Systems Seminar

EPFL IC Systems Seminar

Securing Clouds and Webs -- A Tale of Bug Detection and Exploit Mitigation



Abstract

Bugs in software are omnipresent and exploitable bugs (i.e., vulnerabilities) can be leveraged by attackers to violate the security assumptions and guarantees of affected systems. Software security research broadly knows two orthogonal approaches to deal with bugs and vulnerabilities: bug detection (ideally pre-deployment) and exploit mitigation (usually post-deployment). This talk will introduce recent achievements from my research group along these two dimensions.

Morphuzz, an automated bug detection system, analyzes hypervisors (e.g., QEMU, bhyve), the cornerstone of modern cloud infrastructures, for bugs and vulnerabilities. By bending the input space for virtual device implementations, Morphuzz identified dozens of bugs and vulnerabilities, generated easy-to-reproduce bug reports, and allowed developers to devise fixes for the identified issues. These outcomes already improved the security of the most popular open source hypervisor (QEMU), which features prominently in many cloud deployments worldwide.

As an exploit mitigation technique, Saphire leverages the insight that software exploits frequently benefit from suboptimal software design; specifically, ignorance towards the principle of least privilege. Thus, Saphire retrofits the principle of least privilege onto web applications created in PHP (PHP powers ~75% of public websites). Through static analysis, Saphire determines the set of system calls each PHP script requires to operate correctly and uses SECCOMP to ensure that only these system calls can be invoked by each script. This yields a powerful defense against popular and devastating web attacks such as remote code execution at <2% worst-case performance overhead.

To ensure benefit beyond the academic publications, we had both systems assessed through USENIX's artifact evaluation process and their code is publicly available. Moreover, Morphuzz has been upstreamed into the QEMU source repositories, and continuously analyzes QEMU via OSS-Fuzz, where it continues to deliver bug reports and self-contained reproducers.

Bio

Manuel Egele is an Associate Professor in the Department of Electrical and Computer Engineering at Boston University (BU) where he co-directs the Secure Systems Lab (SeclaBU). He also holds an affiliate appointment with the Computer Science department at BU. Prior to his appointment at BU, he was a Systems Scientist at Carnegie Mellon University. Before that, he was a post-doctoral researcher at the Computer Security Group of the Department of Computer Science at the University of California, Santa Barbara. He received his M.Sc. (2006) and Ph.D. (2011) degrees in computer science from the University of Technology in Vienna. His research interests span all areas of systems and software security – in particular mobile and embedded systems security, web security, and malicious code analysis.

Dr. Egele’s recent research projects revolve around the large-scale and automated analysis of Internet of Things firmware, cloud hypervisors, and the PHP ecosystem. He also directs research that creates new computer architectural features to benefit software security goals. Dr. Egele serves on the technical program committees of the big-four security conferences, was the program committee chair of RAID 2020, and serves as associate editor for the IEEE Transactions on Privacy and Security. His research was recognized through a variety of awards, such as two Best Paper Awards (DIMVA 2019, ASIACCS 2018), a Distinguished Paper Award (NDSS 2011), and the Junior PI Award of the Austrian Scientists in Northern America (AScINA) network (2019).