Shuo Chen
240 Coordinated Science Lab.
University of Illinois
1308 W. Main St., Urbana, IL 61801
http://www.crhc.uiuc.edu/~shuochen/
Office Phone: (217)333-6861
Email: shuochen@crhc.uiuc.edu

RESEARCH INTERESTS

Security and fault tolerance, with an emphasis on systems research related to the analyses of real-world security vulnerabilities, security attacks, and the impacts of software/hardware faults on security.

EDUCATION

Ph.D., Computer Science, University of Illinois at Urbana-Champaign, August 2005, expected (GPA: 3.84/4)
Dissertation: Characterizing and Reasoning about Security Vulnerabilities
Advisor: Ravishankar K. Iyer

M.S., Computer Science, Tsinghua University, China, July 2000 (GPA: 3.85/4)

B.S., Computer Science, Peking University, China, July 1997 (GPA: 3.85/4)

RESEARCH EXPERIENCES

8/00 – date
Research Assistant, Center for Reliable and High-Performance Computing, Univ. of Illinois at Urbana-Champaign. Advisor: Ravi Iyer

(1) Analysis and Modeling of the Impacts of Transient Faults on System Security.
Fault injection experiments are conducted on network server programs and Linux firewall software [6][7]. The results show a nonnegligible conditional probability of transient faults causing security compromises. A stochastic model is built to quantitatively estimate the frequency of such security compromises in a real operational environment.

(2) Analysis and Modeling of Real-World Security Vulnerabilities.
A finite state machine model is developed to depict and reason about security vulnerabilities published on Bugtraq and CERT databases [5]. Many common types of vulnerabilities are decomposed to simple predicates to show their root causes. I discovered a new HTTP daemon vulnerability (Bugtraq #6255) during the analysis.

(3) Analysis of Deficiencies of Current Security Defensive Techniques.
We study many real security vulnerabilities on major network servers and conclude that it is generally applicable to compromise system security by corrupting non-control data. Our attacks evade the detections of many current defensive techniques, such as system call based intrusion detection systems and control data protection techniques, and thus represent a realistic threat to software security [1].

(4) New Security Defensive Techniques.
On recognition of deficiencies of current security defensive techniques and the common characteristics of security vulnerabilities, I propose the notion of pointer taintedness, which allows formal reasoning of program vulnerabilities and runtime checking of security attacks. A theorem proving technique is developed to extract security specifications from program code [4]. An architecture level defensive technique is proposed and simulated to defeat real security attacks [2]. Both techniques are based on pointer taintedness analysis.

5/04 – 8/04
Research Intern, Systems and Networking Group, Microsoft Research
A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities. Mentors: John Dunagan, Chad Verbowski and Yi-Min Wang
A novel tracing technique is designed and implemented for identifying the dependencies of Windows applications on Administrator privileges [3]. The project requires extensive work on the Windows kernel security subsystem.

5/03 – 8/03
Research Intern, Systems and Networking Group, Microsoft Research
Audit-Enhanced Authentication in Kerberos. Mentor: Dan Simon
I extended the Windows Kerberos subsystem to allow passing extra information transparently in multi-tier applications. The project requires modifications of the Kerberos subsystem and the Windows kernel security subsystem.

5/02 – 8/02
Research Intern, Data Network Research Center, Bell Laboratories
Detection of Network Denial of Service Attacks Based on TCP-Friendly Characteristics. Mentor: Jose Brustoloni
The protocol stack of access routers is modified to automatically and securely detect TCP-unfriendly flows, which are then forwarded in a lower class of service in order to mitigate network congestive denial of service attacks. The project requires extensive work on the TCP/IP protocol stack of FreeBSD.

5/01 – 8/01
Research Intern, Network Software Group, Avaya Labs
Libsafe for Windows. Mentor: Timothy Tsai
Libsafe is a software package originally invented for Linux to detect and foil stack-smashing attacks. I implemented it on Windows [10]. The project requires the function interception technique on Windows, and knowledge about system DLLs.

PUBLICATIONS

PAPERS UNDER REVIEW

[1] S. Chen, J. Xu, E. C. Sezer. “Non-Control-Hijacking Attacks are Realistic Threats”. Submitted for conference publication.

PAPERS IN REFEREED CONFERENCES

[2] S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, R. K. Iyer. “Defeating Memory Corruption Attacks via Pointer Taintedness Detection”. To appear in Proc. of IEEE International Conf. on Dependable Systems and Networks (DSN), Yokohama, Japan, June 28 - July 1, 2005.

[3] S. Chen, J. Dunagan, C. Verbowski and Y.-M. Wang, “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities,” to appear in Proc. of 12th Network and Distributed System Security Symposium (NDSS), San Diego, CA, February 3-4, 2005. (Acceptance rate = 16/124 = 12.9%)

[4] S. Chen, K. Pattabiraman, Z. Kalbarczyk, R. K. Iyer, “Formal Reasoning of Various Categories of Widely Exploited Security Vulnerabilities Using Pointer Taintedness Semantics”, Proc. of 19th IFIP International Information Security Conference, Toulouse, France, August 23-26, 2004. (Acceptance rate < 35/160 = 21.9%)

[5] S. Chen, Z. Kalbarczyk, J. Xu, R. K. Iyer, “Data Driven Finite State Machine Model for Analyzing Security Vulnerabilities”, in Proc. of IEEE International Conf. on Dependable Systems and Networks (DSN), San Francisco, CA, June 22-25, 2003.

