SDIoTSec 2024
Workshop on Security and Privacy in Standardized IoT (SDIoTSec)
Co-located with NDSS 2024
Internet of Things (IoT) devices have been heterogeneous, commonly with vendor-specific protocols, designs
and implementations for device access, communication, and security. The IoT ecosystem's heterogeneous
nature has posed fundamental challenges for consumer usability and device security. In response,
industry-unifying standards for IoT design and implementation have emerged. For example, Matter is a
standard for smart home and IoT devices at the application and transport layers. The
Matter open-source design and implementation are being contributed across the IoT industry and
increasingly adopted by real-world IoT applications and devices. Standard communication protocols such
as MQTT, LoRaWAN, and CoAP have also been widely used by IoT devices, the clouds, and user apps.
Any security and privacy problems in standardized IoT practices can be easily inherited by real IoT
products of many manufacturers. This workshop aims to shift the research focus and consider the
foundational role of IoT design standards and their open-source implementation in the security, privacy,
and trustworthiness of IoT systems. The IoT stakeholders and open-source community are expected to
integrate and implement practical and rigorous security and privacy measures to ensure the standardized
practices are soundly designed and implemented.
Call for Papers
We invite researchers and practitioners to submit original research papers for the first workshop on
Security and Privacy in Standardized IoT (SDIoTSec 2024). The aim of this workshop is to bring together
experts from academia and industry to discuss and address security and privacy challenges posed by
standardizing IoT design and implementation and their real-world deployments. The expected impacts
include significantly eliminating security and privacy threats in both the design and implementation
space of IoT.
Scope and Topics of Interest
The research should be related to emerging IoT standards (such as Matter), or common/standardized IoT
design and implementation ("common" means shared by multiple vendors). The research is related to
security, privacy, safety, and governance of IoT systems.
Specific topics of interest include but are not limited to the following:
- Novel attacks
- Privacy-enhancing techniques
- Problems related to heterogeneous IoT design and practices
- Formal methods to find attack vectors or for defense
- AI/ML/NLP based methods for analysis of specifications
- Program analysis on implementation of Matter, or other standard implementation of IoT systems
- End-user facing problems
- Problems in real-world adoption of IoT-standard design and implementations
- Policies or governance issues related to Matter or emerging IoT standards
- Surveillance and censorship related to Matter or emerging IoT standards
- Anonymity and pseudonymity related to Matter or emerging IoT standards
- Case studies and real-world experience related to Matter or emerging IoT standards
The PC will select a best paper award for work that distinguishes itself in advancing the
security, safety, and privacy of standardized IoT design and implementation.
Submission Instructions
Submitted papers must be in English, unpublished, and must not be currently under review for any other
publication. Submissions must be a PDF file in double-column NDSS format
(https://www.ndss-symposium.org/ndss2024/submissions/templates/). We accept (1) regular papers with up
to 8 pages, (2) short papers or work-in-progress papers with up to 4 pages. The page limit does not
include bibliography and well-marked appendices, which can be up to 2 pages long. Note that reviewers
are not required to read the appendices or any supplementary material. Authors should not change the
font or the margins of the NDSS format. The review process is double-blind. (Papers must be submitted in
a form suitable for anonymous review: no author names or affiliations may appear on the title page, and
papers should avoid revealing authors’ identity in the text.) All papers must be in Adobe Portable
Document Format (PDF) and submitted through the web submission form via HotCRP (link will come soon).
Important Dates (AoE Time)
Paper submission | |
Paper Notification | February 1, 2024 |
Camera-ready paper | February 10, 2024 |
Workshop | February 26, 2024 |
Publication and presentation
All papers will be published by the Internet Society. At least one author of each accepted submission will register and present at the workshop. Authors are responsible for obtaining appropriate publication clearances. We expect to hold an in-person conference and expect that authors will be able to travel to the conference to present their paper, but we will make allowances for remote presentation in cases where all authors of a paper have legitimate reasons they are unable to attend in person.
Program
February 26 (Monday)
13:30 PM - 13:35 PM | Opening remarks | Cockatoo Room
13:35 PM - 14:30 PM | Keynote #1 | Cockatoo Room
Bio: Michael Fagan is a Computer Scientist and Technical Lead with the Cybersecurity for IoT Program which aims to develop guidance towards improving the cybersecurity of IoT devices and systems. The program works within the National Institute of Standards and Technology’s Information Technology Laboratory (ITL) and supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of IoT systems, products, connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, academia, and consumers, the program aims to cultivate trust and foster an environment that enables innovation on a global scale. Michael leads work exploring IoT cybersecurity in specific sectors or use cases, such as enterprise systems, the federal government, and consumer home networks. He holds a Ph.D. in Computer Science & Engineering.
Abstract: IoT technologies bridge domains to create innovative solutions, but this can shift trust balances and strain cybersecurity and privacy. Since humans are commonly the beneficiaries or targets of IoT systems, concerns about privacy (and safety) may be heightened. Also, IoT can both have a more sensitive position in a network and fewer power, computing, etc. resources than other equipment (i.e., is constrained). Towards solving these challenges, IoT can leverage existing standards, but new standards are needed for at least some cases. Of course, cybersecurity and privacy management is technology agnostic and standards for these domains certainly apply to IoT, but especially for the cybersecurity practitioner, realities of IoT (e.g., constraints) can break expectations built into the standards or how they are generally understood and used. Today, standards and national efforts around cybersecurity and privacy of IoT abound. Notable examples in the United States are the Cybersecurity Improvement Act and CyberTrust Mark cybersecurity labeling program for consumer IoT. Globally, multiple nations are exploring their own labeling programs, including, but not limited to Singapore and Japan. In the European Union, efforts are underway to ensure the cybersecurity of IoT products via the Cyber Resiliency Act. In the standards space, we can look to solutions from IETF for device intent signaling and device on-boarding, among other topics and efforts such as 27400 series from ISO. These efforts are welcome since IoT adoption depends on delivering solutions that preserve cybersecurity and privacy. Research and then standards can help bridge these gaps and inform efforts to raise the bar of cybersecurity and privacy for IoT across all sectors since doing so can motivate trust in and adoption of the technology.
