Detecting Deep Vulnerabilities in Systems Code

Faculty: Tuba Yavuz
Description: The security and reliability of IoT systems depend on the security and reliability of the system code and APIs that they are built on. The nature of system code makes it very challenging to detect deep bugs that are triggered only on a specific input or system state. State-of-the-art program analysis techniques either produce too many false positives or cannot detect deep bugs. Our approach leverages knowledge of the programming model to improve the precision and effectiveness of static program analysis. Using static program analysis, we have detected several deep bugs that involve callback execution, including the use-after-free in the usbtv driver, CVE-2017-17975, and API misuse vulnerabilities in the audio and network drivers.