[הרחב אבסטרקטים - Expand Abstracts]


התכנסות (התחברות לזום)



דברי פתיחה



בני פנקס, אוניברסיטת בר אילן

Hashomer: A Proposal for a Privacy-Preserving Bluetooth Based Contact Tracing Scheme for Hamagen

In recent weeks multiple proposals for schemes allowing contact tracing for combating the spread of COVID-19 have been published (e.g., DP-3T, Google and Apple, and PACT). Many of those proposals try to implement this functionality in a decentralized and privacy-preserving manner using Bluetooth Low Energy (BLE). In this talk, we will describe Bluetooth based contact tracing and the difference between centralized and decentralized approaches. We will then present ``Hashomer'', our proposal for a contact tracing scheme tailored for the Israeli Ministry of Health's ``Hamagen'' application, and describe its security and privacy properties. A prototype implementation of this design can be found at https://github.com/eyalr0/HashomerCryptoRef.

Joint work with Eyal Ronen (TAU)

* שקפים (PDF)
* וידאו (לינק ליוטיוב)



יניב דוד, הטכניון

Neural Reverse Engineering of Stripped Binaries

We address the problem of reverse engineering of stripped executables which contain no debug information. This is a challenging problem because of the low amount of syntactic information available in stripped executables, and due to the diverse assembly code patterns arising from compiler optimizations.

We present a novel approach for predicting procedure names in stripped executables. Our approach combines static analysis with sequence-to-sequence (seq2seq) models. The main idea is to use static analysis to obtain augmented representations of API call sites; encode a set of sequences of these call sites by traversing the Control-Flow Graph; and finally, attend to the encoded sequences while decoding the target name.

We use our representation to drive both LSTM-based and Transformer-based architectures. Our evaluation shows that our model produces predictions that are difficult and time consuming for humans, while improving on the state-of-the art by 20% and improving by 84% over state-of-the-art neural models that do not use any static analysis.

* שקפים (PDF)
* וידאו (לינק ליוטיוב)



הפסקת קפה ומאפה (שירות עצמי)



אור דונקלמן, אוניברסיטת חיפה

Adventures in Cryptographic Standardization

The International Standardization Organization (ISO) is responsible for promoting different types of standards --- from the ISO 9000 series (for quality assurance) to the ISO 27000 series (for computer security). In this talk we will cover a recent adventure in ISO/IEC JTC1 SC27/WG2, the working group discussing cryptographic standards. This adventure starts with a Russian cipher called Kuznyechic (grasshopper), involves the entire world: a young French-man, a Chinese delegation, a very smart elderly Japanese master of rules, which possibly ended with a vote that did not take place in St. Petersburg due to the Corona.

* שקפים (PDF)
* וידאו (לינק ליוטיוב)



איל רונן, אוניברסיטת תל אביב

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd

The WPA3 certification aims to secure home networks, while EAP-pwd is used by certain enterprise WiFi networks to authenticate users. Both use the Dragonfly handshake to provide forward secrecy and resistance to dictionary attacks. In this paper, we systematically evaluate Dragonfly's security. First, we audit implementations, and present timing leaks and authentication bypasses in EAP-pwd and WPA3 daemons. We then study Dragonfly's design and discuss downgrade and denial-of-service attacks. Our next and main results are side-channel attacks against Dragonfly's password encoding method (e.g.~hash-to-curve).

We believe that these side-channel leaks are inherent to Dragonfly. For example, after our initial disclosure, patched software was still affected by a novel side-channel leak. We also analyze the complexity of using the leaked information to brute-force the password. For instance, brute-forcing a dictionary of size 10^10 requires less than $1 in Amazon EC2 instances. These results are also of general interest due to ongoing standardization efforts on Dragonfly as a TLS handshake, Password-Authenticated Key Exchanges (PAKEs), and hash-to-curve. Finally, we discuss backwards-compatible defenses, and propose protocol fixes that prevent attacks. Our work resulted in a new draft of the protocols incorporating our proposed design changes.

