Information Security at ETH Zurich Institute of Information Security at ETH Zurich Zurich Information Security and Privacy Center

Transcription

1 Information Security at ETH Zurich Institute of Information Security at ETH Zurich Zurich Information Security and Privacy Center Department of Computer Science

2 Introduction Our society is undergoing a profound transformation into the information society of the future. Technological developments bring an increased reliance on networked information systems as well as an expansion of physical devices and IT systems. Both come with associated security risks. To counter these risks we need a commitment to expand our science base in information security. Our responses at ETH Zurich to this challenge are the Institute of Information Security at the Computer Science Department and the Zurich Information Security & Privacy Center (ZISC). Our goal is to address the security risks of existing and emerging technologies and systems. We conduct both fundamental and applied research in Information Security, and develop techniques, methodologies, and tools for improving the reliability and security of complex systems. We construct and implement security-critical systems and develop better processes for their construction. We further validate the security of existing IT and cyberphysical systems using rigorous approaches for modeling, testing, and verifying their security.

3 Information Security Research at ETH Institute of Information Security The Institute of Information Security was founded in 2011 and consists of three research groups: - Information Security Group led by Prof. David Basin (since 2003) - System Security Group led by Prof. Srdjan Capkun (since 2006) - Network Security Group led by Prof. Adrian Perrig (since 2012) A fourth, affiliated group is the Information Security and Cryptography Group led by Prof. Ueli Maurer. Zurich Information Security and Privacy Center The Zurich Information Security & Privacy Center (ZISC) was founded in 2003, to bring together researchers from academia, industry, the financial and services sector, and public administration for joint efforts in information security. ZISC consists of the following industry partners: ArmaSuisse, Credit Suisse, Google, and Kaba. ZISC academic partners at ETH Zurich are: Information Security Group (D-INFK) led by Prof. David Basin, System Security Group (D-INFK) led by Prof. Srdjan Capkun, Information Security and Cryptography Group (D-INFK) led by Prof. Ueli Maurer, Network Security Group (D-INFK) led by Prof. Adrian Perrig, Communication Systems Group (D-ITET) led by Prof. Bernhard Plattner.

4 Information Security Group Description of the Area The Information Security Group carries out research on methods and tools for the analysis and construction of safe and secure systems. This includes methods for specifying systems, developing systems in correctness-preserving ways, and verifying or testing existing systems and infrastructures, including hardware security modules, security protocols, access control and usage control infrastructures, and embedded systems. Our goal is not only to build or analyze particular systems, but also to develop better methods and tools for system engineering and quality assurance activities. Description of the Research We build on foundations from mathematical logic, discrete mathematics, cryptography, algorithms, complexity theory, and probability theory. In doing so, we develop foundations, methods, and tools for system construction, where we can make mathematically precise statements about the system s behavior. Examples of tools include: model-checkers for security protocols, runtime monitors that evaluate whether a system s behavior conforms to the specified policies, and testing tools that generate test cases from high-level system specifications. We evaluate and improve these artifacts through case studies with our industrial partners.

5 System Security Group Description of the Area The System Security Group performs research on the security and privacy of existing computing and communication systems and develops foundations for securing future systems. The systems in our focus include embedded, standalone, and networked devices as well as their wired and wireless communication. Typical systems under investigation are mobile and portable devices (such as smartphones, RFID chips, and smartcards), ranging and localization systems, storage devices, cloud computing services as well as networks such as the Internet. Description of the Research Our research covers secure systems and components (such as secure ranging, jamming-resistant transmissions, and device identification). It considers both attacks and countermeasures. We design and analyze security protocols and investigate the resistance of existing protocols against attacks. We also design, propose, and validate practical countermeasures. Our analyses are based on theoretic considerations, simulations, and practical experiments. They enable us to model attacks and understand the security level of existing systems. We develop proof-of-concept implementations and realizations of attacks and countermeasures.

6 Network Security Group Description of the Area In network security, we study security aspects of communication: from the availability and the secrecy of end-to-end communication all the way to user-level properties such as privacy and anonymity. We consider general adversary models that range from adversarial governments, to malicious system administrators, to «script kiddies» who launch attacks from their bedroom. We also consider secure execution primitives as they pertain to correct execution of software on networking devices. Our goal is to build secure communication systems that provide useful properties (such as availability) in the presence of a clever and sophisticated adversary. Description of the Research We consider the security of all layers of communication, however, our work focuses mainly on the network layer, transport layer, and application layer. In terms of types of networks, most of our work is in internet and intranet security, but we also consider more specialized networks such as mobile device networks, vehicular networks, and datacenter networks. Exciting and challenging problem domains, that we are mainly active in, include routing security, defenses against DoS and DDoS attacks, and Internet trust establishment infrastructures such as certification authorities for SSL/ TLS. We analyze our designs with formal methods and mathematical analyses, and we evaluate them through Internet-scale simulations and prototype implementations.

