Monday, November 17, 2014

Fall 2014 Google & UMD Seminar Series

The Fall 2014 Google & University of Maryland Cybersecurity Seminar Series will begin on:

November 20 with Dr. David Brumley from Carnegie Mellon University. 
RSVP here:
Title: Checking the World's Software for Exploitable Bugs

Abstract:  My research teams vision is to automatically check the world's software for exploitable bugs.  Our approach is based on program verification, but with a twist.  Traditional verification takes a program and a specification of safety as inputs, and checks that all execution paths of the program meet the safety specification.  The twist in AEG is we replace typical safety properties with an "un-exploitability'' property, and the "verification'' process becomes finding a program path in which the un-exploitability property does not hold.  Our analysis generates working control flow hijack and command injection exploits for exploitable paths.  I'll discuss our results with a data set of over 33,000 programs.  I will also discuss current challenges and future directions in symbolic execution.

Bio:  David Brumley is an Associate Professor at Carnegie Mellon University with a primary appointment in the Electrical and Computer Engineering Department and a courtesy appointment in the Computer Science Department. He is also the Technical Director of CyLab, the CMU cybersecurity laboratory.  His research focuses on software security.

The second talk will be on December 4 with Dr. Engin Kirda from Northeastern University. 
RSVP for the December 4 seminar here:
Title:  Hidden GEMs: Automated Discovery of Access Control Vulnerabilities in Graphical User Interfaces

Abstract:  Graphical user interfaces (GUIs) are the predominant means by which users interact with modern programs.  GUIs contain a number of common visual elements or widgets such as labels, textfields, buttons, and lists, and GUIs typically provide the ability to set attributes on these widgets to control their visibility, enabled status, and whether they are writable.  While these attributes are extremely useful to provide visual cues to users to guide them through an application's GUI, they can also be misused for purposes they were not intended.  In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes are often misused as a mechanism for enforcing access control policies.

In this talk, I will present  GEMs, or instances of GUI element misuse, as a novel class of access control vulnerabilities in GUI-based applications. I will present a classification of different GEMs that can arise through misuse of widget attributes, and describe a general algorithm for identifying and confirming the presence of GEMs in vulnerable applications.  I will then present GEM Miner, an implementation of our GEM analysis for the Windows platform.

Bio:  Engin Kirda is a Professor of Computer Science and Engineering at Northeastern University in Boston, and the director of the Northeastern Information Assurance Institute. He is also a co-founder and Chief Architect at Lastline, Inc -- a company specialized in advanced malware detection and defense.

Both talks will be held in 1115 Computer Science Instructional Center (CSI) at 5:00 pm. A reception will follow both talks!