Abstract: Computer systems are highly vulnerable; attackers discover new security vulnerabilities every day and exploit them to compromise the target systems. This talk will present our approaches to automatically prevent software vulnerabilities from being exploited. In particular, this talk will describe in detail two classes of vulnerabilities: an emerging class, called "type confusion" (or "bad casting"), that is commonly seen in modern web browsers, and a new class that we discovered, called "uninitialized padding," that causes information leakage in the Linux kernel. This talk will explain what these vulnerabilities are, how attackers exploit them, why and how developers introduced them, and why it is non-trivial to avoid them in complex, real-world programs. Finally, our approaches to automatically eliminate them in practice will be demonstrated.
Bio: Taesoo Kim is a Catherine M. and James E. Allchin Early Career Assistant Professor in the School of Computer Science at the Georgia Institute of Technology (Georgia Tech). He also serves as the director of the Georgia Tech Systems Software and Security Center (GTS3). He is genuinely interested in building a system that prioritizes security principles first and foremost. Those principles include the total design of the system, analysis of its implementation, elimination of certain classes of vulnerabilities, and clear separation of its trusted components. His thesis work, in particular, focused on detecting and recovering from attacks on computer systems, known as "undo computing." He holds an S.M. (2011) and a Ph.D. (2014) from MIT.
Host: Armando Solar-Lezama