7 Cryptography Group Description of the Area The research in the Cryptography Group spans a wide spectrum of topics in the foundations of cryptography and its applications, ranging from public-key encryption to quantum cryptography and from digital money to e-voting protocols. The primary focus is on the mathematically sound definition and design of cryptographic primitives as well as the sound design of protocols composed of several cryptographic primitives. The current ad-hoc approach to protocol and system design leads to a possibly endless alternation between the discovery of protocol flaws and the proposal of fixes for the flaws. Cryptography research must break this cycle. Description of the Research In essence, a cryptographic security statement is a mathematical proof. We develop mathematical concepts and tools to perform such security proofs in a simple, concise, precise, and composable manner. We also design new cryptographic primitives and protocols with an emphasis on efficiency and provability, leading to new applications. Another line of research deals with the realworld semantics of cryptographic schemes such as digital evidence systems based on signatures, certificates, and time stamps, or public-key infrastructures.

8 Zurich Information Security and Privacy Center < ZISC makes it possible to address challenging research questions because partners bring in complementary expertise > Dr. Günter Karjoth, ZISC partner Vision There is nothing more difficult to predict than the future. This statement also holds for the future of information security where rapid changes in technology require both answering new challenges and questioning the adequacy of well-established solutions. Our vision is that security will be predictable, robust, and pervasive: predictable in that it is possible to rigorously establish that systems have the desired properties; robust in that the solutions will scale and work even in unforeseen environments; and pervasive in that security will be widespread, integral, and an often unseen part of all computing and communication technologies. This vision is not a dream. Our research splits the described challenges into several fundamental questions. One such question is how to build the next generation of secure systems from the ground up. This encompasses, for example, new building blocks for secure systems such as cryptographic primitives and protocols, their integration into enterprise systems, and the design of fundamentally different applications. Another question asks how best to build secure systems from existing, commercial off-the-shelf parts. This includes system development and information assurance methods as well as intrusion detection and prevention.

9 Research at the ZISC Research is one of ZISC s central pillars. It is carried out witin the context of research projects, which address a broad spectrum of issues ranging from core research problems to concrete applications in information security. Each project typically runs for two to three years and is carried out by a joint team from ETH Zurich and industry. The core of each team is a doctoral or postdoctoral researcher who is supported by various ETH Zurich research groups and members from different partners. The teams are designed to combine expertise from several groups and to ensure that theory and practice are optimally combined. < ZISC offers a unique model of collaboration between top academic and industrial partners > Dr. Vincent Lenders, ZISC partner Our experience with this structure is very positive both in terms of research results and the learning experience within project teams. It is common that projects give rise to many follow-up questions that feed back into new ZISC activities and collaborations.

10 Education and Training Information Security Master at ETH < We provide worldclass academic education and training in information security. We maintain close links to industry and provide first-hand knowledge transfer from research to education and training > Our master track in Information Security is amongst the most comprehensive study programs in information security worldwide. The program offers more than 15 security-related courses and seminars covering a number of topics including cryptography, formal methods, system security, security engineering and network security. Under appropriate prerequisites our courses are also open to participation from industry and the public. Since the establishment of the master track in Information Security in 2006, over 100 students have graduated. For more information, visit PhD Studies in Information Security An increasing number of PhD students are graduating in topics on Information Security at ETH every year. Applications are handled directly by the individual research groups. Workshops, Seminars and Talks A core component of the knowledge transfer between academia and industry are annual workshops in Information Security attended by participants from academia, industry, and the public sector. These workshops consist of a series of lectures and tutorials given by leading experts in their respective fields. Examples of past workshop topics include Secure Mobile and Cloud Computing (2012), Digital Forensics and Security (2010) and Virtualized Environments and Cloud Computing (2009).

11 About ETH and D-INFK ETH Zurich has come to symbolize excellent education, groundbreaking research, and applied results that are beneficial for the society as a whole. ETH Zurich works on long-term solutions to global challenges. ETH Zurich regularly appears at the top of international rankings as one of the best universities in the world. 21 Nobel Laureates have studied, taught or conducted research at ETH Zurich, among them Albert Einstein and Wilhelm Conrad Röntgen. ETH Zurich has more than 17,000 students from approximately 80 countries, 3,700 of whom are doctoral candidates. More than 400 professors teach and conduct research. ETH has a long running and successful history of designing computer systems and developing software tools. The Department of Computer Science was formally formed in Since then, it has quickly grown and developed into the renowned institution it is today. ETH nowadays regularly appears as the highest ranked university in Computer Science in Continental Europe and among the best 10 universities worldwide. < Founded in 1855, ETH Zurich offers researchers an inspiring environment and students a comprehensive education as one of the leading international universities for technology and the natural sciences > More than 30 professors from over 10 countries are active at this institution. More than 250 PhD students, research assistants, and senior scientists contribute to maintain the high standards in research and teaching for which the department is known worldwide.

12 Contact and Addresses ETH Zurich, Institute of Information Security, CNB F, CH-8092 Zurich, Switzerland Phone: +41-(0) Fax: +41-(0) ETH Zurich Department of Computer Science Universitätstrasse 6 / CAB CH-8092 Zurich