{"469931":{"#nid":"469931","#data":{"type":"event","title":"MS Defense by Kevin Flansburg","body":[{"value":"\u003Cp\u003EHello, I would like to announce my master\u0027s thesis defense.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EName:\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003E\u0026nbsp; \u0026nbsp; Kevin Flansburg\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003EAdvisor:\u003C\/p\u003E\u003Cp\u003E\u0026nbsp; \u0026nbsp; Taesoo Kim\u003C\/p\u003E\u003Cp\u003ECommittee Members:\u003C\/p\u003E\u003Cp\u003E\u0026nbsp; \u0026nbsp; Polo Chau\u003C\/p\u003E\u003Cp\u003E\u0026nbsp; \u0026nbsp; Manos Antonakakis\u003C\/p\u003E\u003Cp\u003EDate and Time:\u003C\/p\u003E\u003Cp\u003E\u0026nbsp; \u0026nbsp; November 23, 2015 11:00 AM\u003C\/p\u003E\u003Cp\u003ELocation:\u003C\/p\u003E\u003Cp\u003E\u0026nbsp; \u0026nbsp; Klaus 3100\u003C\/p\u003E\u003Cp\u003ETitle:\u003C\/p\u003E\u003Cp\u003E\u0026nbsp;\u003Cstrong\u003E \u0026nbsp;\u0026nbsp;A Framework for Reproducible Exploit Testing Environments\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003EAbstract:\u003C\/p\u003E\u003Cp\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cbr \/\u003ETo demonstrate working exploits or vulnerabilities, people often share\u003Cbr \/\u003Etheir findings as a form of proof-of-concept (PoC) prototype. 
Such\u003Cbr \/\u003Epractices are particularly useful to learn about real vulnerabilities\u003Cbr \/\u003Eand state-of-the-art exploitation techniques.\u0026nbsp; Unfortunately, the shared\u003Cbr \/\u003EPoC exploits are seldom reproducible; in part because they are often not\u003Cbr \/\u003Ethoroughly tested, but largely because authors lack a formal way to\u003Cbr \/\u003Especify the tested environment or its dependencies.\u0026nbsp; Although exploit\u003Cbr \/\u003Ewriters attempt to overcome such problems by describing their\u003Cbr \/\u003Edependencies or testing environments using comments, this informal way\u003Cbr \/\u003Eof sharing PoC exploits makes it hard for exploit authors to achieve the\u003Cbr \/\u003Eoriginal goal of demonstration.\u0026nbsp; More seriously, these non- or\u003Cbr \/\u003Ehard-to-reproduce PoC exploits have limited potential to be utilized for\u003Cbr \/\u003Eother useful research purposes such as penetration testing, or in\u003Cbr \/\u003Ebenchmark suites to evaluate defense mechanisms.\u003C\/p\u003E\u003Cp\u003E\u003C\/p\u003E\u003Cp\u003EIn this paper, we present XShop, a framework and infrastructure to\u003Cbr \/\u003Edescribe environments and dependencies for exploits in a formal way, and\u003Cbr \/\u003Eto automatically resolve these constraints and construct an isolated\u003Cbr \/\u003Eenvironment for development, testing, and to share with the community.\u003Cbr \/\u003EWe show how XShop\u0027s flexible design enables new possibilities for\u003Cbr \/\u003Eutilizing these reproducible exploits in five practical use cases: as a\u003Cbr \/\u003Esecurity benchmark suite, in pen-testing, for large scale vulnerability\u003Cbr \/\u003Eanalysis, as a shared development environment, and for regression\u003Cbr \/\u003Etesting. 
We design and implement such applications by extending the\u003Cbr \/\u003EXShop framework and demonstrate its effectiveness with twelve real\u003Cbr \/\u003Eexploits against well-known bugs that include GHOST, Shellshock, and\u003Cbr \/\u003EHeartbleed.\u0026nbsp; We believe that the proposed practice not only brings\u003Cbr \/\u003Eimmediate incentives to exploit authors but also has the potential to be\u003Cbr \/\u003Egrown as a community-wide knowledge base.\u003C\/p\u003E\u003Cp\u003E\u003C\/p\u003E\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u003Cbr \/\u003E\u003C\/p\u003E\u003Cp\u003E \u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"A Framework for Reproducible Exploit Testing Environments"}],"uid":"27707","created_gmt":"2015-11-16 07:58:30","changed_gmt":"2016-10-08 02:14:50","author":"Tatianna Richardson","boilerplate_text":"","field_publication":"","field_article_url":"","field_event_time":{"event_time_start":"2015-11-23T15:00:00-05:00","event_time_end":"2015-11-23T17:00:00-05:00","event_time_end_last":"2015-11-23T17:00:00-05:00","gmt_time_start":"2015-11-23 20:00:00","gmt_time_end":"2015-11-23 22:00:00","gmt_time_end_last":"2015-11-23 22:00:00","rrule":null,"timezone":"America\/New_York"},"extras":[],"groups":[{"id":"221981","name":"Graduate Studies"}],"categories":[],"keywords":[{"id":"111531","name":"ms defense"}],"core_research_areas":[],"news_room_topics":[],"event_categories":[{"id":"1788","name":"Other\/Miscellaneous"}],"invited_audience":[{"id":"78771","name":"Public"}],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[],"email":[],"slides":[],"orientation":[],"userdata":""}}}