About

I graduated from the Computer Science PhD program at Carnegie Mellon University, advised by Phil Gibbons, in June 2021. My main interests are security, systems, and compilers.

As an intern, I implemented support for control flow integrity in the WebAssembly compiler toolchain, and closed-case debugging over USB type-C for the Chromebook Pixel 2, both while at Google. I also helped develop a GDB-compatible debugging stub for Android, and a pilot secure Linux-based voting machine platform using Buildroot for a pilot secure design competition, at Sandia National Laboratories.

During my undergraduate at Arizona State University, I worked on a security analysis of processor microcode with Gail-Joon Ahn, and developed a submersible for exploring subglacial lakes in Antarctica with the late Alberto Behar. I also spent a summer at Imperial College London, where I developed a teaching module on verifying security properties of various network protocols with Michael Huth, and contributed to the development of KLEE with Cristian Cadar.

Recent Projects

HerQules: Securing Programs via Hardware-Enforced Message Queues Code Paper

A framework for enforcing integrity-based security policies, using a hardware-enforced AppendWrite inter-process communication primitive between a monitored program and an external verifier. We implement our IPC primitive in a PCIe-based FPGA, and in the microarchitecture via modeling and simulation. For performance, both programs execute concurrently, and synchronize only at system calls to prevent potentially-compromised programs from affecting externally-visible side effects. As a case study, we enforce a strong pointer-integrity-based control-flow integrity policy, and evaluate the correctness, effectiveness, and performance of our HQ-CFI design against past work on a variety of benchmarks.

TardisTM: Incremental Repair for Transactional Memory Code Code Paper

A software-based transactional memory system that supports incremental repair of concurrency conflicts, instead of aborting and rolling back a transaction. To do so, we design a finer-grained dependency tracking mechanism in the transactional runtime, define the semantics for optional repair handlers, and extend the conflict detection algorithm to verify that all repairs are complete. We evaluate our system on a set of benchmark programs, against a baseline system that does not support repair.

FIRMADYNE: Dynamic Linux-based Firmware Analysis Code Paper

An automated and scalable system for emulation and dynamic analysis of Linux-based embedded firmware, using the QEMU emulator, modified Linux kernels (v2.6.32, v4.1), and a custom userspace NVRAM emulator. In conjunction with 14 previously-unknown vulnerabilities that I discovered, and 60 known vulnerabilities selected from the Metasploit Framework, we showed that over a dataset of 9,486 extracted firmware images across 42 different device vendors, approximately 43% (846/1,971) of network-reachable firmware are vulnerable to at least one exploit. This was featured on Heise Security and PCWorld.

Past Projects

Processor Microcode Code Paper

An analysis of the security of x86 processor microcode, which is used to implement certain processor instructions and correct processor errata. Although all microcode updates on modern microarchitectures appear to be encrypted, this is not necessarily the case for older microarchitectures, such as AMD’s K8 through 12h. In fact, the integrity of updates for these microarchitectures is only protected by a basic checksum, and can be easily modified, resulting in undetermined behavior ranging from an immediate reboot to a system hang. Additionally, malformed microcode updates can be incorrectly cached and trigger invalid paging requests by the microcode update loader in Linux kernel 3.8.13. Accompanying this work, I have released microparse, a small Python tool that can parse and display binary microcode updates, as well as a comprehensive listing of publicly-available microcode updates for AMD and Intel processors.

MSLED: Micro Subglacial Lake Exploration Device Code Paper Website

A remotely-controlled submersible that was deployed to subglacial Lake Whillans as part of the Whillans Ice Stream Subglacial Access Research Drilling (WISSARD) project. It contributed to the discovery of biological life within this lake by recording the first imagery of the lakefloor, and was featured on The New York Times, National Geographic, and Nature News.

Publications

Contact

Computer Science Department
9007 Gates-Hillman Center
5000 Forbes Avenue
Pittsburgh, PA 15213
ddchen@alumni.cmu.edu
GitHub
PGP Key

Icons by Font Awesome, CC BY 4.0

Revision: June 2021