Tuesday July 4

09:00 - 17:00ESSOS 2017


Wednesday July 5

09:00 - 15:00ESSOS 2017
15:00 - 15:30DIMVA Registration
15:30 - 17:00Joint DIMVA/ESSOS 2017 Panel
Exploit Mitigations - Completeness and Effectiveness versus Performance
Chair: Mathias Payer (Purdue University)
Panelists: Thomas Dullien (Google), Cristiano Giuffrida (VU Amsterdam), Michalis Polychronakis (Stony Brook University)
17:00 - 22:00Joint DIMVA/ESSOS 2017 Poster Session and Reception


Thursday July 6

08:00 - 09:00Registration
09:00 - 09:15DIMVA Welcome
09:15 - 10:30Keynote: Thomas Dullien (Google Inc.)
What happens when somebody writes an exploit?
In spite of being central to everything that is going on in IT security, the concept of "exploit" is surprisingly poorly formalized and understood only on an intuitive level by security practitioners. This lack of clear definition has all sorts of negative side-effects: From ineffictive teaching to muddled thinking about mitigations.
In this talk, I will make an attempt to more clearly define what it is that attackers do when they write an exploit - and then talk about what this means for mitigations and secure coding.
10:30 - 11:00Coffee break
11:00 - 12:30Session 1: Enclaves, Isolation, Dominance
Malware Guard Extension: Using SGX to Conceal Cache Attacks
Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, Stefan Mangard (Graz University of Technology)
On the Trade-Offs in Oblivious Execution Techniques
Shruti Tople, Prateek Saxena (National University of Singapore)
MemPatrol: Reliable Sideline Integrity Monitoring for High-performance Systems
Myoung Jin Nam (Secure Software Development Research Centre, Korea University, Seoul, S. Korea); Wonhong Nam (Dept. of Internet & Multimedia Eng., KonKuk University, Seoul, S. Korea); Jin-Young Choi (Secure Software Development Research Centre, Korea University, Seoul, S. Korea); Periklis Akritidis (Niometrics, Singapore)
12:30 - 14:00Lunch break
14:00 - 15:30Session 2: Under the Microscope
Measuring and Defeating Anti-Instrumentation-Equipped Malware
Mario Polino, Andrea Continella, Sebastiano Mariani, Stefano D'Alessio, Lorenzo Fontana, Fabio Gritti, Stefano Zanero (Politecnico di Milano)
DynODet: Detecting Dynamic Obfuscation in Malware
Danny Kim (University of Maryland); Julien Roy (SecondWrite LLC); Amir Majlesi-Kupaei (University of Maryland); Kapil Anand, Khaled ElWazeer (SecondWrite LLC); Daniel Buetner (Laboratory of Telecommunication Sciences); Rajeev Barua (University of Maryland)
Finding the Needle: A Study of the PE32 Rich Header and Respective Malware Triage
George D. Webster, Bojan Kolosnjaji, Christian von Pentz, Julian Kirsch (Technical University of Munich); Zachary D. Hanif (unaffiliated); Apostolis Zarras, Claudia Eckert (Technical University of Munich)
15:30 - 16:00Coffee break
16:00 - 17:30Session 3: Lights, Motors, Action!
Last Line of Defense: A Novel IDS Approach Against Advanced Threats in Industrial Control Systems
Mark Luchs, Christian Doerr (Delft University of Technology)
LED-it-GO: Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED
Mordechai Guri, Boriz Zadov, Yuval Elovici (Ben-Gurion University of the Negev)
A Stealth, Selective, Link-layer Denial-of-Service Attack Against Automotive Networks
Andrea Palanca (Politecnico di Milano (Italy)); Eric Evenchick (Linklayer Labs); Federico Maggi (Trend Micro, Inc.); Stefano Zanero (Politecnico di Milano (Italy))
18:00Bus Transfer to Conference Dinner
19:00 - 23:00Conference Dinner at Rolandseck Castle (aka Rolandsbogen)


