Aravind will show how the new architecture features in ARM processors can lead to security issues by introducing new attack vectors.
Abstract: Modern systems are mainly composed of IoT devices and Smartphones. Most of these devices use ARM processors, which, along with flexible licensing, have new security architecture features, such as ARM TrustZone, that enables execution of secure applications in an untrusted environment. Furthermore, well-supported, extensible, open-source embedded operating systems like Android allow the manufactures to quickly customize their operating system with device drivers, thus reducing the time-to-market. Unfortunately, the proliferation of device vendors and race to the market has resulted in poor quality low-level system software containing critical security vulnerabilities. Furthermore, the patches for these vulnerabilities get merged into the end-products with a significant delay resulting in the Patch Gap, which causes the privacy and security of billions of users to be at risk. In this talk, I will show how the new architecture features in ARM processors can lead to security issues by introducing new attack vectors. Second, I will show that the existing techniques are inadequate to find the security issues and how, with certain well-defined optimizations, we can precisely find the security issues. Third, I will present my solution to the problem of Patch Gap by showing a principled approach to port patches to vendor product repositories automatically. repositories automatically. Finally, I will present my ongoing work to automatically port C to Checked C, which provides a low overhead, backward-compatible, and memory-safe C alternative that could be used on modern systems to prevent security vulnerabilities.
Biosketch:Aravind Machiry is a Ph.D. candidate in Computer Science at the University of California, Santa Barbara. He is a recipient of various awards, such as the Symantec Research Labs Fellowship and UCSB Graduate Division Dissertation Fellowship. His work spans across various aspects of System security and Program analysis. Specifically, he works on applying static/dynamic program analysis and fuzzing to solve various system security problems. He is also interested in identifying and improving the weaknesses of static program analysis.
Events are free and open to the public unless otherwise noted.