CSE Security and Privacy Research
Computer security and privacy are important issues for everyone. Individuals want to be protected against identity and personal data theft. Corporations make huge efforts to protect customer information and intellectual property, and keep services running in the face of adversaries. Governments try to protect national secrets and safeguard critical infrastructure. UW CSE is having widespread impact on the computer security and privacy landscape. Below, we hit a few of the highlights. Learn more at:
The winning team for the National Collegiate Cyber Defense Competition, posing in their makeshift training room in Sieg Hall. Rear: Karl Koscher (co-captain), Conrad Meyer, Ian Finder, Mary Pimenova, Cullen Walsh, Alexei Czeskis (holding trophy, captain), Melody Kadenko (team adviser). Front: Mark Jordan, Baron Oldenburg
UW CSE Cyber Defense Team wins top national prize
Each year since the inception of the Pacific Rim Collegiate Cyber Defense Competition in 2008, UW CSE has fielded a team. Each year, UW CSE's team has taken first place in the regional competition and gone on to represent the department, the university, and the region in the national competition. And each year at nationals, the UW CSE team has fallen just shy of placing.
This year, though, was different! This year, the UW CSE Cyber Defense Team came out on top, winning the National Collegiate Cyber Defense Competition (NCCDC). The eight team members were graduate students Alexei Czeskis and Karl Koscher, and undergraduate students Conrad Meyer, Ian Finder, Mary Pimenova, Cullen Walsh, Mark Jordan, and Baron Von Oldenburg. Melody Kadenko served as team adviser.
The NCCDC competition is a three-day event during which teams must defend, administer, and maintain the computer systems of a fictional small company in the face of real attacks. The company network has all the typical small business components: a web server, email, network switch and firewall, a DNS server, customer data and personally identifiable information, intellectual property, workstations, servers, and so on. The types of systems vary (from versions of Windows to different distributions of Linux to Solaris), and the teams know nothing about these prior to the start.
The previous "administrators" of the company were not security minded and left the company systems unpatched, misconfigured, vulnerable, and potentially running intentionally malicious programs. As teams enter the competition area and sit behind their monitors, the red team (professional hackers from the Air Force, Navy, and various consulting firms) begins attacking each company's network. Adding to the pressure, competing teams have to perform standard business operations in the midst of these attacks: setting up VPNs, adding user accounts, performing password audits, adding portals to the company e-commerce website, and more. During the competition, the teams are allowed to bring only paper notes or books with them; no staged resources (online or otherwise) are allowed.
There are no breaks or down-time. Tensions run high and the adrenaline keeps pumping. Services go down. Websites get defaced. Customer data gets lost. There is always more to do than there is time. If a team unplugs its network in order to patch, it loses the competition. This year, one team had all of its computers wiped: all of the company data (and operating systems) gone; none of their machines would boot. In other words, the competition is brutal.
The UW CSE team
The UW CSE team was a bit rag-tag compared to the competition. The team trained on refurbished hardware (pulled from one of the team members' basements) in a makeshift lab in Sieg Hall (which, as alums know well, has seen better days). Unlike the teams from many other schools, they were not sponsored by a company. Administrative staff member Melody Kadenko volunteered as team adviser when it was discovered at the last minute that a rule change required an adviser to accompany each team to the national competition. In the best CSE tradition, though, the team had a lot of spirit, pride, energy, and ability! Part of the team's strength was its ability to innovate, react quickly, and create ad hoc solutions on the spot. For example, one team member wrote a network service monitoring program from scratch that let the team know the instant a service (e.g., HTTP[s], POP/SMTP, DNS) went down. This helped the team catch attacks the instant they happened and prevent them from spreading further. And another member came up with a non-standard egress traffic firewall that made it much more difficult for attackers to maintain a persistent threat on the team's systems.
The team's ingenuity was not limited to just the competition environment. While competition rules forbade tampering with other teams and attacking the red team, the rules did not prevent practical jokes regarding the physical access control of the competition. Having read the competition rules ahead of time, the UW CSE team came prepared with a card printer. On the first night, the team created fake red team badges and proudly paraded with them during the second day. The actual red team enjoyed the UW CSE team's badges so much that they traded a real red team badge for one of the UW CSE fake badges.
When tensions ran high during the competition, the UW CSE team came up with humorous ways to bring the atmosphere back to normalcy. The team would break out in song (the Angry Birds theme song) to mimic the Angry Birds peace treaty. This would signal to everyone that it was time to relax and that everything would be okay.
CSE team's fake red team badge
The UW CSE team hoped to finish in the top three, but didn't expect to win — they had enjoyed themselves and performed well, which is what mattered. When another team was announced as the third place winner, UW CSE team members were disappointed — maybe they hadn't made the top three. When another team was announced as the second place winner, hearts sank. Then the winning team was announced: UW CSE! The screaming team members were presented with a huge trophy, which now graces the Allen Center front office. (It's too big to fit in any of our display cases!) Everyone on the team received multiple job offers after the big win (but just about everyone already had plans).
