PhD Defense by Byoungyoung Lee

Title: Protecting computer systems through eliminating or analyzing vulnerabilities

Byoungyoung Lee
School of Computer Science
College of Computing
Georgia Institute of Technology

Date: Thursday, July 14, 2016
Time: 2 PM to 4 PM EST
Location: KACB 3126

Committee:
---------------
Dr. Wenke Lee (Co-Advisor, School of Computer Science, Georgia Tech)
Dr. Taesoo Kim (Co-Advisor, School of Computer Science, Georgia Tech)
Dr. William R. Harris (School of Computer Science, Georgia Tech)
Dr. Alex Orso (School of Computer Science, Georgia Tech)
Dr. Weidong Cui (Microsoft Research Redmond)

Abstract:
---------------

There have been tremendous efforts to build fully secure computer systems, but it is not an easy goal. Making a simple mistake introduces a vulnerability, which can critically endanger a whole system's security.

This thesis aims at protecting computer systems from vulnerabilities. We take two complementary approaches in achieving this goal: eliminating or analyzing vulnerabilities. In the vulnerability elimination approach, we eliminate a certain class of memory corruption vulnerabilities to completely close the attack vectors from such vulnerabilities. In particular, we develop the tools DangNull and CaVer, each of which eliminates a popular and emerging vulnerability class, use-after-free and bad-casting, respectively. DangNull relies on the key observation that the root cause of use-after-free is that pointers are not nullified after the target object is freed. Thus, DangNull instruments a program to trace the object's relationships via pointers and automatically nullifies all pointers when the target object is freed. Similarly, CaVer relies on the key observation that the root cause of bad-casting is that casting operations are not properly verified. Thus, CaVer uses a new runtime type tracing mechanism to overcome the limitations of existing approaches, and performs efficient verification on all type casting operations dynamically. We have implemented these protection solutions and successfully applied them to the Chrome and Firefox browsers. Our evaluation showed that DangNull and CaVer impose 29% and 7.6% benchmark overheads in Chrome, respectively. We have also tested seven use-after-free and five bad-casting exploits in Chrome, and DangNull and CaVer safely prevented them all.
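As an added illustration of the DangNull idea described above (constructed example code, not the thesis's tool): a minimal registry of which pointer variables point at which heap object, and a free routine that nullifies every registered pointer, so that a later use of a stale pointer fails a NULL check instead of reading freed memory. The registry and the tracked_store()/tracked_free() calls are assumptions standing in for DangNull's compiler instrumentation.

```c
#include <stdlib.h>

/* Constructed sketch of DangNull's idea, not the tool's code: every store of an
 * object pointer is recorded, and freeing the object nullifies all recorded
 * pointers to it. DangNull records stores via compiler instrumentation; here
 * the program calls tracked_store() by hand. */
#define MAX_REFS 64
struct ref { void *obj; void **slot; };   /* slot: address of a pointer holding obj */
static struct ref refs[MAX_REFS];
static size_t nrefs;

/* Number of tracked (slot -> object) relationships. */
size_t tracked_count(void) { return nrefs; }

/* Stand-in for an instrumented pointer store: *slot = obj, plus bookkeeping. */
void tracked_store(void **slot, void *obj) {
    for (size_t i = 0; i < nrefs; i++)       /* forget the slot's old target */
        if (refs[i].slot == slot) { refs[i] = refs[--nrefs]; break; }
    *slot = obj;
    if (obj != NULL && nrefs < MAX_REFS)
        refs[nrefs++] = (struct ref){ obj, slot };
}

/* Free obj and nullify every tracked pointer to it; returns how many. */
size_t tracked_free(void *obj) {
    size_t nulled = 0;
    for (size_t i = 0; i < nrefs; ) {
        if (refs[i].obj != obj) { i++; continue; }
        *refs[i].slot = NULL;
        refs[i] = refs[--nrefs];
        nulled++;
    }
    free(obj);
    return nulled;
}

struct node { int value; };
/* Three pointers alias one object; after tracked_free() all three are NULL, so
 * a later access fails a NULL check instead of reading freed memory. */
int demo(void) {
    void *n = NULL, *a = NULL, *b = NULL;
    tracked_store(&n, malloc(sizeof(struct node)));
    if (n == NULL) return 0;
    ((struct node *)n)->value = 42;
    tracked_store(&a, n);
    tracked_store(&b, n);
    size_t nulled = tracked_free(n);   /* n's value is copied in before being nullified */
    return (nulled == 3 && n == NULL && a == NULL && b == NULL) ? 1 : 0;
}
```

Pointers stored through untracked paths (plain assignments the instrumentation does not see) would still dangle, which is why DangNull instruments the program rather than relying on manual registration.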

In the vulnerability analysis approach, we focus on a timing-channel vulnerability, which allows an attacker to learn information about a program's sensitive data without causing the program to perform unsafe operations. It is challenging to test and further confirm a timing-channel vulnerability, as it typically involves complex algorithmic operations. We implemented SideFinder, an assistant tool that identifies timing-channel vulnerabilities in a hash table. Empowered with symbolic execution techniques, SideFinder semi-automatically synthesizes inputs that attack timing channels, and thus confirms the vulnerability. Using SideFinder, we analyzed and further synthesized two real-world attacks in the Linux kernel, and showed that it can break one important security mechanism, Address Space Layout Randomization.
