CS Events

Faculty Candidate Talk

Finding Semantic Bugs in Kernels: the Symbolic Way and the Fuzzy Way

Thursday, March 05, 2020, 10:30am
Speaker: Meng Xu, Georgia Tech
Meng Xu is a Ph.D. candidate in the School of Computer Science at Georgia Tech, advised by Taesoo Kim. His research interests are broadly in the areas of system and software security, with thesis research on finding semantic bugs via symbolic execution and fuzz testing, and rich experience in achieving security with software diversity and N-version programming. His work has uncovered over 100 bugs in foundational software such as OS kernels and browsers, has appeared in top-tier security and systems venues, and received a Distinguished Paper Award at USENIX Security 2018. He also served on the Program Committee of CCS 2018 as well as the Student PC of Oakland 2018 and EuroSys 2018.

Location: CoRE A 301

Event Type: Faculty Candidate Talk

Abstract: The scale and pervasiveness of modern software pose challenges for security researchers: a bug is more devastating than ever, and growing software complexity keeps exacerbating the situation with more bug species, expanding the arms race between security practitioners and attackers beyond memory errors. As a consequence, we need a new generation of bug hunting tools that not only scale well with increasingly larger codebases but also keep up with the growing variety of bugs. In this talk, I will present two complementary bug hunting frameworks that meet the scalability and agility requirements, focused symbolic checking and multi-dimensional fuzz testing, and showcase their effectiveness in a challenging arena: OS kernels. While symbolic execution can never scale up to the whole kernel, complete checking may nevertheless be possible in carefully constructed program slices. I will demonstrate how symbolic bug models can help build such slices and enable a jumpstart of symbolic execution from the middle of a program. On the other hand, fuzz testing turns bug finding into a probabilistic search, but current practices restrict themselves to one dimension only (sequential executions). I will illustrate how to explore the concurrency dimension and extend the bug scope beyond memory errors to a broad spectrum of semantic bugs. Finally, I will give a sense of the extensibility of both frameworks with planned bug checker integrations, as well as a vision of having them incorporated into the software development cycle right from day 1.

Contact: Faculty Host He Zhu