CSE Seminar
Scaling Security Practices: Automated Approaches to Eliminate Security Vulnerabilities
Computer systems are highly vulnerable; every day, attackers discover
new security vulnerabilities and exploit them to compromise the target
systems. This talk will present our approaches to automatically
prevent software vulnerabilities from being exploited. In particular,
this talk will describe in detail two classes of vulnerabilities: an
emerging class, called "type confusion" (or "bad casting"), that is
commonly seen in modern web browsers, and a new class that we
discovered, called "uninitialized padding," causing information
leakage in the Linux kernel. This talk will explain what these
vulnerabilities are, how attackers exploit them, why/how developers
introduced them, and why it is non-trivial to avoid them in complex,
real-world programs. Finally, our approaches to automatically
eliminate them in practice will be demonstrated.

Taesoo Kim is a Catherine M. and James E. Allchin Early Career
Assistant Professor in the School of Computer Science at the Georgia
Institute of Technology (Georgia Tech). He also serves as the director
of the Georgia Tech Systems Software and Security Center (GTS3). He is
genuinely interested in building a system that prioritizes security
principles first and foremost. Those principles include the total
design of the system, analysis of its implementation, elimination of
certain classes of vulnerabilities, and clear separation of its
trusted components. His thesis work, in particular, focused on
detecting and recovering from attacks on computer systems, known as
"undo computing." He holds an S.M. (2011) and a Ph.D. (2014) from MIT.