Review of  the
IEEE Security and Privacy Symposium,
Berkeley, California
May 10-12, 2004

Review by Hilarie Orman
May 17, 2004

Selected Commentary on the 2004 Security and Privacy Symposium

[This is a random selection of personal impressions of the conference and does not reflect on the quality of talks omitted]

Social
The venerable (25 years) Security and Privacy Symposium was held at the Claremont Resort and Spa in Berkeley, Calfornia. The symposium has always been at this location, and it probably will continue to be there through 2008. The Sunday evening reception featured beautiful sunset views across San Francisco Bay and excellent hors d'ouerves. There was a good mix of old and new faces, and this was a good time to catch up on the happenings in the security community and to meet new people.

This year I learned that if one goes out the lower parking lot of the Claremont and across the street towards the residential area, and uphill a block to Tanglewood Road, and then up Tanglewood to Tanglewood path, there is access to the Claremont Canyon Reserve. This is a steep walk, but well worth it for the huge eucalyptus trees and sunset view of the entire San Francisco Bay area.

General

Lee Badger, as general chair, welcomed the audience and introduced Dave Wagner, the program chair. The attendance was slightly up for the conference, approaching 200 attendees. This was a good turnout, still 10% shy of the maximum number that the Claremont can handle, but showing a steady upward trend over the last few years. CMU and Berkeley in particular were well-represented. The number of paper submissions for the technical program was markedly increased over last year, with 185 submissions. Paradoxically, only 19 papers were accepted, making for a short program for the two and half days, even with two panels.

There was no "best paper" award.

Session on Attacks and Defenses
The first session had two papers that were notable for their novelty (if not for simple amusement), and one on security problems in Internet protocols when used with "multi-homed" or "IP mobile" computers.

Dmitri Asonov presented a paper about a covert channel analysis of acoustic emanations from ordinary computer keyboards. He showed that each key has a detectable acoustic signature which he tentatively attributed to percussion in the stop plate of the keyboard. He recommended designing the keys to minimize the energy in the two part "click". Some audience members privately wondered if mechanical wireless keyboards were an obvious follow-on invention.

Adam Stubblefield presented an analysis of the electronic voting software revealed on the Diebold website last year. The software had a number of flaws, including a hard-coded DES key, and even the comments gave cause for amusement. While Diebold may have been unfortunate to have had their source code inadvertantly revealed, it seems clear that informed scrutiny of voting software can help eliminate security flaws and ultimately increase confidence in the software.

Tuomas Aura's presentation on how transport layer security measures can be thwarted when endpoints have multiple and/or variable IP addresses was an interesting litany of problems. While some of the problems afflict mechanisms that are fragile and lightweight in the first place (such as "cookies"), it is certainly true that multiple addresses complicate any part of a transport protocol that needs to maintain authenticated state while being address-aware.

Panel on Electronic Voting
Dan Wallach, Rice University
Dana DeBeauvoir, County Clerk, Travis County, Texas
Josh Benaloh, Microsoft Research

The voting panel presented three viewpoints: advocacy of paper ballots produced by electronic machines and tabulated by optical readers, thus combining the best of both the electronic and the paper world (Wallach); a recommendation for electronic voting methods that permit verifying election results with untrusted software (Benaloh); the need for a easily usable election system that could be quickly and continuously estimated through partial tabulation (DeBeauvoir). The advantages of electronic voting are numerous, though perhaps not immediately obvious. Accessibility is important for handicapped voters and for those with special language needs. Ballot specialization (the ability to include exactly those issues and elected positions relevant to each district) helps the election officials. DeBeauvoir's practical experience with voting procedures and use of electronic voting machines was a refreshing view into the real world of voting and how conscientious officials deal with testing and using the machines.

The open discussion brought up one non-obvious problem with giving a voter a paper copy of his vote (to use in disputes) is that it facilitates vote selling and coercion. Opinions varied on whether or not electronic voting needed to deal with this problem.

All agreed that the ability to validate the electronic vote was very important, but there was no consensus on best method.

Panel on Grand Challenges in Computer Security Research
Virgil Gligor, University of Maryland
Mike Reiter, Carnegie Mellon University
Dan Simon, Microsoft Research
Gene Tsudik, UC Irvine

The "Future Directions" panel had four diverse viewpoints:

  1. "I'll puke if I see another paper about X" (Tsudik)
  2. Emergent properties of wireless ad hoc sensor networks (Gligor)
  3. Usability and security, from the Grand Challenges workshop (Reiter)
  4. Usability, plumbing, and potholes (Simon)
Each member of the panel gave a good presentation, and few people whose research interests lie within Tsudik's hurling range will ever forget his comments. Overall, though, this seemed a disjointed set of presentations and yielded no insight into what the future directions are likely to be.

Session on Denial of Service
Michael Collins presented an analysis of the effectiveness of several proposed methods for "target-resident" DOS protection measures. His conclusion, elucidated by Jay Lepreau, was that no method seemed to provide satisfactory performance with respect to both Type 1 and Type 2 errors.

Session on Network Security
Jaeyeon Jung presented work on detecting machines engaging in "port scanning", a method of finding vulnerable computers on a network. Machines doing port scans are often compromised by a worm or other form of malicious software, so finding port scanning machines quickly is a way to protect a network. By careful analysis using Bayesian probabilities, the researchers were able to tune their detection algorithms to find port scanners accurately with as few as 5 probes, much reduced from other methods that might need 100 probes to achieve similar accuracy.

A paper by Maxwell Krohn et al. presented a method for verifying the packets used in rateless erase codes. Because the packets are not necessarily sequential, ordinary methods for authenticating transport protocols like TCP are not applicable. Their method does not require a public key signature on each packet, thus relieving the sender of some computational burden.

It was left to Nikos Triandopoulos to present "Multicast Authentication in Fully Adversarial Networks", a topic denounced by Tsudik in his Grand Challenges presentation. However, the paper did contribute a definition of "adversarial network" that encompasses both invalid messages and message floods, the latter being something that has been traditionally ignored in security modeling.

Business Meeting
The conference probably will be at the Claremont for the next 3 years, there being no objection from the room, but it will be held later in the month than has been traditional. The Claremont has become an expensive venue, and the conference now needs sponsorship in order to provide the Sunday reception. The Monday reception is not as lavish, and the breakfasts and breaks are skimpy (in the opinion of this writer).

Next year's general chair will be Steve Tate, and the program chair will be Michael Waidner.

The open discussion at the Tuesday afternoon business meeting showed some disagreement in the program committee about the reasons for the high rejection rate. The main reason seemed to be that the committee could not reach consensus on more than 19 papers. One member opined that the standards being set by the committee were not exactly aligned with the needs of the conference. A non-committeee member said that recent experience with other security conferences indicated that the quality of the submissions was generally low. Offered remedies included advising the program chair that a full-length program was a priority, even if the committee could not come to consensus on the final few papers, volunteering for the program committee, submitting papers, and trusting in the wisdom of the program committee.