NERD Summer School


RWTH Computer Science Center (Informatikzentrum)

Building E3 (Erweiterungsgebäude 3), 2nd floor

Street Address: Mies-van-der-Rohe-Straße 35

52074 Aachen

Descriptions: how to get there! (PDF)


Monday 02.09.2019

Usable Security

8:30 Registration
9:00 Welcome notes
Morning Session (9:30am-12pm) In this session, we explore user authentication. This includes an overview of the different authentication approaches and how to compare them along different metrics. We will also cover the psychology, usability, and security factors to consider when conducting research in user authentication. Finally, we will explore best practices in conducting user studies involving authentication, and discuss current recommendations.

Sonia Chiasson is the Canada Research Chair in User-Centric Cybersecurity and an Associate Professor in the School of Computer Science at Carleton University in Ottawa, Canada. Prof. Chiasson is the deputy Scientific Director of SERENE-RISC, a national network created to help protect individuals and organizations from online security and privacy threats. Prof. Chiasson has been conducting research in the field of usable security for 14 years. Her main research interests relate to the human aspects of computer security and privacy with the goal of making security mechanisms easier and safer for people to use.

Afternoon Session (1:30pm – 4:00pm) In this session, we explore usable privacy. The session will start with an interactive discussion of the definition of privacy, then will move on to the contextual nature of privacy, and the apparent disconnect between the stated privacy wishes of users and their actions in protecting their privacy. The session will close with an exploration of current usable privacy practices, as well as examining their applicability to new platforms such as the Internet of Things.

Heather Crawford is an Assistant Professor in the Department of Computer Engineering and Sciences at Florida Institute of Technology in Melbourne, Florida, USA. Dr. Crawford has conducted research in the areas of usable authentication on mobile and wearable devices. Her main research interests remain in the usable security and privacy field with a focus on their applicability to IoT, as well as research in the security of Quantum Computing. Dr. Crawford has won several Teaching Excellence Awards at Florida Tech, and enjoys teaching a variety of graduate and undergraduate courses.

5pm Reception and Poster Session

Tuesday 03.09.2019

IT Security Education

Morning Session (9:30am-12pm) This session will look at best practice and innovative methods for cyber security education at the university level. I’ll start off by looking at “gamification” and the use of Capture The Flag competitions, reviewing their strengths and weaknesses, and presenting a range of good (and a few bad) examples of how others have used these ideas in cyber security courses. Next, I will present some of our own work on building an easy-to-deploy, self-contained CTF VM, and on adding a story to this to make it more engaging to students. I’ll also discuss a phishing education VM we have developed and how IoT devices can be used in cyber security education. I’ll end by discussing how real computer games can make excellent material for advanced cyber security exercises.

Tom Chothia is a Reader in cyber security at the University of Birmingham. His work focuses on the development of formal and automated methods, and their application to finding vulnerabilities in real-world systems. He runs research projects on the security of financial systems, industrial control systems and firmware analysis. His work on pacemaker security, banking security, e-passport traceability and BitTorrent monitoring has received media coverage. He has also published widely on cyber security education, developing material that is now used at other universities.

Afternoon Session (1:30pm – 4:00pm) This session will explore issues in IT security from a human-centered security perspective, examining challenges faced by end-users. Following this, a variety of gamification and games-based learning techniques will be discussed. The two topics will then be brought together, allowing participants to investigate how gamification techniques can be applied to the domain of security awareness.

Objectives of the session:
1. Identify the key issues the general public face in terms of security awareness.
2. Explore a range of gamification and games-based learning techniques.
3. Establish how to apply gamification techniques to enhance end-user security

Lynsay Shepherd is a Lecturer in Usable Security at Abertay University, Dundee, and works within the Division of Cyber Security, in the School of Design and Informatics. Dr Shepherd holds a PhD in Usable Security, an MSc in Internet Computing, and a BSc (Hons) in Computing. Dr Shepherd’s research focusses on the human aspects of cyber security, investigating how to effectively communicate security information to end-users.

Evening Program: Guided City Tour

Wednesday 04.09.2019

IT Security Standardization

Morning Session (9:30am-12pm) Until very recently, all major security protocol standards (for example, for secure web browsing) were developed with little to no input from academia. However, this situation is now rapidly changing, with the ultimate goal of deploying more secure standards. Prime examples are the recently deployed TLS 1.3 protocol and the ongoing development of the MLS secure messaging protocol. In this session I will explain through several examples how we as academics are trying to assist in the development of these standards. In particular, I will show how the developments in automated analysis tools and pen-and-paper proof methodologies play a crucial role in making the communications of the future more secure. As running examples we will use the TLS 1.3 protocol, which you are probably using in your browser right now, and the MLS protocol for secure group messaging, which is currently under development.

During the last ten years in this area, we encountered many deep technical problems and challenges, some of which we have yet to solve. But we also encountered problems of a different nature: how to interact with standardisation bodies, such as ISO, IETF, 3GPP (5G), and IEEE? The answers are sometimes funny, and sometimes sad, but we are heading in the right direction.

Cas Cremers is a faculty member at the CISPA Helmholtz Center for Information Security in Saarbruecken, Germany. He obtained his PhD in 2006 from Eindhoven University of Technology in the Netherlands. From 2006 to 2013 he was a postdoctoral researcher, and senior researcher and lecturer, at ETH Zurich in Switzerland. In 2013 he moved to the University of Oxford as an Associate Professor. In 2015 he became (full) Professor of Information Security at the University of Oxford. In 2018 he joined the CISPA Helmholtz Center for Information Security in Germany.

