Complexity Killed Security

Presented at Black Hat Asia 2020 Virtual, Oct. 2, 2020, 9 a.m. (60 minutes).

In the past decade, we have seen an increasing number of software-based attacks on increasingly complex hardware. Many times, I have been asked: Why don't you just check the hardware documentation?

The hardware documentation we would need here is usually not available to us but only to a small set of employees of the corresponding hardware manufacturer.

However, even if it were available, this would not substantially change our situation. The complexity of a system built from multiple smaller sub-systems is not just the sum of the complexity of the smaller systems. The interaction between the sub-systems leads to unforeseen additional complexity.

This talk discusses the ironical importance of reverse-engineering human-built and documented things, with several examples where the new perspective led to new security-critical insights.

We conclude that the constant fight between increasing complexity and security will require more and more effort just to maintain security levels.

Presenters:

  • Daniel Gruss - InfoSec Professor, Graz University of Technology
    Daniel Gruss (@lavados) is an Assistant Professor at Graz University of Technology. He finished his PhD with distinction in less than 3 years. He has been involved in teaching operating system undergraduate courses since 2010. Daniel's research focuses on side channels and transient execution attacks. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues.
