获教育部自然科学奖一等奖(第3完成人); 担任中国密码学会理事、《中国科学:信息科学》青年编委,AsiaCCS2016等学术会议主席; 入选教育部青年长江学者和福建省“百人计划”,主持国家自然科学基金优青项目和重点项目。 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Title: Towards Efficient Privacy-Preserving Inspection of TLS Encrypted Traffic | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Abstract: Network middleboxes perform deep packet inspection to detect anomalies and suspicious activities in network traffic. However, increasingly these traffic are encrypted and middleboxes can no longer make sense of them. This raises the problem of privacy-preserving inspection on TLS encrypted traffic. In this talk will first introduce the need for TLS traffic inspection and the problem with the existing approach. Three recent proposals, namely Blindbox, PrivDPI and Pine, will be then introduced. Finally, I will present conclusion and future direction. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Shouling Ji | |
---|---|
纪守领, 浙江大学“百人计划”研究员、 博士生导师、浙江大学滨江研究院国产信创研究中心副主任, 获佐治亚理工学院电子与计算机工程博士学位、 佐治亚州立大学计算机科学博士学位,入选国家和省部级人才计划。 主要研究方向为人工智能与安全、数据驱动安全、 软件与系统安全和大数据分析,发表论文100余篇, 包括IEEE S&P, USENIX Security, ACM CCS, KDD等CCF A类论文70余篇,研制的多个系统在大型平台上获得部署应用。 获国家优秀留学生奖、8项最佳论文奖、浙江大学先进工作者等奖项。 | |
Title: Label Inference Attacks Against Vertical Federated Learning | |
Abstract: As the initial variant of federated learning (FL), horizontal federated learning (HFL) applies to the situations where datasets share the same feature space but differ in the sample space, e.g., the collaboration between two regional banks, while trending vertical federated learning (VFL) deals with the cases where datasets share the same sample space but differ in the feature space, e.g., the collaboration between a bank and an e-commerce platform. Although various attacks have been proposed to evaluate the privacy risks of HFL, yet, few studies, if not none, have explored that for VFL. Considering that the typical application scenario of VFL is that a few participants (usually two) collaboratively train a machine learning (ML) model with features distributed among them but labels owned by only one of them, protecting the privacy of the labels owned by one participant should be a fundamental guarantee provided by VFL, as the labels might be highly sensitive, e.g., whether a person has a certain kind of disease. However, we discover that the bottom model structure and the gradient update mechanism of VFL can be exploited by a malicious participant to gain the power to infer the privately owned labels. Worse still, by abusing the bottom model, he/she can even infer labels beyond the training dataset. Based on our findings, we propose a set of novel label inference attacks against VFL. Our experiments show that the proposed attacks achieve an outstanding performance. We further share our insights and discuss possible defenses. Our research can shed light on the hidden privacy risks of VFL and pave the way for new research directions towards more secure VFL. |