[6] S. Chen, J. Xu, R. K. Iyer, K. Whisnant. “Modeling and Analyzing the Security Threat of Firewall Data Corruption Caused by Instruction Transient Errors”, in Proc. of IEEE International Conf. on Dependable Systems and Networks (DSN), Washington D.C., June 23-26, 2002.

[7] J. Xu, S. Chen, Z. Kalbarczyk, R. K. Iyer, “An Experimental Study of Security Vulnerabilities Caused by Errors”, in Proc. of IEEE International Conf. on Dependable Systems and Networks (DSN), Göteborg, Sweden, July 01-04, 2001.

JOURNAL PUBLICATIONS

[8] S. Chen, J. Xu, Z. Kalbarczyk, R. K. Iyer. “Security Vulnerabilities: From Analysis to Detection and Masking Techniques”. To appear in Proceedings of the IEEE, Special Issue on Security and Cryptography, 2005.

[9] S. Chen, J. Xu, Z. Kalbarczyk, R. K. Iyer and K. Whisnant. “Modeling and Evaluating the Security Threats of Transient Errors in Firewall Software”, in International Journal of Performance Evaluation, Volume 56, Issues 1-4, pp. 53-72, March 2004.

TECHNICAL REPORT

[10] S. Chen, T. K. Tsai, N. Singh. “Libsafe for Windows NT/2000”. Avaya Labs Research Technical Report ALR-2001-018, August 2001.

PRESENTATIONS

1. “A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities”. Presented in 12th Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2/4/2005. Also presented in the Systems & Networking Group, Microsoft Research, Redmond, Washington, 7/27/2004.

2. "Formal Reasoning of Security Vulnerabilities by Pointer Taintedness Semantics". Presented in Computer Engineering Seminar, Coordinated Science Lab, UIUC, 10/12/2004.

3. "A Finite State Machine Methodology for Analyzing Security Vulnerabilities". Presented in IEEE International Conference on Dependable Systems and Networks, San Francisco, 6/2003. Also presented in Computer Engineering Seminar, Coordinated Science Lab, UIUC, 4/15/2003.

4. "Secure Detection and Isolation of TCP-unfriendly Flows". Presented in the Data Network Research Center, Bell Laboratories, Holmdel, New Jersey, 8/2002.

5. "Evaluating the Security Threat of Instruction Corruptions in Firewalls". Presented in IEEE International Conference on Dependable Systems and Networks, Washington D.C., 6/2002.

6. "Libsafe for Windows". Presented in the Network Software Research Department, Avaya Laboratories, Basking Ridge, New Jersey, 8/16/2001.

COMPUTER SKILLS

Language: Proficient in C, Pascal and BASIC. Fluent in x86 assembly.
Systems: Have experience on Linux kernel, FreeBSD kernel, Windows kernel and system DLLs.
Networking: Have experience on modifying TCP/IP protocol implementations.

AWARDS and PROFESSIONAL SERVICES

1. Reviewer for IEEE Transactions on Dependable and Secure Computing (TDSC)
2. Reviewer for 2004 IEEE INFOCOM
3. Student Travel Grant for 2003 IEEE Int'l Conf. on Dependable Systems and Networks
4. Reviewer for 2003, 2004 IEEE Int'l Conf. on Dependable Systems and Networks
5. LEGEND Excellent Student Scholarship, Peking University, 1996
6. SAMSUNG Excellent Student Scholarship, Peking University, 1995

PERSONAL

Citizen of China, currently on F-1 visa.

References

Dr. Ravishankar K. Iyer
Professor, ECE Department
Director, Coordinated Science Lab
University of Illinois
1308 W. Main St., Urbana, IL 61801
Phone: 217-333-7774
Email: iyer@crhc.uiuc.edu
Advisor

Dr. Zbigniew Kalbarczyk
Principal Research Scientist
Coordinated Science Lab
University of Illinois
1308 W. Main St., Urbana, IL 61801
Phone: 217-244-7110
Email: kalbar@crhc.uiuc.edu
Co-advisor

Dr. Yi-Min Wang
Group Manager, Systems Management Research
Senior Researcher, Systems and Networking Research
Microsoft Research
One Microsoft Way, Redmond, WA 98052
Phone: 425-706-3467
Email: ymwang@microsoft.com
Internship Mentor

Dr. Timothy K. Tsai
Sun Microsystems, SunCARE
4140 Network Circle, Mailstop USCA14301, Santa Clara, CA 95054
Phone: 408-276-7186
Email: timothy.tsai@sun.com
Internship Mentor