ASET Colloquium
Preventing Catastrophe from Sophisticated Software Sabotage: An Introduction to Detecting Security and Safety Vulnerabilities in Embedded Software
by Prof. Suraj Kothari (Department of Electrical and Computer Engineering, Iowa State University, USA)
Friday, December 7, 2012
(Asia/Kolkata)
at Colaba Campus ( AG-66 )
Description |
On August 17, 2009, at the Sayano-Shushenskaya hydroelectric power station in Khakassia, Russia, excessive vibration caused a 920-ton turbine to break apart and release pressurized water, which flooded the facility, killing 75 people and causing a power grid failure. The control software designed to shut down the turbine in the event of excessive vibration was not operating at the time. General Keith B. Alexander, commander of U.S. Cyber Command, noted that we are living in a time where such a deadly incident could also happen as a result of a cyber attack. Ubiquitous software has made cyber security an urgent safety and national defense issue. Unfortunately, cyber security measures in use today are woefully inadequate. Software sabotage now differs as much from conventional hacking as biological warfare differs from hand grenades. Catastrophe is all but inevitable if cyber security measures fail to match the sophistication of saboteurs. Stealing secrets from a smart phone, damaging a nuclear reactor and bringing down a power grid are disasters easily within the reach of today's cyber attackers. A television, a mobile phone, a car, a nuclear reactor, a missile, a power grid, in fact anything that contains sophisticated software, can be a target for these attacks. These new attacks result from misbehaving functional mutations of software. These mutations can appear in limitless variations that make them extremely difficult to identify with conventional security measures, particularly when they lie dormant before striking. Detecting these attacks is intrinsically different from detecting other software safety and security vulnerabilities. The new attacks, like cancer, present the challenge of distinguishing between normal and abnormal, and they can go undetected before irreversible damage is done. Just as screening for cancer must be done using sophisticated laboratory techniques, critical code must be examined with sophisticated software analysis techniques.
This introductory talk will provide an overview of the progression of ten years of our research, from analysis tools for safety-critical avionics software to our current DARPA-funded research on malware detection in Android apps. The talk will provide an introduction to the mathematical framework we have developed for analyzing large software and include a short demonstration to illustrate how challenging analysis can be done in minutes using one of our interactive tools, as opposed to a manual analysis that would take days.
SPEAKER'S PROFILE: Dr. Kothari led the effort at Iowa State University to establish the software engineering degree program in 2007, which has flourished over the years. He founded EnSoft in 2002. EnSoft's products for developing software for safety-critical control systems are licensed worldwide by avionics, automobile, electronics, and other manufacturers. Dr. Kothari has given several invited colloquiums and keynote talks, and served as a Distinguished ACM Lecturer. Currently, he is leading a multi-million dollar Automated Program Analysis for Cybersecurity (APAC) DARPA project. Dr. Kothari was awarded in 2012 the Iowa State Board of Regents Professor Award for excellence in Research, Teaching, and Service. |
Organised by | Dr. Satyanarayana Bheesette |