_/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/ ============================================================================ Newsletter of the IEEE Computer Society's TC on Security and Privacy Electronic Issue 187 September 24, 2025 Hilarie Orman, Editor Sven Dietrich, Assoc. Editor cipher-editor @ ieee-security.org cipher-assoc-editor @ ieee-security.org Sven Dietrich Yong Guan Book Review Editor Calendar Editor cipher-bookrev @ ieee-security.org cipher-cfp @ ieee-security.org ============================================================================ The newsletter is also at http://www.ieee-security.org/cipher.html Cipher is published 6 times per year Contents: * Letter from the Editor * Commentary and Opinion and News o Sven Dietrich's review of the book, "From Day Zero to Zero Day" by Eugene Lim o o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website * List of Computer Security Academic Positions, by Cynthia Irvine * Conference and Workshop Announcements o Upcoming calls-for-papers and events * Staying in Touch o Information for subscribers and contributors o Recent address changes * Links for the IEEE Computer Society TC on Security and Privacy o Becoming a member of the TC o TC Officers o TC publications for sale ==================================================================== Letter from the Editor ==================================================================== Dear Readers: The IEEE Computer Society recently held elections, and we are pleased to congratulate Terry Benzel, long-time leader in the sphere of cybersecurity, and especially of all things related to the Security and Privacy Symposium, on her election to the position of Vice President. The results of the election for officers and the Board of Governors is here: https://www.computer.org/press-room/joaquim-jorge-elected-ieee-computer-society-2027-president Somberly we note that two important figures in the history of computer security died recently: George Davida, who was a founder of the Security and Privacy Symposium, and Marv Schaefer, a researcher who was a pioneer in secure operating system design and the precise definition of security requirements. Information about them can be found at ACSA's In Memoriam page: https://www.acsac.org/acsa/memoriam.html (Davida will be added soon; see also his University of Wisconsin obituary at https://uwm.edu/engineering/george-davida-professor-emerit-passed-away-in-august/). It may be hard for people to remember the early days of our research field when conferences were small and papers were few. There were not many computers, and threats were minimal. That was the era when the foundational work was done by a handful of far-sighted people. News for this issue of the newsletter includes a recent report on the investigation into a widespread cyberattack on telecommunications infrastructure last year. The actors behind the attack could have acquired information of some kind or another for almost everyone in the US. In terms of database technology, an index for 350 million objects is not much of a challenge. There have been so many disclosures of personal information over the last several years that it would be surprising if such a database did not exist. Moreover, several different entities are probably maintaining their own versions of this. Should the "Whole Earth Phone Book" be a public service? ---------- Old Time EMail Blues You ain't nothin' but a filter, Just Bayesian design. You ain't never caught a phisher, Well, you ain't no friend of mine. When they said you was accurate, Well, that was just a lie You found false positives, And you ain't no friend of mine. (With apologies to The King), ---------- Hilarie Orman cipher-editor @ ieee-security.org ==================================================================== Commentary and Opinion ==================================================================== Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html ____________________________________________________________________ Book Review By Sven Dietrich "From Day Zero to Zero Day" Sep 22, 2025 ____________________________________________________________________ "From Day Zero to Zero Day" by Eugene Lim No Starch Press, 2025 ISBN ISBN-13: 978-1-7185-0394-6 (print), ISBN-13: 978-1-7185-0395-3 (ebook) 319 pages + xxv, first edition, June 2025 Recent software supply chain attacks on npm (Node Package Manager) repositories for JavaScript/Node.js code have brought upon us references to Frank Herbert's 1965 science-fiction novel "Dune" with its "Shai-Hulud" worms. "Shai-Hulud" is what security analysts have named this campaign in connection with the npm attacks. As we seek some projects for the upcoming shorter days (at least in the Northern Hemisphere now), we could of course consider re-reading the "Dune" novel or