School of Computer and Communication Sciences

The Summer Research Institute 2019

13.06.19 - 14.06.19


The Summer Research Institute (SuRI) is an annual event that takes place at the School of Computer and Communication Sciences of the École polytechnique fédérale de Lausanne, Switzerland. The workshop brings together renowned researchers and experts from academia and industry. It features a number of research talks by speakers from all around the world and is conducive to informal discussions and social activities.

The event is open to everyone and attendance is free of charge.
In case you plan to attend SuRI 2019, please register to facilitate the event's organization.

Program (Overview)


08:30 – 09:00 Welcome coffee
11:00 – 11:30 Coffee break
12:30 – 13:30 Lunch
14:30 – 15:30 tba Thaddeus Grugq
15:30 – 16:00 Coffee break
17:00 – 18:00 Ligthning Talks
18:00 – 22:00 Joint BBQ on the BC rooftop terrace


08:30 – 09:00 Welcome coffee
11:00 – 11:30 Coffee break
12:30 – 13:30 Lunch
13:30 – 14:30 tba Susan McGregor
15:30 – 16:00 Coffee break

Program (Detailed)


09:00 – 10:00   Effective Security for the Post-compliance Era - Security Awareness and Training for Security Specialists – Angela Sasse
In the security industry, it has become a meme that ‘people are the problem’, because they don’t comply with policies and make ‘bad decisions’. Security experts have tried to change this by running security awareness programmes, and trying to identify some factors within humans that makes them ‘better security citizens.’ This talk will present insights from the 2019 ENISA report on security behaviour change. In a nutshell, past and current attempts to change security behaviour by awareness or selection is ineffective because the behaviour is driven by impossible demands and conflicts with productivity goals. Since productivity is paramount in all but a number of organisations, we describe the current state of affairs by paraphrasing management scientist Peter Drucker’s dictum that ‘Culture Eats Strategy for Breakfast’ as ‘Productivity eats security for breakfast, lunch and dinner’.‘Based on the ENISA report and other recent studies reseach, I will outline new thinking and skills that security sprecialists need to develop security solutions that survive first contact with the real world.
10:00 – 11:00   A User-Centric Approach to Securing the HTTPS Ecosystem – Katharina Krombholz
HTTPS is one of the most important protocols used to secure communication and is, fortunately, becoming more pervasive. However, especially the long tail of websites is still not sufficiently secured. HTTPS involves different types of users, e.g., end users who are faced with trust indicators and warnings or administrators who are required to deal with cryptographic fundamentals and complex decisions concerning compatibility. In this talk, I present recent users-centric research that explains why different types of users still struggle with making informed security decisions. Based on empirical studies with administrators and end users, I discuss multidimensional reasons for vulnerabilities in the HTTPS ecosystem and how a more human-centric approach to the design of cryptographic protocols could mitigate them.
11:30 – 12:30   The Emergence and Implementation of Electronic Identity (E-ID) Systems – Sinisa Matetic
The main aim for any electronic identity (E-ID) system is to enable internet users to identify themselves securely and correctly. The ever-growing global digitalization shows that more and more people are opting and execution various transactions on the internet which require full identification. Thus, the E-ID needs to, without doubt, provide the necessary means for exact identification of a particular user. Requirements for E-ID systems vary depending on the country and jurisdiction, and in Switzerland, the core component of issuing the electronic identity is to perform official checking and confirmation of a person’s existence along with their identifying features such as name, sex, birthday, etc. On the other hand, to support a broad expansion and secure usage of E-ID, the underlying system needs to be carefully designed and implemented. Today, numerous technologies are emerging as potential candidates that can serve as the basis for such a system, however, sometimes implementing the best possible solution may not be compliant with a lot of regulations.
13:30 – 14:30   Exploiting and Mitigating the Rowhammer Vulnerability – Dennis Andriesse

The Rowhammer vulnerability common to many modern DRAM chips allows attackers to trigger bit flips in a row of memory cells by repeatedly accessing the adjacent rows at high frequencies. As a result, attackers can corrupt sensitive data structures (such as page tables, cryptographic keys, object pointers, or even instructions in a program), and circumvent all existing defenses even if no software-level vulnerabilities are present.

In this talk, I’ll discuss the Rowhammer vulnerability and how it can be exploited. I’ll also introduce ZebRAM, a novel and comprehensive software-level protection against Rowhammer. ZebRAM isolates every DRAM row that contains data with guard rows that absorb any Rowhammer-induced bitflips; the only known method to protect against all forms of Rowhammer. Rather than leaving guard rows unused, ZebRAM improves performance by using the guard rows as efficient, integrity-checked and optionally compressed swap space. ZebRAM requires no hardware modifications and builds on virtualization extensions in commodity processors to transparently control data placement in DRAM. This way, ZebRAM manages to provide strong security guarantees while still utilizing all available memory.

