Team IDs Real-world Vulnerabilities In Popular Browser During Premier Hackathon
A team of College of Computing students came in second at Pwn2Own, one of the world’s top hacking competitions.
School of Computer Science (SCS) Associate Professor Taesoo Kim’s Systems Software & Security Lab (SSlab) Ph.D. students Insu Yun, Yong Hwi Jin, and Jung Won Lim competed in the annual event. Their objective was to exploit popular software with unknown vulnerabilities.
“As hackers studying offensive security, we always dreamed of participating in Pwn2Own,” Yun said.
The SCS team exploited Apple’s Safari internet browser. Although the browser category is known to be more difficult, the team was attracted to how technically interesting the challenge was, according to Yun.
The team was also set up for success because the operating system underlying Safari is *nix, a category the team members were familiar with. Adding to their advantage, they had also written an exploit for Safari just last July, so they were able to apply that knowledge here as well.
Multiple vulnerabilities are required to attack a modern browser. The team found six new vulnerabilities to compromise Safari, all of which were later confirmed by Apple. To exploit as many vulnerabilities as possible, they used several approaches, including fuzzing, source code review, and reverse engineering.
Ultimately, the competition allowed the team to sharpen skills they can bring back to their SCS research, such as designing automatic tools to find bugs and identifying vulnerabilities in complex, real-world programs.
“SSlab gave us the opportunity to make such a wonderful team because our lab is one of the best information security labs in the world with many talented students.”