The Taub Faculty of Computer Science Events and Talks

Racing to be first to market and deploy new features, developers rely on many external libraries to underpin their software. Each library uses more libraries, creating vast networks of dependencies that the developers know little about and have no control over, forming a knowledge gap that quickly turns into technical debt. Repaying this debt is difficult, as analyzing or examining all libraries is infeasible, and worse, the debt keeps growing due to frequent library updates. Attackers move quickly to collect on this debt by reverse-engineering security updates into 1-day attacks or injecting malicious code into libraries.

In this talk I will present the systems I built to tackle these challenges: (1) detecting vulnerable libraries in firmware by comparing multiple significant code segments aligned via re-optimizing and normalizing; (2) streamlining software dependency updates via a production-ready hybrid static-dynamic approach for studying the risks of the update before applying it; (3) detecting rogue updates via trust-domain-based tracking for data-flows between different packages in JavaScript code; and (4) hardening applications against data deserialization attacks via a novel type inference technique we call Static Duck Typing, which is based on object behaviors and usage.