Eye Eye, by mrmanc

I am doing some research on inference attacks in advance of one of my RSA Conference sessions and happened across this very interesting piece of research by Roya Ensafi, Mike Jacobi, and Jedidiah R. Crandall from the University of New Mexico’s Department of Computer Science entitled, “Students Who Don’t Understand Information Flow Should be Eaten: An Experience Paper.” Not only is it absolutely true (and frankly, this applies to practitioners too), but it’s another fascinating example of how games (and game theory) can teach us about real scenarios we face every day.

One key element to understand in this paper is that the game ran in a closely monitored lab environment with a tight feedback loop, which allowed the game makers to squish bugs and alter elements of the game that made the inference attacks possible. It also allowed for some more real-world attack scenarios by first disallowing only DoS attacks (for obvious reasons), and telling the students that if they didn’t cheat, they really weren’t trying to win.

On a somewhat related note, having security professionals up-level a little bit to discuss business flows can help them identify potential areas for attack before bad stuff happens. So while every attack is different, and the constructs of Ensafi, Jacobi, and Crandall’s Werewolves of Miller’s Hollow may not always apply, your system’s vulnerability to side-channel attacks does. Give it a read!


Reference:

Ensafi, R., Jacobi, M., & Crandall, J. R. (2012, August). Students Who Don’t Understand Information Flow Should be Eaten: An Experience Paper. In Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test (pp. 10-10). USENIX Association.

This post originally appeared on BrandenWilliams.com.