[Colloq] Hiring Talk - David Molnar, 2/26

[Rachel Kalweit]

College of Computer and Information Science Hiring Talk:

Thursday, February 26, 2009
10:45am in room 366 West Village H

David Molnar - PhD candidate at the University of California,
Berkeley

Title: 
Theory Plus Practice in Computer Security : Radio
Frequency Identification and Whitebox Fuzzing

Abstract:

I will describe two areas in computer security that
demonstrate the wide range of techniques, from both
theory and practice, we need to make impact. First,
I treat privacy and security in Radio Frequency
Identification (RFID). RFID refers to a range of
technologies where a small device with an antenna,
or "tag" is attached to an item and can be queried
later wirelessly by a reader. While proponents of
RFID promise security and efficiency benefits, the
technology also raises serious security concerns. I
will describe my work on practical security analysis
of RFID in library books and the United States e-
passport deployments. These deployments in turn
uncover a new theoretical problem, that of "scalable
private authentication." I will describe the first
solution to this problem that scales sub-linearly in
the number of RFID tags.

Second, I describe recent work in "whitebox fuzz
testing," a new approach to finding security bugs.
Security bugs cost millions of dollars to patch
after the fact, so we want to find and fix them as
early in the deployment cycle as possible. I review
previous fuzz testing work, how fuzzing has been
responsible for serious security bugs, and classic
fuzz testing's inability to deal with "unlikely"
code paths. I then show how marrying the idea of
dynamic test generation with fuzz testing overcomes
these shortcomings, but raises significant scaling
problems. Two recent tools, SAGE at Microsoft
Research, and SmartFuzz at Berkeley, overcome these
scaling problems; I present results on the
effectiveness of these tools on commodity Windows
and Linux media playing software. Finally, I close
with directions for leveraging cloud computing to
improve developers' testing and debugging
experience.

The talk describes joint work with Ari Juels and David Wagner (RFID),
and with Patrice Godefroid, Michael Y. Levin, and Xue Cong Li (Whitebox
Fuzzing).

Bio:

David Molnar is a PhD candidate at the University of California,
Berkeley, degree expected Spring 2009. His work centers on privacy,
cryptography, and computer security, advised by David Wagner. Most
recently, he has been interested in RFID privacy, and in applying
constraint solvers to finding software bugs at scale. He is a previous
National Science Foundation Graduate Fellow and Intel Open Collaboration
Research Graduate Fellow.


Rachel M. Kalweit
College of Computer and Information Science
202 West Village H
Northeastern University
phone: 617-373-2462
fax: 617-373-5121
rachelb at ccs.neu.edu