About

I am currently a fourth year PhD student in Computer Science at Carnegie Mellon University, advised by Phil Gibbons and Todd Mowry. My main research focus is on building efficient and reliable computer systems for heterogeneous architectures. I am also interested in security, program analysis, and formal verification.

During my undergraduate studies at Arizona State University, I worked on a security analysis of processor microcode with Gail-Joon Ahn, and developed a submersible for exploring subglacial lakes in Antarctica with the late Alberto Behar. I also spent a summer at Imperial College London, where I developed a teaching module on verifying security properties of various network protocols with Michael Huth, and contributed to the development of KLEE with Cristian Cadar.

As an intern at Google, I implemented support for control-flow integrity in the WebAssembly compiler toolchain, and closed-case debugging over USB Type-C for the Chromebook Pixel 2. At Sandia National Laboratories, I helped develop a GDB-compatible debugging stub for Android, and a pilot secure voting machine platform, built on Linux with Buildroot, for a secure design competition.

Projects

FIRMADYNE: Dynamic Linux-based Firmware Analysis

Recently, I led the development of an automated and scalable system for emulation and dynamic analysis of Linux-based embedded firmware, using the QEMU emulator, modified Linux kernels (v2.6.32, v4.1), and a custom userspace NVRAM emulator. Using 14 previously-unknown vulnerabilities that I discovered, together with 60 known vulnerabilities selected from the Metasploit Framework, we showed that over a dataset of 9,486 extracted firmware images across 42 different device vendors, approximately 43% (846/1,971) of network-reachable firmware images are vulnerable to at least one exploit. This work was featured on Heise Security and PCWorld. We have published a conference paper describing this project, and have released our system as open source.

Processor Microcode

For my undergraduate honors thesis, I analyzed the security of x86 processor microcode, which is used to correct processor errata and implement accelerated cryptographic or virtualization primitives. Although all microcode updates on modern microarchitectures appear to be encrypted, this is not necessarily the case for older microarchitectures, such as AMD’s K8 through 12h. In fact, the integrity of updates for these microarchitectures is only protected by a basic checksum, and can be easily modified, resulting in undetermined behavior ranging from an immediate reboot to a system hang. Additionally, during testing it was determined that malformed microcode updates can trigger potentially exploitable invalid paging requests by the microcode update loader in Linux kernel 3.8.13, which also has very peculiar caching behavior that may prevent correct operation under certain circumstances. Accompanying this work, I have released microparse, a small Python tool that can parse and display binary microcode updates, as well as a comprehensive listing of publicly-available microcode updates for AMD and Intel processors.
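The point that a checksum is not an integrity mechanism is easy to see on a concrete update format. The block below is an added example written for this page; it is not microparse, nor any vendor's or kernel's loader code. It uses the Intel microcode update header layout that Intel documents in the SDM (the unencrypted AMD K8-family updates discussed above use a different container layout), builds a constructed, non-functional update blob, applies the loader-style checks (header and loader version, sizes, and a dword sum of zero over the whole update), and then shows that a modified blob fails the check only until the attacker rewrites the checksum field. The payload, processor signature, date and revision values are constructed for illustration and are not real microcode.

```python
import struct

# Intel microcode update header (Intel SDM vol. 3, "Microcode Update" section):
# nine little-endian dwords followed by 12 reserved bytes, 48 bytes in total.
HEADER_FMT = "<9I12s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 48
CHECKSUM_OFFSET = 16                      # fifth dword of the header
HEADER_FIELDS = (
    "header_version", "update_revision", "date", "processor_signature",
    "checksum", "loader_revision", "processor_flags", "data_size",
    "total_size", "reserved",
)


def checksum32(blob):
    """Sum of all little-endian dwords in blob, mod 2^32 (trailing odd bytes ignored)."""
    n = len(blob) // 4
    return sum(struct.unpack_from(f"<{n}I", blob)) & 0xFFFFFFFF


def parse_header(blob):
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than a microcode header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, blob)))
    # Legacy encoding: a zero size field means the fixed pre-2001 sizes.
    if hdr["data_size"] == 0:
        hdr["data_size"] = 2000
    if hdr["total_size"] == 0:
        hdr["total_size"] = 2048
    return hdr


def verify(blob):
    """Loader-style sanity checks: versions, sizes, and a zero dword sum over total_size.
    The sum covers everything up to total_size, so an extended signature table, if
    present, is included just as the SDM requires."""
    hdr = parse_header(blob)
    if hdr["header_version"] != 1 or hdr["loader_revision"] != 1:
        return False
    if hdr["total_size"] % 1024 or hdr["total_size"] > len(blob):
        return False
    if HEADER_LEN + hdr["data_size"] > hdr["total_size"]:
        return False
    return checksum32(blob[:hdr["total_size"]]) == 0


def fix_checksum(blob):
    """Rewrite the checksum field so the dword sum over total_size becomes zero.
    This is all an attacker has to do after modifying an unsigned update."""
    buf = bytearray(blob)
    total = parse_header(blob)["total_size"]
    struct.pack_into("<I", buf, CHECKSUM_OFFSET, 0)
    s = checksum32(bytes(buf[:total]))
    struct.pack_into("<I", buf, CHECKSUM_OFFSET, (-s) & 0xFFFFFFFF)
    return bytes(buf)


def build_update(update_revision, date_bcd, processor_signature, processor_flags, payload):
    """Assemble header + payload, zero-padded so total_size is a multiple of 1024 (SDM rule)."""
    pad = (-(HEADER_LEN + len(payload))) % 1024
    payload = payload + b"\x00" * pad
    hdr = struct.pack(HEADER_FMT, 1, update_revision, date_bcd, processor_signature,
                      0, 1, processor_flags, len(payload), HEADER_LEN + len(payload),
                      b"\x00" * 12)
    return fix_checksum(hdr + payload)


def tamper(blob, offset, patch):
    """Overwrite bytes in place without touching the checksum field."""
    buf = bytearray(blob)
    buf[offset:offset + len(patch)] = patch
    return bytes(buf)


def demo():
    # Constructed, non-functional payload; no real microcode is used here.
    payload = b"CONSTRUCTED-PAYLOAD-NOT-REAL-MICROCODE"
    # Date is BCD mmddyyyy; revision, signature and flags are illustrative values only.
    good = build_update(0x0000001A, 0x10012017, 0x000306C3, 0x01, payload)
    corrupted = tamper(good, HEADER_LEN, b"X")  # one byte changed in the body
    forged = fix_checksum(corrupted)            # attacker repairs the checksum
    return verify(good), verify(corrupted), verify(forged)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The third result is the whole story: a checksum catches accidental corruption, but anyone who can write the file can also rewrite the checksum, which is why only a signature or authenticated encryption of the update can give the loader a reason to trust it.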

MSLED: The Micro Subglacial Lake Exploration Device

During my undergraduate studies, I helped design and develop the Micro Subglacial Lake Exploration Device, a remotely-controlled submersible that was deployed to subglacial Lake Whillans as part of the Whillans Ice Stream Subglacial Access Research Drilling (WISSARD) project. It contributed to the discovery of biological life within this lake by recording the first imagery of the lakefloor, and was featured in The New York Times, National Geographic, and Nature News. My contributions included redesigning the power electronics to use switching DC-DC regulators for increased power efficiency, designing the external lighting array, and developing an epoxy process for protecting the external electronics from the liquid and pressure of the environment. In addition, I implemented the control software on the embedded Atmel ATmega2560 microcontroller, integrated support for compressed video recording in the surface control software, selected a new fluid chemistry for the pressure compensation fluid, and published a journal paper describing this project.

Publications

Papers

Posters

Contact

Computer Science Department
9007 Gates-Hillman Center
5000 Forbes Avenue
Pittsburgh, PA 15213
ddchen@cs.cmu.edu
GitHub
PGP Key

Revision: October 2017