Spam, Drugs, and Diesel: An Evidence-Based Approach to Computer Security
Computer security is evolving from a prescriptive engineering discipline into a science, where security problems and defenses are understood as a product of technical, social, and economic forces. Central to the scientific method is the idea that empirical evidence is the ultimate arbiter, and this is no less true in computer security. Computer systems are built on countless implicit and explicit security assumptions, and empirical methods offer the only means to study these assumptions. Indeed, it is by attacking security assumptions, and not the security models themselves, that attackers most often undermine our defenses. The evidence-based approach to security offers principled empirical techniques to study contemporary security phenomena by exposing our underlying assumptions, leading to more effective defenses and security models more closely aligned with reality.
I will highlight the contributions of evidence-based security with three examples from my work. First, I will explain how attackers undermine the security assumptions of CAPTCHAs, once conceived as a means to prevent automated abuse of online services. Rather than being an absolute barrier to abuse, we now understand CAPTCHAs as an economic deterrent that increases attacker cost. In the second part of the talk, I will explain how an evidence-based approach steers us to re-examine our assumptions about spam, one of the most visible forms of online service abuse. I will describe the spam value chain, the business process through which spam is monetized, and describe an evidence-based intervention aimed at disrupting the profitability of spam. Finally, I will explain how implicit assumptions about cyber-physical systems allowed Volkswagen to cheat on diesel emissions testing, and the challenges of ensuring regulatory compliance of cyber-physical systems.