Date/Time
Date(s) - 06/26/2024
12:00 PM - 1:00 PM
Add to Google Calendar or iCal/Outlook Calendar
To watch the recorded webinar, click on the recording.
Play Video
Speaker:
Dr. Houman Homayoun is a professor in the Department of Electrical and Computer Engineering at the University of California, Davis.
Abstract:
In the domain of Internet of Things (IoT) systems, firmware constitutes an essential element, orchestrating the operational control of hardware components and playing a pivotal role in maintaining both the functional integrity and security of these devices. This talk will delve into the security challenges and cutting-edge solutions pertinent to the firmware of IoT systems, presenting our latest findings from research published in recent NDSS and USENIX security conferences. Our studies focus on two types of firmware vulnerabilities: those in bare-metal firmware and those in Linux-based firmware, each with its unique security implications and solutions.
The first study investigates vulnerabilities in bare-metal firmware of IoT devices. We detail a specific vulnerability involving the malicious configuration of power management integrated circuits (PMIC), which can lead to significant device malfunctions such as battery degradation and sensor data corruption. Through a methodical reverse engineering process using tools like Ghidra and Python scripting, we present the FANDEMIC attack, which alters PMIC settings to induce such failures. Our research demonstrates the attack on actual hardware platforms and discusses effective mitigation strategies to safeguard against such vulnerabilities.
The second paper addresses firmware security in Linux-based IoT systems, focusing on BusyBox—an essential suite of Linux commands used ubiquitously in embedded devices. We reveal the presence of vulnerabilities due to outdated BusyBox versions and introduce innovative testing strategies, including the use of Large Language Models (LLM) for generating initial seeds in fuzz testing. This approach enhances the efficiency of identifying potential crashes and vulnerabilities. Additionally, we explore the effectiveness of reusing crash data from similar firmware to expedite the testing process, showcasing significant improvements in the discovery and management of firmware vulnerabilities.
Speaker Bio:
Houman Homayoun is a Professor in the Department of Electrical and Computer Engineering at the University of California, Davis. He holds a Ph.D. in Computer Science from the University of California, Irvine, obtained in 2010 after receiving a four-year fellowship from the Computer Science Department. He earned his MS in Computer Engineering from the University of Victoria in 2005 and a BS in Electrical Engineering from the Sharif University of Technology in 2003.
Before his appointment at UC Davis, Houman was an Associate Professor at George Mason University and was recognized as an NSF Computing Innovation Fellow by the CRA-CCC, spending two years at the University of California, San Diego, from 2010 to 2012.
At UC Davis, Professor Homayoun leads the National Science Foundation IUCRC Center for Hardware and Embedded Systems Security and Trust (CHEST). Under his leadership, CHEST tackles pressing security challenges in hardware and embedded systems to ensure their safety and reliability. His significant contributions through CHEST have garnered congressional support, with allocations of $3M and $9M budget highlighted in the National Defense Authorization Acts of 2021 and 2024, respectively.
Houman’s research focuses on hardware security and trust, applied machine learning and AI, data-intensive computing, and heterogeneous computing. He has published over 200 technical papers in prestigious conferences and journals, directed over $18M in research funding from various agencies, and received multiple best paper awards at GLSVLSI, ICCAD, ICDM, DCAS, ISVLSI, and DATE.
Additionally, Houman served as an Associate Editor of IEEE Transactions on VLSI from 2017 to 2022, has chaired significant ACM conferences, including the Great Lake Symposium on VLSI, and has been involved in advisory capacities such as a Member of the Advisory Committee for Cybersecurity Research and Technology Commercialization in Virginia, and as a core group member of the hardware security body of knowledge development team supported by the Department of Defense.
Registration
Bookings are closed for this event.