BEGIN:VCALENDAR VERSION:2.0 PRODID:-//Memento EPFL// BEGIN:VEVENT SUMMARY:IC Colloquium: Securing clouds and webs -- A tale of bug detection and exploit mitigation DTSTART:20211216T161500 DTEND:20211216T171500 DTSTAMP:20260528T093200Z UID:43832a08bb3004f4c62ab684554dc919561f69643d6862b6666f5862 CATEGORIES:Conferences - Seminars DESCRIPTION:By: Manuel Egele - Boston University\nVideo of his talk\n\nAbs tract\nBugs in software are omnipresent and exploitable bugs (i.e.\, vulne rabilities) can be leveraged by attackers to violate the security assumpti ons and\nguarantees of affected systems. Software security research broadl y knows two orthogonal approaches to deal with bugs and vulnerabilities: B ug detection\n(ideally pre-deployment) and exploit mitigation (usually pos t-deployment).This talk will introduce recent achievements from my researc h group along these two dimensions.\n\nMorphuzz\, an automated bug detecti on system\, analyzes hypervisors (e.g.\, QEMU\, bhyve)\, the cornerstone o f modern cloud infrastructures\, for bugs and\nvulnerabilities. By bending the input space for virtual device implementations\, Morphuzz identified dozens of bugs and vulnerabilities\, generated easy to\nreproduce bug repo rts\, and allowed developers to devise fixes for the identified issues. Th ese outcomes already improved the security of the most popular open source hypervisor (QEMU) which features prominently in many cloud-deployments wo rldwide.\n\nAs an exploit mitigation technique\, Saphire leverages the ins ight that software exploits frequently benefit from suboptimal software de sign\; specifically\nignorance towards the principle of least privilege. T hus\, Saphire retrofits the principle of least privilege onto web-applicat ions created in PHP (PHP powers\n~75% of public web-sites). Through static analysis Saphire determines the set of system calls each PHP script requi res to operate correctly and uses SECCOMP to ensure that only these system calls can be invoked by each script. This yields a powerful defense again st popular and devastating web attacks such as remote code execution at <2 % worst-case performance overhead.\n\nTo ensure benefit beyond the academi c publications we had both systems assessed through Usenix' artifact evalu ation process and their code is publicly\navailable. Moreover\, Morphuzz h as been upstreamed into the QEMU source repositories\, and continuously an alyzes QEMU via OSSFuzz\, where it continues to deliver bug reports and se lf-contained reproducers.\n\nBio\nManuel Egele is an Associate Professor i n the Department of Electrical and Computer Engineering at Boston Universi ty (BU) where he co-directs the Secure Systems Lab (SeclaBU). He also hold s an affiliate appointment with the Computer Science department at BU. Pri or to his appointment at BU\, he was a Systems Scientist at Carnegie Mello n University. Before that\, he was a post-doctoral researcher at the Compu ter Security Group of the Department of Computer Science at the University of California\, Santa Barbara. He received his M.Sc. (2006) and Ph.D. (20 11) degrees in computer science from the University of Technology in Vienn a. His research interests span all areas of systems and software security – in particular mobile and embedded systems security\, web security\, an d malicious code analysis.\n\nDr. Egele's recent research projects revolve around the large-scale and automated analysis of Internet of Things firmw are\, cloud hypervisors\, and the\nPHP ecosystem.  He also directs resear ch that creates new computer architectural features to benefit software se curity goals.  Dr. Egele serves on\nthe technical program committees of t he big-four security conferences\, he was the program committee chair of R AID 2020\, and serves as associate editor for the IEEE Transactions on Pri vacy and Security. His research was recognized through a variety of awards \, such as two Best Paper Awards (DIMVA 2019\, ASIACCS 2018)\, a Distingui shed Paper Award (NDSS 2011)\, and the Junior PI Award of the Austrian Sci entists in Northern America (AScINA) network (2019).\n\nMore information LOCATION:https://epfl.zoom.us/j/61106824259?pwd=aUJ5cVdaT0huS2FDU3lrdTRwZ1 cyZz09 STATUS:CONFIRMED END:VEVENT END:VCALENDAR