Lorenzo Cavallaro
Trustworthy AI... for Systems Security
Abstract: No day goes by without reading machine learning (ML) success stories across various application areas. Systems security is no exception, where ML’s tantalizing performance leave one to wonder whether there are any unsolved problems left. However, machine learning has no clairvoyant abilities and once the magic wears off, we’re left in uncharted territory. Is machine learning truly capable of ensuring systems security? In this keynote, we will take malware research as a representative example of a long-studied, thriving, yet challenging subject and, after offering a quick historical perspective, we will illustrate some of the open issues that are affecting learning-based malware models. When relevant, we will also delve into behind-the-scenes aspects to encourage reflection on the reproducibility crisis. Our goal is to foster a deeper understanding of machine learning’s role in systems security along with a discussion on promising directions the research community is and should be pursuing to address such challenges and open problems.

Bio: Lorenzo Cavallaro grew up on pizza, spaghetti, and Phrack, and soon developed a passion for underground and academic research. He is a Full Professor of Computer Science at University College London (UCL), where he leads the Systems Security Research Lab. Lorenzo’s research vision is to enhance the effectiveness of machine learning for systems security in adversarial settings. He works with his team to investigate the interplay among program analysis abstractions, representations, and ML models, and their crucial role in creating Trustworthy AI for Systems Security. Lorenzo publishes at and sits on the Program Committee of leading conferences in computer security and ML, received the Distinguished Paper Award at USENIX Security 2022, and an ICML 2024 Spotlight Paper. He is also Associate Editor of ACM TOPS and IEEE TDSC. In addition to his love for food, Lorenzo finds his Flow in science, music, and family.

Marcel Böhme
How to Solve Cybersecurity Once and For All
Abstract: In Pwn2Own this year, a single person (Manfred Paul) demonstrated successful exploits for all major browsers: Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge. Chrome alone is used by 3.5 *billion* people. Today, thanks to Paul, these major security flaws are fixed. Last year, evidently, the majority of people in the world accessed the internet with the door open to potential attackers—despite decades of research in defensive security, despite an abundance of mitigations, despite dedicated red teams. -- But why? Software is entirely virtual and can be described completely: A program’s source code is meant to formally express the programmer’s intention using the syntactic and semantic rules of the programming language. As the behavior of a software system arises from well-defined instructions, we must be able to formally reason about all its properties. Surely there exists an approach that will forever guarantee the security of our systems. Only, we haven't found it, yet?

In this keynote, I will explore what fundamentally prevents us from making reliable statements about the security of a software system. I will try to substantiate each argument by demonstrating how the corresponding challenge in our defensive strategies is routinely exploited to attack a system despite credible assurances about the absence of security flaws. After the successful deconstruction of the prevalent philosophy, I will introduce a philosophy of vulnerability-guided hardening, where we seek to falsify claims of security using successful attacks as counterexamples.

Bio: Marcel Böhme leads the Software Security research group at the Max Planck Institute for Security and Privacy (MPI-SP) in Germany. His group is interested in the automatic discovery of security flaws in software systems at the very large scale. Apart from the development of practical techniques for vulnerability discovery (incl., fuzzing), his group seeks to identify fundamental limits of existing techniques, studies empirical methods (incl. statistical and causal reasoning) for program analysis, and explores the assurances that software testing provides when no bugs are found. Find us at https://mpi-softsec.github.io/.