Zhiqiang Lin | |
---|---|
Dr. Zhiqiang Lin is Professor of Computer Science and Engineering at The Ohio State University (OSU). His research interest lies in software security and trusted computing (particularly trusted execution environments), with an emphasis on developing automated program analysis (e.g., binary analysis and reverse engineering techniques), system abstractions, and tools, and applying them for securing both the application programs including mobile apps and the underlying systems software such as OS kernels and hypervisors. He is a recipient of NSF CAREER award, AFOSR Young Investigator award, and Faculty Research Awards from Vmware and Amazon. | |
Title: Software Security: Past, Present, and Future | |
Abstract: Despite decades of efforts in defending against memory corruptions, we still cannot see the end and today the exploitation of memory corruption in our daily used software such as web browsers and servers is still one of the most dangerous threats. While there are many reasons for that, the most important one is there is still a lack of defense that is backwards compatible and meanwhile has extremely low overhead. In this talk, Dr. Lin will first provide a historical overview of the various defenses that have been proposed (some of which have been deployed), and discuss their pros and cons. Then, he will talk about some of the recent efforts from his group on hardening the COTS binaries through static binary rewriting. Finally, he will shed light on the future defense. |
Ding Wang | |
---|---|
汪定, 南开大学教授,博士生导师, 密码科学与技术系主任,天津市网络与数据安全技术重点实验室副主任, 研究方向为数字身份安全。近年来以第一作者(或通讯作者) 在IEEE S&P、ACM CCS、USENIX Security、NDSS和IEEE TDSC、 IEEE TIFS等国内外刊物发表论文60余篇,被引用3300余次,H-index为27。 主持国家重点研发计划课题、国家自然科学基金、装备预研、国家某部社研等项目10余项。担任CCF《技术动态》编委, CCF推荐期刊WCMC、IJISP、《计算机科学》、 《电子与信息学报》等7个国内外期刊的编委/执行编委,获教育部自然科学一等奖(排名第2)、 天津市科技进步二等奖(排名第4)、北大优博、CCF优博、ACM中国优博。 2019年入选南开大学“百青计划”, 2020年入选天津市青年科技优秀人才, 2021年入选爱思唯尔“中国高被引学者”。 | |
Title: 如何攻击和生成诱饵口令 | |
Abstract: 近年来,大批的知名网站(如Yahoo, Dropbox, Poshmark, Quora, 163,万豪)发生了用户口令文件泄露事件。更为严重的是,这些泄露往往发生了数月甚至数年后才被网站发现,才提醒用户更新口令,然而为时已晚。比如,Nitro PDF在2020年10月泄露了7700用户口令和各类个人身份信息,在2021年1月才发现,这给了攻击者充足的利用时间。 诱饵口令(Honeywords)技术是检测口令文件泄露的一种十分有前景的技术,由图灵奖得主 Rivest 和 Juels在ACM CCS’13 上首次提出。本研究发现,他们给出的4个主要 honeywords 生成方法均存在严重安全缺陷,且此类启发式方法无法简单修补;进一步提出一个honeywords 攻击理论体系,成功解决“给定攻击能力,攻击者如何进行最优攻击”这一公开问题;反过来,攻击者的最优攻击方法可被用来设计最优 honeywords 生成方法,成功摆脱启发式设计。本研究将使honeywords生成方法的设计和评估从艺术走向科学,为及时检测口令文件泄露提供理论和方法支撑。 |
Jun Xu | - | |
---|---|---|
Jun Xu is currently an Assistant Professor in the Department of Computer Science at Stevens Institute of Technology. He received his Ph.D. degree from Penn State University in 2018. His research focuses on software security and system security. His goal is to secure computing systems by neutralizing the risk of vulnerabilities in the software stack. His research has discovered hundreds of software vulnerabilities and led to many papers published in top-tier computer security conferences, including IEEE S&P, ACM CCS, USENIX Security, and Blackhat. He is a recipient of CCS Outstanding Paper Award 2018, Penn State Alumni Dissertation Award, and RSAC Security Scholarship. | ||
