SEVENTH FRAMEWORK PROGRAMME

THE RED BOOK
A Roadmap for Systems Security Research

Managing Threats and Vulnerabilities in the Future Internet

Information & Communication Technologies
Trustworthy ICT

NETWORK OF EXCELLENCE
Grant Agreement No. 257007

A European Network of Excellence in Managing Threats and Vulnerabilities in the Future Internet: Europe for the World

Abstract: The Red Book presents a roadmap in the area of systems security, as prepared by the SysSec consortium and its constituency in the first half of 2013.

Contractual Date of Delivery: August 2013
Actual Date of Delivery: August 2013
Dissemination Level: Public
Editor: Evangelos Markatos, Davide Balzarotti
Contributors: All SysSec partners
Quality Assurance: M. Almgren, E. Athanasopoulos, H. Bos, D. Balzarotti, L. Cavallaro, S. Ioannidis, M. Lindorfer, F. Maggi, E. Markatos, F. Moradi, C. Platzer, I. Polakis, M. Polychronakis, A. Slowinska, P. Tsigas, S. Zanero

The SysSec consortium consists of:

FORTH-ICS (Coordinator, Greece)
Politecnico Di Milano (Principal Contractor, Italy)
Vrije Universiteit Amsterdam (Principal Contractor, The Netherlands)
Institut Eurécom (Principal Contractor, France)
IICT-BAS (Principal Contractor, Bulgaria)
Technical University of Vienna (Principal Contractor, Austria)
Chalmers University (Principal Contractor, Sweden)
TUBITAK-BILGEM (Principal Contractor, Turkey)

The Red Book. ©2013 The SysSec Consortium. Images ©2013 iStockphoto LP. All Rights Reserved.

The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under Grant Agreement Number 257007. This work would not have been possible without the contributions of the SysSec Working Groups, the SysSec Advisory Board, and the broader SysSec community in general. We deeply thank them all.
www.syssec-project.eu

SYSSEC TASK FORCE for the ROADMAP on SYSTEMS SECURITY RESEARCH

CO-CHAIRS

Evangelos Markatos, SysSec Project Manager, Foundation for Research and Technology - Hellas
Davide Balzarotti, SysSec WP4 Leader, Eurecom

MEMBERS

Elias Athanasopoulos, Columbia University
Lorenzo Cavallaro, Royal Holloway University of London
Federico Maggi, Politecnico di Milano
Michalis Polychronakis, Columbia University and FORTH
Asia Slowinska, Vrije Universiteit
Iason Polakis, FORTH and University of Crete
Magnus Almgren, Chalmers
Herbert Bos, Vrije Universiteit
Sotiris Ioannidis, FORTH
Christian Platzer, TUV
Philippas Tsigas, Chalmers
Stefano Zanero, Politecnico di Milano

CONTRIBUTORS

Dennis Andriesse, Vrije Universiteit
Martina Lindorfer, TU Vienna
Farnaz Moradi, Chalmers University
Zlatogor Minchev, Bulgarian Academy of Sciences
Simin Nadjm-Tehrani, Linköping University
Christian Rossow, Vrije Universiteit

Preface

After the completion of its second year of operation, the SysSec Network of Excellence produced this “Red Book of Cybersecurity” to serve as a Roadmap in the area of Systems Security. To realize this book, SysSec put together a “Task Force” of top-level young researchers in the area steered by the advice of SysSec WorkPackage Leaders. The Task Force had vibrant consultations (i) with the Working Groups of SysSec, (ii) with the Associated members of SysSec, and (iii) with the broader Systems Security Community. Capturing their feedback in an on-line questionnaire and in forward-looking “what if” questions, the Task Force was able to distill their knowledge, their concerns, and their vision for the future. The result of this consultation has been captured in this Red Book which we hope will serve as a Road Map of Systems Security Research and as an advisory document for policy makers and researchers who would like to have an impact on the Security of the Future Internet.
How to Read this Book

Policy Makers may want to focus on Chapter 1 on page 3, which provides a short Executive Summary of the book, and on Chapter 14 on page 103, which describes Grand Challenge Research Problems in the area which can be solved only with the collaboration of several Research Organizations and the support of leading funding Agencies. Related work may be found in the second part of the book on page 107, which provides a good overview of other Research Roadmaps from Europe and from the States.

Young Researchers who are interested in doing a Ph.D. in systems security should read the first part of the book, and especially the final section of each chapter, which describes problems that are appropriate to be solved within the context of a Ph.D. thesis.

Experienced Researchers may want to focus on the first part of the book, which provides an in-depth treatment of various research problems, and on Chapter 14 on page 103, which describes Grand Challenge Research Problems in the area.

Journalists may want to focus on sections *.2 and *.3 of the first part, which paint a picture of the average and worst-case consequences of the emerging threats studied.

All should read Chapter 2 on page 7, which lists the identified threats, assets and security domains.
Contents

1   Executive Summary  3
2   Introduction  7

Part I: Threats Identified  21

3   In Search of Lost Anonymity  21
4   Software Vulnerabilities  27
5   Social Networks  35
6   Critical Infrastructure Security  41
7   Authentication and Authorization  51
8   Security of Mobile Devices  59
9   Legacy Systems  67
10  Usable Security  73
11  The Botnet that Would not Die  81
12  Malware  87
13  Social Engineering and Phishing  93
14  Grand Challenges  103

Part II: Related Work  107

15  A Crisis of Prioritization  107
16  Forward  109
17  Federal Plan for Cyber Security  113
18  EffectsPlus  117
19  Digital Government  121
20  Horizon2020  123
21  RISEPTIS Report  127
22  ENISA Threat Landscape  131
23  Cyber Security Research Workshop  137
24  Cyber Security Strategy  141
25  The Dutch National Cyber Security Research Agenda  145

A   Methodologies  157
B   SysSec Threats Landscape Evolution  159