THREADS 2014: Scaling Security
Every day we trust more about our lives and our society to internetworked information systems. The development of these systems is accelerating in pace and increasing in complexity -- it is now common to deploy code multiple times per minute to worldwide production systems. To cope with this increasing complexity, more development and deployment tasks are becoming fully automated.
Security must be a core part of our new technology and fully integrated into an increasingly automated development and deployment model. THREADS will present new research and workshops about integrating security into modern software development and operations.
Companies such as Amazon and Netflix deploy code to worldwide production systems several times per hour. Tesla automobiles download software updates over the Internet to provide new functionality. An Internet-connected thermostat is a best-selling home automation gadget.
Traditional models of security are increasingly irrelevant in a rapidly updated world of Internet-connected devices. Gating deployments by manual security assessments would erase the point of agile development and continuous deployment. Endpoint security products can’t target rapidly updated customized embedded platforms like cars and thermostats. The new model of security has to focus on automation, integration, detection and response time.
This year’s THREADS conference will focus on how to automate security. The goal of automating security is to ensure that security is never a roadblock, but a core part of development and operations. The success of automated security is essential to our ever more internetworked society and devices.
Thursday, November 13 - Research
The research portion of THREADS will discuss the latest academic and industrial advances in security automation for the identification of errors in programs and intrusions in networks. This will include dynamic and static analysis, symbolic execution and constraint solving, data flow tracking and fuzz testing, host and network monitoring, and related technologies. This research advances the state of the art in reasoning about applications and systems to discover security vulnerabilities, identify flaws in applications, and formulate effective defenses.
- Static Translation of X86 Instruction Semantics to LLVM With McSema (Trail of Bits)
- Smten and the Art of Satisfiability-based Search (SRI International)
- Reverse All the Things with PANDA (Columbia University)
- Transparent ROP Detection using CPU Performance Counters (Intel & Harvard University)
- Code Pointer Integrity (Stony Brook University)
- Reasoning about Optimal Solutions to Automation Problems (Veracode)
- Improving Scalable, Automated Baremetal Malware Analysis (GTISC)
Friday, November 14 - Development
The development portion of THREADS will discuss strategies to integrate security into your development pipeline: what automated analysis tools are available, how to integrate them with developers, and how to provide feedback to developers that encourages reporting instead of assigning blame. Other talks will show you how to add security monitoring triggers to existing monitoring infrastructure, and how to tune these triggers to information attackers want to steal. Our focus is on practical examples and lessons learned when automating security.
- Building Your Own DFIR Sidekick (GitHub)
- CRITs: Collaborative Research Into Threats (MITRE)
- Cleaning Up the Internet with Scumblr and Sketchy (Netflix)
- GitHub AppSec: Keeping up with 111 prolific engineers (GitHub)
- Augmenting Binary Analysis with Python and Pin (Etsy & NYU-Poly)
- Are attackers using automation more efficiently than defenders? (ESET)
- Automatic Application Security @twitter (Twitter)
- Operating system analytics and host intrusion detection at scale (Netflix)
- How Yelp Makes Sense of CSP Reports @ Scale (Yelp)
When & Where
Cyber Security Awareness Week (CSAW) is the largest student-run cyber security event in the nation, with a research conference that attracts some of the biggest names in the industry, and a career fair with an impressive list of corporate partners. It’s a weekend of competitions, keynote talks and cyber security events, designed to prepare best-performing students with the skills and knowledge to shape the future of the industry.
THREADS is an annual conference that focuses on pragmatic security research and new discoveries in network attack and defense. Held each year during NYU-Poly's Cyber Security Awareness Week (CSAW) in Brooklyn, NY, THREADS is organized by NYU-Poly Hacker in Residence Dan Guido with the help of cyber security students at the university.
THREADS aims to present and discuss cutting-edge, peer-reviewed, industrial and academic research in computer and network security. THREADS focuses on developments and advances in attack techniques and attacker methodologies. We want to discuss what vulnerabilities exist and how attackers of today and tomorrow exploit those vulnerabilities.