Third International Workshop on
Code Based Software Security Assessments (CoBaSSA 2007)

31 October 2007

NEW: CoBaSSA 2007 workshop proceedings

Workshop Program

 08:30 welcome & participant intro  
 08:45 Keynote: The Good, the Bad, and the Ugly From 10 Years of Vulnerability Prevention  
   Crispin Cowan  
 09:45 Searching for Malware  
   Ira Baxter  
 10:10 break  
 10:25 Information Flow Control and Taint Analysis with Dependence Graphs  
   Jens Krinke  
 10:50 Software Security through Targeted Diversification  
   Nessim Kisserli, Jan Cappaert, Bart Preneel  
 11:15 Identifying Source Code Authorship  
   Robert Lange, Jonathan Max-Sohmer, Maxim Shevertalov, Jay Kothari, Spiros Mancoridis  
 11:40 global discussion  
 11:55 wrap-up  
 12:00 end  


Our technological society has become more and more dependent on software that is used to automate everyday processes. This dependence increasingly exposes us to the security threats that originate from malicious software (malware) such as computer viruses and worms, and from software vulnerability exploits such as remote code execution or denial of service attacks. Moreover, this exposure is not limited to computer systems but is spreading to common appliances such as mobile phones, PDAs and consumer electronics (media centers, personal video recorders, etc.), since a growing number of these products are made extensible and adaptable by means of embedded software.

The proliferation of malware and exploits requires that action be taken to tackle these issues and to evaluate software security, in order to prevent the damage and costs (e.g., data loss, productivity loss, recovery time) that result from security incidents. This calls for measures to assure that a software system has the desired security properties, i.e., that it is free of malware and vulnerabilities. In addition, there is a need for software forensics technology, for example to determine code authorship or detect plagiarism.

Workshop History

The First International Workshop on Code Based Software Security Assessments was held in 2005, also co-located with WCRE. CoBaSSA 2005 drew 20 participants from academia and industry/government (approx. 50/50). One of the workshop's results was a top 10 list of open issues in software security research, jointly collected, refined and prioritized by the workshop participants. The workshop proceedings and results are available from the CoBaSSA 2005 homepage. Participant evaluation indicated great interest in the return of CoBaSSA as a co-located event of WCRE; all participants felt it was worthwhile to bring together the people in our community who work on this particular subject.


The purpose of this workshop is to bring together practitioners, researchers, academics, and students to discuss the state of the art of software security assessments based on reverse engineering of source or binary code (as opposed to software security assessments that look at the software process that was applied). This includes research on topics like source and binary code analysis techniques for the detection of software vulnerabilities (e.g., detecting whether code has potential buffer overflow problems) or for the detection of malicious behavior (e.g., detecting whether code contains an exploit or has viral behavior).

The goal of the workshop is to share experiences, consolidate successful techniques, collect guidelines, and identify open issues for future work.

Topics of interest

Topics of interest include, but are not limited to:


Participants are asked to submit a four-page position paper (in IEEE proceedings style and PDF format) detailing their experiences or ideas on software security assessments. The organizers will accept position statements based on originality, relevance, and suitability for triggering discussion.

Important Dates

Deadline for submission of position papers: September 17, 2007
Notification of acceptance: September 29, 2007
Final papers due: October 10, 2007
Workshop date: October 31, 2007


Workshop Format

The workshop will be lively and entertaining. It aims at discussion and interaction rather than presentations. However, all participants who submit a position paper will be given a chance to give a short presentation. These presentations will serve to introduce a case study, provoke discussion by presenting a controversial point of view, or introduce new points of view. In order to stimulate debate, each position paper will have a discussant assigned, whose task is to study the position paper in advance and prepare one or two questions.

The workshop opens with an introduction session where participants can raise the questions they would like to see addressed in the workshop; in the concluding wrap-up we will evaluate how far we got in answering these questions.

The participants' presentations take 25 minutes each, of which at least 5 minutes are reserved for questions and discussion. In order to stimulate an informed debate, we request all participants to read the position papers before the workshop and, where possible, prepare one or two questions.

In the interest of promoting interactive discussion, the number of participants will be limited to 25.

Dissemination of results

All accepted position papers are published in the CoBaSSA 2007 workshop proceedings, which appear as Delft University of Technology technical report TUD-SERG-2007-023.

The results of the workshop will be summarized in a workshop report that will be available from the workshop website after the workshop.


Organizers: Leon Moonen (Delft University of Technology, The Netherlands)
  Spiros Mancoridis (Drexel University, USA)