watching the corresponding movie(s)... Why not also consider reading about vulnerability discovery and reverse engineering? The continued challenges of new cybersecurity threats require constant recalibrating of our abilities to analyze malware or regular software applications, especially when we have to deal with zero-day vulnerabilities. To help with this process, Eugene Lim wrote "From Day Zero to Zero Day," a 340+ pages book to cover the various phases of vulnerability discovery and analysis. This book focuses on three major techniques in vulnerability research: code review, reverse engineering, and fuzzing. The author takes a practitioner-centric and hands-on approach for describing the various techniques, focusing on examples of actual (often C) code, screenshots, and web links (URLs). The book is divided into three parts, with each containing several chapters. Each chapter begins with a quote and concludes with a summary. There are no formal literature references other than perhaps URLs, but the book does have a companion website with downloads. The focus of the book is on the Linux operating system environment, with some stray MS Windows mentions. The main hardware focus concerns the Intel x86/x64 hardware architecture. Those on ARM architectures should be warned that some of the code may not run for them, or at least not natively or without a proper emulation layer. In the Introduction, the author sets the stage for the reader, identifies who the book is for, identifies the online resources, and recommends other books to complement the reading of his book. Some of those books the author mentions have been reviewed in this book review column. The author starts with - no surprise there - with a "Chapter 0," as the Day Zero. Here the reader learns about the basic terminology and how to navigate the various parts of the book, covering what a vulnerability is, what vulnerability research is, in particular zero-day vulnerability research, and how to approach any potential projects. The chapter actually starts with a quote about rapid learning from - you guessed it - Frank Herbert's "Dune." In Part I 'Code Review,' the reader is introduced to Taint Analysis in Chapter 1, 'Mapping Code to Attack Surface' in Chapter 2, and 'Automated Variant Analysis' in Chapter 3. Each chapter is structured in such a manner that simple examples are expanded into mini projects that the reader can try on their own. Command lines and configuration settings are clearly outlined and easy to follow. In Part II 'Reverse Engineering,' the topic shifts to something that is sometimes considered more an art than a science: reverse engineering of code. In Chapter 4 'Binary Taxonomy,' the discussion starts with Node.js Electron applications to be reverse engineered, switches to Intermediate Representations (a halfway point of sorts between source code and machine code), and eventually shifts to Machine Code. Chapter 5 'Source and Sink Discovery' delves into the free tool Ghidra (developed and maintained by NSA) for static analysis, discusses dynamic analysis, and explores exploitability of the vulnerabilities. Chapter 6 'Hybrid Analysis in Reverse Engineering' goes into code coverage, emulation, and symbolic analysis. In each of these chapters, examples of tools to achieve the various tasks are presented. In Part III 'Fuzzing,' the author shifts gears to discovering vulnerabilities by the techniques known as fuzzing, where various inputs are tried on programs to trigger errors and possibly crashes. In Chapter 7 'Quick and Dirty Fuzzing,' a few simple fuzzing techniques are shown for a protocol (e.g. the MQTT protocol, used for IoT) and there is also a reference to OSS-Fuzz, commonly used by Google on open-source software for vulnerability discovery. Chapter 8 'Coverage-Guided Fuzzing' shifts to tools such as American Fuzzing Lop (AFL) and its variants, as well as those and can measure how much of the code was covered by the fuzzing tool(s). In Chapter 9 'Fuzzing Everything' there is an expansion to other languages (e.g. Go) and different binary models. In the end, Chapter 10 'Beyond Day Zero,' the book wraps up with a more procedural tone and elaborates on vulnerability disclosure, CVE assignment, and integrating vulnerability discovery into the software development lifecycle. The summary at the end of Chapter 10 functions as the conclusion of the book, as it goes over all the parts with their respective chapters and ties all the pieces together. This book, written by the competent and accomplished Eugene Lim, is aimed at a practitioner security analyst/engineer audience or perhaps university students seeking more practical exploration. It does provide technical details for those wishing to explore the topic further, not just the "simple" examples discussed in the book. While