Afternoon Session (1:30pm – 4:00pm) One of the major challenges ahead of us in applied cryptography is the migration of asymmetric cryptography from RSA/DH/ECDH-based systems to primitives that remain secure in the presence of quantum adversaries. To tackle this challenge, NIST issued a call for proposals in 2016 and by the deadline in 2017 collected 69 submissions. In January 2019, NIST announced a set of 26 round-2 candidate schemes. In my talk I will give my personal view on this standardization effort; as I am a co-submitter of 7 schemes, this view is certainly going to be biased. Also, it is going to be from a crypto-engineering rather than a cryptanalysis point of view.

Peter Schwabe is an associate professor at Radboud University Nijmegen. He graduated from RWTH Aachen University in computer science in 2006 and received a Ph.D. from the Faculty of Mathematics and Computer Science of Eindhoven University of Technology in 2011. He then worked as a postdoctoral researcher at the Institute for Information Science and the Research Center for Information Technology Innovation of Academia Sinica, Taiwan and at National Taiwan University. His research area is applied cryptography; in particular the optimization of cryptographic and cryptanalytic algorithms in software. The target architectures of this software range from high-end desktop and server CPUs through parallel architectures such as the Cell Broadband Engine and graphics processing units to embedded processors such as ARM and AVR.

Evening Program: Dinner

Thursday 05.09.2019

Application Security

Morning Session (9:30am-12pm) There is a near-constant barrage of major breaches of computer security, most recently Capital One in late July 2019; it is painfully clear that this challenge is important and far from solved. And the challenge is growing, as there is an ever-growing variety of languages and platforms that must be secured, for which code is developed and tested in an ever-wider variety of environments and with ever more tools. Static program analysis is a promising approach to address these concerns, which has already shown results in both academic tools such as FlowDroid and CogniCrypt as well as commercial tools such as AppScan and Coverity. But the range of platforms, languages and tools can each require a different analysis implementation for any security analysis. Thus it is a daunting task to support a broad range of developers in writing secure code for the wide range of platforms in diverse languages using a wide range of tools.

The Watson Libraries for Analysis (WALA) framework is working to ameliorate this challenge. It supports multiple popular languages (Java, JavaScript and Python), platforms (JVM, Web, Android) and most popular development tools. Across this diversity, WALA provides a uniform interface to state-of-the-art analysis technology, including dataflow analysis, call-graph construction, slicing and others. WALA enables one to write advanced analysis algorithms once and apply them to a wealth of platforms.

In this tutorial, we walk the attendees through how this works in practice. We start with a technical overview of the WALA framework and its support for analysis of mobile code. Then, we briefly present the different platforms, including writing a common concrete app. Finally, we interactively create an analysis algorithm, using the foundations from the first part, and apply it to an app written in the second part across all platforms.

Julian Dolby (IBM Research) has been a Research Staff Member at IBM’s Thomas J. Watson Research Center since 2000. He works on a range of topics, including static program analysis, software testing, the semantic web (AI) and programming technology support for machine learning.

Afternoon Session (1:30pm – 4:00pm) In recent years, critical infrastructures in various countries have been targeted by cyber attacks. The most famous example of such an attack is Stuxnet, which manipulated the control software running in the embedded control system (ECS). Following Stuxnet, various attacks against ECS devices have been reported, including attacks on the Ukraine electrical grid that caused a nationwide blackout and the targeting of ECS devices in a refinery in Saudi Arabia. This talk consists of three parts.

In the first part, we examine ECS security from an attacker’s perspective. We will take a look at various attacks that previously had not been understood and that take advantage of a specific feature of embedded devices.

In the second part, we examine ECSs from a defender’s perspective, and we discuss two protection mechanisms that operate at the device (host) level. These mechanisms are designed to prevent the attacker from gaining access to the ECS device using memory corruption vulnerabilities. At a low level, these mechanisms also take advantage of some architecture-specific features. We evaluate these techniques and show that they are effective and not easy to bypass.

In the third part, we will discuss the challenges in embedded device fuzzing. This is a research topic which is not yet solved, but we will discuss our current work and the challenges we faced in creating fuzzers for embedded devices and specifically for ICS devices.

Ali Abbasi is a Post-Doctoral researcher at the Chair for System Security of Ruhr-University Bochum, Germany. His research interests are Embedded Control Systems Binary Security, Real-Time Operating Systems Security and Automotive Security. Ali received a PhD degree from Eindhoven University of Technology, the Netherlands. In Eindhoven he was working at the Security Group on code-reuse defenses for Programmable Logic Controllers (PLC). Abbasi also received an MSc in Computer Science from Tsinghua University, Beijing, China in 2013 and a BSc in Industrial Engineering from Mazandaran University of Science and Technology, Iran.

Want to attend all or some days of the Summer School? Register here:

    The Summer School will be free of charge for participants, as meals are not included (except coffee breaks).
    We might be able to offer some scholarships to cover travel expenses. If you are interested in one, indicate it above.

    Privacy Statement:
    For questions regarding the processing of personal data, contact us or the data protection office of the Ruhr University Bochum. Data submitted in this form will only be used for the purpose of organizing this summer school. You can choose to register for our newsletter on upcoming summer schools. If you do not want to receive the newsletter, the data will be stored until the summer school organization is completed (approx. 1 year). If you register for the newsletter, your email address will be stored until you unsubscribe. You have the right to request access, withdraw your consent, or lodge a complaint.