Build Systems that Drive Business
30–31 Oct 2018: Training
31 Oct–2 Nov 2018: Tutorials & Conference
London, UK

Critical Infrastructure Software Security: A Maritime Shipping Study Case

Elisa Heymann (University of Wisconsin-Madison), Bart Miller (University of Wisconsin-Madison)
13:1513:55 Friday, 2 November 2018
Building Secure Systems
Location: Windsor Suite Level: Beginner

Prerequisite knowledge

To gain maximum benefit from this presentation, attendees should be familiar with at least one of the Java, C, C++, or scripting programming languages. This presentation does not assume any prior knowledge of security assessment or vulnerabilities.

Description

We know that serious attacks on software occur world-wide on a daily basis, targeting individuals, corporations and governments alike. When these attacks target the software that controls critical infrastructure such as the power grid or maritime container shipping, the consequences can be even more serious. Vulnerabilities in the software that supports container shipping can disrupt commerce and enable smuggling, theft, and terrorism. And these software vulnerabilities can even sink ships. The key to the prevention of such attacks is a comprehensive cybersecurity program that includes in-depth vulnerability assessment of the software that control the shipping process.
We will describe our experiences applying in-depth vulnerability assessment techniques to a critical part of the software that controls container shipping, terminal operating system (TOS). The in-depth vulnerability assessment is based on our First Principles Vulnerability Assessment (FPVA) methodology. The goal is this methodology is to identify the key (high value) assets in the system, determine their exposure to threats, and then performed detailed analysis of the code associated with those assets. This process proceeds without a preconceive notion of what threats or vulnerabilities might be present.
We will outline the process that we followed, explain the vulnerabilities we found, and describe our suggestions for remediating these vulnerabilities.

Photo of Elisa Heymann

Elisa Heymann

University of Wisconsin-Madison

Elisa Heymann is a senior scientist within the NSF Cybersecurity Center of Excellence at the University of Wisconsin and an associate professor at the Autonomous University of Barcelona, where she codirects the MIST software vulnerability assessment. Elisa was also in charge of the Grid/Cloud Security Group at the UAB and participated in two major European grid projects: EGI-InSPIRE and the European Middleware Initiative (EMI). Elisa’s research interests include security and resource management for grid and cloud environments. Her research is supported by the NSF, the Spanish government, the European Commission, and NATO.

Photo of Bart Miller

Bart Miller

University of Wisconsin-Madison

Barton Miller is a professor of computer sciences at the University of Wisconsin, the chief scientist for the DHS Software Assurance Marketplace research facility, and software assurance lead on the NSF Cybersecurity Center of Excellence. Bart also codirects the MIST software vulnerability assessment project in collaboration with his colleagues at the Autonomous University of Barcelona and leads the Paradyn Parallel Performance Tool project, which is investigating performance and instrumentation technologies for parallel and distributed applications and systems. In 1988, Bart founded the field of fuzz random software testing—the foundation of many security and software engineering disciplines—and in 1992, working with his then-student Jeffrey Hollingsworth, founded the field of dynamic binary code instrumentation and coined the term “dynamic instrumentation,” which forms the basis for his current efforts in malware analysis and instrumentation. His research interests include systems security, binary and malicious code analysis and instrumentation of extreme-scale systems, parallel and distributed program measurement and debugging, and mobile computing. Bart’s research is supported by the US Department of Homeland Security, the Department of Energy, the National Science Foundation, NATO, and various corporations.

Leave a Comment or Question

Help us make this conference the best it can be for you. Have questions you'd like this speaker to address? Suggestions for issues that deserve extra attention? Feedback that you'd like to share with the speaker and other attendees?

Join the conversation here (requires login)