By Sara Novak
Credit: University of Virginia School of Engineering and Applied Science
By Sara Novak
They’re called “zero-day attacks” and they’re what keeps cybersecurity experts like Ashish Venkat up at night.
These are the cyberattacks that disable large-scale computer programs, catching their victims off guard. In recent years, they’ve been happening more often and have become increasingly difficult to fix.
“The term zero-day attack means that a developer didn’t know about the flaw beforehand giving them zero days to fix it,” said Venkat, the William Wulf Career Enhancement Assistant Professor in the Department of Computer Science at the University of Virginia School of Engineering and Applied Science. “A new attack is discovered every 17 days and it takes an average of 15 days to patch these vulnerabilities.”
Vulnerabilities Are Costly to Patch
Companies large and small as well as individuals spend far too much time and money fixing these flaws. And, Venkat said, they end up introducing more vulnerabilities while they’re trying to patch old ones.
Venkat recently received a CAREER Award from the National Science Foundation with the goal of solving these urgent issues. It’s one of the NSF’s most prestigious awards in support of early-career faculty who have the potential to lead advances from within their field. Venkat joined the University of Virginia in 2018 shortly after obtaining his Ph.D. from the University of California San Diego.
His fix could both reduce attack response time and protect programs from other attacks while an issue is being mitigated. Venkat’s team will develop a “decoupled” security response, which means designing a holistic security-centric hardware software stack that allows technicians to go into a computer system to fix a vulnerability through a separate security entrance, on demand and in the field.
Innovation Could Lead to Faster Response Time
“As long as computer systems have flaws, cybercriminals will try to exploit them,” said Sandhya Dwarkadas, the Walter N. Munster Professor and chair of computer science at UVA. “Ashish’s proposed stack is an innovative use of integrated hardware and software components dedicated to security functions. His project addresses a critical need and I look forward to following his progress.”
Venkat’s system could help him stop emerging zero-day cyberattacks within 24 to 48 hours, 13 days faster than the average response time today. His solution also could reduce the significant time and dollar costs of frequent patching, redeployment and hardware upgrades.
When cybersecurity experts are trying to reach the site of a problem, they often leave doors open behind them on the way. Venkat’s decoupled approach will create a security tunnel running through the system so that in the midst of a cyberattack, technicians can rapidly locate the vulnerable component and enforce an appropriate security policy to fix it without opening new entry points for bad actors.
“The decoupled hardware software stack allows security policies to be defined in software, but enforced in hardware, enabling versatility, flexibility and efficiency at the same time,” Venkat said. “In fact, the project’s second objective is to design new computer hardware to enforce emerging cybersecurity measures against a range of attacks without compromising efficiency.”
The third objective is to enable the new hardware to continuously track the flow of information for precise enforcement of software-defined security policies.
Building a Cyber Workforce for the Future
The CAREER Award, which totals over half a million dollars, also has an educational component. As computer software gets more complicated and is made up of increasingly specialized components, it’s getting harder to train the next generation of cyberexperts — both technicians to work on the systems and researchers to assess impending threats.
The goal, Venkat said, is to improve cybersecurity curricula and awareness for high school, vocational and college students. As part of the project, his team will establish a mentorship program for undergraduate students, including groups traditionally underrepresented in engineering and computer science, to help build a cybersecurity workforce for the future.
Finally, Venkat isn’t limiting his approach to cybersecurity defense — he’s also using offensive tactics, known as ethical or “white hat” hacking. The practice uses a team of highly trained ethical hackers to examine a system before a hack occurs.
“You teach students how to ethically hack a system with the goal of better understanding potential vulnerabilities and to improve the security of modern systems,” Venkat said.
His research group earned significant press attention in 2021 for discovering a security vulnerability that impacted millions of computers with Intel and AMD processors. Subsequent efforts to discover vulnerabilities includes their work on hardware Trojan attacks, which has been nominated for a best paper award at DATE 2023, the Design, Automation and Test in Europe conference.
Real-World Implications for Real People
Venkat is also concerned about building protections against global threats such as the WannaCry ransomware attack in 2017. Exploiting a vulnerability in the Microsoft Windows operating system, WannaCry spread to more than 200,000 computers in 150 countries within days — harming large and small organizations, including hospitals. The malware, which can self-propagate across networks, encrypted the computers’ data and demanded cryptocurrency payments in exchange for returning control of the computers to their owners.
“These attacks can go after anyone, not just huge corporations,” Venkat said. “They can put mom-and-pop companies out of business, they can impact your grandmother. “When companies aren’t able to invest in cybersecurity, sometimes they just go out of business because their insurance premiums become so inflated.”
Venkat’s goal is to create a set of cybersecurity fixes that are economical for individuals and small businesses alike.
“There’s an urgent need for systems that are designed to be secure from inception and to tighten security around already deployed systems vulnerable to attack,” he said. “I’m passionate about this work because, in the end, it’s people who are harmed by zero-day and other cyberattacks.”