Byoungyoung Lee - Purdue University
Students: Fall 2024, unless noted otherwise, sessions will be virtual on Zoom.
Protecting Computer Systems by Eliminating Vulnerabilities
Nov 02, 2016
Abstract
Many system software are performance critical, and they are typicallyimplemented in unsafe programming languages that are efficient but prone
to security vulnerabilities. Existing approaches to address vulnerable
software tend to address some specific harmful effects (e.g., detection
based on evidence of an exploit), and thus have limited
effectiveness. For example, there have been many unfortunate cases where
security holes are again uncovered in the supposed "patched" or
protected systems security.
My research aims to eliminate the root cause of vulnerabilities. In this
talk, I will present two tools that I have developed, DangNull and
Caver. These tools protect a system from well-known as well as emerging
memory corruption vulnerabilities including use-after-free and
bad-casting. Specifically, DangNull relies on the key observation that
the root cause of use-after-free is that pointers are not nullified
after the target object is freed. Thus, DangNull instruments a program
to trace the object's relationships via pointers and automatically
nullifies all pointers when the target object is freed. Similarly, CaVer
relies on the key observation that the root cause of bad-casting is that
casting operations are not properly verified. Thus, CaVer uses a new
runtime type tracing mechanism to overcome the limitation of existing
approaches, and performs efficient verification on all type casting
operations dynamically. We have implemented these protection solutions
and successfully applied them to Chrome and Firefox browsers. Our
evaluation showed that DangNull and CaVer imposes 29% and 7.6% benchmark
overheads in Chrome, respectively. We have also tested seven
use-after-free and five bad-casting exploits in Chrome, and DangNull and
CaVer safely prevented them all.
About the Speaker
Byoungyoung Lee is an Assistant Professor in the Department of
Computer Science at Purdue University. His research is in the general
area of computer security and privacy. In particular, his focus is in
systems security, designing and implementing secure systems through
analyzing and eliminating vulnerabilities. His research identified and
helped to fix more than 100 security critical vulnerabilities in the
major software including the Linux Kernel, Chrome, Firefox, and
Safari. He received the Internet Defense Prize by Facebook and USENIX
and the best applied security research paper (the 3rd place) by
CSAW. His work has been published in top-tier security conferences
(Oakland, USENIX Security, CCS, and NDSS) as well as other top-tier
computer science conferences (SOSP, ATC, KDD, and WWW). More
information about him can be found at https://lifeasageek.github.io.
Computer Science at Purdue University. His research is in the general
area of computer security and privacy. In particular, his focus is in
systems security, designing and implementing secure systems through
analyzing and eliminating vulnerabilities. His research identified and
helped to fix more than 100 security critical vulnerabilities in the
major software including the Linux Kernel, Chrome, Firefox, and
Safari. He received the Internet Defense Prize by Facebook and USENIX
and the best applied security research paper (the 3rd place) by
CSAW. His work has been published in top-tier security conferences
(Oakland, USENIX Security, CCS, and NDSS) as well as other top-tier
computer science conferences (SOSP, ATC, KDD, and WWW). More
information about him can be found at https://lifeasageek.github.io.