Presentations 2

3:00 pm to 4:00 pm
3:00 - 3:20
"Who Hit Me and Why Does It Matter: Legal and Policy Challenges in Attributing Cyber Attacks"
“Whodunit?” It’s the first question in every cop show and at the heart of much of criminal justice. Likewise, identifying attackers in cyberspace is foundational to deterring bad behavior, whether by adversary nations or terrorist or other criminal groups. Without reliable “attribution” -- that is, identifying agents responsible for an attack, and the country or other entity directing them -- attackers can act with impunity. More importantly, reaching the wrong conclusion about an attacker could have catastrophic consequences, perhaps even leading to an unintended war. In the realm of nations, being able to demonstrate the sponsor of an attack enables military, diplomatic and legal response options. Conversely, being able to demonstrate responsibility enables victim nations to take responsive action against the right attacker – and demonstrate to the world that the is justifiable. On a smaller, but no less important, scale, accurate and provable attribution enables prosecutors to bring attackers to justice – if they can catch them.
Yet, our current methods of attribution, at least those that can be discussed in public, are extremely limited. This has become apparent in recent months as the United States has struggled to publicly demonstrate Russian responsibility for attempted interference with our elections. However, the law in this area is surprisingly undeveloped. In many ways, it’s still the Wild West out there when it comes to placing responsibility for cyberattacks; there are no agreed rules. UCI’s Cybersecurity Policy & Research Institute is conducting a research project around laws and policies governing attribution in multiple settings and this presentation will provide some preliminary thoughts on this important issue.
Bryan Cunningham is the Executive Director for UCI’s Cybersecurity Policy and Research Institute. He is a leading international expert in cyber security, privacy, trade secret protection, employee monitoring and government surveillance issues, with special expertise in US and European Union data protection law and compliance. Bryan developed this unique practice through extensive experience in senior US Government intelligence and law enforcement positions. Most recently, he served as Deputy Legal Adviser to then-National Security Advisor Condoleezza Rice. He also served six years in the Clinton Administration, as a senior CIA officer and federal prosecutor. He drafted significant portions of the Homeland Security Act and related legislation, helping to shepherd them through Congress. He was a principal contributor to the National Strategy to Secure Cyberspace, worked closely with the 9/11 Commission and has provided legal advice to Presidents, National Security Advisors, the National Security Council, and other senior government officials on intelligence, terrorism, cyber security and other related matters. Bryan is a cybersecurity and privacy lawyer who has advised clients on data and critical infrastructure protection and privacy programs.
3:20 - 3:40

"Automatic Generation of Inter-Component Communication Exploits for Android Applications"
Joshua Garcia, Associate Project Scientist, ISR, UC Irvine
Although a wide variety of approaches identify vulnerabilities in Android apps, none attempt to determine exploitability of those vulnerabilities. Exploitability can aid in reducing false positives of vulnerability analysis, and can help engineers triage bugs. Specifically, one of the main attack vectors of Android apps is their inter-component communication interface, where apps may receive messages called Intents. In this paper, we provide the first approach for automatically generating exploits for Android apps, called LetterBomb, relying on a combined path-sensitive symbolic execution-based static analysis, and the use of software instrumentation and test oracles. We run LetterBomb on 10,000 Android apps from Google Play, where we identify 181 exploits from 835 vulnerable apps. Compared to a state-of-the-art detection approach for three ICC-based vulnerabilities, LetterBomb obtains 33%-60% more vulnerabilities at a 6.66 to 7 times faster speed.

Joshua Garcia is an Associate Project Scientist at the Institute for Software Research at the University of California, Irvine (UCI) and the Software Engineering and Analysis Lab at UCI’s Department of Informatics. His current research interests including mobile security, testing, and analysis—and addressing problems of software architectural drift and erosion. Before joining UCI, he was a Postdoctoral Research Fellow at George Mason University’s Department of Computer Science. He received three degrees from the University of Southern California: a B.S. in computer engineering and computer science, an M.S. in computer science, and a Ph.D. in computer science. His industrial experience includes software-engineering or research positions at the NASA Jet Propulsion Laboratory, the Southern California Earthquake Center, and Xerox Special Information Systems.

3:40 - 4:00
"Privacy Compliance by Design: Enhancing Industry Software Practices For Compliance with Privacy Laws and Regulations"
Sameer Patil, Assistant Professor, Indiana University Bloomington
Companies must comply with relevant privacy laws and regulations when developing and deploying software systems. However, the regular occurrence of privacy violations and related lawsuits suggests that software professionals find privacy compliance challenging. Moreover, privacy compliance testing often occurs at later stages and may be performed by individuals external to the core team, thus raising the cost of addressing and fixing non-compliance. Paying attention to privacy compliance from early stages of software development can address these challenges. To this end, we are exploring 'privacy ideation cards’ as a lightweight tool to make privacy laws and regulations understandable to software professionals and usable in their everyday work practice. Use of the cards in real-world settings in industry and academia indicates their promise in facilitating privacy compliance as well as in helping students learn about tackling privacy issues in software systems.

Sameer Patil is an Assistant Professor in the School of Informatics and Computing at Indiana University, Bloomington (IU) and a fellow of IU’s Center for Applied Cybersecurity Research (CACR). Prior to joining IU, he was an Assistant Research Professor in the Department of Computer Science and Engineering at New York University’s Tandon School of Engineering where he was a member of the NYU Center for Cybersecurity. Previously, he was a Research Scientist at Yahoo Labs in Sunnyvale, CA and at the Helsinki Institute for Information Technology (HIIT) in Finland. He has also held Visiting Professor appointments at the Vienna University of Economics and Business, Austria and University of Siegen, Germany. Sameer holds a Ph.D. in Information and Computer Science from the University of California, Irvine, two Master’s degrees (Computer Science & Engineering and Information) from the University of Michigan, Ann Arbor, and a Bachelor’s degree in Electronics Engineering from the University of Bombay, India. Sameer’s research interests lie at the intersection of Privacy and Cybersecurity, Human Computer Interaction (HCI), and Social Computing. The results of his research have been published at top-tier conferences, such as CHI, CSCW, and SOUPS, and he holds several US patents. Sameer’s research has been funded by the National Science Foundation and Google.