Shielding Against Cyber Attacks

 

Sekar and Polychronakis awarded $3.5M to address security vulnerabilities

The latest software development practices can turn out new programs and products in record time. However, with enhanced speed and convenience comes “code bloat,” which creates a larger attack surface with a proliferation of security vulnerabilities, just waiting for hackers. Recent advances in software development often result in the need for constant system updates or bug fixes. Failure to implement these “fixes,” as is believed to be the case in the recent Equifax breach, costs the end user time and money.

L-R Researchers R. Sekar and M. Polychronakis

A team of researchers in the Department of Computer Science at Stony Brook University was recently awarded $3.5M by the Office of Naval Research to address “debloating,” which removes unneeded code and constrains the use of the remaining code, thus enhancing performance as well as security. In this project, entitled “Multi-layer Software Transformation for Attack Surface Reduction and Shielding,” Professors R. Sekar and Michalis Polychronakis will leverage recent advances they have made in binary code analysis and transformation to remove code bloat and tighten the security of today's software.

“Our project is based on the experience and insight gained from our prior research in this area. To keep it well-managed and to optimize effectiveness, we specifically targeted three main areas: code analysis foundations, debloating and dynamic attack surface reduction, and software shielding,” said Polychronakis.

“The attack surface will be reduced by removing unnecessary code and restricting capabilities of remaining code,” Sekar says. “We plan to disrupt unintended data flows that are often used in exploits and freeze data that does not need to be modified during operation.”

New protection mechanisms will help shield software against exploitation, while significantly advancing control-flow containment, code isolation, and diversification.

“Professors Sekar and Polychronakis’ transformative work is critical to addressing the issues we face in today’s era of exponential technological growth,” said Fotis Sotiropoulos, Dean of the College of Engineering and Applied Sciences. “I congratulate them on this recognition from the Office of Naval Research, and thank them for their important contributions to the College and to Stony Brook University.”

Sekar and Polychronakis discuss the ONR project with their student researchers.

This funding comes to Stony Brook through an Office of Naval Research Broad Agency Announcement that seeks “innovative scientific and technological solutions to address U.S. Navy and Marine Corps” challenges. The Department of Computer Science, part of the College of Engineering and Applied Sciences, has received close to $7M in various research awards this summer. According to Samir Das, Chair of the CS department, cybersecurity research, conducted through Stony Brook’s National Security Institute, represents more than 60% of the summer research funding.

About the Researchers

Professor Sekar is a graduate of the Department of Computer Science at Stony Brook, earning his PhD in 1991. His research focuses on software and systems security, on solving practical problems, and on building real systems, including software vulnerability mitigation, malware, intrusion detection, and management of distributed systems.

Michalis Polychronakis joined the Department of Computer Science as an assistant professor in 2015 and earned his PhD in computer science from the University of Crete, Greece. Before joining Stony Brook, he was an associate research scientist at Columbia University. His research focuses on network and system security, network monitoring and measurement, and online privacy.

-Story credit: Christine Cesaria, Chris Maio

Photo credit: @SIOBHANSPIX