Automatically Mitigating and Fixing Software Vulnerabilities

Friday February 23rd, 12-1PM @ BA5205

Speaker: Zhen(James) Huang

Automatically Mitigating and Fixing Software Vulnerabilities

With the rise of smart phones and IoTs, computer systems have become an indispensable part of our lives. Our reliance on computer systems make software security extremely important. However, software security is continuously threatened by software vulnerabilities because software vulnerabilities are commonly used by adversaries to compromise software security, yet manually fixing software vulnerabilities cannot keep pace with the rampant exploits of software vulnerabilities. While it is ideal to fix software vulnerabilities, creating a fix can take time. A faster alternative to fixing software vulnerabilities is mitigating software vulnerabilities via configuration workarounds, which is frequently used in practice to address software vulnerabilities rapidly ahead of the release of security patches. In this talk, I will demonstrate the need for automatic solutions to address software vulnerabilities with a study on the lifecycle and complexity of real-world security patches, and describe systems that I have built to mitigate more software vulnerabilities than configuration workarounds, and to automatically fix real-world software vulnerabilities. These systems leverage novel program analysis techniques to address two main challenges: 1) mitigating large number of software vulnerabilities rapidly and safely, and 2) generating sound security patches for software vulnerabilities involving complex code structure and data structure. I will conclude this talk with future directions on automatically mitigating and fixing software vulnerabilities.

Zhen Huang is a Ph.D candidate in the Department of Electrical & Computer Engineering at University of Toronto. His research focuses on automatically mitigating and fixing software vulnerabilities. Using novel program analysis techniques, he has built two systems to address software vulnerabilities. A system called Talos enables software to defend against exploits to software vulnerabilities rapidly, and a system called Senx automatically fixes software vulnerabilities.