I recently attended the USENIX Annual Technical Conference (ATC) 2016 in Denver, Colorado. I was invited to give an industry talk, discussing my Bring Your Own Dilemma paper from last March (touching briefly on the Out Of Box Exploitation paper from May). Instead of just flying in for my talk and flying out, I wanted to hang out for the entire conference and hear some of the other talks. The vast majority of them were academic papers on a variety of subjects, but there were a few fairly interesting ones that I wanted to point out.
Before I get to that, I have to say that I was quite impressed with the speakers in general. Most of them were very bright students, presenting synopses of complex subjects, facing for the first time a large number of peers they had never met, and these peers were asking extremely hard questions.
This was an international event with speakers from all over the globe and the conference common language was English (this is typical of a lot of academic or scientific-focused conferences), so you also had speakers who were giving a talk and formulating answers to tough questions in a different language than their native tongue, and for many, it was quite stressful. But all things considered, most speakers held their own and managed to get their points across.
As a security guy, I looked for either the security talks or the ones that had potential security implications, which is kind of a vague way of me saying I would just go to something that sounded interesting, and pretend there was some security connection. With two separate tracks I couldn’t see all of the talks, and there were some hits and misses, but there were a few stand-out presentations:
FastCDC: A Fast and Efficient Content-Defined Chunking Approach for Data Deduplication
In computing, there is often a need for searching for needles in haystacks. This type of thing mainly comes up in compression discussions instead of security, but in a past life, I was on a team that was looking for ways to sift through large chunks of non-encrypted but obfuscated data for specific patterns.
One experiment involved several variations on a rolling hash with the Rabin-Karp algorithm, and subsequent experiments involved data deduplication techniques that are commonly found in modern compression algorithms to improve performance against large datasets.
Long story short, this talk was interesting mainly due to the performance improvements provided by FastCDC vs Gear-based CDC. If any of my very short summation of this talk did not put you to sleep or sound slightly familiar, this paper is worth checking out.
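To make the chunking idea behind this talk concrete, here is an added example (not code from the original post or from the FastCDC paper) of plain Gear-based content-defined chunking, the baseline the talk compared FastCDC against. The size limits, mask width, seed and sample data are assumptions chosen for the demo, and FastCDC's own optimizations are not implemented.

```python
import hashlib
import random

MIN_SIZE, MAX_SIZE = 512, 8192      # assumed chunk-size limits for this demo
MASK = (1 << 11) - 1                # cut when the low 11 bits of the hash are zero
_rng = random.Random(2016)          # fixed seed so every run is identical
GEAR = [_rng.getrandbits(64) for _ in range(256)]  # random 64-bit value per byte

def gear_chunks(data):
    """Cut where the Gear rolling hash of the most recent bytes matches MASK."""
    chunks, start, fp = [], 0, 0
    for i, byte in enumerate(data):
        fp = ((fp << 1) + GEAR[byte]) & 0xFFFFFFFFFFFFFFFF
        size = i - start + 1
        if (size >= MIN_SIZE and (fp & MASK) == 0) or size >= MAX_SIZE:
            chunks.append(data[start:i + 1])
            start, fp = i + 1, 0
    if start < len(data):
        chunks.append(data[start:])
    return chunks

def fixed_chunks(data, size=2560):
    """Baseline: cut every `size` bytes regardless of content."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def shared_fraction(chunker, original, edited):
    """Fraction of the edited file's chunks already stored for the original."""
    known = {hashlib.sha256(c).digest() for c in chunker(original)}
    new = chunker(edited)
    return sum(hashlib.sha256(c).digest() in known for c in new) / len(new)

# Constructed sample input: 200 KB of pseudo-random bytes, then a 10-byte insertion.
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(200_000))
EDITED = ORIGINAL[:1000] + b"0123456789" + ORIGINAL[1000:]

if __name__ == "__main__":
    print("fixed-size:", shared_fraction(fixed_chunks, ORIGINAL, EDITED))
    print("gear CDC:  ", shared_fraction(gear_chunks, ORIGINAL, EDITED))
```

Because the cut points depend on the bytes themselves rather than on offsets, the content-defined chunker falls back into step with the original shortly after the insertion, while every fixed-size chunk after the edit shifts and has to be stored again.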
Blockstack: A Global Naming and Storage System Secured by Blockchains
Blockchains are interesting, in that they allow for the association of a specific name with data. Blockstack uses the Bitcoin blockchain, is modeled for decentralized DNS and PKI type services (think authenticating without passwords because the system is cryptographically sure that you are actually “you”), and is open source. In fact, it is currently up and running with 55,000 users using it for PKI. Great stuff.
All Your Biases Are Belong To Us: Breaking RC4 in WPA-TKIP and TLS
This was one of the “Best of the Rest” papers that was originally presented earlier in 2015 and made somewhat of a splash as a practical attack against real-world RC4 implementations. Even though I was familiar with the paper and the attacks described already, it was still a great talk to watch as some of the hurdles and thought processes behind the paper were brought out.
One aspect that was especially nice was the level of explanation. As the person seated next to me pointed out, “I didn’t understand how some of these known plaintext style attacks actually worked.” A hallmark of a good presentation is making sure you reach the less technical members of the audience without boring the more technical, and this presentation did that.
COZ: Finding Code that Counts with Causal Profiling
This was my favorite talk. Another “Best of the Rest” paper from 2015, this is one that should have made a huge splash but didn’t. In a very easy-to-understand presentation, a methodology for finding areas within code where speed could be improved was laid out, and all it did was make me want to code and run COZ on my code to make it faster. I’ve written programs that were tossed aside for running too slow, and now I want to dig them back out for re-analysis with COZ. The talk was probably best summed up by a Google employee who spoke up during the Q&A: “I don’t really have a question, outside of why haven’t I heard about this sooner?”
As a security guy that has attended and spoken at many conferences, one tends to get a little jaded at times, but I’ve always loved brushing elbows with academia and interacting with students that are just finishing up their formal education because of their enthusiasm and energy. All I can do is hope that these bright people who are getting ready or have recently entered the workforce find a way to keep their energy and spark in order to keep pushing forward.