A team of researchers in the Department of Computer Science was recently awarded $3.5M by the Office of Naval Research to support “debloating,” a process that could help guard against security breaches that threaten the privacy and integrity of personal data.
Debloating is the process of removing and streamlining code, thus enhancing software performance as well as security. As part of the researchers’ debloating project, titled “Multi-layer Software Transformation for Attack Surface Reduction and Shielding,” Professors R. Sekar and Michalis Polychronakis will leverage recent advances they have made in binary code analysis and transformation to remove code bloat and tighten security of today’s software.
“Our project is based on the experience and insight gained from our prior research in this area,” said Polychronakis, a cybersecurity expert who joined the Department of Computer Science as an assistant professor in 2015. “To keep it well-managed and to optimize effectiveness, we specifically targeted three main areas: code analysis foundations, debloating and dynamic attack surface reduction, and software shielding.”
The funding is particularly timely in light of recent news that one of the country’s largest credit reporting agencies, Equifax of Atlanta, was the victim of hacking on a scale that has not been seen in years, exposing Social Security numbers and driver’s license numbers of 143 million U.S. citizens.
So why has cybersecurity become such a problem?
One issue arises from current software development practices, which turn out new programs and products in record time for the sake of speed and convenience. Unfortunately, the extra code this produces, or “code bloat,” creates a larger attack surface with a proliferation of security vulnerabilities just waiting for hackers. These rapid development practices also often create the need for constant system updates or bug fixes.
But failure to implement these fixes can result in breaches — some of which, like the Equifax hack, can result in the mass exposure of private data.
“This is the absolute worst digital data breach in recorded history,” said Radu Sion, professor in the Department of Computer Science, and founder of Stony Brook’s National Security Institute. “Not only is its magnitude staggering, but its implications are bordering on disastrous and are likely to haunt us for decades.”
This is because the type of data leaked is far more consequential than email account login information or the results of targeted phishing, Radu said. As a culture dependent on technology, and therefore on ever more code across our digital infrastructure, we have left ourselves vulnerable because we value growth in the market over stronger security, he explained.
“The attack surface will be reduced by removing unnecessary code and restricting capabilities of remaining code,” said Sekar, who received his PhD from Stony Brook in 1991. “We plan to disrupt unintended data flows that are often used in exploits and freeze data that does not need to be modified during operation.”
New protection mechanisms will help shield software against exploitation while significantly advancing control-flow containment, code isolation and diversification, Sekar added.
“Professors Sekar and Polychronakis’ transformative work is critical to addressing the issues we face in today’s era of exponential technological growth,” said Fotis Sotiropoulos, dean of the College of Engineering and Applied Sciences (CEAS). “I congratulate them on this recognition from the Office of Naval Research, and thank them for their important contributions to the College and to Stony Brook University.”
This funding comes to Stony Brook through an Office of Naval Research Broad Agency Announcement that seeks “innovative scientific and technological solutions to address U.S. Navy and Marine Corps” challenges. The Department of Computer Science, part of CEAS, has received nearly $7 million in research awards this summer. According to Samir Das, the department chair, cybersecurity research conducted through Stony Brook’s National Security Institute represents more than 60 percent of the summer research funding.

“Unfortunately, this is not the last breach to expect,” Sion said.
About the Researchers
R. Sekar is a graduate of the Department of Computer Science at Stony Brook, earning his PhD in 1991. His research focus is on software and systems security, and on solving practical problems and building real systems including software vulnerability mitigation, malware, intrusion detection, and management of distributed systems.
Michalis Polychronakis joined the Department of Computer Science as an assistant professor in 2015 and earned his PhD in computer science from the University of Crete, Greece. Before joining Stony Brook, he was an associate research scientist at Columbia University. His research focuses on network and system security, network monitoring and measurement, and online privacy.