Workshop on Real-life impacts of security vulnerabilities (2024)

Introduction

Offensive (information) security is where security researchers analyze existing systems to uncover security or privacy vulnerabilities. Usually, a vulnerability found in a prominent system is accompanied by substantial coverage in the technology, and sometimes even popular, media.

Although claims of security vulnerabilities in top academic conferences are usually technically correct, sometimes they may not have any discernible impact in practice immediately. But practitioners and decision makers need to decide what remedial action, if any, is warranted – ranging from doing nothing to immediate recall or replacement of the system in question. The security research community usually does not have the expertise (and often does not even attempt) to assess the likely real-life impact of a given vulnerability because the impact is dependent not just on technological factors but also on several other factors, chief among them economic.

On the other hand, widespread negative perception from well-publicized vulnerabilities can lead to a substantial opportunity cost. Decision makers in the industry may be tempted to prematurely pull technologies from deployment. Students and researchers may shy away from a particular technology that was found to have vulnerabilities because they perceive it as too risky.

This leads to questions like (how) can we assess the realistic real-life impact of claimed security vulnerabilities?  Are there tools, techniques, principles, checklists, or best-practice guidelines that can help? Are there other settings (for example, environmental impact assessments) where similar needs have arisen and addressed? What can security experts contribute to make similar approaches applicable to information security?

A prerequisite to answering this question is starting a conversation among offensive security experts, industry practitioners, and experts in economic matters. We hope to do this by holding a half-day workshop at ETH Zurich bringing together (1) offensive security researchers who have found significant security/privacy vulnerabilities, (2) practitioners with insights about how such vulnerabilities were dealt with in real-life, and (3) economists, actuaries, and accountants who have expertise in methods and processes to assess potential real-world impact (possibly in other similar contexts than just cybersecurity or privacy)

To keep the scope tractable, we can limit the discussion to hardware-assisted security mechanisms where we, the organizers, have expertise in. We plan to have a few short introductory talks to set the stage, followed by a panel involving experts from different disciplines. We hope for very active audience participation.

Event Details

When: April 18, 2024
Where: ETH Zürich, Alumni Pavillon, Rämistrasse 101, 8092 Zürich

eth1

eth2

eth3

Note: The funicular “Polybahn” is your easiest way up the hill, but will be very busy.
You can also take tram #6 (direction Zoo) from stop “Bahnhofstrasse/HB” or tram #10 (direction Airport) from stop „Bahnhofplatz/HB“ to stop „ETH/Universitätsspital“.

Registration

Thu 18Apr2024

Real-life impacts of security vulnerabilities Workshop 2024

From 13:30 until 18:30

At Alumni Pavillon (MM C 78.1) at ETH Zurich

More Info and Registration

Preliminary Program

Thursday, April 18, 2024


13:30-14:00: Registration and Coffee
14:00-14:10: Welcome, Prof. Bonhoeffer (Director, Collegium Helveticum)
14:10-14:25: Introduction, N. Asokan (University of Waterloo)
14:25-14:45: Talk by Daniel Gruss (TU Graz)
14:45-15:05: Talk by Eduardo Vela Nava (Google)
15:05-15:25: Talk by Rainer Boehme (University of Innsbruck)
15:25-15:50: Talk by Lucas Engl (Zurich Insurance)
15:50-16:10: Break
16:10-17:40: Panel discussion, host: Shweta Shinde (ETH Zurich), participants: Hans Gersbach (ETH Zurich), Kaveh Razavi (ETH Zurich), Mark Brand (Google), Anders Fogh (Intel)
17:40-17:55: Closing, Kari Kostiainen (ETH Zurich)
18:00: Apéro

Organizers

Sponsors

We gratefully acknowledge the support of

in organizing this workshop.

Administration



Saskia Wolf 
(ETH Zurich)

 



Vivien Klomp 
(ETH Zurich)

 

 

Invited Speakers

Anders Fogh is technical lead for offensive security research at Intel and is an Intel fellow. He is a reowned expert on microarchitecture and memory security. He has more than 20 years of experience with security and low-level topics and is work on security has been published in both industry and academic conference such as Black Hat USA and IEEE S&P. He has twice been recognized by the National Security Agency for excellence in research. Before joining Intel he worked as a principal security researcher where he worked on incident response and malware analysis. He spend 15 years of his career going from junior software developer to company founder and lead engineer. Anders holds a degree in economics.

Hotels

These hotels are within walking distance of the venue, but there are plenty more hotels in the Zurich area.

Important Dates

  • Registration deadline: March 31, 2024.
  • Workshop: April 18, 2024.

Contact

For further questions please contact the organizers or the administration team.