Our research group works on various computer security problems,
particularly focusing on software security and systems security areas.
The followings introduce our major research areas:
Confidential Computing
With the advent of AI, ML, and Big Data, the data computation is
probably the most important task in modern computing systems. In this
sense, confidential computing techniques ensure confidentiality and
integrity guarantees while performing the data computation, which is
already shipped with commodity CPUs (e.g., Intel SGX and AMD SEV) and
serviced by major clouds (e.g., Microsoft Azure and Google Cloud). Our
research focuses on providing secure computing environments for the
confidential computing or developing new security applications
leveraging confidential computing techniques.
Chancel [NDSS 21] develops
a two-way sandbox for application enclaves in Intel SGX. It
designs per-thread software-fault isolation technique to ensure
that all the out-going data from the enclave is encrypted.
BlackMirror [CCS 20]
prevents gaming wall hacks, a game hacking technique in online
games. Using Intel SGX, it constructs a blackbox for a game
client such that there's no way that the game cheating engine sees
the gaming memory.
Trustore [CCS 20] implements
FPGA-based secure storage for TEEs. Since Trustore's secure
storage is completely isolated from other computing components
and thus imposes no hardware resouce sharing, it is secure
against timing side-channel attacks.
Obfuscuro [NDSS 19] enables generic oblivious execution for
applications running on Intel SGX. It ensures that all control- and
data-flows of an application are performed through ORAM such that
the target application is secure from side-channel attacks.
Vulnerability Finding
This area aims at automatically finding vulnerabilities in various
software or system products. We leverage various analysis techniques
to identify previously unknown vulnerabilities, ranging from
fuzzing and symbolic execution to static analysis, which
identified numerous vulnerabilities from popular products—including
Linux, Windows, Mac OS X, QEMU, Chrome, Firefox, RISC-V, etc.
CAFL [USENIX Sec 21]
presents a constraint-guided fuzzing technique, which guides the
fuzzing exploration towards a set of control- and
data-constraints. Automatically generating such constraints based
on either crash dumps or code patches, we showcase how CAFL can be
used for crash reproduction and PoC exploit generation.
CrFuzz [FSE 20] is a
fuzzer to discover bugs in user applications. It features a
clustering analysis to automatically predict if a newly given
input would be accepted. CrFuzz discovered 277 previously unknown
vulnerabilities, which includes popular target applications such
as FFMpeg, ImageMagick, and Graphicsmagick.
HFL [NDSS 20] is a kernel
hybrid-fuzzer, performing both symbolic execution and traditional
fuzzing. It features tailored fuzzing techniques to specifically
address challenges in fuzzing the kernel---such as converting
indirect control transfers to direct transfers, inferring system
call sequence, and identifying nested argument types. HFL
discoverd 24 new vulnerabilities in the Linux kernel.
Razzer [SP 19] is a fuzzer
designed to detect race condition vulnerabilities in the Linux
kernel. Using the static analysis, Razzer guides the fuzz testing
towards potential data race spots, and tames non-deterministic
nature of race bugs to be deterministic to better identify the
race bug. Razzer discovered 30 new race vulnerabilities in the
Linux kernel.
Attack (Hacking)
Computer systems keep evloving, so attacking techniques against
computer systems keep evloving as well. Clearly understanding the new
and emerging attack techniques are important to computer systems,
because one can develop mitigation techniques against such a newly
learned attack vector. More critically, this provides a key insight
into how our computer systems of today (as well as future) should be
designed and implemented in responses to the emerging attack vectors.
ExpRace [USENIX Sec 21]
proposes a new exploitation technique for kernel data races. In
order to tame the non-deterministic nature of race issues, ExpRace
carefully raises interrupt events through various kernel
mechanisms such as reschedule IPI, TLB shootdown IPI, membarrier
IPI, and hardware interrupts. ExpRace was able to exploit 10
real-world kernel race vulnerabilities within 10 to 118 seconds,
all of which were not possible to exploit without ExpRace.
Defense
In order to fully compromise a system, attackers will have to perform
certain behaviors against a victim system. As such, this research area
aims at learning such abnormal attacking behaviors and thus nullifying
the attacks, thereby protecting the system from being compromised.
Kard [ASPLOS 21] dynamically
detects data races caused by inconsistent lock usage. Kard
leverages commodity per-thread memory protection, Intel Memory
Protection Keys (MPK), so as to ensure that a shared object is
only accessible to a single thread in its ciritical section.
CaVer [USENIX Sec 15] is a
runtime bad-casting detection tool for C++ programs. It performs
program instrumentation at compile time and traces the runtime
type inforamtion. We applied CaVer to large-scale software
including Chrome and Firefox browsers to stop bad-casting or
type-confusion vulnerabilities.