Automatically Mitigating and Fixing Software Vulnerabilities

Friday February 23rd, 12-1PM @ BA5205

Speaker: Zhen (James) Huang

Title:
Automatically Mitigating and Fixing Software Vulnerabilities

Abstract:
With the rise of smartphones and IoTs, computer systems have become an indispensable part of our lives. Our reliance on computer systems makes software security extremely important. However, software security is continuously threatened by software vulnerabilities because software vulnerabilities are commonly used by adversaries to compromise software security, yet manually fixing software vulnerabilities cannot keep pace with the rampant exploits of software vulnerabilities. While it is ideal to fix software vulnerabilities, creating a fix can take time. A faster alternative to fixing software vulnerabilities is mitigating software vulnerabilities via configuration workarounds, which is frequently used in practice to address software vulnerabilities rapidly ahead of the release of security patches. In this talk, I will demonstrate the need for automatic solutions to address software vulnerabilities with a study on the lifecycle and complexity of real-world security patches, and describe systems that I have built to mitigate more software vulnerabilities than configuration workarounds, and to automatically fix real-world software vulnerabilities. These systems leverage novel program analysis techniques to address two main challenges: 1) mitigating a large number of software vulnerabilities rapidly and safely, and 2) generating sound security patches for software vulnerabilities involving complex code structure and data structure. I will conclude this talk with future directions on automatically mitigating and fixing software vulnerabilities.

Bio:
Zhen Huang is a Ph.D. candidate in the Department of Electrical & Computer Engineering at the University of Toronto. His research focuses on automatically mitigating and fixing software vulnerabilities. Using novel program analysis techniques, he has built two systems to address software vulnerabilities. A system called Talos enables software to defend against exploits to software vulnerabilities rapidly, and a system called Senx automatically fixes software vulnerabilities.

Spiffy: Interpreting Metadata for File System Applications

Thursday February 8th, 12-1PM @ BA5205

Speaker: Jack Sun

Title:
Spiffy: Interpreting Metadata for File System Applications

Abstract:
Many file system applications, such as defragmentation tools, file system checkers or data recovery tools, operate at the storage layer. Today, developers of these storage applications require detailed knowledge of the file system format, which takes a significant amount of time to learn, often by trial and error, due to insufficient documentation or specification of the format. Furthermore, these applications perform ad-hoc processing of the file-system metadata, leading to bugs and vulnerabilities.

We propose Spiffy, an annotation language for specifying the on-disk format of a file system. File system developers annotate the data structures of a file system, and we use these annotations to generate a library that allows identifying, parsing and traversing file-system metadata, providing support for both offline and online storage applications. This approach simplifies the development of storage applications that work across different file systems because it reduces the amount of file-system-specific code that needs to be written.

We have written annotations for the Linux Ext4, Btrfs and F2FS file systems, and developed several applications for these file systems, including a type-specific metadata corruptor, a file system converter, and an online storage layer cache that preferentially caches files for certain users. Our experiments show that applications that use the library to access file system metadata can achieve good performance and are robust against file system corruption errors.

Bio:
Kuei (Jack) Sun is a fourth-year PhD student supervised by Prof. Ashvin Goel and Prof. Angela Demke Brown. The focus of his research is on simplifying the development of file-system aware applications, as well as improving the robustness of these applications.