- You are subscribed to this talk through .
- You are watching this talk through .
- You are subscribed to this talk. (unsubscribe, watch)
- You are watching this talk. (unwatch, subscribe)
- You are not subscribed to this talk. (watch, subscribe)
Checking the World's Software for Exploitable Bugs
My research teams vision is to automatically check the world's software for exploitable bugs. Our approach is based on program verification, but with a twist. Traditional verification takes a program and a specification of safety as inputs, and checks that all execution paths of the program meet the safety specification. The twist in AEG is we replace typical safety properties with an ``un-exploitability'' property, and the ``verification'' process becomes finding a program path in which the un-exploitability property does not hold. Our analysis generates working control flow hijack and command injection exploits for exploitable paths. I'll discuss our results with a data set of over 33,000 programs. I will also discuss current challenges and future directions in symbolic execution.
David Brumley is an Associate Professor at Carnegie Mellon University with a primary appointment in the Electrical and Computer Engineering Department and a courtesy appointment in the Computer Science Department. He is also the Technical Director of CyLab, the CMU cybersecurity laboratory. His research focuses on software security.
Prof. Brumley received his PhD in Computer Science from Carnegie Mellon University, an MS in Computer Science from Stanford University, and a BA in Mathematics from the University of Northern Colorado. He served as a Computer Security Officer for Stanford University from 1998-2002 and handled thousands of computer security incidents in that capacity. He is the faculty mentor for the CMU Hacking Team Plaid Parliament of Pwning (PPP), which is ranked internationally as one of the top teams in the world according to ctftime.org. The team was ranked #1 in 2011, #2 in 2012, and #1 in 2013, and won DefCon 2013. He received the USENIX Security best paper awards in 2003 and 2007, an ICSE distinguished paper award in 2014. Prof. Brumley honors include being selected for the 2010 DARPA CSSP program and 2013 DARPA Information Science and Technology Advisory Board, a 2010 NSF CAREER award, a 2010 United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama (the highest award in the US for early career scientists according to wikipedia), and a 2013 Sloan Foundation award.