August Meeting – There’s a hole in my bucket, dear Liza — Examining side channel leaks in web apps (Ben Holland)

Ben’s presentation on YouTube:
Topic: There’s a hole in my bucket, dear Liza — Examining side channel leaks in web apps.
Speaker: Ben Holland
Date: Tuesday, August 18th
Time: 6-7pm (doors open at 5:30)
Where: (2900 University Blvd, Ames)
Think twice before you optimize that code! You might just give away the farm. Side channel attacks were traditionally used to reverse engineer cryptographic hardware circuits using power analysis, but more recently timing information is being used to deduce the sensitive inner workings of software. The steady stream of side channel exploits coming out of academia and the security community continues to demonstrate the seriousness of the problem, and DARPA’s current Space/Time Analysis for Cybersecurity (STAC) program indicates that we need a solution now. Let’s take a look at a few real examples of information leakage through side channel attacks in web apps and learn to spot them together. If there’s a hole in your bucket, then fix it, dear Henry.
Speaker Bio
Ben Holland is a research scientist at Iowa State University with experience working on two high-profile DARPA projects. He has extensive experience writing program analyzers to detect novel and sophisticated malware in Android applications and served on the ISU team as a key analyst for DARPA’s Automated Program Analysis for Cybersecurity (APAC) program. He’s lectured on security topics for courses in program analysis and operating system principles. Ben has given talks at Derbycon 4.0 in Louisville, Kentucky and at DARPA’s headquarters in Arlington, Virginia. His past work experience has been in mission assurance at MITRE, government systems at Rockwell Collins, and systems engineering at Wabtec Railway Electronics. He holds a master’s degree in Computer Engineering and Information Assurance, a B.S. in Computer Engineering, and a B.S. in Computer Science. Currently he serves on the ISU team for DARPA’s Space/Time Analysis for Cybersecurity (STAC) program, with plans to start a PhD program in Fall 2015.