Merve GÜLMEZ

Merve GÜLMEZ

Researcher

crowdstrike

1 minute read

Published:

The CrowdStrike outage shows that improving software resilience and availability is as important as detecting and mitigating memory-safety vulnerabilities.

I am exploring these aspects in my PhD research.

As a solution, we propose “secure rewind and discard of isolated domains (SDRaD)” as an efficient and secure method of improving software resilience targeted by runtime attacks. Rewind & Discard: Improving Software Resilience using Isolated Domains. Even though my solution is for the user-space application, the same principle can be applied to kernel-space, too.

We also work on improving software resilience for Rust applications when they are subject to unsafe code. Friend or Foe Inside? Exploring In-Process Isolation to Maintain Memory Safety for Unsafe Rust

In a recent MSc thesis Sacha RUCHLEJMER, which I supervised, we explored improving the resiliency of CHERI in the Arm Morello prototype system with the principles developed for SDRaD. CHERI complements SDRaD well and allows many memory-safety problems to be detected before they corrupt memory, which makes recovering from CHERI-detected faults more efficient. Secure Rewind and Discard on Arm Morello

As a result, in the arms race between attacks and mitigations, we should also consider the effect on system availability and resiliency when memory-safety issues are detected!

You May Also Enjoy

security

less than 1 minute read

Published:

At the beginning of my PhD I at first became interested in the broader area of cybersecurity, but my current line of research really got me into the area of systems security. In particular improving the cyber-resilience and availability low-level systems software against memory corruption attacks. This has required me to develop skills, such as in-depth knowledge of the C and Rust runtimes, as well as assembly programming.

LLVM

1 minute read

Published:

I have been learning LLVM for a while; I added a function and variable attribute, new compiler options, wrote a hacky LLVM transformation pass, and deleted my hacky stuff in the backend! I kind of enjoyed it, kind of annoyed; in the end, I think it was good to learn!

Bluspec

less than 1 minute read

Published:

To install the BSC compiler, follow these steps (example for Ubuntu):

Example for Ubuntu

wget https://github.com/B-Lang-org/bsc/releases/download/2023.07/bsc-2023.07-ubuntu-22.04.tar.gz 
cd ~/cheri/bsc-2023.07-debian-12.1 
export PATH="$PATH:/home/cheri/bsc-2023.07-ubuntu-22.04/bin/

It’s likely that you will also need the Bluespec library. It took me a long time to understand what was missing. You need to install this library from the following repository:

https://github.com/B-Lang-org/bsc-contrib/tree/main

CHERI

less than 1 minute read

Published:

Adversarial Examples: A great starting point! These exercises will introduce you to the concept of capabilities and how they can be used to protect against various security threats.