Software is everywhere and so are software vulnerabilities, affecting individuals, companies and nations. Deliberately planted software vulnerabilities (“malware”) have ravaged nuclear reactors, and unintended software vulnerabilities (“bugs”) have recently caused all American Airlines planes to be grounded for hours. Software vulnerabilities elude regression testing because their occurrence often depends on intricate sequences of low-probability events. The alternatives, such as completely automated program analysis and/or formal verification, are riddled with intractable problems that pose practical barriers to achieving scalability and accuracy. This tutorial is aimed at an audience interested in learning about sophisticated software vulnerabilities with dire consequences, and a novel practical approach to detecting them. We will present a rigorous framework that integrates automated program analysis and human reasoning. We will demonstrate a suite of supporting tools with unique capabilities that enable human analysts to quickly identify and understand the relevant parts of large software, gather evidence, and perform reasoning experiments in order to discover sophisticated vulnerabilities. This tutorial is based on our research with three Defense Advanced Research Projects Agency (DARPA) projects and our practical experience of applying the research. Discovering sophisticated vulnerabilities in large software is like finding a needle in a haystack without knowing what the needle looks like. About 50% of the tutorial will be demonstrations that elaborate the process of discovering vulnerabilities and validating large software. The representative examples will pertain to reliability issues for operating system kernels and sophisticated malware attacks through Android apps.
Venue: 11th International Conference on Information Systems Security (ICISS 2015), Jadavpur University, Kolkata, India, December 16-20, 2015
Author: Suresh Kothari