The Research Directorate of the National Security Agency is pleased to announce the winner of this year's Science of Security (SoS) Best Scientific Cybersecurity Paper Competition. The competition was established to recognize the current security paper that best reflects the conduct of good science in the work described. SoS is a broad enterprise, involving both theoretical and empirical work. There can only be one best paper, and no single paper can span that full breadth. Nonetheless, the field is broad and work in all facets is encouraged and needed. The common denominator across the variety of approaches is solid methodology and effective communication, so those aspects of the papers were strong factors in our decision.
This year's winner, "Memory Trace Oblivious Program Execution," is a research paper written by Chang Liu, Dr. Michael Hicks, and Dr. Elaine Shi and presented at the 2013 IEEE Computer Security Foundation. Their research centered on a scientific foundation for the use of Oblivious RAM (ORAM) in programs. Two aspects of the paper were compelling to the reviewers. First, it builds a bridge between cryptographic research and information flow research, and shows how the latter can help one apply cryptographic advances in a principled and secure manner. Second, it establishes a scientific foundation for the use of ORAM in programs. It provides a valuable and exciting direction toward making ORAM practical.
Of the 35 papers nominated, one paper received honorable mention: "Rethinking SSL Development in an Appified World" by Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, and Dr. Matthew Smith from the Distributed Computing and Security Group at Leibniz University in Hannover, Germany. Their paper was presented at the 2013 ACM Conference on Computer and Communications Security. The paper studies the possible causes of SSL problems on appified platforms. The results show that the root causes are not simply careless developers, but also the limitations and issues of the current SSL development paradigm. The authors took an unusual and highly important step: they systematically contacted developers who had produced insecure code.
The authors designed and implemented a framework that allows developers to protect their network connections via configuration. The honorable mention paper provides good signposting for how security research should be done: starting with evidence and a careful analysis of the problem, its causes, the various stakeholders involved, and why existing solutions are not working.
Chang Liu, Dr. Michael Hicks, and Dr. Elaine Shi will be honored on September 18th at an award ceremony, hosted by the NSA's Director of Research, where their paper will be presented before an audience of cybersecurity experts. Sascha Fahl and Dr. Matthew Smith will also be honored during the ceremony for their research as this year's honorable mention. The competition reflects the Agency's desire to increase scientific rigor in cybersecurity.
Eight distinguished experts were among the reviewers for this year's paper competition:
- Dr. Whitfield Diffie, Cybersecurity Advisor
- Dr. Dan Geer, In-Q-Tel
- Dr. John McLean, Naval Research Laboratory
- Prof. Angela Sasse, University College London
- Prof. Fred Schneider, Cornell University
- Mr. Phil Venables, Goldman Sachs
- Prof. David Wagner, University of California at Berkeley
- Dr. Jeannette Wing, Microsoft Research
After reviewing the papers in an open nomination process, these experts provided individual recommendations along with researchers from NSA's Trusted Systems Research Group and Information Assurance Directorate. Dr. Wertheimer, Director of Research at NSA, made the final decision.
As the only "in-house" organization in the Intelligence Community dedicated to advancing intelligence through science, the NSA Research Directorate creates breakthroughs in science, technology, engineering, and mathematics. The discoveries enable NSA to achieve and sustain intelligence advances against immediate and emerging threats to U.S. national security.
Additional details about this year's competition can be found at the Science of Security Virtual Organization website.