**Program 2020 (*Tentative***)

Day 1 | Ocober 28

9:00–9:30 Welcome speech!

9:30–10:30 Keynote

Talk Title: Towards Usable and Secure Graphical Passwords for Smartphones

Hyoungshick Kim, Associate Professor (Sungkyunkwan University, Seoul, South Korea)

10:30–10:45 Coffee Break

10:45-12:05 Session 1: Blockchains and Compliance

Session Chair: Jungwoo Ryoo (Pennsylvania State University, USA)

Medical Blockchains and Privacy in Austria – Technical and Legal Aspects

Andreas Kolan, Simon Tjoa, and Peter Kieseberg

Distributed Unit Security for 5G Base-Stations using Blockchain

William Crowe and Tom Oh

Assessing the sovereignty and security of the Austrian internet

Florian Plainer, Klaus Kieseberg, and Peter Kieseberg

Continuous Security through Integration Testing in an Electronic Health Records System

Saptarshi Purkayastha, Shreya Goyal, Tyler Phillips, Huanmei Wu, Brandon Haakenson, and Xukai Zou

Day 2 | Ocober 29

9:00–9:15 Welcoming Remarks & Introduction to Keynote

09:15 – 10:15 Keynote

Talk Title:

Edgar Weippl, Professor (University of Vienna, Vienna, Austria)

10:15 – 10:30 Coffee Break

10:30–11:50 Session 2: Secure Software Design and Implementation

Session Chair: Simon Tjoa (St. Pölten University of Applied Sciences, Austria)

Compiling and Analyzing Open Source Malware for Research Purposes

Daniel Judt, Patrick Kochberger, Peter Kieseberg, and Sebastian Schrittwieser

Awareness of Secure Coding Guidelines in the Industry – A first data analysis

Tiago Espinha Gasiba, Ulrike Lechner, Maria Pinto-Albuquerque and Daniel Mendez

VM based Malware Security Protection on Android Platform

Anthony Avella, Ian Menovich, Ryan Strimple, and Syed Rizvi

Comparison of various interpolation techniques toinfer localization of audio files using ENF signals

Hyekyung Han, Kanghoon Lee, Youngbae Jeon and Ji Won Yoon

11:50–12:00 Coffee Break

12:00–12:20 Lightning Talk

Blockchain-based Service Performance Evaluation Method Using Native Cloud Environment (Taeyoung Kim and Hyung-Jong Kim)

Day 3 | October 30

9:00-9:15 Welcoming Remarks & Introduction to Keynote

9:15:00–10:15 Keynote

Talk Title: TBA

Speaker Name and Affiliation

10:15–10:30 Coffee Break

10:30 – 11:10 Session 1: Internet of Things (IoT)

Session Chair: Hyoungshick Kim (Sungkyunkwan University, Korea)

WIP: An Internet of Things (IoT) Security Assessment for Households

William Aiken, Jungwoo Ryoo, and Syed Rizvi

Why Compliance is needed for Internet of Things?

Shakir Campbell, Kieran Alden, and Syed Rizvi

11:10 – 11:30 Session 2: Lightning Talk & Closing

Session Chair: Jungwoo Ryoo (Pennsylvania State University, USA)

11:10–11:30: Lightning Talk

A Study on Reflecting User Experiences for Sensor-based Android IoT Services (Jae-Yoon Ahn, Bo-Min Kim, and Hyung-Jong Kim)

11:30–12:00 Closing Remarks & Best Student Paper Award

Full Research Papers

Medical Blockchains and Privacy in Austria – Technical and Legal Aspects

Andreas Kolan, Simon Tjoa and Peter Kieseberg

The utilization of blockchains in the medical domain has been discussed for quite some time, with multiple academic projects targeting various application domains in this field. Still, many countries feature underlying laws and regulations that make this utilization hard to impossible, especially when considering the sensitive nature of medical records. In this work we analyze the specific situation in Austria and analyse the two major regulations that need to be taken into account, the EU-wide GDPR and the Austria-specific ELGA, with respect to blockchain applications in the medical sector in Austria. Furthermore, we outline several additional key issues that need to be taken into consideration, as well as the problem of the most prominent solution, linking to external storage from the blockchain.

