Stony Brook University Logo Department of Computer Science Stony Brook Search Button
Secure Systems Lab

Research Overview

Secure Systems Lab is a leader in the area of software security. Our research addresses security threats due to benign software vulnerabilities, as well as those due to untrusted code and malware. Our techniques target all phases of cyber attacks, including:

  • prediction (software and configuration vulnerability analysis),
  • prevention (blocking exploit mechanisms, policy enforcement),
  • detection (host and network-based intrusion detection),
  • containment (isolated execution environments and virtual networks),
  • response (self-healing and self-regenerative techniques), and
  • recovery (contamination analysis and rollback).

Below is a sampling of our research. For more information, please click on the menu items on the right, or visit our publications page.

  • Randomization-based defenses for memory error exploits. We were one of the inventors of the popular address-space randomization (ASR) technique that has proven to be so effective that it found its way into many modern OSes like Linux and Windows. We have the first paper  [81] on this topic, and have developed techniques for achieving ASR on Linux  [81] as well as Windows  [60].

    We subsequently developed the technique of relative address randomization  [69]. Most recently, we explored another facet of randomization, namely, data-space randomization  [52].

  • Automata models of program behavior. We first proposed the use of finite-state automata models  [89] for system-call based anomaly detection. Since then, automata models have become the de-facto standard for system-call anomaly detection, and have been the topic of much research in academia as well as some products in the industry.

    Our dataflow anomaly detection  [66] work extended these automata models to capture rich information on system-call arguments. Recently, we demonstrated a class of mimicry attacks on system-call anomaly detectors called persistent interposition attacks  [56].

  • Taint-enhanced policy enforcement.Taint-tracking has recently become very popular in software security. It requires fine-grained program transformation, and hence early works suffered from very high performance overheads. We developed the first technique that reduced the overhead for taint-tracking C-programs by an order of magnitude  [64]. We also showed that taint-tracking, combined with security policies, can effectively block exploits of most common software vulnerabilities, including buffer-overflows, format-string attacks, SQL injection, cross-site scripting, command injection, path traversals, etc.

    Recently, we developed a technique for taint-tracking on binaries  [55] that represented a 3+-fold performance improvement over the best reported previously. We have also developed a new black-box technique  [45] for inferring taint, and developed a proactive malware defense  [54] based on taint-tracking.

  • Model-based Vulnerability analysis. Our work in 1998  [97] (which was subsequently expanded  [86]) was the first to develop a systematic approach for discovering unknown vulnerabilities in computer systems using a model-based analysis, and specifically, using customized model-checking techniques; and to generate attacks automatically from this analysis. Model-checking has subsequently become very popular for analyzing security vulnerabilities, forming the basis of works such as MulVal and many works on attack graphs.

    Subsequently, we explored the use of model-checking for security policy generation  [78] for untrusted code. Our ongoing work uses model-based analysis for analyzing trust in distributed systems, and for software vulnerability detection.

  • Automated generation of attack-blocking signatures. Initial research in this area was based on discovering invariants in the payloads of network-based attacks. Unfortunately, this requires a large number of attack samples, and moreover, could be easily evaded by knowledgeable attackers. In contrast, we developed the first techniques that produced very general signatures from a single attack sample. See here for a technique based on program behavior models, and here for a technique based on forensic analysis of process memory. These signatures are vulnerability-related rather than payload-based, and are hence difficult to evade.

    Our current work automates signature generation for web application vulnerabilities. These signatures are meant to be deployed on web application firewalls such as ModSecurity.

  • Untrusted code security.Safe execution can be achieved by enforcing approapriate security policies on untrusted code. The biggest challenge, then, is the development of these policies. In the model-carrying code  [78] project, we developed techniques that enabled code producers and consumers to collaborate in order to largely automate the generation of policies. Our award-winning Alcatraz  [77] and Safe execution environments  [74] projects explored a different approach for simplifying policy development that was based on the concept of logically isolated execution.

    More recently, we developed tools for automating the generation of information flow policies, which formed the basis of our proactive malware defense  [54]. In this context, we also addressed the problem of secure software installation  [51]. Finally, we extended the concept of isolated execution to networks via the concept of logically isolated virtual networks  [70, 50].

Overview

Research Areas

Source-code analysis/transformation
Binary analysis/rewriting
Policy/Specification Languages
OS and Virtualization Techniques
Algorithms
Learning/anomaly detection
Formal methods/Foundations


Research Problems

Randomization/Memory Errors
Information flow analysis
Automated Exploit Defenses
Virtual Network Lab
Safe execution/attack recovery
Automated signature generation
Malware/Untrusted code defense
Intrusion/Anomaly detection
Fast packet matching
Policy generation tools


Local Search



Home Contact NSI Computer Science Stony Brook University

Copyright © 1999-2013 Secure Systems Laboratory, Stony Brook University. All rights reserved.