Title: The Past, the Present, and the Future of Binary Analysis | ||
Abstract: Binary analysis is a foundational technique to improve the security of legacy code. Binary analysis consits of a broad spectrum of techniques, ranging from low-level disassembly to high level semantic understanding. It has also been applied to various security applications, such as vulnerability finding and malware analysis. In this talk, I will try to give an introductionary overview of binary analysis and its applications. I will explain the underlying techniques of binary analysis from different levels, followed by a summary of the main lines of applications in security. After that, I would like to share my thoughts about the remaining challenges of binary analysis, the new problems, and the future directions. |
Chao Zhang | - | |
---|---|---|
张超,博士, 清华大学副教授(博导),蓝莲花战队教练。获得清华大学学术新人奖、某海外人才计划、MIT TR35 China、求是杰出青年学者、中国科协青托等奖励和荣誉。主要研究软件和系统安全, 在国际四大安全会议发表论文近20篇。 提出了成体系的自动化漏洞挖掘、利用、防御方案, 分别获得腾讯CSS安全探索论坛专业奖、突破奖、微软BlueHat竞赛特别提名奖; 研发的自动攻防系统获得美国国防部DARPA CGC机器自动攻防竞赛初赛防御第一、决赛攻击第二。 | ||
Title: 自动化堆风水技术Maze | ||
Abstract: 漏洞自动利用技术(AEG)通过自动化手段评估漏洞可利用性,成为近年来的智能攻防竞赛(例如DARPA CGC)中最核心的挑战。具体到堆内存相关的漏洞(例如堆溢出、UAF等), 如果要成功利用这些漏洞的话,通常要求程序运行时的堆内存必须符合特定布局。 在实践中,安全专家基于经验并发挥创造性来操纵程序输入,驱动程序实现特定内存布局, 这一过程称为堆风水技术。现有的AEG技术无法有效实现堆风水, 本次报告中演讲者将分享其团队提出的自动堆风水方案Maze。 |
Fangyu Zheng | |
---|---|
郑昉昱,博士,助理研究员, 中科院信工所引进优秀青年人才, 长期从事密码高性能计算、密码应用、密码测评等领域技术研究工作, 以第一/通信作者在TIFS、IPDPS等国内外知名会议/期刊累计发表20篇论文, 主持国家重点研发计划子课题3项、国家自然科学基金项目1项, 主持/参与10余项重要密码国家/行业标准制定, 编写了《密码软件实现与密钥安全》《密码应用与安全性评估》两本专著。 | |
Title: 基于GPU浮点数指令的密码实现技术 | |
Abstract: 现代密码算法一般使用整数作为基础数据单元进行数学变换, 特别是RSA、ECC等公钥密码算法直接依赖于大整数的运算。 因此,绝大多数密码算法实现都是利用计算平台上已经提供的整型数指令以及相应的多精度指令扩展完成密码运算。但在一些计算平台上, 情况可能存在变数,比如GPU。由于图形渲染和大规模科学计算的需要, GPU往往具备强于整型数指令数倍的浮点数计算性能,这也为密码算法实现带来了新的思路和契机。 本次报告主要介绍基于浮点数指令的公钥密码实现框架, 重点介绍如何克服浮点数指令本身的局限性,来逐步挖掘浮点数指令在密码实现中的最大可能。 该项研究在Tesla P100、V100等平台上可达传统整型数实现的2-3倍, 相关研究成果发表在TIFS、IPDPS、ISC等会议/期刊上。 |
Panelists
徐秋亮 | 山东大学软件学院教授。现任中国密码学会常务理事,山东商用密码协会理事长,现主要研究兴趣为安全多方计算理论及实用化、云环境下的数据安全。 |
---|---|
罗鹏 | 商用密码检测中心副主任,研究员级高工,长期从事密码检测工作。曾获得国家科技进步二等奖一项,省部级科技进步一等奖四项。 |
夏鲁宁 | 博士,正高级工程师,北京数字认证股份有限公司研究院院长。中国密码学会会员、密标委应用组责任专家。 |
郁昱 | 上海交通大学计算机系教授,主要从事密码学相关的研究,多项研究成果在三大国际密码会发表。目前担任亚洲指导委员会委员,是美密2021、欧密2020/2022和亚密2018/2020/2021的程序委员会委员。 |
马原 | 中国科学院信息工程研究所副研究员、中国密码学会密码应用安全性评估联委会副主任委员。研究方向为密码应用与安全性评估等,在IEEE TIFS、TCAD、AisaCrypt、CHES等国际顶级期刊和会议上发布论文30余篇,《商用密码应用与安全性评估》教材主编之一,参与《信息系统密码应用基本要求》《密码模块安全要求》等国家标准编制。获中国密码学会优秀青年、密码创新奖等奖项。 |
白小勇 | 炼石网络创始人和CEO,提出AOE面向切面加密技术,实现应用免改造的数据防护,获第七届互联网安全大会(ISC 2019)首届创新独角兽沙盒大赛总冠军。 |
张秉晟 | 国家青年千人、浙江省千人,现任浙江大学百人计划研究员。曾任英国兰卡斯特大学网络安全系主任、信息安全学科带头人。是世界上首个商用安全多方计算平台Sharemind的核心研发人员,设计的区块链治理系统被包括Cardano (Top 10)、Horizen、Ethereum Classic在内的多家区块链系统使用。目前主导ISO/IEC PWI 7748零知识证明国际标准项目。 |