Modern systems are mainly composed of IoT devices and Smartphones. Most of these devices use ARM processors, which, along with flexible licensing, have new security architecture features, such as ARM TrustZone, that enables execution of secure applications in an entrusted environment. Furthermore, well-supported, extensible, open-source embedded operating systems like Android allow the manufactures to quickly customize their operating system with device drivers, thus reducing the time-to-market.
Unfortunately, the proliferation of device vendors and race to the market has resulted in poor quality low-level system software containing critical security vulnerabilities. Furthermore, the patches for these vulnerabilities get merged into the end-products with a significant delay resulting in the Patch Gap, which causes the privacy and security of billions of users to be at risk.
In this talk, I will show that the existing techniques are inadequate to find the security issues and how, with certain well-defined optimizations, we can precisely find security issues. Second, I will present my solution to the problem of Patch Gap by showing a principled approach to port patches to vendor product repositories automatically. Finally, I will present my ongoing work to automatically port C to Checked C, which provides a low overhead, backward-compatible, and memory-safe C alternative that could be used on modern systems to prevent security vulnerabilities.
Aravind Machiry is a Ph.D. candidate in Computer Science at the University of California, Santa Barbara. He is a recipient of various awards, such as the Symantec Research Labs Fellowship and UCSB Graduate Division Dissertation Fellowship. His work spans across various aspects of System security and Program analysis. His research resulted in various Open-source security tools and several Common Vulnerability Exposures (CVEs) in critical system software such as kernel drivers, Trusted Execution Environments, and bootloaders. His research is also academically recognized with awards such as Distinguished Paper Award, Internet Defense Prize, an invitation to present at CSAW Applied Research Competition. Previously, Aravind received his Master’s degree in Information Security from the Georgia Institute of Technology.