Friday July 7

09:00 - 09:15PoliCTF Kickstart
09:15 - 10:30Keynote by Christopher Kruegel (University of California, Santa Barbara)
Finding Vulnerabilities in Embedded Software
Embedded devices have become ubiquitous, and they are used in a range of privacy-sensitive and security-critical applications. Most of these devices run proprietary software (firmware), and little documentation is available about the software's inner workings. Firmware, like any piece of software, is susceptible to a wide range of errors. These include memory corruption bugs, command injection vulnerabilities, and application logic flaws. Embedded device vendors typically do not provide source code for their proprietary firmware. Hence, all analysis has to be performed directly on binary code. This is challenging because binary code lacks the high-level, semantically rich information about data structures and control constructs that are present in a program's source code. To address the analysis challenges, we have developed angr. angr is an open-source binary analysis platform that implements many static analysis techniques and supports symbolic execution of binaries.
In this talk, we will discuss some of the inner workings and design choices in angr. A common limitation of many contemporary techniques to detect vulnerabilities in binary code is that they only find shallow bugs and struggle to exercise deeper code paths. To drive the analysis deeper into a program, we introduce novel techniques to improve the scalability of our system. These techniques frequently rely on interesting compositions of different analysis approaches, in a way that leverages the advantages of each individual approach while compensating for their respective limitations. We will also cover a novel detection model that allows us to identify authentication bypass vulnerabilities (or, less formally, backdoors), an important class of logic flaws. To automatically find backdoors, we introduce the concept of input determinism, which captures an attacker's ability to determine the input necessary to execute privileged operations of the device. Finally, we will shed some light on angr as an integral component in the automated vulnerability finding, exploitation, and patching engine that participates in DARPA's Cyber Grand Challenge (CGC), the first competition where autonomous programs participate in a capture-the-flag competition.
10:30 - 11:00Coffee break
11:00 - 12:30Session 4: Fighting the Fight
Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps
Thomas Barabosch, Niklas Bergmann, Adrian Dombeck, Elmar Padilla (Fraunhofer FKIE)
SPEAKER: Split-Phase Execution of Application Containers
Lingguang Lei (Institute of Information Engineering, Chinese Academy of Sciences; George Mason University); Jianhua Sun (College of William and Mary); Kun Sun (George Mason University); Chris Shenefiel (Cisco Systems, Inc.); Rui Ma, Yuewu Wang (Institute of Information Engineering, Chinese Academy of Sciences); Qi Li (Tsinghua University)
Deep Ground Truth Analysis of Current Android Malware
Fengguo Wei, Yuping Li (University of South Florida); Sankardas Roy (Bowling Green State University); Xinming Ou (University of South Florida); Wu Zhou (Didi Labs)
12:30 - 14:00Lunch break
14:00 - 15:30Session 5: Dive into Code
HumIDIFy: A Tool for Hidden Functionality Detection in Firmware
Sam Thomas, Flavio D. Garcia, Tom Chothia (University of Birmingham)
BinShape: Scalable and Robust Binary Library Function Identification Using Diverse Features
Paria Shirani, Lingyu Wang, Mourad Debbabi (Concordia University)
SCVD: A New Semantics-Based Approach for Cloned Vulnerable Code Detection
Deqing Zou, Hanchao Qi (Huazhong University of Science and Technology); Zhen Li (Huazhong University of Science and Technology; Hebei University); Song Wu, Hai Jin, Sujuan Wang, Yuyi Zhong (Huazhong University of Science and Technology)
15:30 - 16:00Coffee break
16:00 - 17:30Session 6: Web of Threats
On the privacy impacts of leaked password databases
Olivier Heen, Christoph Neumann (Technicolor)
Unsupervised Detection of APT C&C Channels using Web Request Graphs
Pavlos Lamprakis, Ruggiero Dargenio, David Gugelmann (ETH Zurich); Vincent Lenders (Armasuisse); Markus Happe, Laurent Vanbever (ETH Zurich)
Measuring Network Reputation In The Ad-Bidding Process
Yizheng Chen, Yacin Nadji, Rosa Romero-Gomez, Manos Antonakakis, David Dagon (Georgia Institute of Technology)