Seminar Series Archive
Zhiyun Qian
University of California, Riverside
April 1, 2022
11:00am - 12:00pm
Title:
Fighting Vulnerabilities With Process, Insight, and Automation
Abstract:
Vulnerabilities are the driving force of cybersecurity research. Despite our best intentions and efforts, vulnerabilities are not going away any time soon. This is because the abstractions and layers we create to manage complexity are unfortunately never perfect. Flaws can occur within each layer and even across layers (e.g., side channels), often breaking our assumptions and reliance on simplifications. Moreover, the diverse types of vulnerabilities make it challenging to come up with universal solutions. Because of the inherent difficulty in eliminating vulnerabilities entirely, in practice, we need a process to cope with them.
In this talk, I will discuss my journey in fighting vulnerabilities through the process of vulnerability modeling, discovery, assessment, and remediation. In each task of the process, we are often required to answer questions with binary answers such as "is there a vulnerability?", "is the vulnerability exploitable?", and "is the vulnerability patched?". Even though the answer looks simple, it can be quite difficult to arrive at the right answer. This is because all of these questions require some unique thought process, some way of searching, or insights in general. These insights can come from both academia and the hacking community (e.g., regarding exploitation techniques). We bridge the gap by taking insights from both communities and feeding them into automated solutions. The talk will cover my experience practicing vulnerability research on both novel and known types of vulnerabilities.
In this talk, I will discuss my journey in fighting vulnerabilities through the process of vulnerability modeling, discovery, assessment, and remediation. In each task of the process, we are often required to answer questions with binary answers such as "is there a vulnerability?", "is the vulnerability exploitable?", and "is the vulnerability patched?". Even though the answer looks simple, it can be quite difficult to arrive at the right answer. This is because all of these questions require some unique thought process, some way of searching, or insights in general. These insights can come from both academia and the hacking community (e.g., regarding exploitation techniques). We bridge the gap by taking insights from both communities and feeding them into automated solutions. The talk will cover my experience practicing vulnerability research on both novel and known types of vulnerabilities.
Speaker Bio:
Zhiyun Qian is the Everett and Imogene Ross associate professor in the CSE department at the University of California Riverside. His main research interests are in the area of system and network security, including vulnerability discovery, side channel analysis, applied program analysis, system building, and measurement of real-world security problems. He is a recipient of the ACM CCS Distinguished Paper Award in 2020, Applied Networking Research Prize from IRTF in 2019, NSF CAREER Award in 2017, Facebook Internet Defense Prize Finalist in 2016. He is also a Pwn2Own 2021 winner and the most creative idea winner in Geekpwn 2016.