UNIVERSITY PARK, Pa. — Hong Hu, assistant professor in the Penn State College of Information Sciences and Technology (IST), earned a five-year, $654,681 U.S. National Science Foundation (NSF) Early Career Development (CAREER) Award for a project titled, “Enhancing Practical Defense Mechanisms Against Memory Errors and Attacks.”
Q: What do you want to understand or solve through this project?
Hu: In response to ongoing threats from memory errors and cyberattacks on computer software systems, the security community is actively developing and refining a variety of defense mechanisms. These efforts aim to minimize performance overhead and improve compatibility for practical deployment while ensuring robust protection against determined attackers.
To achieve this balance, new proposals often involve modifying existing defenses or integrating recent technological advancements. However, these updates can sometimes introduce new vulnerabilities. For instance, configurable defenses, which allow users to customize protection granularity — such as checking pointers only for memory writes — or adjust enforcement mechanisms in resource-constrained environments, may inadvertently create new attack surfaces. Attackers could potentially exploit these weaknesses by targeting and corrupting critical variables to weaken or disable the defenses.
Considering these challenges, this project is set to evaluate practical defense mechanisms. The goal is to measure their effectiveness, identify any weaknesses, and address the issues discovered to ensure robust protection against sophisticated cyber threats. This initiative is a crucial step toward bolstering software security and safeguarding against malicious exploits.
Q: How will advances in this area impact society?
Hu: This research aims to introduce innovative approaches for understanding common weaknesses in practical memory defenses and exploring potential optimizations such as debloating, which reduces software’s attack surface by removing pieces of code that are not required by users. Additionally, the project will focus on developing solutions to prevent misuse and detect advanced stealthy attacks.
The outcomes of this project are set to initiate a significant paradigm shift toward automated defense evaluation and enhancement, with far-reaching implications across various research fields, including software security, system security and program analysis. The tools developed and released through this project will accelerate research; bolster global collaborations in these domains; and offer enduring value to academia, security organizations, and software and hardware vendors.
Q: How will undergraduate and/or graduate students contribute to this research?
Hu: Undergraduate and graduate students will actively participate in the various stages of the research process, from conceptualization to experimentation and analysis. They will assist in developing the tools and solutions aimed at preventing misuse and detecting advanced stealthy attacks. They’ll work closely with IST faculty as well as researchers from Ohio State and the University of California to enhance their collaborative and networking skills. They’ll also help to design and implement programs that cultivate interest in computer science and security among K-12 students, which can help build a pipeline of future researchers and security professionals.
Q: The CAREER award recognizes your potential as a researcher, educator and leader in the field. How do you hope to fulfill that potential?
Hu: I aim to drive groundbreaking research that addresses critical challenges in software and system security.
This includes developing and implementing a comprehensive curriculum that integrates cutting-edge research into undergraduate and graduate courses. And I will create opportunities for students to engage in hands-on projects and real-world problem-solving, bridging the gap between theoretical knowledge and practical application.
I will assemble multidisciplinary research teams, promoting a collaborative and inclusive culture that harnesses diverse talents and perspectives to tackle complex security challenges. I intend to engage with the broader community, including industry partners, government agencies and educational institutions, to address pressing security issues and influence policy and practice.
And I will advocate for and implement initiatives that promote diversity and inclusion within the field of computer science and security. This includes outreach programs to underrepresented groups and efforts to create a more equitable research and learning environment.
By pursuing these goals, I hope to make significant contributions to the field, inspire the next generation of researchers and security professionals and uphold the responsibilities that come with the CAREER award.