there are no formal literature references, the URLs provided in the book and the companion code site give the reader ample opportunities to "play" with the techniques outlined in the book. As a caveat, many of the techniques are tied to contemporary operating systems and associated command lines. Time will tell how this seemingly more tutorial-oriented book will age. Nevertheless, the general principles and techniques will give the reader a solid introduction to the field, or perhaps fill a few gaps along the way for those who are already more or less versed in it. I enjoyed reading this book. It will find its place on my bookshelf for any unsuspecting student to discover should they ask about vulnerability discovery or zero days. --------------------------------------------------------- Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org ==================================================================== News Briefs ==================================================================== News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html ==================================================================== Conference and Workshop Announcements ==================================================================== The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html Requests for inclusion in the list should sent per instructions: http://www.ieee-security.org/Calendar/submitting.html IEEE Transactions on Privacy, https://www.computer.org/csdl/journals/pr Submission date: On-going ESORICS 2025 30th European Symposium on Research in Computer Security, Toulouse, France, September 22-26, 2025. https://www.esorics2025.org/ SaTML 2026 4th IEEE Conference on Secure and Trustworthy Machine Learning, Munich, Germany, March 23-25, 2026. https://satml.org/ Submission date: 24 September 2025 DPM 2025 20th Workshop on Data Privacy Management, Co-located with ESORICS 2025, Toulouse, France, September 25, 2025. https://deic.uab.cat/dpm/dpm2025/ SECAI 2025 Workshop on Security and Artificial Intelligence, Co-located with ESORICS 2025, Toulouse, France, September 25-26, 2025. https://sites.google.com/view/secai2025/home CBT 2025 9th International Workshop on Cryptocurrencies and Blockchain Technology, Co-located with ESORICS 2025, Toulouse, France, September 25, 2025. http://cbtworkshop.org/ STM 2025 21st International Workshop on Security and Trust Management, Co-located with ESORICS 2025, Toulouse, France, September 25-26, 2025. https://www.nics.uma.es/stm2025/index.html IFIP 119 DF 2026 22nd Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 5-6, 2026. http://www.ifip119.org/ Submission date: 30 September 2025 FPS 2026 18th International Symposium on Foundations & Practice of Security, Brest, France, November 25-27, 2025. https://hub.imt-atlantique.fr/fps2025 Submission date: 30 September 2025 WPES 2025 24th Workshop on Privacy in the Electronic Society, Held in conjunction with ACM CCS 2025, Taipei, Taiwan, October 13, 2025. http://jianying.space/WPES2025/ ACM CCS 2025 32nd ACM Conference on Computer and Communications Security, Taipei, Taiwan, October 13-17, 2025. https://www.sigsac.org/ccs/CCS2025/call-for-papers/ MarCaS 2025 3rd LCN Special Track on Maritime Communication and Security, Held in conjunction with the 50th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2025), Sydney, Australia, October 14-16, 2025. https://garykessler.net/lcn_marcas/ ASHES 2025 9th Workshop on Attacks and Solutions in Hardware Security, Held in conjunction with ACM CCS 2025, Taipei, Taiwan, October 17, 2025. https://ashesworkshop.online/ QSec 2025 ACM QSec: Quantum Security and Privacy Workshop, Held in conjunction with ACM CCS 2025, Taipei, Taiwan, October 17, 2025. https://acm-qsec.com/ AICCSA 2025 22nd ACS/IEEE International Conference on Computer Systems and Applications, Doha, Qatar, October 19-22, 2025. https://conferences.sigappfr.org/aiccsa2025/ APF 2025 Annual Privacy Forum, Frankfurt a.M., Germany, October 22-23, 2025. https://privacyforum.eu/ XRSecurity 2025 Workshop on Security, Privacy, and Trust in Extended Reality Systems, Held in conjunction with ACM MobiHoc 2025, Houston, TX, USA, October 27-30, 2025. https://xrsecurity.github.io/2025/ ICICS 2025 27th International Conference on Information and Communications Security, Nanjing, China, October 29-31, 2025. https://www.icics2025.org/index.html APWG eCrime 2025 20th APWG Symposium on Electronic Crime Research, San Diego, CA, USA, November 4-7, 2025. https://apwg.org/events/ecrime2025 TPS 2025 7th IEEE International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications, Pittsburgh, PA, USA, November 11-14, 2025. https://www.sis.pitt.edu/lersais/conference/tps/2025/ TPHAC 2025 IEEE Workshop on Trustworthy and Privacy-Preserving Human-AI Collaboration, Co-located with IEEE International