NSF Awards Tegan Brennan $575K to Improve Software Security and Performance
Tegan Brennan, assistant professor in the Department of Computer Science at Stevens Institute of Technology, is working to keep programs that optimize computer code from accidentally exposing your private information to hackers. With a five-year, $574,990 CAREER grant from the National Science Foundation (NSF), Brennan is developing a system that improves software performance while ensuring security on the computers, cell phones and other devices people use every day. The CAREER award, one of NSF’s most prestigious grants, recognizes the potential of early-career faculty to make transformative contributions.
One example of the issue Brennan is addressing arises every time you enter your password onto a website or app.
“The site could check if your password is correct by looking at each character,” she explained. “If any one of those characters doesn’t match, you can't log in. If the first character is wrong, though, it will return the error more quickly than if the issue is with a later character. An attacker with the sophisticated ability to take timing measurements could exploit this systematically, running tests with various characters until one takes longer than the rest. The attacker then knows what the first character is and moves on to the next character and eventually cracks the whole password.”
Savvy developers build guardrails into their programs to prevent threats such as this. Unfortunately, even the best-laid plans can go astray when just-in-time compilers — systems that translate and continuously optimize those source codes into codes the machines can use — make things faster through changes that inadvertently create such risks and leak information.
Brennan has spent a lot of her research time delving into such “side-channel vulnerabilities.”
“One of the sneaky things I discovered is that despite all the research into making programs ‘side-channel safe,’ the just-in-time compiler can reintroduce these differences that were already removed,” she noted. “The compiler collects information at runtime, deciding to optimize code that is executed a lot to make the whole code more efficient. That can impact the timing information that the developer has carefully tried to balance and introduce threats that had already been removed.”
It’s all in the timing
Brennan is developing tools and techniques that make the job of Java and JavaScript developers and security practitioners easier while removing these timing-related threats. She plans to modify existing just-in-time compilation frameworks to go beyond implementing optimizations. Her vision is to have these enhanced compilers detect optimizations that could introduce security risks, measure the impact of those risks, decide whether to implement the changes and use machine learning to continue to make smarter decisions that balance performance and security.
“The main goal of compilation engines has been preserving program functionality, making sure the code does the right thing and does it efficiently,” she said. “Compilers are already looking at what parts of the code are executed how many times. They’re also collecting runtime information. Eventually, compilers might also be able to balance resources, considering how much memory is used, and whether it's resource-use-friendly. They’re already collecting that information, so why not make our job easy and reuse the information they already collect for us?”
The ultimate goal, of course, is to ensure unquestionably trustworthy software systems.
“We are all using these systems, running apps and programs that leverage languages using just-in-time compilation,” Brennan said. “And we all have to trust that the developers did their best to prevent every potential vulnerability. But now, with the framework we’re developing to do that for developers, we can help them optimize security, and we'll do it in an automated way so they can ensure reliable results.”
Learn more about academic programs and research in the Department of Computer Science:
