Graduate Q&A with Carter Yagemann: Self-Taught Cybersecurity Expert

Carter Yagemann began his career as a cybersecurity expert by building operating systems with the spare parts he found in his parents’ basement after school. Attacking and defending his own computers in high school helped lay the groundwork for the research he would undertake while studying at Georgia Tech. 

Yagemann is walking the graduation stage today and receive his Ph.D. from the School of Cybersecurity and Privacy where he was advised by Professor Wenke Lee. After graduation, Yagemann is joining faculty at The Ohio State University where he has accepted the position of assistant professor.  

Why did you choose systems and software security as your area of study?

During my undergraduate studies at Syracuse University, JPMorgan Chase & Co. took an interest in my self-taught cybersecurity skills and hired me as an intern to conduct cyber-threat intelligence. In short, my job was to understand the latest cyber-attacks that could be used against the company and devise plans for remediation.
 
It was during my internship that I decided to make cybersecurity my career, but I still wasn't sure if industry was the best place for me. I joined a lab at Syracuse and found that academic research gave me even more freedom to pursue interesting topics.

What is a research project you are proud of? 

One of my recent projects takes a closer look at the process and challenges of reporting bugs to developers for patching. I discovered that the artifacts sent to developers in bug reports are inadequate, requiring extensive additional work by the developer to make sense of what's wrong with the program and how to fix it. As a result, it's now typical for popular projects to have over a thousand unopened bug reports sitting in a queue with no means for the developers to catch up.
 
To address this, I've created a system for automatically determining the root cause of bugs encountered in computer programs so developers receive the information they need to understand and fix the problem. My system works using a combination of processor tracing, which records the sequence of instructions executed by the computer, and symbolic analysis.

This combination of capabilities can automatically uncover the memory corruptions caused by severe bugs and then look back over the trace to determine their origins. It can then derive a preliminary patch that developers can test and refine into an official solution.
 
What was the impact of these findings?

I have used my system over the past year to analyze popular open-source projects, leading to the discovery of over 20 new severe software vulnerabilities. Thanks to the reports produced by my system, the developers have been able to fix these issues, creating a more secure software ecosystem.