Preliminary Programme
Tutorials take place on Monday, 25th June.
The time grid for tutorials and workshops will follow soon.
Blockchain and Hyperledger Fabric
Marko Vukolic and Alessandro Sorniotti
(full day)
Hyperledger Fabric is a modular and extensible open-source system for deploying and operating permissioned blockchains. Fabric is currently used in more than 400 prototypes and proofs-of-concept of distributed ledger technology, as well as several production systems, across different industries and use cases. Starting from the premise that there are no “one-size-fits-all” solutions, Fabric is the first truly extensible blockchain system for running distributed applications. It supports modular consensus protocols, which allows the system to be tailored to particular use cases and trust models. Fabric is also the first blockchain system that runs distributed applications written in general-purpose programming languages, without systemic dependency on a native cryptocurrency. This stands in sharp contrast to existing blockchain platforms for running smart contracts that require code to be written in domain-specific languages or rely on a cryptocurrency. To support such flexibility, Fabric takes a novel approach to the design of a permissioned blockchain and revamps the way blockchains cope with non-determinism, resource exhaustion, and performance attacks.
In this tutorial, we first explain blockchain as a technology and then dive into the Hyperledger Fabric architecture and its distributed-systems and security aspects, followed by hands-on exercises on deploying Fabric and developing distributed applications for Fabric.
DevOps Practices for Building Secure and Resilient Cloud-Native Web Applications
Harigovind Ramasamy, Long Wang and Richard Harper
(full day)
The goal of the tutorial is to introduce DevOps practices, and explore how the combination of DevOps practices and cloud-native technologies has become a game changer for rapidly creating secure and resilient web applications. The tutorial is designed to be hands-on and will be organized as a full-day activity.
First, we will introduce the motivation, terminology, theory, and concepts of DevOps practices. DevOps is a cultural movement that has become popular in software engineering and has been widely adopted by industry leaders such as Facebook, Amazon, Google, Netflix, and IBM. By focusing on automation and monitoring at all steps of software construction, from integration, testing, and releasing to deployment and infrastructure management, DevOps practices allow businesses to move with increased agility and stability so that they can innovate at scale.
Second, we will examine the implications of DevOps for building secure web applications. We will explain how DevOps practices can be woven into the traditional Secure Software Development Lifecycle model (SDLC). Then, we will present the OWASP Top 10 List of web application security vulnerabilities. To guard against those vulnerabilities, we will provide examples of tools that can be embedded in a DevOps Continuous Integration/Continuous Delivery (CI/CD) pipeline. Such tools facilitate secure software development and delivery into production environments. We will reinforce these examples through hands-on exercises.
Finally, we will examine the benefits of DevOps practices for creating resilient applications on the cloud. We will present types of failures on the cloud, and methods for handling them. Through hands-on exercises, we will guide the participants to create DevOps toolchains for building, deploying, and managing geo-distributed, disaster-tolerant, highly available web applications that can be updated/patched without downtime.
Building Distributed Enclave Applications with Sancus and SGX
Jan Tobias Muehlberg and Jo Van Bulck
(half day)
Trusted computing architectures such as Intel SGX, ARM TrustZone, and Sancus have been around for a number of years. By enforcing strong integrity, confidentiality, and attestation guarantees with a minimal (hardware-only) trusted computing base, these architectures aim to provide a root-of-trust for the development of dependable and highly secure systems. However, few real-world applications leverage trusted computing, and approaches to interconnect these applications in heterogeneous distributed environments remain poorly understood.
This tutorial outlines the development of such security-sensitive networked applications. Participants will learn how to write enclaved software modules for both the open-source embedded Sancus research architecture and off-the-shelf Intel SGX x86 platforms. We will furthermore show how to make Sancus/SGX enclaves interact securely in a distributed application. Our approach is distinguished by a notion of end-to-end security and secure I/O, where the overall application’s behavior depends solely on selected device drivers and data processing enclaves.
The tutorial will cover common pitfalls for enclave development, and feature hands-on programming exercises on deploying, attesting, and interacting with basic Sancus/SGX enclaves. Our practical setup uses an automotive industry-standard CAN bus to interconnect Intel SGX machines with Sancus-enabled microcontrollers. We provide Sancus I/O driver modules plus a CAN authentication library that allows participants to easily set up secure communication channels.
Fault Injection with FAIL*
Horst Schirmeier and Olaf Spinczyk
(half day)
Fault injection has been a standard technique for test, measurement, and comparison of fault-tolerance implementations for decades. By using, for example, a virtual machine emulating faulty hardware, the developer of a software-implemented fault tolerance method can test the implementation, and measure its effectiveness in an adverse environment. Fault injection can also be used to emulate other kinds of faults, such as communication problems, or even programming errors (bugs).
In this hands-on tutorial, we will focus on software-implemented hardware fault tolerance (SIHFT), and introduce the participants to simulation-based hardware fault injection for test and measurement. The open-source fault-injection framework FAIL* will be used to analyze a small example benchmark. Working in groups or autonomously, the participants will – choosing from given suggestions, or inventing their own SIHFT technique – improve the benchmark on the source-code level to make it more resilient against hardware faults. In the grand finale, all solutions will compete for a small prize and, certainly, fame!