Distributed Unit Security for 5G Base-Stations using Blockchain

William Crowe and Tom Oh

5G in the United States has been rapidly growing this past year as the New Radio (NR) standards have been finalized. The top three US cellular carriers cover most major cities in 2019, and the plans are to cover most of the nation by the close of 2020. Field testing shows that 5G is meeting the promise of gigabit speeds and single digit latency over millimeter wave. 5G Security is ever so more critical with the expectation of massive IoT, M2M, VANET, and High-Speed Fixed Wireless. More devices will rely on commercially available wireless internet, it should be expected that 5G Security will be thoroughly tested by unscrupulous individuals. To enhance security, this paper will cover utilizing Blockchain for identity management of the next generation NodeB (gNB) for the user equipment (UE) would make Rogue Cellsite, man-in-the-middle-attacks, or Stingray much harder to perform. This would prevent the UE from blindly connecting to any gNB it sees and sharing sensitive information because of the connection requested from an untrusted source. While there are other potential security flaws in 5G, implementing Blockchain in a commercial network would enhance attach and handover security for all devices that use 5G.

Assessing the sovereignty and security of the Austrian internet

Florian Plainer, Klaus Kieseberg and Peter Kieseberg

With many people depending on the internet in their daily work lives, the question on dependencies of these services arises. In this work we provide the methodology and analysis results regarding the security and dependencies of important Austrian sites on other nations and (potentially vulnerable) resources. Furthermore, we added a specific sub set to the analysis, focusing on governmental sites due to their increased importance.

Continuous Security through Integration Testing in an Electronic Health Records System

Saptarshi Purkayastha, Shreya Goyal, Tyler Phillips, Huanmei Wu, Brandon Haakenson and Xukai Zou

The estimated average cost of a healthcare data breach in 2019 was $6.45 million, which is the highest among all industries. Yet, security remains an afterthought in many digital health applications. Formal methods for testing for bugs are commonplace in software development through the use of unit testing, integration testing, system testing, and acceptance testing. More so, in modern software engineering, continuous integration is a well-known concept to run automated tests soon after any code change, when the system builds and notifies the development team of the test results. In this paper, we describe the use of a popular Python unit testing framework to implement a formal method of security testing. Common Vulnerability Scoring System (CVSS) is used to calculate metrics that represent the state of security of a deployed system. We developed a series of Pytest Behavioral Driven Development (BDD) scripts to test the Authentication and Availability of a widely used Electronic Health Records System called OpenMRS. The advantage of using the BDD approach is that testing scripts, called Gherkin files, can be read and understood by the developers as well as the non-developer stakeholders. The use of Gherkin serves two purposes: firstly, it serves as the project’s documentation, and secondly, it automates the tests. The use of the CVSS score between 0 to 10 becomes an objective metric to compare every code change, thus achieving continuous security. We plan to expand BDD scripts to attacks like Denial of Service, Session Hijacking, SQL Injection, and other privilege escalation attacks.

Compiling and Analyzing Open Source Malware for Research Purposes

Daniel Judt, Patrick Kochberger, Peter Kieseberg and Sebastian Schrittwieser

Malware obfuscation can make both automatic and manual analysis of its binary code and the contained functionality significantly more time consuming. For malware research it would therefore be useful to be able to study the effects of different obfuscation methods on the resulting binary code. While some obfuscations are applied through rewriting of the binary, others have to be applied at source code level or during compile time. However, the source code of in-the-wild malware is often not available. For this paper, we collected the source code of eleven open source malware samples from the past 12 years and analyzed if they still compile on current systems. Furthermore, basic static analysis was performed to evaluate the usefulness of the resulting binaries for further malware obfuscation research. Our results indicate, that it is possible to compile available samples with moderate effort and the resulting binaries are very well suited for research purposes.

