Skip to main content

Seminar:  Safe Software

Date:December 10, 2012 
Talk Title:Safe Software
Speaker:David Brumley
Time & Location:12:00pm - 1:00pm
CIC Building, Pittsburgh

Abstract

Attackers only need to find a single exploitable bug in order to install malware, bots, and viruses on vulnerable computers. Unfortunately, bugs are plentiful. My research teams ambition is to automatically check the world's software, find exploitable bugs, and fix them before they can be used by attackers.  A significant part of this vision is to automatically find bugs and generate exploits proving which bugs are security-critical in off-the-shelf software. We call this the Automatic Exploit Generation (AEG) challenge.

Our approach to AEG is program verification, but with a twist. Traditional verification takes a program and a specification of safety as inputs, and checks that all execution paths of the program meet the safety specification.  The twist in AEG is we replace typical safety properties with an "exploitability" property, and the "verification" process becomes finding a program path in which the exploitability property holds.  I'll discuss our results at automatically finding bugs in heavily-utilized programs, as well as generate working exploits that demonstrate which bugs are most serious.  In the last part of this talk I'll discuss several remaining research challenges. 

Speaker Bio

David BrumleyDavid Brumley is an Assistant Professor at Carnegie Mellon University with appointments in the Electrical and Computer Engineering Department, the Computer Science Department, and CyLab. His work focuses on software security.  Prof. Brumley graduated from Carnegie Mellon University with a PhD in Computer Science in 2008, from Stanford with an MS in Computer Science in 2003, and from the University of Northern Colorado with a BA in Mathematics in 1998. He served as a Computer Security Officer for Stanford University from 1998-2002 where he handled many thousand computer security incidents.

He has received the USENIX Security best paper awards in 2003 and 2007, a member of the 2010 DARPA Computer Science Study Group, a 2010 NSF CAREER award, and a 2010 United States Presidential Early Career Award for Scientists and Engineers (PECASE).