To learn more about the team or to read interviews given by the team to various media outlets, visit the team page:
For more information, to sponsor the team, donate hardware, or join, contact Alexei Czeskis at aczeskis at cs.washington.edu.
Security and privacy of modern automobiles: Opening new research directions
Road testing on a closed course (a de-commissioned airport runway). The experimented-on car, with our driver wearing a helmet, is in the background; the chase car is in the foreground.
UW CSE is known for opening up new security and privacy research directions (e.g., the security of implantable medical devices http://www.secure-medicine.org/). Recently, UW CSE security and privacy researchers partnered with University of California San Diego (UCSD) to form the AutoSec (automotive security) group; together they have once again given the security and privacy research community something new to think about. In their first work, the AutoSec group experimentally found that an attacker who is able to infiltrate virtually any electronic control unit (ECU) of an automobile can leverage this ability to completely circumvent a broad array of safety-critical systems. In their second work, the group showed that an attacker is able to do so remotely. The AutoSec group's findings have not only impacted the scientific community; their efforts have also given rise to new policies at the corporate and legislative level.
The AutoSec group
The AutoSec group is composed of researchers at UW and at UCSD (some of whom are UW CSE alums). The UW CSE team members are PhD students Alexei Czeskis, Karl Koscher, and Franzi Roesner, undergraduate Conrad Meyer, and Professor Shwetak Patel — all led by Professor Tadayoshi (Yoshi) Kohno. You can find the full list of the AutoSec members at:
Computers in cars — Some background
Modern automobiles are pervasively monitored and controlled by numerous computers (50-70 in luxury sedans) coordinated via internal vehicular networks. Many of these computers help increase the overall automobile safety, efficiency, and comfort (think anti-lock brakes, airbag sensors, the infotainment system, and lots more). Additionally, automobiles are increasingly becoming connected to the external environment. Many modern cars not only have a radio with CD/AM/FM/XM/USB capabilities, but also have complex telematics systems (e.g., BMW's ConnectedDrive, Ford's Sync, GM's OnStar, and others). Most of these systems can connect to a phone through Bluetooth for hands-free calling, to satellites through GPS for in-car navigation, to the cellular network for data services (e.g., map data or on-demand help), and some telematics systems are even deploying app-stores. The AutoSec group formed to investigate (both theoretically and experimentally) what could happen if a malicious person attacked these systems.
What the AutoSec group did
The team bought two mid-range 2009 sedans — one to be used at UCSD, the other at UW — to replicate and validate experiments. Next, the AutoSec group analyzed, researched, and investigated how various car electronics worked. They did not have access to any manufacturer tools or information other than what was publicly available. During their investigation, the AutoSec group developed sophisticated firmware and software for analyzing and auditing the automotive environment. Many of the initial tests were performed in the laboratory and were verified with the car on jack stands. Finally, after the group had uncovered many potentially alarming vulnerabilities, the findings were validated on live road tests on a decommissioned airport runway.
What the AutoSec group found
The group found that an attacker who was able to compromise any one of the car's many computers could fully control almost every other computer in the car. For example, the AutoSec group showed full control of the lights, windows, doors, radio, dash, heating and cooling. They could also enable or disable any or all of the brakes, start or kill the engine, release the shift solenoid, or reverse the brake pedal function. Furthermore, they were able to replicate all of these capabilities both at rest and at speed. Some tests were not performed because of safety concerns (like deploying the airbag). These findings, a detailed analysis of how and why these issues occurred, along with recommendations as to what could be done, were presented at the 2010 IEEE Symposium on Security and Privacy in Oakland, California.
While the paper was well received by members of the automotive industry, others considered the possibility of a remote compromise of a car somewhat far-fetched. In response, the AutoSec group conducted more research and published a follow-up paper showing that remote attacks are possible. For example, the group created a file that would play normally on a PC, but when burned on a CD and inserted into a car, would exploit the radio, causing arbitrary code to execute. The demo CD had a benign payload that would unlock the car doors. In other attacks, the group showed that they were able to remotely exploit the car (over an arbitrarily long distance) by calling it (the car's telematics system has a publicly callable number), playing a specially crafted sequence of sounds, and again causing arbitrary code to execute. The group found a variety of mid-range attacks as well — i.e., via Bluetooth. The results were presented to the National Academy of Sciences Committee on Electronic Vehicle Controls and Unintended Acceleration in March 2011 and will be published at the USENIX Security Symposium in August 2011.
AutoSec group impact
The group's findings have had tremendous impact upon industry and in research communities. Automotive manufacturers, law enforcement officers, and the government are taking this work seriously. Multiple working groups and workshops have been organized to investigate automotive safety and security more fully. The National Highway Traffic Safety Administration (NHTSA), the Society of Automotive Engineers (SAE), and other safety/standards organizations have noted these results and have contacted the AutoSec group for advice.
For more information, please visit the AutoSec group's page at: