Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Is a Game Tiffany Bao

Published byJames White Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Is a Game Tiffany Bao"— Presentation transcript:

1 Security Is a Game Tiffany Bao tiffanybao@cmu.edu
Carnegie Mellon University Today I wanna talk about security as a game,

2 Ph.D. Student for Computer Security
Me Ph.D. Student for Computer Security I am a PhD student, and my research is computer security. When I meet my normal friends, they ask me, hey Tiffany, how should I secure my computer? And when I meet my abnormal friends, a.k.a the hacker friends, they ask me, how to find more vulnerabilities and hack more computers? Well, I am not gonna talk about my answer, especially for the second one. But I do want to show you that, see, different people have different perspectives, and computer security

3 is just a game with different people playing different roles and making different decisions. The players include individuals such as you and me, and also include parties such as companies or countries. We could defend, or attack, if that helps win the game. you might say, well, I am a good person, why would I wanna attack. Yeah, maybe you are, but it doesn’t mean that you are forbidden to attack. You just prefer defending than attacking because defending makes you feel better and it brings you more utility.

4 Do Techniques Help Us Win the Game?
I Don’t Know. Yet how to get more utility in the game? How to win the game? Does technology help us win the game? <- link technique The truth is, I don’t know. But I can show you why answering this question is not that easy.

5 Do Techniques Help Us Win the Game?
Patches help defense. Patch generation techniques help defense. Patches may help generate exploits[1]. Patch generation techniques may not help in the game (as a player may not want to patch). For example, we know that However, patches may actually help generate exploits, especially that we have the apeg technique. Therefore, techniques which quantitatively improve security doesn’t necessarily mean a qualitatively change in the game. [1] D. Brumley, P. Poosankam, D. Song, and J. Zheng. Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications. In Proceedings of the 2008 IEEE Symposium on Security and Privacy.

6 Do Techniques Help Us Win the Game?
for now Do Techniques Help Us Win the Game? ^ The attacker gets benefits from an attack. The attacking techniques help in the game. The victim may attack back to the attacker (due to the Ricochet attack[2]). The attacking techniques may not help in the game (as the players may not even want to attack[3]). [2] T. Bao, Y. Shoshitaishvili, R. Wang and D. Brumley. Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits, Proceedings of the IEEE Symposium on Security and Privacy, 2017. And sometimes, even though we are sure that a technique helps, it doesn’t mean that the technique will help you for good. When new techniques come out, the game may change, and the previous conclusion may expire. For example, we know that However, this year we published a paper showing that one can automatically generate an exploit by replacing the shellcode of an existing remote exploit. The occurrence of the technique implies that now the victim can take advantage of a receiving attack and retarget it back to the attacker, which we call it the Ricochet attack. This can be a threat for the attacker, and the attacker may not want to attack. If a player do not want to attack, the attacking techniques, no matter how powerful they are, will not help him in the game. So when we ask if a technique helps us win the game, we should actually ask if the technique helps us for now. [3] T. Bao, R. Wang, Y. Shoshitaishvili, C. Kruegel, G. Vigna and D. Brumley. How Shall We Play a Game? A Game-Theoretical Model for Cyber-warfare, Proceedings of the IEEE Computer Security Foundation, 2017.

7 My Confession I Don’t Know.
Okay. Time for me to confess. I confess that although I have been working on security for a couple of years, I still don't know whether my research really helps us win the security game, let alone whether it makes the world more secure or more chaos. Since I am so confused, I come here to give you this lightning talk, or perhaps, the perplexing talk. I would like to invite you to think about computer security from the game perspective. That means, we need to figure out what the game actually looks like and how techniques changes the outcome of the computer security game.

8 Technique X helps/does not help the players in Game G.
My Plan Game G Technique X Evaluation Framework Technique X helps/does not help the players in Game G. To answer the questions, I plan to work on a framework which takes a technique and a game as inputs, and output whether or not this technique helps the players in the game. I hope that this framework will ultimately help us understand how a technique impacts computer security --- the strategy game that we are playing on live.

9 Lightning enough?

Download ppt "Security Is a Game Tiffany Bao"

Similar presentations

A Model for When Disclosure Helps Security Peter P. Swire Ohio State University Stanford Cybersecurity Conference November 22, 2003.

A Model for When Disclosure Helps Security Peter P. Swire Ohio State University Stanford Cybersecurity Conference November 22, 2003.
Game Theory Here we study a method for thinking about oligopoly situations. As we consider some terminology, we will see the simultaneous move, one shot.

Game Theory Here we study a method for thinking about oligopoly situations. As we consider some terminology, we will see the simultaneous move, one shot.
1. 2 3 WELCOME TO FOUNDATIONS! In the months ahead, we are going to talk about one of the most important aspects of every ones life. It is at the center.

WELCOME TO FOUNDATIONS! In the months ahead, we are going to talk about one of the most important aspects of every ones life. It is at the center.
Sometimes we can tell how people are feeling by looking at them. How are they feeling?

Sometimes we can tell how people are feeling by looking at them. How are they feeling?
APPROACH AND CONTACT (STEP 2 OF THE SYSTEM MANUAL)

APPROACH AND CONTACT (STEP 2 OF THE SYSTEM MANUAL)
Listening is the highest compliment one can pay to another human being. Listening attentively (actively ): shows respect. builds trust. cements relationships.

Listening is the highest compliment one can pay to another human being. Listening attentively (actively ): shows respect. builds trust. cements relationships.
Healthy Relationships

Healthy Relationships
Exponential Functions

Exponential Functions
Creating your online identity

Creating your online identity
Protecting Your Privacy Online

Protecting Your Privacy Online
L.O: To understand how to use the Internet and ICT equipment safely.

L.O: To understand how to use the Internet and ICT equipment safely.
Unit 2 What should I do? 1st.

Unit 2 What should I do? 1st.
Tiffany Bao∗, Yan Shoshitaishvili†, Fish Wang†

Tiffany Bao∗, Yan Shoshitaishvili†, Fish Wang†
I like to play games and I like to win!

I like to play games and I like to win!
Exponential Functions

Exponential Functions
Automatic Patch-Based Exploit Generation

Automatic Patch-Based Exploit Generation
How are drugs and alcohol portrayed in the media?

How are drugs and alcohol portrayed in the media?
Building the foundations for innovation

Building the foundations for innovation
Damned if you do and Damned if you don’t

Damned if you do and Damned if you don’t
Difficult Conversations

Difficult Conversations

Similar presentations

Ads by Google