March 10, 2022
Yueqi Chen
Despite significant efforts on cybersecurity, we are observing an increasing number of attacks in recent years. One reason for this harsh reality is that our efforts target individual incidents while lacking a deep understanding of the attack surfaces in software systems. As a result, software systems accumulate too many individual patches and ad-hoc mitigations, which introduce unacceptable overhead without substantial security benefit.

In this talk, I will present a systematic approach to understanding attack surfaces. This approach gives security analysts and developers the ability to quantify the impact of attack surfaces and facilitates the development of universal and effective defense solutions. Technically, the approach consists of two steps: induction and deduction. The induction step summarizes a security incident and abstracts the essential attack surface behind it. The deduction step generalizes that essential attack surface to different systems and applies it to the exploitation of different error types. By mitigating the generalized attack surface, developers can design universal protections. I will illustrate this research approach starting from a security incident in the Linux kernel, and I will present a universal and effective defense that mitigates the generalized attack surface and is widely adopted in various commodity operating system kernels.

In the future, I plan to further advance this systematic approach and make it a fundamental part of the entire software development lifecycle. More specifically, I will: 1) enrich the induction and deduction techniques to cover more attack forms under new contexts, 2) formalize the description of attack surfaces, and 3) quantify the security of systems in order to optimize and restructure the existing defense architecture.