Program Analysis for Security and Safety Workshop Discussion

Nantes, France, July 4, 2006

 

http://research.ihost.com/password/

 

Final Program

 

Call for Papers

With the advent of the Internet, software security has become more important than ever.  Unfortunately, still now, the security of a software system is almost always an afterthought. When security problems arise, understanding and correcting them can be very challenging.  On the one hand, the program analysis research community has created numerous static and dynamic analysis tools for performance optimization and bug detection in object-oriented programs.  On the other hand, the security and privacy research community has been looking for solutions to automatically detect security problems, privacy violations, and access-control requirements of object-oriented programs.  The purpose of this workshop is to bring together members of both these communities and to encourage program analysis researchers to see the applicability of their work to security and privacy—an area of research that still needs exploration.

 

Topics of Interest

      Analysis of cryptographic systems and implementations

      Analysis of network and security protocols

      Automatic detection of attacks against networks and machines

      Automated tools for source- and compiled-code analysis

      Authentication and authorization of users, systems, and applications

      Bug finding

      Detection of mutability, accessibility, and isolation policy violations

      Identification of denial-of-service attacks

      Input validation

      Intrusion and anomaly detection

      Language-based security

      Operating system security

      Privacy analysis

      Security in heterogeneous and large-scale environments

      Security in the presence of agents and mobile code

      Security policy analysis

      Static analysis for program verification

      Static analysis techniques for soundness, precision, and scalability

 

Important Dates

      Submission Deadline: Sunday, April 30, 2006 (extended)

      Author Notification: Friday, May 19, 2006

      Camera-ready Copy: Monday, June 5, 2006

 

Submission Guidelines

We welcome two types of papers:

Type 1: Technical Papers

These papers present mature technical and research material.

Type 2: Position, Exploratory, or Preliminary-work Papers

These papers may describe work in progress or new research ideas.

 

Papers must be written in English.  Please note that PASSWORD, consistent with other scientific conferences and workshops, accepts only original papers that have not been published and are not under review for publication elsewhere.

 

E-mail the submission by the indicated deadline to the Program Chairs following these instructions:

      The subject of the e-mail should be “PASSWORD Submission”

      The e-mail should contain the paper abstract not to exceed 150 words

      Attach a PDF version of the paper, printable on both US Letter and A4 sized paper

      Indicate whether the paper is of Type 1 (Technical Papers) or Type 2 (Position, Exploratory, or Preliminary-work Papers)

      Indicate if any of the authors is a member of the Program Committee

      Indicate which authors of the paper are currently full-time undergraduate or graduate university students

 

Publication of Papers

The best papers accepted at PASSWORD, selected by the Program Committee, and the table of contents of the entire workshop will be published in ACM SIGPLAN Notices.

 

Information for Attendees

Registration of workshop participants has to be done in two mandatory steps:

1. Contact the organizers of the workshop (in order to ensure that the participant limit has not been exceeded) by sending them an email with subject “PASSWORD Attendance”.
2. Register on the ECOOP 2006 Web site either as a worskhop-only attendee or as a regular attendee.  The latter includes access to workshops and to the main conference.

 

Program Organization

Program Chairs

      Francesco Logozzo, École Normale Supérieure, Paris, France

      Marco Pistoia, IBM T. J. Watson Research Center, Hawthorne, New York, USA

Program Committee

      Sabrina De Capitani Di Vimercati, University of Milan, Milan, Italy

      Stephen J. Fink, IBM T. J. Watson Research Center, Hawthorne, New York, USA

      Robert J. Flynn, Polytechnic University, Brooklyn, New York, USA

      Charles Hymans, European Aeronautic Defence and Space Company, Paris, France

      Trent Jaeger, Pennsylvania State University, University Park, Pennsylvania, USA

      Francesco Logozzo, École Normale Supérieure, Paris, France

      Nasir Memon, Polytechnic University, Brooklyn, New York, USA

      Greg Morrisett, Harvard University, Cambridge, Massachusetts, USA

      David A. Naumann, Stevens Institute of Technology, Hoboken, New Jersey, USA

      Marco Pistoia, IBM T. J. Watson Research Center, Hawthorne, New York, USA

      Jan Vitek, Purdue University, West Lafayette, Indiana, USA

      Eran Yahav, IBM T. J. Watson Research Center, Hawthorne, New York, USA

      Steve Zdancewic, University of Pennsylvania, Philadelphia, Pennsylvania, USA

      Xiaolan Zhang, IBM T. J. Watson Research Center, Hawthorne, New York, USA

      Roberto Zunino, University of Pisa, Pisa, Italy

 

IBM Research Best Paper Student Award

The Security and Privacy and the Programming Languages and Software Engineering departments at the IBM T. J. Watson Research Center are jointly sponsoring the IBM Research Best Paper Student Award.  The purpose of this recognition is to encourage talented students to submit papers with high research contents.  To qualify for this award, at least one of the lead authors of the paper must be a full-time undergraduate or graduate university student at the time the paper is submitted.  When submitting their papers, the authors must explicitly specify the names of the authors who are full-time undergraduate or graduate students at the time of the submission.  The Program Committee will decide which paper will receive the award based on research quality and originality.

 

Advance in Intrusion Detection
Jan Vitek, Purdue University

Host-based intrusion detection systems attempt to identify attacks by discovering program behaviors that deviate from expected patterns.  While the idea of performing behavior validation on-the-fly and terminating errant tasks as soon as a violation is detected is appealing, this presents numerous practical and theoretical challenges.  In this talk, we focus on automated intrusion detection techniques, i.e. techniques which do not require human intervention.  Of particular interest are techniques that rely on, or leverage, programming language semantics to find novel ways of detecting attacks.  We will review the main attack models, describe the state of the art in host-based intrusion detection techniques, and conclude with a list of challenges for the research community.

 

Static Analysis for Stack-Inspection and Role-Based Access Control Systems
Marco Pistoia, IBM T.J. Watson Research Center

This talk presents a static analysis framework for statically representing the execution of software programs and the flow of security information in those programs.  The results of the analysis can be used to automatically identify security properties of software and evaluate security policies.  The analysis can be applied to evaluate security policies in both stack-inspection based authorization systems, such as Java, Standard Edition (SE) and .NET Common Language Runtime (CLR), and Role-Based Access Control (RBAC) systems, such as Java, Enterprise Edition (EE) and CLR.  Although RBAC allows restricting access to privileged operations, a deployer may actually intend to restrict access to privileged data.  In this talk, we present also a theoretical foundation for correlating an operation-based RBAC policy with a data-based RBAC policy.  Relying on a location-consistency property, we show how to infer whether an operation-based RBAC policy is equivalent to any data-based RBAC policy.