Protecting Computer Systems through Eliminating Vulnerabilities

Abstract

Many system components and network applications are written in unsafe programming languages that are prone to memory corruption vulnerabilities. To combat countless catastrophes from these vulnerabilities, there have been many defense research efforts. However, these were largely limited because their techniques focused on certain negative side effects from those vulnerabilities. As a result, there have been many unfortunate cases when security holes in these mitigation solutions are later uncovered, and significantly thwart the security of underlying systems. In this talk, I'll present a protection system which completely eliminates the root cause of those vulnerabilities. Specifically, I have targeted two popular and emerging vulnerabilities, use-after-free and bad-casting, each of which can be addressed with protection systems that I developed as a student at Georgia Tech: DangNull and caver, respectively. Since DangNull and caver directly fix the origin of such issues, they do not leave any security holes that attackers could abuse in the future. DangNull and caver have been recognized by both academia and industry for their highly practical impacts: Facebook and USENIX awarded the Internet Defense Prize, and CSAW awarded the "best applied security research paper." Meanwhile, Google and Mozilla deployed DangNull and Caver, respectively, in their development infrastructures.