Collegium Helveticum
Workshop

Real-Life Impacts of Security Vulnerabilities

Details

Public event, free of charge.
Venue: Alumni Pavillon (MM C 78.1), ETH Zurich

Further information and documentation are available on the official event website and in the workshop report.

(How) can we assess the realistic real-life impact of claimed security vulnerabilities? This workshop aims to answer this question by starting a conversation among offensive security experts, industry practitioners, and experts in economic matters.

Offensive (information) security is the field in which security researchers analyze existing systems to uncover security or privacy vulnerabilities. Usually, a vulnerability found in a prominent system is accompanied by substantial coverage in the technology media, and sometimes even in the popular press.

Although claims of security vulnerabilities in top academic conferences are usually technically correct, they may not always have any immediate discernible impact in practice. But practitioners and decision makers need to decide what remedial action, if any, is warranted—ranging from doing nothing to immediate recall or replacement of the system in question. The security research community usually does not have the expertise (and often does not even attempt) to assess the likely real-life impact of a given vulnerability because the impact is dependent not just on technological factors but also on several other factors, chief among them economic.

On the other hand, widespread negative perception from well-publicized vulnerabilities can lead to a substantial opportunity cost. Decision makers in the industry may be tempted to prematurely pull technologies from deployment. Students and researchers may shy away from a particular technology that was found to have vulnerabilities because they perceive it as too risky.

This leads to questions such as: (how) can we assess the realistic real-life impact of claimed security vulnerabilities? Are there tools, techniques, principles, checklists, or best-practice guidelines that can help? Are there other settings (for example, environmental impact assessments) where similar needs have arisen and been addressed? What can security experts contribute to make similar approaches applicable to information security?

A prerequisite to answering this question is starting a conversation among offensive security experts, industry practitioners, and experts in economic matters. We hope to do this by holding a half-day workshop at ETH Zurich bringing together (1) offensive security researchers who have found significant security/privacy vulnerabilities, (2) practitioners with insights into how such vulnerabilities were dealt with in real life, and (3) economists, actuaries, and accountants who have expertise in methods and processes to assess potential real-world impact (possibly in contexts other than cybersecurity or privacy).

To keep the scope tractable, we limit the discussion to hardware-assisted security mechanisms, an area in which we, the organizers, have expertise. We plan to have a few short introductory talks to set the stage, followed by a panel involving experts from different disciplines. We hope for very active audience participation.

Program

13:30

Registration and coffee

14:00

Welcome remarks

Sebastian Bonhoeffer
Director, Collegium Helveticum

14:10

Introduction

N. Asokan
Collegium Helveticum
University of Waterloo, CA

14:25

Finding, Patching, and Promoting Security Research—and what about Sustainability?

Daniel Gruss
TU Graz, AT

14:45

Modeling Vulnerabilities Based on Attack Value

Eduardo Vela Nava
Google

15:05

Quantifying Cyber Risk

Rainer Boehme
University of Innsbruck, AT

15:25

Information Security Vulnerabilities From an Insurer’s Perspective
Risk Transfer and the Real-Life Financial Impact on the Economy and General Public

Lucas Engl
Zurich Insurance

15:50

Coffee break

16:10

Panel discussion
Real-Life Impacts of Security Vulnerabilities

Moderated by Shweta Shinde
ETH Zurich, CH

Hans Gersbach
ETH Zurich

Kaveh Razavi
ETH Zurich

Mark Brand
Google

Anders Fogh
Intel

Closing

Kari Kostiainen
ETH Zurich, CH

Followed by a small reception.

Invited speakers & abstracts

Daniel Gruss

Daniel Gruss (@lavados) is an Associate Professor at Graz University of Technology. He has been teaching undergraduate courses since 2010. Daniel’s research focuses on side channels and transient execution attacks. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. In 2023, he received an ERC Starting Grant to research the sustainability of security. He frequently speaks at top international venues.

Abstract of his talk:
Every day our systems receive multiple patches against security vulnerabilities. Each of these patches comes with its costs, which stack up in an unsustainable way. One of these patches was our KAISER patch against the Meltdown vulnerability we published in 2018. In 2030, a single patch of this gravity could drive up global electricity consumption by 0.5%. We will look at some security issues inside processor microarchitectures and how we can address them. We will understand why the patches are necessary and why they are expensive. Finally, we will discuss how fundamental changes in how we design systems could yield more sustainable alternatives, both in terms of energy consumption and in creating systems with inherently strong security properties.

Eduardo Vela

Eduardo Vela plays a key role in Google’s ongoing battle against vulnerabilities. Working with teams across the company, he helps ensure that flaws in Google products are addressed and that responsible disclosure practices extend throughout the industry. He was one of the pioneers of Google’s bug bounty program and has led it for over a decade, shaping the landscape for ethical security research. Currently he analyzes Linux kernel and CPU exploits to identify and understand fundamental weaknesses. His work aims to strengthen the technological foundation upon which we all rely, enabling a future where everyone can use technology safely.

Abstract of his talk:
A vulnerability on its own doesn’t mean much, and not all security holes are created equal. Traditional security checks focus on the technical details of a vulnerability. But to really grasp the risk, we need to broaden our view. This talk explains how the true danger of a vulnerability isn’t just about what it is and how easy it is to exploit. We’ll look at how what makes attackers tick, what’s at stake for victims, and a company’s ability to respond all shape the true impact of a vulnerability. By understanding these factors, we can get a better idea of which vulnerabilities pose the biggest risks and how to prioritize fixes accordingly in the long term.