Joint work with Mathy Vanhoef (New York University Abu Dhabi)

* שקפים (PDF)
* וידאו (לינק ליוטיוב)



איתי בוכנר, CERT-IL, מערך הסייבר הלאומי

ICS – Industrial Cyber Scanning, The hidden world of industrial components

PLCs act as the bridge between the physical world and the cyber domain, the logic embedded in them controls the process and the active field devices. Although a cyber-attack on PLCs can result in a massive collateral damage there is not enough awareness to this threat vector. Recent reports indicate that actors take advantage of ICS equipment accessible over the Internet in order to manipulate or interrupt the physical process. The INCD is aware of this threat vector, and works to mitigate it. The presentation will cover ICS fundamentals and the actions taken by INCD to address this issue.

Itay is the Cyber Technology Manager of the Israeli CERT (CERT-IL). He has over 10 years in the cyber security field with an extensive background of ICS security.

* שקפים (PDF)
* וידאו (לינק ליוטיוב)



הפסקת צהריים (אוכל ביתי יוגש למכינים בעצמם)



שרה ביתן, הטכניון

Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs

The Siemens industrial control systems architecture consists of Simatic S7 PLCs which communicate with a TIA engineering station and SCADA HMI on one side, and control industrial systems on the other side. The newer versions of the architecture are claimed to be secure against sophisticated attackers, since they use advanced cryptographic primitives and protocols. In this paper we show that even the latest versions of the devices and protocols are still vulnerable. After reverse- engineering the cryptographic protocol, we are able to create a rogue engineering station which can masquerade as the TIA to the PLC and inject any messages favourable to the attacker. As a first example we extend attacks that can remotely start or stop the PLC to the latest S7-1500 PLCs. Our main attack can download control logic of the attacker's choice to a remote PLC. Our strongest attack - the stealth program injection attack - can separately modify the running code and the source code, which are both downloaded to the PLC. This allows us to modify the control logic of the PLC while retaining the source code the PLC presents to the engineering station. Thus, we can create a situation where the PLC's functionality is different from the control logic visible to the engineer.

Joint work with Eli Biham, Aviad Carmel, Alon Dankner, Uriel Malin (TAU) and Avishai Wool (TAU)

* שקפים (PDF)
* וידאו (לינק ליוטיוב)



לירן טל, Snyk

Malicious Modules on npm - a series of unfortunate events

With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how malicious npm packages work, how to avoid them and apply npm and Node.js security best practices every developer should know with hands-on live hacking.

Liran Tal is a Developer Advocate at Snyk and a member of the Node.js Security working group. Among his security activities Liran also published Essential Node.js Security and O’Reilly’s Serverless Security books, and is a core contributor to OWASP NodeGoat project. He is passionate about the open source movement, web technologies and testing and software philosophy.

* וידאו (לינק ליוטיוב)



דניאל שפירא, Palo Alto Networks

The Common Pitfalls of Cloud Native Software Supply Chains

Today modern cloud native infrastructure is composed of various CNCF projects to build, manage, and deploy containerised applications in an automated manner. These tools provide great flexibility, ease of use, and speed up development, but the ecosystem is developing at a blazing fast pace, which in turn causes various little mistakes in the products that could leave the supply chain up for grabs for a motivated adversary. In this talk we will follow the path of the software supply chain and explore its components and their common problems, and finally dive into a couple of container escape examples.

Daniel is a Sr Staff Researcher at PANW, currently involved in security research of CNCF projects with a focus on OS implementations. For the past 11 years Daniel has found and fixed critical security problems for various enterprises, government agencies, healthcare and open-source projects in the US, Europe & Israel. He is passionate about breaking and rebuilding stuff, and his work provides him the joy to do it on a daily basis in a productive manner.

* שקפים (PDF)
* וידאו (לינק ליוטיוב)



דברי סיום



ההרצאות תתקיימנה בעברית - Lectures will be given in Hebrew
שקפי ההרצאות יופיעו בדף זה לאחר האירוע, מותנה באישור המרצים