Paper Session One – Software and Systems
Char Sample, Moderator - CReSCT Program Chair & Chief Scientist, Cybercore, Idaho National Laboratory
Dongyan Xu, Moderator – Head, Dept. of Computer Science, Purdue University
Panel Discussion Two – Industry/Sponsor
Virginia Wright, Moderator – Cybercore, Idaho National Laboratory
Paper Session Two – Hardware Support
Michael Haney, Moderator – CReSCT Workshop Program Co-Chair & Assistant Professor, University of Idaho
David Nicol, Franklin W. Woeltge Professor of ECE and Director of the Information Trust Institute, University of Illinois, Urbana-Champaign
The software and systems on which we depend are not formed completely by the organizations which created them; instead, they are assembled from a variety of pre-existing subcomponents created by disconnected actors operating within a complex supply chain. Any analysis of computing system security and privacy is incomplete without an understanding of this supply chain of both ephemeral and physical components that comprise computing systems on which we depend. Frailties existing at any one of the manifold nodes in the supply chain can have downstream effects, both direct and indirect, on the security and resiliency of the assembled computing system.
This workshop seeks to gather case studies, empirical analysis, and research focused on understanding potential threats to the computing system supply chain, both hardware and software, and their future mitigation. This workshop will, through panels of noted experts, invited and paper presentations, provide case studies for improving policy and practices, as well as promising research and tools to address this national challenge.
The Cyber Resilient Supply Chain Technologies (CReSCT) Workshop will explore research and case studies to characterize, measure and enhance supply chain security for computing systems. Participants will consist heavily of academic and industry researchers but are also expected to include researchers from the National Laboratories and government agencies with a supply chain risk management mission related to computing systems.
Research advances presented at the workshop may help industry and government make powerful impacts to mitigate existing computing system supply chain vulnerabilities.
Topics of interest include (but are not limited to):
• Studies of specific hardware or software supply chains for computing systems
• Hardware or software analysis techniques where the end goal is computing system supply chain verification
• Methods for analysis of the supply chain for computing systems
• Risk models for management of supply chains, either in the chain or in the end device
• Integration of complexity models highlighting aspects such as emergent behaviors, self-organization, sudden transitions, large events, evolutionary dynamics and fundamental uncertainty
• Tools and techniques for designing hardware and software components resistant to unauthorized supply chain modifications
• Tools and techniques for hardware and software modification detection
• Tools and techniques for hardware and software counterfeit detection
• Software bill of materials case studies or analysis methods
• Hardware bill of materials case studies or analysis methods
• Supply chain research and empirical studies affecting embedded, IoT, or specialty computing systems, or research highlighting distinctions in the associated supply chains
• Tools for analyzing software and hardware composition data to assist in risk analysis at scale
• The role and risks of policy tools such as transparency to better secure the supply chain
• Direct and indirect security and privacy effects of manipulation of computer system supply chain elements
One author of each accepted paper is expected to present the paper at the workshop. The format will be traditional conference-style research presentations with questions from the audience. Interactive and engaging presentations are welcomed.
Following notification to authors, more information will be provided regarding speaking times and other details. Accepted papers will be made available on the workshop web site. Authors are free to submit work appearing in CReSCT’20 to other venues following the workshop (including extended versions of their short CReSCT work based on feedback received at the workshop), subject to those venues' restrictions.
For consistency, many aspects of these instructions are drawn from the co-located IEEE Symposium on Security and Privacy guidelines.
To be considered, papers must be received by the January 20, 2020 submission deadline. Extensions will not be granted. Submissions must be original work and may not be under submission to another venue at the time of review (but as mentioned above, work may be submitted to other venues following the workshop).
Submitted papers must be no longer than eight pages, including all figures. References and appendices will not count towards this limit, but reviewers are not required to read appendices.
Papers must be formatted for US letter (not A4) size paper. The text must be formatted in a two-column layout, with columns no more than 9.5 in. tall and 3.5 in. wide. The text must be in Times font, 10-point or larger, with 11-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates. LaTeX submissions should use IEEEtran.cls version 1.8. Submissions may be automatically checked for conformance to these requirements. Failure to adhere to the page limit and formatting requirements is grounds for rejection without review.
Submissions must be in Portable Document Format (.pdf). Authors should pay special attention to unusual fonts, images, and figures that might create problems for reviewers. Your document should render correctly in Adobe Reader 9 and when printed in black and white.
Papers must be submitted to the CReSCT submission site and may be updated at any time until the submission deadline. During the submission process, you will be asked to supply information regarding potential conflicts of interest of the paper's authors with program committee members. The review process is single-blind.
Authors are responsible for obtaining appropriate publication clearances. Final versions of papers should include sources of funding. One of the authors of the accepted paper is expected to present the paper at the conference.
Idaho National Laboratory
University of Illinois at Urbana Champaign
Idaho National Laboratory
University of Idaho