Lucas Engl

Lucas Engl is a lead for cyber underwriting of large corporations in the specialty insurance department of Zurich Insurance. He is responsible for developing risk transfer solutions for major financial and commercial enterprises with internationally exposed insurance programs, but is also involved in handling domestic SME portfolios. In addition to his role in direct insurance as a market-facing underwriter, Lucas is seasoned in reinsurance on both the buyer and seller side as well as in captive solutions, working in tight collaboration with the top carriers in the (re)insurance industry. Furthermore, his tasks encompass the maintenance and growth of OSP/MSSP pipelines as well as the provision of correlated risk consulting, which aims to improve insureds’ cyber maturity. With a finance background and deep involvement in the cyber insurance market since its early kick-off as a mainstream line of business, he is skilled in applying his know-how to bring both fields closer together.

Abstract of his talk:
This presentation explores information security vulnerabilities from the perspective of insurers, focusing on risk transfer and the real-life financial impact on the economy and general public. First, the goal is to give a brief introduction to cyber insurance, highlighting its significance in today’s digital landscape. The assessment of a company’s cybersecurity posture is then discussed in light of key factors such as market cycles, frequency/severity calculations, and research on claims data. Understanding these helps insurers evaluate and underwrite policies effectively. Furthermore, we will examine the direct and indirect costs that can result from a cyber incident at a company. By analyzing financial implications such as business interruption, reputational damage, and (regulatory) fines, insurers gain insights into the potential impact on their policyholders and the wider economy. Addressing vulnerabilities of policyholders is a critical aspect explored in the next point. Insurance carriers must develop strategies to mitigate risk and support their insureds in managing and preventing cyber threats. Patch and vulnerability management are identified as crucial components in this process, emphasizing the importance of timely updates and security measures. The presentation highlights the prevalent concerns regarding ransomware actors, financially motivated hackers, and organized crime. Their tactics, motives, and the potential consequences of their actions are discussed, shedding light on the evolving threat landscape. In the context of the workshop, we will address how easily exploitable vulnerabilities in particular pose significant risks, as attackers are likely to move on to the next target if the exploitation process becomes challenging.

Rainer Böhme

Rainer Böhme is Professor of Computer Science and Head of the Security & Privacy Laboratory at the University of Innsbruck in the Austrian Alps. As an engineer with a background in economics and media science, he is known for his interdisciplinary approach to solving challenging problems in information security and privacy. Rainer’s research interests include digital forensics, steganography and steganalysis, privacy-enhancing technologies, economic and behavioral aspects of information security & privacy, and – last but not least – virtual currencies and cryptographic financial instruments. Rainer holds a PhD in Computer Science from the TU Dresden in Germany. He has also held positions at the University of California at Berkeley, the University of Münster in Germany, the MIT Media Lab, and has worked for the European Central Bank and the Bank for International Settlements.

Abstract of his talk:
We introduce a causal model inspired by structural equation modeling that explains cyber risk outcomes in terms of latent factors measured using reflexive indicators. We use the model to classify empirical cyber harm studies. We discover cyber harms are not exceptional in terms of typical or extreme losses. The increasing frequency of data breaches is contested and stock market reactions to cyber incidents are becoming less negative over time. Focusing on harms alone breeds fatalism; the causal model is most useful in evaluating the effectiveness of security interventions. We show how simple statistical relationships lead to spurious results in which more security spending or applying updates are associated with greater rates of compromise. When accounting for threat and exposure, indicators of security are shown to be important factors in explaining the variance in rates of compromise, especially when the studies use multiple indicators of the security level.

Panelists

Anders Fogh is technical lead for offensive security research at Intel and is an Intel Fellow. He is a renowned expert on microarchitecture and memory security. He has more than 20 years of experience with security and low-level topics, and his work on security has been published at both industry and academic conferences such as Black Hat USA and IEEE S&P. He has twice been recognized by the National Security Agency for excellence in research. Before joining Intel he worked as a principal security researcher on incident response and malware analysis. He spent 15 years of his career going from junior software developer to company founder and lead engineer. Anders holds a degree in economics.

Hans Gersbach has been Co-Director of the KOF Swiss Economic Institute since January 2023. He also holds the Chair of Macroeconomics: Innovation and Policy at ETH Zurich (Switzerland). He is a member of the academic advisory council at the Federal Ministry for Economic Affairs and Climate Action in Germany. His current research focuses, among other topics, on the examination of systemic risk and how to deal with it, for instance in the context of the design of bug bounty schemes and financial stability, as well as on the design of new economic and political institutions for the well-being of societies.

Kaveh Razavi is a former hacker and current professor at ETH Zurich. His students often stumble on security vulnerabilities in popular commodity software and hardware. Consequently, he has been engaging in responsible disclosure with large entities such as Google, Microsoft, Apple, Intel, AMD, ARM, and Samsung for almost a decade. To empower security researchers and protect their anonymity when necessary, he has helped establish third-party responsible disclosure practices in government CERTs in the Netherlands and, more recently, Switzerland.

Mark Brand is a software engineer on Google’s Project Zero team, which aims to reduce harm caused by targeted attacks on the Internet. His current focus is on web browser security.

Shweta Shinde is an assistant professor at ETH Zurich, where she leads the Secure and Trustworthy Systems Group. Her research is broadly at the intersection of trusted computing, system security, and program analysis. Her group focuses on foundational aspects of confidential computing to protect phones, servers, and accelerators as well as practical aspects of building large systems.

Additional info

Find the full program on the official event website.
See more info on the talks in the workshop report.

For some context on this topic, see this blog article by Senior Fellow N. Asokan.
