Current Students
Sudeep Ghosh

Sudeep Ghosh is a third-year ECE Ph.D. student investigating new approaches and methods for making software resistant to tampering and reverse engineering. He has not yet presented a dissertation proposal.

 
Wei Hu

Wei Hu is a fourth-year Ph.D. student working in the area of software security. The tentative title of his dissertation is Automatic and Efficient Protection against Non-Control-Data Attacks.

Dissertation Proposal Abstract

Memory overwriting vulnerabilities are a common cause of security problems. Exploits usually modify some control data, e.g., return addresses and function pointers, so that the code arranged by the attackers is executed. Due to the popularity of this type of attack, many defenses have been designed. However, memory overwriting vulnerabilities can also be exploited to modify non-control data, and cause the same level of security compromise. Non-control-data attacks are generally ignored by existing defenses. Therefore, it is foreseeable that as control-flow data protection techniques become widely deployed, attackers will seek to use non-control-data attacks.

The thesis of the proposal is that automated program analysis and transformation can be used to efficiently thwart memory corruption attacks that overwrite non-control data to compromise an application. The key insight into non-control-data attacks is that they must overwrite some security-critical data in order to benefit from the vulnerabilities. If all the potential targets of a non-control-data attack are identified, defenses can be designed to protect them.

This work will define a formal security model that specifies security-critical functions. Using this model, this work will design automated source-code analysis approaches that identify security-critical variables in a program, and develop practical software solutions for protecting identified data items without relying on uncommon hardware features such as word-level memory protection. This research will be validated by implementing the framework and evaluating how its security, scalability and performance overhead are affected by different design choices.

 
Daniel Williams

Dan Williams is a fifth-year Ph.D. student working on developing a new model of program development where program metadata is shared across the software development toolchain. The tentative title of his dissertation is Improved Compiler/SDT Interaction Through Shared Program Metadata.

Dissertation Proposal Abstract

Creating correct, secure and efficient programs is a difficult task. To achieve this goal, tools in the software development toolchain are used to allow programmers to write in high-level languages. While translating the program, the software development tools collect valuable information about the structure of the program (e.g., the program’s control flow and memory layout). This information, known as program metadata, is used by individual programs within the software development toolchain and then typically discarded. However, the collected metadata has many uses, and could be used by other tools, if it were available to them.

One such tool is Software Dynamic Translation (SDT). An SDT system is a tool that programmatically interprets application code before it is executed. SDT has been used in a variety of application domains: runtime optimization, security, and performance analysis, among others. All of these application domains use data about the program while performing various tasks (e.g., securing the control flow or eliminating dead code). The SDT system can collect this metadata; however, doing complex analysis to gather the required data increases translation overhead. Because of this large potential for metadata use in a variety of SDT application domains, and the need for access to that metadata without the overhead of gathering it, SDT is an ideal candidate for exploring the benefits of shared metadata.

The thesis of this work is that the sharing of program metadata across the software development toolchain can improve program performance, security, and application development. Focusing on the interaction between the software development toolchain and SDT, this work will study the uses, persistence, availability, and practicality of sharing metadata in the process of program translation and execution under an SDT system. This research will be validated by developing SDT-based applications that use program metadata in the domains of optimization, overhead reduction, security, and performance analysis.