Conference on CIC/TPS/CogMI, Pittsburgh, PA, USA, November 11-14, 2025. https://sites.google.com/pitt.edu/tphac/home SP 2026 47th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-21, 2026. https://sp2026.ieee-security.org/cfpapers.html Submission dates: 5 June 2025 and 13 November 2025 CANS 2025 24th International Conference on Cryptology and Network Security, Osaka, Japan, November 17-20, 2025. https://cy2sec.comm.eng.osaka-u.ac.jp/miyaji-lab/event/cans2025/index.html FPS 2026 18th International Symposium on Foundations & Practice of Security, Brest, France, November 25-27, 2025. https://hub.imt-atlantique.fr/fps2025 PETS 2026 26th Privacy Enhancing Technologies Symposium, Calgary, Canada, July 20-25, 2026. https://petsymposium.org/cfp26.php Submission dates: 31 May 2025, 31 August 2025, 30 November 2025, and 28 February 2026 ACSAC 2025 41th Annual Computer Security Applications Conference, Honolulu, Hawaii, USA, December 8-12, 2025. https://www.acsac.org/ HealthSec 2025 Workshop on Cybersecurity in Healthcare, Co-located with the Annual Computer Security Applications Conference (ACSAC41), Honolulu, HI, USA, December 9, 2025. https://publish.illinois.edu/healthsec2025/ ICISS 2025 21st International Conference on Information Systems Security, Indore, India, December 16-20, 2025. https://iciss.isrdc.in/ IFIP 119 DF 2026 22nd Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 5-6, 2026. http://www.ifip119.org/ ICBC 2026 8th IEEE International Conference on Blockchain and Cryptocurrency, Brisbane, Australia, June 1-5, 2026. https://icbc2026.ieee-icbc.org/ Submission date: 7 January 2026 USENIX Security 2026 35th USENIX Security Symposium, Baltimore, MD, USA, August 12-14, 2026. https://www.usenix.org/conference/usenixsecurity26 Submission dates: 26 August 2025 and 5 February 2026 NDSS 2026 Network and Distributed System Security, San Diego, CA, USA, February 23-27, 2026. https://www.ndss-symposium.org/ndss2026/submissions/call-for-papers/ PETS 2026 26th Privacy Enhancing Technologies Symposium, Calgary, Canada, July 20-25, 2026. https://petsymposium.org/cfp26.php Submission dates: 31 May 2025, 31 August 2025, 30 November 2025, and 28 February 2026 SaTML 2026 4th IEEE Conference on Secure and Trustworthy Machine Learning, Munich, Germany, March 23-25, 2026. https://satml.org/ SP 2026 47th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 18-21, 2026. https://sp2026.ieee-security.org/cfpapers.html ICBC 2026 8th IEEE International Conference on Blockchain and Cryptocurrency, Brisbane, Australia, June 1-5, 2026. https://icbc2026.ieee-icbc.org/ PETS 2026 26th Privacy Enhancing Technologies Symposium, Calgary, Canada, July 20-25, 2026. https://petsymposium.org/cfp26.php USENIX Security 2026 35th USENIX Security Symposium, Baltimore, MD, USA, August 12-14, 2026. https://www.usenix.org/conference/usenixsecurity26 ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. ____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become <> a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees ______________________________________________________________________ TC Conference Publications Online ______________________________________________________________________ The proceedings of previous conferences are available from the Computer Society's Digital Library. IEEE Security and Privacy Symposium IEEE Computer Security Foundations IEEE European Security and Privacy Symposium From 2012 onward, these are available without charge from the digital library 12 months after the conference. ____________________________________________________________________________ TC Officers ____________________________________________________________________________ Chair: Security and Privacy Symposium Chair Emeritus: Thorsten Holz Trent Jaeger Faculty Member Associate Professor CISPA Helmholtz Center for Pennsylvania State University Information Security https://www.cse.psu.edu/~trj1 tcchair at ieee-security.org sp24-chair@ieee-security.org Vice Chair: Treasurer: Alvaro Cardenas Yong Guan Professor Professor University of California, Department of Electrical and Computer Santa Cruz Engineering tcchair at ieee-security.org Iowa State University, Ames, IA 50011 treasurer@ieee-security.org Newsletter Editor: Security and Privacy Symposium, 2025 Chair: Hilarie Orman Marina Blanton Purple Streak, Inc. Associate Professor 500 S. Maple Dr. University at Buffalo Woodland Hills, UT 84653 sp25-chair at ieee-security.org cipher-editor@ieee-security.org TC Awards Chair: Tegan Brennan Assistant Professor Stevens Institute of Technology tbrenna5 at stevens.edu ____________________________________________________________________________ BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html Cipher is published 6 times per year --=====================_purplestreak_932242421235479791===--