14:30 – 15:30   tba – Thaddeus Grugq
16:00 – 17:00   ACM's New Effort in Computer Science and Law – Joan Feigenbaum
The Association for Computing Machinery (ACM) has launched a new effort in the nascent field of Computer Science and Law. In order to stimulate interest in the area and to articulate a broad and compelling agenda, ACM will hold an inaugural Symposium on Computer Science and Law at New York Law School in the Tribeca neighborhood of New York City on October 28 - 29, 2019. This talk will address challenges and opportunities in research, education, and institutional structure that are presented by ACM’s efforts in this area.


09:00 – 10:00   Less Insecure (But Still Useful) Secure Hardware – James Mickens
Trusted hardware attempts to provide software with silicon-guaranteed security, for some definition of “security.” Unfortunately, modern trusted hardware is either too simple to provide rich notions of security (see TPM chips), or is so complex that the secure hardware itself is vulnerable to microarchitectural exploits (see SGX and TrustZone). In this talk, I will give an overview of these tragedies, and then propose a series of increasingly outlandish approaches for designing hardware that provides non-trivial security properties without exposing a large hardware-level threat surface. Depending on the audience’s reaction, I will then be elected the mayor of Lausanne, or I will be chased into the ocean and forced to swim back to America.
10:00 – 11:00   Advanced Cryptography on The Way To Practice – Mariana Raykova
In this talk I will overview latest developments in several areas of advanced cryptography which constructs tools that enable protection of private data while computing on it. I will focus on the efficiency perspective covering existing implementations and systems using these tools. I will talk about examples in the areas of secure multiparty computation, differential privacy and zero knowledge proofs.
11:30 – 12:30   Trusting Machine Learning: Privacy, Robustness, and Interpretability Challenges – Reza Shokri

Machine learning algorithms have shown an unprecedented predictive power for many complex learning tasks. As they are increasingly being deployed in large scale critical applications for processing various types of data, new questions related to their trustworthiness would arise. Can machine learning algorithms be trusted to have access to individuals’ sensitive data? Can they be robust against noisy or adversarially perturbed data? Can we reliably interpret their learning process, and explain their predictions? In this talk, I will go over the challenges of building trustworthy machine learning algorithms in centralized and distributed (federated) settings, and will discuss the inter-relation between privacy, robustness, and interpretability.

Reza shokri is an Assistant Professor of Computer Science at the National University of Singapore (NUS), where he holds the NUS Presidential Young Professorship. His research is on adversarial and privacy-preserving computation, notably for machine learning algorithms. He is an active member of the security and privacy community, and has served as a PC member of IEEE S&P, ACM CCS, Usenix Security, NDSS, and PETS. He received the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies in 2018, for his work on analyzing the privacy risks of machine learning models, and was a runner-up in 2012, for his work on quantifying location privacy. He obtained his PhD from EPFL. More information: https://www.comp.nus.edu.sg/~reza/

13:30 – 14:30   tba – Susan McGregor
14:30 – 15:30   Knowing Without Seeing: Privacy Preserving Data Analysis and Data Protection Law – Michael Veale
Cryptosystems for privacy-preserving data analysis are often motivated by a desire to analyse data that is held by a range of actors that wish to keep it private either because their own privacy is at stake, or they are legally or ethically obliged to do so on behalf of others. The premise for much encrypted data analysis is that there are a range of functions which would take components from two or more of these datasets as input, and produce an output that would broadly not be seen as private. But, how far does this help actors mitigate or even escape obligations, particularly those under European data protection law? In this talk, I will analyse techniques and applications of secure multiparty computation, homomorphic encryption and zero-knowledge proofs in the context of the GDPR, considering in particular the ways these technologies can be purposed to make coercive systems for users, rather than just protective ones. In many cases, these technologies sit uneasily with the framework as we see it today: they do not fall out the scope of the law, but arguably, neither are users sufficiently protected against developers of cryptosystems seeking to force users to perform potentially manipulative protocols.
16:00 – 17:00   Scalable Privacy-Preserving Computing with High Numerical Precision – Dimitar Jetchev
In this talk, I will present and discuss recent novel techniques for scalable privacy-preserving computing with high numerical precision. Apart from well-known applications to engineering and scientific problems (such as satellite collision detection), high-precision computing on large datasets is becoming relevant to machine and statistical learning systems designed to detect rare events (such as fraud transactions in FinTech, predictive maintenance in manufacturing, or rare diseases in healthcare). I will describe an approach based on Fourier transforms that allows to evaluate efficiently various non-linear functions in the setting of secure multi-party computations (SMPC). Finally, I will present a novel practical and scalable data-independent approach to compiling privacy-preserving programs that is applicable to both SMPC systems and fully-homomorphic encryption (FHE) systems.


If you're flying in, Genève-Cointrin is the nearest international airport. By train, it takes ~45 minutes to reach Lausanne. Zürich Airport is about ~2.5 hours away by train. To get information on train schedules, please see the Swiss Rail website.

To reach the SuRI venue from the EPFL M1 metro station, please check the map below.


EPFL's Summer Research Institute has a long and successful history. For more information on past editions of the event refer to the links below.

2018 - 2017 - 2016 - 2015 - 2014 - 2013 - 2012 - 2011 - 2010 - 2009
2008 - 2007 - 2006 - 2005 - 2004 - 2003 - 2002 - 2001 - 2000