Designers of protocols, software, and hardware tend to focus on
algorithmic mechanisms, processes, components, and abstractions.  The
design of the system's input data is more of an afterthought: derived
from the needs of the system's components.  Yet, data read as inputs are
languages that drive systems: they are what control the behavior of
software or hardware processing these data.  Data compose a program that
get interpreted by the virtual machine which is the software or hardware
processing the data. In fact, at times data can be indistinguishable
from code: there are numerous examples of what we generally consider to
be data (such as x86 memory management unit tables and an executable
file's metadata) driving arbitrary computation in the virtual machine
that is processing the data.  Security researchers have long ago
realized the dangers of allowing untrusted sources to inject or affect
the code a system is processing. However, data can be just as dangerous.
Yet we are just beginning to study, understand, and quantify the power
of data in the context of software security. It is time for security
researchers to study the role of data in exploitation; to build methods
and tools that allow designers and security practitioners to more
carefully design data, understand how data can affect the system, and
restrain the power of the virtual machines that process data.  In my
thesis I will design tools that will allow developers more explicitly
and intentionally design their input data and policies that govern the
validation of input data along with tools that ensure such policies are
being enforced.

Committee members:

Sergey Bratus, Research Associate Professor at Dartmouth College
Sean W. Smith, Professor at Dartmouth College
Devin Balkcom, Associate Professor at Dartmouth College
Greg Morrisett, Allen B. Cutting Professor of Computer Science at Harvard University