Dear all,
Next week, we have the pleasure of having Dr Yaniv David give a talk in the colloquium.
The seminar will be held on Wednesday, January 24th at 14:00. Location: C220.
The title, abstract and bio appear below.
Looking forward to seeing you,
Sagie and Liat
*Title:* Challenges and Opportunities In Securing Software Supply Chains.
*Abstract:* Racing to be first to market and deploy new features, developers rely on many external libraries to underpin their software. Each library uses more libraries, creating vast networks of dependencies that the developers know little about and have no control over, forming a knowledge gap that quickly turns into technical debt. Repaying this debt is difficult, as analyzing or examining all libraries is infeasible, and worse, the debt keeps growing due to frequent library updates. Attackers move quickly to collect on this debt by reverse-engineering security updates into 1-day attacks or injecting malicious code into libraries and data used by the applications.
In this talk, I will present the systems I built to tackle these challenges: (1) detecting vulnerable libraries in firmware by comparing multiple significant code segments aligned via re-optimizing and normalizing; (2) streamlining software dependency updates via a production-ready hybrid static-dynamic approach for studying the risks of the update before applying it; (3) detecting rogue updates via trust-domain-based tracking for data-flows between different packages in JavaScript code; and (4) hardening applications against data deserialization attacks via a novel type inference technique we call Static Duck Typing, which is based on object behaviors and usage.
*Bio:* Yaniv is a postdoc at Columbia University working with Junfeng Yang. His research focuses on improving the reliability and safety of software. He is broadly interested in securing systems and program analysis. He received his PhD from the Technion in 2020, where he was advised by Eran Yahav.
Reminder: this is happening today.
On Thu, Jan 18, 2024 at 8:49 AM Sagie Benaim sagie.benaim@mail.huji.ac.il wrote: