Statement Yonghwi Kwon

I am interested in solving system security problems via program analysis techniques. More speci€cally, I have developed fundamental primitives for the investigation of advanced cyber-aŠacks and the analysis and prevention of everevolving malicious programs and payloads across multiple platforms. In particular, my research focuses on building systems to solve three prominent problems in system security: 1 aŠack provenance and root-cause analysis via causality inference [1, 2], 2 reverse-engineering through cross-platform binary analysis [3, 4, 10], and 3 so‰ware exploit prevention via input randomization [5, 7]. My research has introduced novel techniques along with practical systems, advancing the status quo. In recognition of my contributions, I have been honored with four prestigious awards: Best Paper Award, ACM SIGSOFT Distinguished Paper Award, Maurice H. Halstead Memorial Award, and Microso‡ Most Valuable Professional Award. 1 Research Overview and Highlights 1 Attack provenance via causality inference. Recent cyber-aŠacks are becoming increasingly targeted and sophisticated. A new class of aŠack called Advanced Persistent Œreat, or APT, targets a speci€c organization and compromises systems over a long period of time (e.g., frommonths to years) without being detected. For example, the notorious Stuxnet compromised more than hundreds of thousands of systems through multiple steps. It lurked in the systems for years while silently updating, installing backdoors, and ex€ltrating information. In the end, it even caused physical damages to thousands of machines. It was commented that the aŠack could have caused a nuclear disaster more catastrophic than Chernobyl. Investigating such an aŠack is challenging: (1) it occurs over an extended period of time, and hence, the log €les for the investigation are prohibitively large (e.g., on the scale of TBs), and (2) the aŠack process is highly sophisticated involving a large number of processes and €les. To address the above challenges, my research proposed causality inference to determine dependencies between system calls (e.g., between input and output system calls) and allow investigators to determine the origin of an aŠack (e.g., receiving a spam email) and assess the consequences of the aŠack. I have designed a practical causality inference engine LDX [1] that is 4 times more accurate and 2 orders of magnitude faster (6% runtime overhead) than state-of-the-art taint analysis techniques. Expanding beyond LDX, I have proposed a model based causality inference system, MCI [2]. MCI is practical as it does not require any modi€cation or instrumentation to end-user systems, and it is more accurate and precise (0.1% FP/FN) than the previous state-of-the-art technique BEEP [13] which does require instrumentation (12.8% FP/0.3% FN). LDX andMCI are currently going through tech-transfer as part of theDARPA Transparent Computing (TC) Program, a $5.3 million joint program between SRI International, Purdue Univ., Univ. of Wisconsin-Madison, and Univ. of Georgia. 2 Reverse-engineering through cross-platform binary analysis. Œe recent rise of IoT devices (predicted to reach 20.4 billion by 2020 [14]) such as wearable devices, drones, and self-driving cars raises alarming security concerns. In 2016, 7 massive Distributed Denial of Service (DDoS) aŠacks were all carried out by compromised IoT devices. Popular websites such asAmazon, CNN, and PayPal were a‚ected. In particular, Dyn, a DNS service provider and a victim of one of the aŠacks, lost 24% of customers. During the aŠacks, compromised devices coordinated malicious activities through Command and Control (C&C) protocols. Hence, understanding C&C messages is essential for revealing an aŠacker’s intentions. However, there are two prominent challenges: (1) they target various platforms and architectures (such as ARM, MIPS, and AVR) which many advanced analysis tools do not support, and (2) C&C servers are o‰en not accessible in practice, making reverse-engineering of C&C messages dicult. My research has introduced new paradigms in cross-platform aŠack investigation (e.g., IoT aŠack investigation). Rather than re-implementing analysis tools on multiple platforms, my work enables transforming a program execution on a platform (e.g., ARM Raspberry Pi) into another platform (e.g., x86 Linux) where various analysis tools (e.g., Pin/Valgrind) are already available. My technique, PIEtrace [3], traces and transforms an IoT program execution into a platform-independent C program that can be compiled and run on other platforms. PIEtrace was honored with the Best Paper Award (1/317) and the ACM SIGSOFT Distinguished Paper Award (3/317). Moreover, I have developed a novel system, called P2C [4], which reverse-engineers types and semantics of unknown €les and C&C messages in the following scenario: understanding C&C messages generated in the past and in the absence of C&C servers. P2C has been used to reveal the semantics of C&C messages generated by the Zeus malware, one of the largest known botnets, which infected 3.6 million systems. 3 So…ware Exploit Prevention via Input Randomization. Proactively protecting systems against a wide spectrum of so‰ware exploit aŠacks is of the utmost importance. Unfortunately, the ever-expanding variety of aŠack vectors and methods makes such defenses dicult. Protection targeting speci€c aŠacks such as ROP, use-a‰er-free, and type-confusion can hardly keep up with rapidly growing new aŠack vectors. I have designed a novel so‰ware protection system, A2C [5], that prevents a wide range of aŠacks by randomizing inputs such that any malicious payloads contained in the inputs are corrupted. Œe protection provided by A2C is both general (e.g., against various aŠack vectors including bu‚er-overƒow, integer-overƒow, use-a‰er-free, type-confusion, and ROP) and practical (7% runtime overhead). More importantly, the idea is applicable to many platforms. Speci€cally, my colleagues and I have designed PAD [7], a system that prevents malicious payloads in malvertising aŠacks on web systems via input randomization. PAD successfully prevented real-world malvertising aˆacks including the AdGholas malvertising campaign [15] which a‚ected thousands of victims everyday for over a year using a sophisticated steganography technique.