14:30 PM - 15:10 PM | Session 1: Security and Privacy in the Matter Protocol and Standard | Cockatoo Room
Ravindra Mangar, Dartmouth College; Jingyu Qian, University of Illinois; Wondimu Zegeye, Morgan State University; Abdulrahman AlRabah, Ben Civjan, Shalni Sundram, Sam Yuan, Carl A. Gunter, University of Illinois; Mounib Khanafer, American University of Kuwait; Kevin Kornegay, Morgan State University; Timothy J. Pierson, David Kotz, Dartmouth College
WIP: Hidden Hub Eavesdropping Attack in Matter-enabled Smart Home Systems
Song Liao, Jingwen Yan, Long Cheng, Clemson University
WIP: Security Vulnerabilities and Attack Scenarios in Smart Home with Matter
Haoqiang Wang, Chinese Academy of Sciences, University of Chinese Academy of Sciences, Indiana University Bloomington; Yichen Liu, Indiana University Bloomington; Yiwei Fang, Ze Jin, Qixu Liu, Chinese Academy of Sciences, University of Chinese Academy of Sciences, Indiana University Bloomington; Luyi Xing, Indiana University Bloomington
15:40 PM - 16:35 PM | Keynote #2: Stacking up the LLM Risks: Applied Machine Learning Security | Cockatoo Room
Title: Stacking up the LLM Risks: Applied Machine Learning Security
Bio: Gary McGraw is co-founder of the Berryville Institute of Machine Learning where his work focuses on machine learning security. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications. Gary serves on the Advisory Boards of Calypso AI, Legit, Irius Risk, Maxmyinterest, and Red Sift. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to CodeDX (acquired by Synopsys), Black Duck (acquired by Synopsys), Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). Gary produced the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine for thirteen years. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean’s Advisory Council for the Luddy School of Informatics, Computing, and Engineering.
Abstract: I present the results of an architectural risk analysis (ARA) of large language models (LLMs), guided by an understanding of standard machine learning (ML) risks previously identified by BIML in 2020. After a brief level-set, I cover the top 10 LLM risks, then detail 23 black box LLM foundation model risks screaming out for regulation, finally providing a bird’s eye view of all 81 LLM risks BIML identified. BIML’s first work, published in January 2020, presented an in-depth ARA of a generic machine learning process model, identifying 78 risks. In this talk, I consider a more specific type of machine learning use case—large language models—and report the results of a detailed ARA of LLMs. This ARA serves two purposes: 1) it shows how our original BIML-78 can be adapted to a more particular ML use case, and 2) it provides a detailed accounting of LLM risks. At BIML, we are interested in “building security in” to ML systems from a security engineering perspective. Securing a modern LLM system (even if what’s under scrutiny is only an application involving LLM technology) must involve diving into the engineering and design of the specific LLM system itself. This ARA is intended to make that kind of detailed work easier and more consistent by providing a baseline and a set of risks to consider.
16:35 PM - 16:40 PM | Best Paper Award | Cockatoo Room
16:40 PM - 17:30 PM | Session 2: Enhancing Security and Privacy in Heterogeneous IoT | Cockatoo Room
Atheer Almogbil, Momo Steele, Sofia Belikovetsky, Johns Hopkins University; Adil Inam, University of Illinois at Urbana-Champaign; Olivia Wu, Johns Hopkins University; Aviel Rubin, Johns Hopkins University; Adam Bates, University of Illinois at Urbana-Champaign
More Lightweight, yet Stronger: Revisiting OSCORE’s Replay Protection
Konrad-Felix Krentz, Uppsala University; Thiemo Voigt, Uppsala University, RISE Computer Science
An Experimental Study on Attacking Homogeneous Averaging Processes via Side Channel Attacks
Olsan Ozbay, Yuntao Liu, Member, IEEE; Ankur Srivastava Fellow, IEEE
Make your IoT environments robust against adversarial machine learning malware threats: a code-cave approach
Hamed Haddadpajouh, Ali Dehghantanha
TinyML meets IoBT against Sensor Hacking
Raushan Kumar Singh, Sudeepta Mishra, IIT Ropar
Venue
SDIoTSec’24 is co-located with the Network and Distributed System Security (NDSS'24), on February 26, 2024. It will be held at the Catamaran Resort Hotel & Spa, San Diego, California.
Organizing Committee
Workshop Co-chairs
L. Jean Camp (Indiana University Bloomington)
Luyi Xing (Indiana University Bloomington)
Program Committee
Omar Alrawi (Georgia Institute of Technology)
Long Cheng (Clemson University)
Soteris Demetriou (Imperial College London)
Weijia He (Dartmouth College)
Carl Gunter (University of Illinois Urbana-Champaign)
Xiali (Sharon) Hei (University of Louisiana at Lafayette)
Hongxin Hu (SUNY, University at Buffalo)
Yan Jia (Nankai University)
Adwait Nadkarni (College of William & Mary)
Guojun Peng (Wuhan University)
George Polyzos (Athens University of Economics & Business)
Sophie Stephenson (University of Wisconsin-Madison)
Jesse Sowell (University College London)
Ziming Zhao (SUNY, University at Buffalo)
Yifan Zhang (Indiana University Bloomington)
Contacts
Contact SDIoTSec 2024 chairs at: SDIoTSec@gmail.com.