Title: Protecting computer systems through eliminating or analyzing vulnerabilities
Byoungyoung Lee
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Thursday, July 14, 2016
Time: 2 PM to 4 PM EST
Location: KACB 3126
Committee:
---------------
Dr. Wenke Lee (Co-Advisor, School of Computer Science, Georgia Tech)
Dr. Taesoo Kim (Co-Advisor, School of Computer Science, Georgia Tech)
Dr. William R. Harris (School of Computer Science, Georgia Tech)
Dr. Alex Orso (School of Computer Science, Georgia Tech)
Dr. Weidong Cui (Microsoft Research Redmond)
Abstract:
---------------
There have been tremendous efforts to build fully secure computer
systems, but this is not an easy goal. A single simple mistake can
introduce a vulnerability, which can critically endanger a whole
system's security.
This thesis aims at protecting computer systems from
vulnerabilities. We take two complementary approaches in achieving
this goal, eliminating or analyzing vulnerabilities. In the
vulnerability elimination approach, we eliminate a certain class
of memory corruption vulnerabilities to completely close attack
vectors from such vulnerabilities. In particular, we develop two
tools, DangNull and CaVer, which eliminate a popular and an emerging
class of vulnerability, use-after-free and bad-casting, respectively.
DangNull relies on the key observation that the root cause of
use-after-free is that pointers are not nullified after the target
object is freed. Thus, DangNull instruments a program to trace the
object's relationships via pointers and automatically nullifies all
pointers when the target object is freed. Similarly, CaVer relies
on the key observation that the root cause of bad-casting is that
casting operations are not properly verified. Thus, CaVer uses a
new runtime type tracing mechanism to overcome the limitation of
existing approaches, and performs efficient verification on all type
casting operations dynamically. We have implemented these protection
solutions and successfully applied them to Chrome and Firefox
browsers. Our evaluation showed that DangNull and CaVer impose 29%
and 7.6% benchmark overheads in Chrome, respectively. We have also
tested seven use-after-free and five bad-casting exploits in Chrome,
and DangNull and CaVer safely prevented them all.
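The following C++ program is an added illustration of the root cause DangNull targets and of its remedy; it is not code from the thesis or from the DangNull implementation. DangNull instruments pointer stores and frees at compile time, so the PointerTracker class, the Node struct and the explicit trackAlloc()/trackStore()/trackFree() calls are assumptions that stand in for that instrumentation. The scenario is constructed: two pointers refer to an object that is freed while they are still live, and the tracker nullifies both so that the later use fails safely on a null check instead of touching freed memory.

```cpp
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <map>
#include <set>

// Simplified model of DangNull-style pointer tracking (added example; the
// "instrumentation" is the explicit calls below rather than compiler passes).
class PointerTracker {
public:
    // Allocate zeroed memory and remember its size, so that pointer slots
    // living inside the object can be untracked when the object dies.
    void* trackAlloc(std::size_t size) {
        void* obj = std::calloc(1, size);
        sizes_[obj] = size;
        return obj;
    }

    // Instrumented pointer store: *slot = target, plus bookkeeping of which
    // slots currently refer to which object.
    void trackStore(void** slot, void* target) {
        if (void* old = *slot) {
            auto it = refs_.find(old);
            if (it != refs_.end()) it->second.erase(slot);
        }
        *slot = target;
        if (target) refs_[target].insert(slot);
    }

    // Instrumented free: nullify every tracked slot still pointing at 'obj'
    // (the pointers that would otherwise dangle), forget slots that live
    // inside 'obj', then release the memory. Returns the number nullified.
    std::size_t trackFree(void* obj) {
        std::size_t nullified = 0;
        auto r = refs_.find(obj);
        if (r != refs_.end()) {
            for (void** slot : r->second) { *slot = nullptr; ++nullified; }
            refs_.erase(r);
        }
        auto s = sizes_.find(obj);
        if (s != sizes_.end()) {
            std::uintptr_t lo = reinterpret_cast<std::uintptr_t>(obj);
            std::uintptr_t hi = lo + s->second;
            for (auto& kv : refs_) {
                for (auto it = kv.second.begin(); it != kv.second.end();) {
                    std::uintptr_t p = reinterpret_cast<std::uintptr_t>(*it);
                    if (p >= lo && p < hi) it = kv.second.erase(it);
                    else ++it;
                }
            }
            sizes_.erase(s);
        }
        std::free(obj);
        return nullified;
    }

private:
    std::map<void*, std::set<void**>> refs_;   // object -> slots pointing at it
    std::map<void*, std::size_t> sizes_;       // object -> allocation size
};

struct Node { int value; Node* next; };

struct UafDemoResult {
    std::size_t nullified;   // pointers nullified when B was freed
    bool nextIsNull;         // a->next after the free
    int readValue;           // result of a null-checked read through a->next
};

// Constructed scenario: A->next and a local 'head' both refer to B, then B is
// freed while A is still alive. Without nullification both would dangle.
UafDemoResult runUafDemo() {
    PointerTracker t;
    Node* a = static_cast<Node*>(t.trackAlloc(sizeof(Node)));
    Node* b = static_cast<Node*>(t.trackAlloc(sizeof(Node)));
    Node* head = nullptr;
    b->value = 42;
    t.trackStore(reinterpret_cast<void**>(&a->next), b);
    t.trackStore(reinterpret_cast<void**>(&head), b);

    std::size_t n = t.trackFree(b);          // a->next and head become nullptr
    int v = a->next ? a->next->value : -1;   // -1: the dangling use is caught
    UafDemoResult r{n, a->next == nullptr, v};
    t.trackFree(a);
    return r;
}

int main() {
    UafDemoResult r = runUafDemo();
    std::cout << "nullified " << r.nullified << " pointer(s); a->next is "
              << (r.nextIsNull ? "null" : "dangling") << "; read " << r.readValue << "\n";
    return 0;
}
```

The size table is what lets the tracker forget slots that live inside a freed object; without it, a later trackFree() of another object could write a null into memory that has already been returned to the allocator, which is itself a use-after-free.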
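The following C++ program is an added illustration of bad-casting and of the runtime type tracing idea behind CaVer; it is not code from the thesis or from the CaVer implementation. CaVer has the compiler emit type metadata and instrument allocations and casts, so the TypeId enumeration, the kParentOf table and the hand-written tracedNew()/verifiedCast() helpers are assumptions standing in for that machinery. The hierarchy is deliberately non-polymorphic (no virtual functions, hence no RTTI), which is the case where dynamic_cast cannot be used to check a downcast.

```cpp
#include <iostream>
#include <map>

// Type identifiers and the single-inheritance parent relation that a compiler
// pass would normally emit (constructed for this example).
enum TypeId : int { kShape = 1, kCircle = 2, kSquare = 3 };
static const std::map<int, int> kParentOf = { {kCircle, kShape}, {kSquare, kShape} };

// Non-polymorphic hierarchy: each class carries the id it was declared with.
struct Shape  { enum { kTypeId = kShape };  int x = 0, y = 0; };
struct Circle : Shape { enum { kTypeId = kCircle }; int radius = 0; };
struct Square : Shape { enum { kTypeId = kSquare }; int side = 0; };

// Runtime type table: object address -> type it was allocated as. This is the
// simplified stand-in for CaVer's runtime type tracing.
static std::map<const void*, int> g_allocType;

template <class T> T* tracedNew() {
    T* obj = new T();
    g_allocType[obj] = T::kTypeId;
    return obj;
}

template <class T> void tracedDelete(T* obj) {
    g_allocType.erase(obj);
    delete obj;
}

// Does the allocated type equal 'target' or derive from it?
static bool isSelfOrDerivedFrom(int allocated, int target) {
    for (int id = allocated;;) {
        if (id == target) return true;
        auto it = kParentOf.find(id);
        if (it == kParentOf.end()) return false;
        id = it->second;
    }
}

// Verified downcast. A bad-casting (the object was never a 'To') yields
// nullptr and a diagnostic instead of a mistyped pointer that a later field
// access would turn into an out-of-bounds or type-confused memory access.
template <class To, class From> To* verifiedCast(From* p) {
    auto it = g_allocType.find(p);
    if (it == g_allocType.end()) {
        std::cerr << "verifiedCast: untraced object " << p << "\n";
        return nullptr;
    }
    if (!isSelfOrDerivedFrom(it->second, To::kTypeId)) {
        std::cerr << "verifiedCast: bad-casting detected, allocated type "
                  << it->second << " is not a " << To::kTypeId << "\n";
        return nullptr;
    }
    return static_cast<To*>(p);
}

struct CastDemoResult { bool validCastAccepted; bool badCastRejected; };

// Constructed scenario: both objects are handled through Shape*, and code
// downcasts each to Circle*. The Square is the bad-casting case.
CastDemoResult runCastDemo() {
    Circle* circle = tracedNew<Circle>();
    Square* square = tracedNew<Square>();
    Shape* s1 = circle;
    Shape* s2 = square;

    Circle* c1 = verifiedCast<Circle>(s1);   // legitimate: s1 really is a Circle
    Circle* c2 = verifiedCast<Circle>(s2);   // bad-casting: s2 is a Square
    CastDemoResult r{ c1 != nullptr, c2 == nullptr };

    tracedDelete(circle);
    tracedDelete(square);
    return r;
}

int main() {
    CastDemoResult r = runCastDemo();
    std::cout << "valid cast accepted: " << r.validCastAccepted
              << ", bad cast rejected: " << r.badCastRejected << "\n";
    return 0;
}
```

The lookup keys on the object's address, which works here because single, non-virtual inheritance places the base subobject at offset zero; a production design also has to map interior and base-subobject pointers back to the enclosing allocation, which is part of what the type tracing mechanism described above provides.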
In the vulnerability analysis approach, we focus on a timing-channel
vulnerability, which allows an attacker to learn information about a
program's sensitive data without causing the program to perform
unsafe operations. It is challenging to test and further confirm a
timing-channel vulnerability because it typically involves complex
algorithmic operations. We implemented SideFinder, an assistant tool
that identifies timing-channel vulnerabilities in a hash table. Empowered
with symbolic execution techniques, SideFinder semi-automatically
synthesizes inputs attacking timing-channels, and thus confirms the
vulnerability. Using SideFinder, we analyzed and further synthesized
two real-world attacks in the Linux kernel, and showed it can break
one important security mechanism, Address Space Layout Randomization