Awareness of Secure Coding Guidelines in the Industry – A first data analysis

Tiago Espinha Gasiba, Ulrike Lechner, Maria Pinto-Albuquerque and Daniel Mendez

Software needs to be secure, in particular when deployed to critical infrastructures. Secure coding guidelines capture practices in industrial software engineering to ensure the security of code. This study aims at assessing the level of awareness of secure coding in industrial software engineering, the skills of software developers to spot weaknesses in software code, and avoid them, as well as the organizational support to adhere to coding guidelines. The approach draws not only on well-established theories of policy compliance, neutralization theory, and security-related stress but also on the authors’ many years of experience in industrial software engineering and on lessons identified from training secure coding in the industry. The paper presents the design of the questionnaire for the online survey and the first analysis of data from the pilot study.

VM based Malware Security Protection on Android Platform

Syed Rizvi, Anthony Avella, Ian Menovich and Ryan Strimple

This paper looks at the different ways in which Android phones can be attacked by android malware, and the different developments in malware protection and detection. The fight against mobile malware is an important one as most people today own cell phones and store valuable personal information on their phones. There are many ways in which a phone can be attacked by malware, and therefore there are many different methods to detect and defend against these attacks. Some experts suggest a decentralized data approach, while others suggest anti-malware hardware is the solution. There are many different Anti-malware hardware devices that all work in different ways and detect malware at different levels. However, there are no full-proof malware detection schemes. It is alarming that there is no common solution to protecting against malware and no way to completely detect malware every time. In this research, we focus on Android malware, specifically malware found on apps from the Google Play Store. One of the ways one would solve this problem is by using virtual machines and compiling malware detection programs on them. To support our VM based malware detection scheme, we develop an algorithm to provide implementation-level details. The practicality of our proposed scheme is shown using multiple case studies.

WIP: An Internet of Things (IoT) Security Assessment for Households

William Aiken, Jungwoo Ryoo and Syed Rizvi

IoT is becoming a common term. More consumers are purchasing and installing household IoT devices such as thermostats, security cameras, and lighting solutions. These so-called smart home appliances supposedly make our lives easier, safer, and more sustainable. However, the benefits come with risks, especially in cybersecurity and privacy. As more IoT hosts connect to a home network, the possibility of potential security breaches also increases. The more hosts in a network, the more opportunities for attackers, which is why users should pay attention to security vulnerabilities and address them as much as possible. In this context, self-assessment of how well a household is doing with IoT security is of great use. This paper proposes an easy-to-use and intuitive assessment tool to realize this idea.

Why Compliance is needed for Internet of Things?

Syed Rizvi, Shakir Campbell and Kieran Alden

The Internet of Things (IoT) is a relatively new concept that has been coined and is now commonly used in the field of Information Technology (IT). This concept is defined as many things, but the simplest way to describe IoT is as the culmination of all of the new devices, systems, applications, technology, etc. that are connected and have the capability to transfer or transmit data without the need of a human or computer. This developing industry is expected to have billions of devices interconnected in the next few years. This growth is happening in all branches of traditional IT. Different divisions of IT, such as the financial division or medical division of IT, are already moving to the IoT. While this technological advancement is conceptually astounding, just like anything new in the world of IT, there arise many questions about the security of, or lack thereof, IoT. Furthermore, the lack of laws and regulations that will set standards for security on the IoT, similarly to how traditional IT has compliance laws for each of the divisions of IT (medical, retail, financial, industrial, etc.). The main purpose of this paper is not to come up with a solution to the lack of security compliance pertaining to the IoT, but identify that the lack of compliance laws for IoT is a problem and that traditional IT compliance laws will not work for the IoT unless modified. Instead, new compliance standards should be established to address the security and privacy concerns of IoT.

Lightning Talk

Blockchain-based Service Performance Evaluation Method Using Native Cloud Environment

Taeyoung Kim and Hyung-Jong Kim

This study presents a performance evaluation system that helps blockchain-based service planners make decisions. This system is offered as Docker and Kubernetes for portability and flexibility.

A Study on Reflecting User Experiences for Sensor-based Android IoT Services

Jae-Yoon Ahn, Bo-Min Kim and Hyung-Jong Kim