NSA’s Best Scientific Cybersecurity Research Paper Competition was initiated in 2013 with the intent to encourage the development of scientific foundations in cybersecurity and support enhancement of cybersecurity within devices, computers, and systems through rigorous research, solid scientific methodology, documentation, and publishing. Papers published in peer-reviewed journals, magazines, or technical conferences are eligible for nomination.
The National Security Agency’s Research Directorate selected “Spectre Attacks: Exploiting Speculative Execution” as the winner of its 8th Annual Best Cybersecurity Research Paper competition.
Originally published at the 2019 IEEE Security & Privacy Symposium, the winning paper, in combination with Meltdown, another award-winning paper released earlier by the same researchers, launched a global effort to mitigate critical vulnerabilities in processors.
Although the Spectre vulnerability was independently discovered and reported by various teams of researchers from Europe and the United States, twelve researchers collaborated to document their findings within one paper. The twelve researchers and their institutions are:
• Paul Kocher, Independent
• Jann Horn, Google Project Zero
• Anders Fogh, Intel Corporation
• Daniel Genkin, University of Michigan
• Daniel Gruss, Graz University of Technology
• Werner Haas, Cyberus Technology
• Mike Hamburg, Rambus Labs
• Moritz Lipp, Graz University of Technology
• Stefan Mangard, Graz University of Technology
• Thomas Prescher, Cyberus Technology
• Michael Schwarz, CISPA Helmoholtz Center for Information Security
• Yuval Yarom, University of Adelaide and Data61
The landmark Spectre research uncovered how a performance feature of modern computer and mobile device processors is vulnerable to leaking private and sensitive data. Specifically, when idle, modern processors predict what will be needed to be computed next and then use this predictive result if the prediction is correct and discard the result if incorrect. The researchers found an opportunity to leak data when they tricked the processor in computing a prediction that would be found to be incorrect and a violation of security protections — a vulnerability internationally known as Spectre.
The winning research team demonstrated that a long-held bedrock assumption about computing security was not valid. Their efforts visibly displayed key tenets of science including the importance of reviewing past results, testing assumptions, employing rigorous methodologies, and verifying and documenting results. Already having been cited in 1,000+ subsequent research papers, this study is spawning a review of previous research and launching new inquiries. Additionally, the paper had broad scope because the researchers tested many platforms to understand the nature of the issue. This research will have a profound impact on how future processors and computers are built.
For this year’s paper competition, a group of ten internationally renowned cybersecurity experts along with NSA experts collectively reviewed 52 nominated papers. After review and ranking, the Distinguished Experts forwarded their recommendations to the NSA for final selection.
This year’s winning research received high praise from the experts including, “This paper is hugely influential, well written, and well done scientifically,” and “This paper is top notch, pure and simple.”
The Distinguished Experts were:
• Dr. Whitfield Diffie, Unaffiliated
• Prof Kathleen Fisher, Tufts University
• Dr. Dan Geer, In-Q-Tel
• Dr. Eric Grosse, Unaffiliated
• Dr. John Launchbury, Galois Inc
• Dr. Sean Peisert, Lawrence Berkeley National Laboratory
• Prof Stefan Savage, University of California, San Diego
• Mr. Phil Venables, Goldman Sachs
• Dr. Arun Vishwanath, Unaffiliated
• Ms. Mary Ellen Zurko, MIT Lincoln Laboratory
The 9th Annual Best Scientific Cybersecurity Paper Competition will open for nominations on December 15, 2020. NSA welcomes nominations of papers published during calendar year 2020 in peer-reviewed journals, magazines, or technical conferences that show an outstanding contribution to cybersecurity science.
Visit the Best Scientific Cybersecurity Paper webpage for more information on the paper competition.
To learn more about the Science of Security (SoS) and join the 2,000 researchers collaborating via the SoS-Virtual Organization, visit https://cps-vo.org/group/sos.