3RD IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT)
Secure and Integrated Management in the Cloud and 5G Era
Co-located with IEEE/IFIP IM 2017
Lisbon, Portugal
Keynote II (back to main page)
Shih-Kun Huang
Professor @ National Chiao Tung University, Taiwan
Exploit Generation: Bug as a Backdoor (BaaB)
April 23rd, 1:30pm - 2:30pmAbstract: Software crash is inevitable and the most common type of software failures. This type of failures is characterized in software testing, reliability, and quality assurance, but not in the cyber security. We have studied the software crash behaviors by constructing symbolic failure models, and automatically produce software attacks through the manipulation of the symbolic model. This work has revealed a severe cyber security threats against software quality. That is, software crash failures introduced by bugs are able to be automatically exploited. If bugs are exploited and attacked, arbitrary code can be executed and a backdoor channel will be built. That is the concept and talk title of Bugs as a Backdoor.
If a backdoor channel is built by embedding bugs in the system, former research on Trojan horse identification will be reduced to the finding of software bugs, still an intractable problem in software engineering, and programming languages.
In this talk, we will introduce the development of exploitable crash detection and the process of automatic exploits (attack input) generation. The generation process has been improved and 7,000 times faster than our initial attempt. If attacks are generated by tools from software crashes, Bugs as a Backdoor is feasible without writing an explicit Trojan horse in the system. A programmer or the software vendor can leave bugs in the system, as unintended features and deniable trapdoors.
Biography: Shih-Kun Huang received his B.S. (1989), M.S. (1991) and Ph.D. (1996) in Computer Science and Information Engineering from the National Chiao Tung University, and was an assistant research fellow at the Institute of Information Science, Academia Sinica between 1996 and 2004. Currently he is the deputy director of Information Technology Service Center, and a professor of Department of Computer Science, National Chiao Tung University. Dr. Huang's research integrates software engineering, and programming languages to study cyber security and software attacks. He is the Principal Investigator of the MOST project on Exploitable Software Crash (CRAX and CRAXweb).