MC2 Symposium


Gary McGraw, Ph.D.

CTO, Cigital

Bug Parades, Zombies, and the BSIMM: A Decade of Software Security

Only ten years ago, the idea of building security in was brand new. Back then, if system architects and developers thought about security at all, they usually concentrated on the liberal application of magic crypto fairy dust. We have come a long way since then. Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. Several things happened in the early part of the decade that set in motion a major shift in the way people build software: the release of my book Building Secure Software, the publication of Bill Gates's Trustworthy Computing memo, the publication of Lipner and Howard’s Writing Secure Code, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft, and ultimately other large software companies, to get religion about software security. Now, ten years later, Microsoft has made great strides in software security and building security in, and they’re publishing their ideas in the form of the SDL. Right about in the middle of the last ten years (five years in) we all collectively realized that the way to approach software security was to integrate security practices that I term the "Touchpoints" into the software development lifecycle. Now, at the end of a decade of great progress in software security, we have a way of measuring software security initiatives called the BSIMM. BSIMM is helping transform the field from an art into a measurable science. This talk provides an entertaining review of the software security journey from its "bug of the day" beginnings to the multi-million dollar software security initiatives of today.


Gary McGraw

Bio: Gary McGraw is the CTO of Cigital, Inc., a software security consulting firm with headquarters in the Washington, D.C. area and offices throughout the world. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for SearchSecurity and Information Security Magazine, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Dasient (acquired by Twitter), Fortify Software (acquired by HP), Invincea, and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by SearchSecurity).


Andrew Myers, Ph.D.

Professor, Cornell University

New methods for controlling timing channels

Recent work has reinforced the danger of timing channels, by showing that the timing of network packets can be used to learn private information including private keys, and that coresident programs on the same cloud computing node can quickly learn cryptographic keys by timing cache probes. It is hard to show that a sufficiently clever adversary cannot analyze timing measurements to learn about any information that influences timing.

Our research group has been making progress on this long-standing problem. The key idea is to delay the actions observable to the adversary so that the times at which they occur conform to predictions generated by an algorithm. If this algorithm does not use sensitive information, adversaries learn very little -- they could have made the predictions themselves. Using such a mechanism, we can derive bounds on timing leakage, achieving even asymptotically sublinear leakage under reasonable assumptions. When applied to web applications, predictive mitigation appears to be effective in practice.
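The delay-to-prediction idea above can be sketched as a small simulation. This is an added example, not code from the talk or its authors: the quantum-doubling policy on a missed prediction, the function names and the timestamp traces are assumptions made for illustration, and time is simulated rather than measured.

```python
import math


def mitigate(ready_times, q0=1.0):
    """Release each output at the next predicted slot.

    ready_times: simulated timestamps (nondecreasing) at which the
    secret-dependent computation has an output ready.
    The schedule depends only on q0 and on past mispredictions, never
    on the secret directly. On a misprediction (a slot arrives with
    nothing to release) the quantum doubles (assumed policy).
    Returns (release_times, mispredictions).
    """
    quantum = q0
    next_slot = quantum
    releases = []
    misses = 0
    for ready in ready_times:
        while ready > next_slot:
            # Predicted slot passed with no output: start a slower epoch.
            misses += 1
            quantum *= 2
            next_slot += quantum
        releases.append(next_slot)  # the only time the adversary sees
        next_slot += quantum
    return releases, misses


def observable_bits(traces, q0=1.0):
    """log2 of the number of distinct release-time sequences over the
    candidate traces: an upper bound on what timing reveals about
    which trace actually ran."""
    distinct = {tuple(mitigate(t, q0)[0]) for t in traces}
    return math.log2(len(distinct))


# Constructed sample: four secret-dependent timing traces. Unmitigated,
# all four are distinguishable (2 bits). The last one overruns the
# predictions and forces two mispredictions.
TRACES = [
    [0.2, 1.1, 2.3],
    [0.9, 1.8, 2.9],
    [0.5, 1.5, 2.5],
    [0.5, 5.0, 5.5],
]

if __name__ == "__main__":
    for trace in TRACES:
        print(trace, "->", mitigate(trace))
    print("bits observable after mitigation:", observable_bits(TRACES))
```

Because the quantum doubles on every miss, the number of mispredictions that fit into a run of length T grows only logarithmically in T, which is the intuition behind the sublinear leakage bound mentioned above.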

A harder problem is preventing timing leakage to a coresident attacker. How can programmers know when their programs are leaking information through timing, given that language abstractions intentionally hide the low-level features that create timing channels? To enable static reasoning about timing channels, we formalize some assumptions about the underlying language implementation. These assumptions guide the design of both secure hardware and secure programs. Though these assumptions can be satisfied using stock hardware (at a performance penalty), we model custom hardware whose design was guided by these assumptions, and show that it can control timing channels in real programs.

Joint work with Danfeng Zhang and Aslan Askarov.


Andrew Myers

Bio: Andrew Myers is a Professor in the Computer Science Department at Cornell University in Ithaca, NY. He received his Ph.D. in Electrical Engineering and Computer Science from MIT in 1999.

His research interests include computer security, programming languages, and distributed and persistent objects. His work on computer security has focused on practical, sound, expressive languages and systems for enforcing information security. The Jif programming language makes it possible to write programs which the compiler ensures are secure. The Polyglot extensible compiler framework is now widely used for programming language research.

Myers is the recipient of an Alfred P. Sloan Research Fellowship, a George M. Sprowls award for outstanding MIT Ph.D. thesis, the Cornell Provost's Award for Distinguished Scholarship, the SIGPLAN 2009 Most Influential POPL Paper award for a paper in POPL 1999, and the Best Paper Award for papers in SOSP 2001 and SOSP 2007.

Myers is currently on the editorial boards of ACM Transactions on Computer Systems and the Journal of Computer Security. He has served on the editorial board of ACM Transactions on Information and System Security. He has served on more than 30 other conference program committees, and has chaired those of the IEEE Security and Privacy Symposium and the IEEE Symposium on Computer Security Foundations.