Every once in a while you need to take a step back and think about the future. Where is a good place to look for high-risk, high-opportunity ideas in the future of computer security? The New Security Paradigms Workshop (NSPW) is a crystal-ball view into the future of cybersecurity: an invitation-only workshop dedicated to in-depth discussion of radical, forward-thinking security research. Here are highlights from a handful of presentations that pursue areas that might be evocative or inspirational to the broader Cisco security community.
Milware: Identification and Implications of State Authored Malicious Software is a research effort that starts by looking for a technical basis on which to distinguish malware from milware. The authors evaluated and reverse-engineered sample malicious software to establish an initial set of criteria that consistently separated the samples identified as state-authored from those identified as non-state-authored. These are:
- Specificity of (constraints on) propagation method
- Manner of movement in target network (e.g. lateral, higher value targets)
- Specificity and severity of exploits (e.g. higher CVSS scores), and
- Customization of payload (code and tools used).
Potential additions to the criteria include code reuse, design metrics (e.g. cyclomatic complexity), measures of modularity, and current trends in targeting trust infrastructure.
What might be the policy implications of being able to tell the two apart early in the detect/respond lifecycle? Would a victim respond differently if it could be determined whether the attack was milware rather than malware? What if, as a victim, you knew that the attacker had no concern about the attack being brought to light? That the attacker was not subject to the existing set of legal tools? That state-level resources had been brought to bear on the attack?
Another paper that looks at the potential impact of international politics on security is Peace vs. Privacy: Leveraging Conflicting Jurisdictions for Email Security. The authors take perpetual hostility between jurisdictions as their starting assumption and build a foundation for security on top of it (talk about a new paradigm): cloud-based service providers in conflicting jurisdictions are used to keep the transmission and storage of keys separate from the transmission and storage of encrypted content, the idea being that hostile jurisdictions will not cooperate to hand over both halves. Their email prototype does not require the creation of keying material before confidential email can be received. The only prerequisite is that sender and receiver follow each other on Twitter.
Exploiting the Physical Environment for Securing the Internet of Things continues work in an area that uses randomness provided by the physical environment to build security solutions: for example, using the entropy that co-located devices share in ambient audio, light levels, or electromagnetic emanations to build context-based solutions. The authors apply this approach to key establishment, deriving a shared secret on resource-constrained devices with a tight power budget, and couple it with a rigorous security analysis. What sorts of IoT contexts and use cases might benefit from this? Hospitals? Tanks?
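To make the idea concrete, here is an added example of context-based key establishment. It is not the paper's protocol and not code from the NSPW authors; it uses a simplified guard-band reconciliation that I have assumed for illustration, and the "ambient signal" is a constructed, seeded Gaussian series standing in for a real audio, light or EMI measurement. Two co-located devices quantise their own noisy observation of the shared signal, publicly exchange only the indices they consider unreliable (never the bits), and hash the surviving bits into a key; a device at another location sees an unrelated signal and ends up with a different key. The paper's rigorous security analysis, entropy estimation and power budgeting are not reproduced here.

```python
"""Context-based key establishment from a shared ambient signal (added example).

Assumptions (not from the paper): median-threshold quantisation, a guard band
around the threshold, index-only reconciliation, SHA-256 key derivation and
HMAC key confirmation. All signals are constructed, not recorded measurements.
"""
import hashlib
import hmac
import random
import statistics


def ambient_signal(location_seed: int, n: int) -> list[float]:
    """Constructed stand-in for an ambient modality (audio level, light, EMI).
    Devices at the same location share the seed; a distant device gets another."""
    rng = random.Random(location_seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def observe(signal: list[float], sensor_seed: int, noise_std: float) -> list[float]:
    """Each device's sensor adds its own independent noise to the shared signal."""
    rng = random.Random(sensor_seed)
    return [s + rng.gauss(0.0, noise_std) for s in signal]


def quantise(samples: list[float], guard: float) -> tuple[list[int], set[int]]:
    """Threshold each sample against the device's own median: above -> 1, below -> 0.
    Samples closer than `guard` to the threshold are flagged unreliable; the flagged
    index set is the only thing a device discloses over the (public) channel."""
    threshold = statistics.median(samples)
    bits = [1 if s > threshold else 0 for s in samples]
    unreliable = {i for i, s in enumerate(samples) if abs(s - threshold) < guard}
    return bits, unreliable


def reconcile(bits: list[int], own_unreliable: set[int], peer_unreliable: set[int]) -> list[int]:
    """Drop every index either side flagged. Only indices cross the air, never bits,
    so an eavesdropper learns which positions were kept but not their values."""
    drop = own_unreliable | peer_unreliable
    return [b for i, b in enumerate(bits) if i not in drop]


def derive_key(bits: list[int]) -> bytes:
    """Hash the agreed bit string into a fixed-length key."""
    packed = "".join(map(str, bits)).encode()
    return hashlib.sha256(b"ctx-key|" + packed).digest()


def confirmation_tag(key: bytes, role: bytes) -> bytes:
    """Key confirmation: a MAC over a role label, comparable without revealing the key."""
    return hmac.new(key, b"confirm|" + role, hashlib.sha256).digest()


def run_demo(n: int = 512, noise_std: float = 0.02, guard: float = 0.25) -> dict:
    """Two co-located devices (A, B) and an eavesdropper (E) somewhere else."""
    shared = ambient_signal(location_seed=1, n=n)      # the room A and B sit in
    elsewhere = ambient_signal(location_seed=2, n=n)   # where E sits
    obs_a = observe(shared, sensor_seed=11, noise_std=noise_std)
    obs_b = observe(shared, sensor_seed=22, noise_std=noise_std)
    obs_e = observe(elsewhere, sensor_seed=33, noise_std=noise_std)

    bits_a, bad_a = quantise(obs_a, guard)
    bits_b, bad_b = quantise(obs_b, guard)
    bits_e, _ = quantise(obs_e, guard)

    agreed_a = reconcile(bits_a, bad_a, bad_b)
    agreed_b = reconcile(bits_b, bad_b, bad_a)
    # E sees both index sets on the channel, so she keeps the same positions,
    # but her own observation is of a different environment.
    guess_e = reconcile(bits_e, bad_a, bad_b)

    key_a, key_b, key_e = derive_key(agreed_a), derive_key(agreed_b), derive_key(guess_e)
    tag_from_a = confirmation_tag(key_a, b"A")          # A sends this
    tag_b_expects = confirmation_tag(key_b, b"A")       # B recomputes it locally
    return {
        "key_a": key_a,
        "key_b": key_b,
        "key_e": key_e,
        "agreed_bits": len(agreed_a),
        "confirmed": hmac.compare_digest(tag_from_a, tag_b_expects),
        "eve_bit_agreement": sum(x == y for x, y in zip(agreed_a, guess_e)) / len(agreed_a),
    }


if __name__ == "__main__":
    r = run_demo()
    print("A == B:", r["key_a"] == r["key_b"], "| E == A:", r["key_e"] == r["key_a"])
    print("agreed bits:", r["agreed_bits"], "| confirmed:", r["confirmed"])
    print("E's raw bit agreement with A: %.2f" % r["eve_bit_agreement"])
```

The guard band is what makes the two keys match without ever sending a bit: with sensor noise far smaller than the band, a sample one side sees comfortably above its threshold cannot land comfortably below the other side's. The cost is the discarded positions (roughly a fifth of the samples at these parameters), which is the kind of entropy-versus-robustness trade-off a real deployment would have to size against its power budget.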
Several papers explore the territory of security decision-making. "If you were attacked, you'd be sorry": Counterfactuals as security arguments explores the argumentation side of it. This early-stage work aims at a structure that helps decision makers properly integrate "what-if" scenarios, which are hard to account for appropriately. Such scenarios are complicated by rare events with catastrophic consequences, active adversaries, countermeasures of questionable appropriateness (based on values or context), and countermeasures that reduce some risks while increasing others. I'm hoping the authors get to the point where they produce a framework that can be tried out on some real security business decisions.
Examining the Contribution of Critical Visualisation to Information Security applies LEGO to the visualization of security facts, figures, and values in order to do user-led risk assessment. Their case study was the design of a micro-payment service, delivered over Internet Protocol TV, for low-income families to make payments and manage money using the television as an interface. The LEGO artifact was utterly engaging; I wanted to try it out!
The rest of the papers can be seen through the usable-security lens, a topic near and dear to my heart. Developers, administrators, employees and end users, and their relationships to security, all get some airtime. Interested in learning more? The proceedings, with the final versions of all of these papers, are due out in November.
Hi Mary Ellen,
I’m interested in the topic of how component failures or faults can lead to security vulnerability. The latest example is Google’s exploitation of a DRAM row hammer condition to gain access to privileged memory. Is there a forum to discuss other IC fault mechanisms and their impact on security?
Thanks,
Charlie
Hi Charlie, I’m not aware of any forum quite like that. You might try searching scholar.google.com for Fault Injection Attacks to try to get a sense of where those discussions happen in research (looks like dependability and crypto forums at a glance).
Thanks for the content update.
What is the definition of Milware?
How does it differ from Malware?
You know, like APT?
Hi Nir, in the context of the paper, the term “milware” refers to malware authored by a nation state (or their delegate). The researchers are looking for exactly that; ways to determine if and how malware from state actors is different from malware from other places. They have an initial set of criteria that works for their sample so far.