CFP of interest

Gene Spafford (spaf@cs.purdue.edu)
Mon, 12 Feb 1996 17:21:17 -0500 (EST)

Call for Papers 

Invitational Workshop on Computer Vulnerability Data Sharing 
Gaithersburg, Md., 
June 10 - 12, 1996. 

Sponsored by: 
  The Advanced Research Projects Agency (ARPA) 
  The COAST Lab at Purdue University 
  The National Communications System (NCS)  
  The National Institute of Standards and Technology (NIST). 

Researchers in communities including intrusion detection, security, 
incident handling, and software engineering have long expressed an 
interest in having access to a repository of vulnerability data that 
could be used in their experiments and analyses. These communities 
have different requirements for such a repository and would derive 
different benefits from it.  These differences have often been cited 
as obstacles to the creation or sharing of such a repository. 

The purpose of this invitational workshop is to bring together interested 
researchers from these communities to explore these differences and 
questions.  We hope to reach a consensus on creating a repository that 
can benefit all. 

Issues explored at this workshop are expected to include: 
   * determining a vulnerability classification scheme,  
   * defining useful levels of abstraction for vulnerability definition 
     for research, incident handling or intrusion detection, 
   * developing the data structures and applications to support the  
     classification scheme, 
   * developing a sanitization method that protects incident victims, 
   * ensuring the integrity and authenticity of the repository data, 
   * regulating access to the data to only those with legitimate need, 
     proprietary constraints, and other external controls (and defining 
     what "legitimate need" might be). 

Other administrative issues to be addressed include the collection and 
dissemination qualifications among the users, overall management of 
the repository, and resource requirements.  Broader issues would 
include unanswered legal questions regarding participation and 
information dissemination, participant trust limitations, and creating 
a self-supporting capability. 

Position papers are invited that address one or more of the following topics: 
   * How should a repository of vulnerability data be structured? 
   * What mechanisms should be used to collect, store, sanitize and  
     disseminate the information? 
   * What data items should be present in the data? 
   * Should explicit exploitation scripts, or transcripts of example 
     exploitations, be included?  
   * How can the accuracy and quality of the information be ensured? 
   * Should access to the data be restricted in any way? 
   * What is the liability issue of disseminating information that  
     is subsequently used to cause a threat event? 
   * Who might want to use this data appropriately and how? 
   * To whom, under what circumstances, and how should the repository 
     distribute unfixed vulnerabilities? 
   * What could the subscription model look like to create a  
     self-supporting repository? 

Individuals interested in attending the workshop are invited to submit 
a position paper draft to the program committee.  Invitations will be 
extended by the program committee based on these drafts. 

Paper drafts should touch on one or more of the topics suggested 
above.  At least some suggestions should be made regarding the questions or 
problems posed in this area. 

Papers should be submitted as standard PostScript or as plain ASCII 
text via e-mail.  Paper copies may be submitted in lieu of electronic 
copies by advance permission only -- contact the committee chairs at 
the electronic mail address given below.  Papers should not exceed 20 
printed pages in length, and must NOT contain proprietary or 
classified data. 

Important Dates: 
   Extended Abstracts Due: March 8 
   Invitations extended: April 10 
   Final Papers due: May 14 

Program Committee: 

Gene Spafford, Purdue University   (co-chair) 
Tim Grance, NIST  (co-chair) 
Rebecca Bace, NSA  
Dave Bailey, Galaxy Computer Services 
Matt Bishop, UC Davis 
Carl Landwehr, NRL 
Tom Longstaff, CERT 
Teresa Lunt, ARPA 
Marv Schaefer, ARCA Systems  
Steve Smaha, Haystack Labs, Inc.  
Kevin Zeiss, AFIW   

Send abstracts or comments to <vuln_workshop@cs.purdue.edu>