Computer security is evolving from a prescriptive engineering discipline into a science, where security problems and defenses are understood as a product of technical, social, and economic forces. Central to the scientific method is the idea that empirical evidence is the ultimate arbiter, and this is no less true in computer security. Computer systems are built on countless implicit and explicit security assumptions, and empirical methods offer the only means to study these assumptions. Indeed, it is by attacking security assumptions, and not the security models themselves, that attackers most often undermine our defenses. The evidence-based approach to security offers principled empirical techniques to study contemporary security phenomena by exposing our underlying assumptions, leading to more effective defenses and security models more closely aligned with reality.
I will highlight the contributions of evidence-based security with three examples from my work. First, I will explain how attackers undermine the security assumptions of CAPTCHAs, once conceived as a means to prevent automated abuse of online services. Rather than being an absolute barrier to abuse, we now understand CAPTCHAs as an economic deterrent that increases attacker cost. In the second part of the talk, I will explain how an evidence-based approach steers us to re-examine our assumptions about spam, one of the most visible forms of online service abuse. I will describe the spam value chain, the business process through which spam is monetized, and describe an evidence-based intervention aimed at disrupting the profitability of spam. Finally, I will explain how implicit assumptions about cyber-physical systems allowed Volkswagen to cheat on diesel emissions testing, and the challenges of ensuring regulatory compliance of cyber-physical systems.
Kirill Levchenko is an Associate Research Scientist at the University of California, San Diego. He received his Ph.D. from the University of California, San Diego in 2008 and his B.A. in Mathematics and Computer Science from the University of Illinois at Urbana-Champaign in 2001. His research applies evidence-based techniques to a broad range of computer security domains, including e-crime and cyber-physical systems.