The Eindhoven Institute for the Protection of Systems and Information (EiPSI) celebrated its first anniversary last Friday. The opening in 2008 was already a very nice event, and I was looking forward to the announced talks for the anniversary.
As expected, I wasn’t let down this time either. The first speaker was Andy Clark from Detica Forensics. He gave a very entertaining talk about security delusions, including e.g. why putting everything in “the cloud” (meaning mostly all those Web 2.0 services like Facebook, GMail, Twitter etc.) does more harm to the privacy of the individual than most people think. Nothing new from a technical point of view, but interesting nonetheless. Judging by the hands raised when Andy polled the audience, I was also one of only a few people with fully encrypted HDs and without accounts on any of the major Web 2.0 social networking sites. The paranoia comes with the job I guess… ;).
The next talk was held by Boris Škorić from the TU/e and covered Physical Unclonable Functions (PUFs). These are interesting, for instance, for anti-counterfeiting measures. Today, anti-counterfeiting features like holograms are still counterfeited, as the production process is repeatable. With PUFs, processes can be used which cannot be run a second time, but still create something uniquely identifiable.
After lunch break, Benne de Weger (also TU/e) gave his talk about the creation of a rogue CA certificate. This was first published in December by a whole group of security researchers (him being one of them) at the 25C3 and caused quite a stir back then. Have a look at this website for more information and a link to the video from the congress, if you’re interested in more details.
Finally, David Naccache (ENS) gave an introduction to side channel attacks and how to solve at least parts of the problem. He first demonstrated how his research group was able to transfer bits of information between two computers which were placed in the same rack or blade, but otherwise completely separated from each other. They did it by raising or lowering the heat one machine emitted, and measuring the fan speed in the other. They were able to read about 1 bit per 13 minutes, which is quite slow, but still proves the point. In the second part of his talk, he introduced the subleq machine. This is a Turing-complete machine with only one instruction:
subleq a b c
It subtracts b from a and branches to c if the result is less than or equal to 0. He then proceeded to build “normal” assembler instructions from this, like mov, clr etc. The advantage of such a machine is that there’s no way of running side channel attacks by measuring differences between assembler instructions, as ultimately, there is only one instruction.
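To make the subleq idea concrete, here is a small interpreter plus the clr and mov macros built from it. This is an added example, not code from the talk or from this post. It follows the operand convention as described above (subleq a b c subtracts b from a, branches to c when the result is at most 0); other write-ups order the operands differently. The memory layout (code first, then data), the symbolic names and the convention that a negative branch target halts are my own assumptions for the example. The step counter makes the point of the talk visible: a straight-line macro executes the same number of identical instructions whatever the operand values are.

```python
# Added example: subleq interpreter and the clr/mov macros built on it.
# Convention taken from the post: "subleq a b c" computes mem[a] -= mem[b]
# and jumps to c if the result is <= 0, otherwise falls through to the
# next triple. A negative branch target halts the machine (my assumption).

def run_subleq(mem, pc=0, max_steps=10_000):
    """Execute subleq triples in mem starting at pc.

    Returns (mem, steps) where steps counts executed instructions. Since
    every step is the same instruction, the count is the whole execution
    profile; it does not depend on which macro a triple belongs to."""
    steps = 0
    while 0 <= pc and pc + 2 < len(mem):
        a, b, c = mem[pc], mem[pc + 1], mem[pc + 2]
        mem[a] -= mem[b]
        steps += 1
        if steps > max_steps:
            raise RuntimeError("subleq program did not halt")
        pc = c if mem[a] <= 0 else pc + 3
    return mem, steps


def build_program(instrs, data):
    """Lay out code triples followed by data words.

    instrs: list of (a_name, b_name, c) where c is None (fall through to
    the next triple; from the last triple this halts), 'HALT', or an int
    instruction index. data: dict name -> initial value, placed after the
    code. Returns (mem, address_map)."""
    code_len = 3 * len(instrs)
    addr = {name: code_len + i for i, name in enumerate(data)}
    mem = []
    last = len(instrs) - 1
    for i, (a, b, c) in enumerate(instrs):
        if c == 'HALT' or (c is None and i == last):
            target = -1                 # halt: never run the data as code
        elif c is None:
            target = 3 * (i + 1)        # next triple
        else:
            target = 3 * c              # explicit instruction index
        mem += [addr[a], addr[b], target]
    mem += list(data.values())
    return mem, addr


def clr(x):
    """x = 0: subtracting a cell from itself always yields 0."""
    return [(x, x, None)]


def mov(src, dst, tmp='tmp'):
    """dst = src using only subleq, via a scratch cell tmp.

    dst = 0; tmp = 0; tmp -= src (tmp == -src); dst -= tmp (dst == src);
    tmp = 0 so the scratch cell does not leak the value into the next macro."""
    return clr(dst) + clr(tmp) + [(tmp, src, None), (dst, tmp, None)] + clr(tmp)


def demo_mov(value):
    """Run mov x -> y with x preset to value (constructed sample input).

    Returns (y after run, x after run, executed steps)."""
    mem, addr = build_program(mov('x', 'y'), {'x': value, 'y': 99, 'tmp': 0})
    mem, steps = run_subleq(mem)
    return mem[addr['y']], mem[addr['x']], steps


if __name__ == '__main__':
    for v in (7, -3, 0):
        print(v, demo_mov(v))   # the step count is the same for every v
```

demo_mov returns the copied value, the untouched source and the step count; the count is 5 for any input, which is exactly the uniform instruction stream the talk argued makes instruction-level side channels disappear.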
All in all, it was again a nice event with interesting talks and the opportunity to chat with like-minded people during the coffee and lunch breaks. I’m looking forward to seeing what EiPSI will do on its second anniversary :).