Tawanda Mashavave ’10
Tawanda Mashavave '10 (Shamva, Zimbabwe) worked with Associate Professor of Computer Science Mark Bailey this summer on securing vulnerable software using software dynamic translation, a process that modifies how a computer application runs during execution. According to Mashavave, there are many ways a hacker can gain control of computer systems. One common way is for the hacker to look at publicly available source code (i.e. the commands written by a programmer to create a computer program) and manipulate that source code to gain control of its associated program.

Mashavave gave a detailed example of one type of software vulnerability hackers exploit to infiltrate computer programs that he says stems from programmer negligence. We have all come across programs that prompt for user input into a text box. The correct way to print such user input in C, a programming language, is for the programmer to write a statement such as printf("%s", name) into the source code, where name refers to the user input. The "%s" forces the program to interpret whatever is typed into the text box as a string, an ordered sequence of symbols chosen from some predetermined set, like letters or numbers.

Many times, however, Mashavave says that programmers become "lazy" and neglect to write %s; consequently, the program can interpret what is typed into the text box as just about anything. Hackers who see this vulnerability in the source code can insert some other instruction into the text box besides the required user input that allows them to crash the system, view other information stored in memory, execute a malicious program, or perform some other destructive act.
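The difference described above, as an added example in C (not code from Mashavave's project or from STRATA). The function names count_directives and render_name and the sample inputs are constructed for illustration; the vulnerable call appears only in a comment.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form described in the article (shown only as a comment):
 *     printf(name);         user input becomes the format string
 * Correct form:
 *     printf("%s", name);   user input is only ever data
 */

/* Count the conversion directives printf would act on if `s` were used as
 * a format string. "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        if (s[1] != '\0')       /* '%' followed by anything else */
            n++;
    }
    return n;
}

/* Hardened output path: the format string is a constant, so directives
 * inside `name` are copied verbatim. Returns 0 on success, -1 if the
 * result did not fit in `out`. */
int render_name(char *out, size_t outlen, const char *name)
{
    int w = snprintf(out, outlen, "%s", name);
    return (w >= 0 && (size_t)w < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs (hypothetical text-box contents). */
    const char *inputs[] = { "Tawanda", "100%% sure", "%x %x %s" };
    char buf[64];
    for (size_t i = 0; i < 3; i++) {
        if (render_name(buf, sizeof buf, inputs[i]) == 0)
            printf("printed: %-12s directives in input: %d\n",
                   buf, count_directives(inputs[i]));
    }
    return 0;
}
```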

Mashavave is looking at ways to detect whether or not a hacker is trying to infiltrate a program. If hacker activity is detected, he hopes to develop countermeasures such as stopping the program or putting up a warning so that the malicious code is not executed. To do this, Mashavave is using a computer program known as STRATA, which allows him to modify the way in which a computer application executes.

In preparation for his project, he has done extensive background research by reading papers on software vulnerabilities and virtual machines (software implementations of a computer that execute programs like a real machine). Mashavave has also spent time learning how to use STRATA by implementing a solution to another kind of software vulnerability that was developed by a different computer scientist. By replicating this solution, Mashavave became familiar with the intricacies of STRATA.

Mashavave says that this summer has been a great learning experience that really expanded on what he has learned in his computer science courses and enlightened him about the computer science field in general. During the course of his research, Mashavave says he discovered a real interest in computer science and programming, and he hopes to study computer science in graduate school.

Mashavave is a computer science and math double major. This is his first summer of research at Hamilton. On campus, Mashavave is the website administrator for the West Indian and African Association (WIAA), a member of the International Students Organization, a computer science teaching assistant, and a math teaching assistant and grader. He is also a part of the Computer Science Programming Team and plays intramural soccer and cricket.

-- by Nick Berry '09
