11

Enhancing Security of Real-World Enhancing Security of Real-World Systems with a Better Understanding Systems with a Better Understanding of Threatsof Threats

Shuo ChenShuo ChenPh.D. Candidate in Computer SciencePh.D. Candidate in Computer ScienceCenter for Reliable and High Performance Center for Reliable and High Performance ComputingComputingUniversity of Illinois at Urbana-ChampaignUniversity of Illinois at Urbana-Champaign

22

Security Threat Analysis and Mitigations in Real-Security Threat Analysis and Mitigations in Real-World SystemsWorld Systems– How errors in hardware and software impose security How errors in hardware and software impose security

threats to real-world systems? (common threats to real-world systems? (common characteristics?)characteristics?)

– How effective are current defense techniques? How effective are current defense techniques? (substantial deficiencies?)(substantial deficiencies?)

– How to build better defenses?How to build better defenses? Analysis-centric research approachAnalysis-centric research approach

– Study hardware memory errors Study hardware memory errors impact on system impact on system securitysecurity

– Software vulnerabilities reported in Bugtraq and CERT Software vulnerabilities reported in Bugtraq and CERT databases, source code of vulnerable applicationsdatabases, source code of vulnerable applications

– Current attack methods and defense techniquesCurrent attack methods and defense techniques– Analysis results motivate the development of new Analysis results motivate the development of new

defense techniques.defense techniques. Many areas related to my dissertationMany areas related to my dissertation

My DissertationMy Dissertation

33

I as a System Hacker/BuilderI as a System Hacker/Builder

Summer’01, Avaya Labs, Basking Ridge, NJSummer’01, Avaya Labs, Basking Ridge, NJ– PortPort Libsafe Libsafe to Windows NT/2000. to Windows NT/2000.

Summer’02, Bell Labs, Holmdel, NJSummer’02, Bell Labs, Holmdel, NJ– Detection of network denial of service attacksDetection of network denial of service attacks– Hack FreeBSD TCP/IP, network card drivers Hack FreeBSD TCP/IP, network card drivers

Summer’03, Microsoft Research, Redmond, WASummer’03, Microsoft Research, Redmond, WA– Audit-enhanced authentication in KerberosAudit-enhanced authentication in Kerberos– NTOS security subsystem, Kerberos, LSA, NTDLLNTOS security subsystem, Kerberos, LSA, NTDLL

Summer’04, Microsoft Research, Redmond, WASummer’04, Microsoft Research, Redmond, WA– A tracing technique to identify the dependencies of A tracing technique to identify the dependencies of

Windows applications on Administrator privilegesWindows applications on Administrator privileges– NTOS security subsystem, access/privilege checking, NTOS security subsystem, access/privilege checking,

application interactions with NTOS application interactions with NTOS

44

OutlinesOutlines

Analyzing and Identifying Security Analyzing and Identifying Security Threats on Real-World SystemsThreats on Real-World Systems– Security compromises due to HW/SW Security compromises due to HW/SW

memory corruptionsmemory corruptions– A type of memory corruption attacks A type of memory corruption attacks

currently believed to be rare is a currently believed to be rare is a realisticrealistic threat. threat.

– Deficiencies of current defense techniquesDeficiencies of current defense techniques

New Defense Techniques Towards a New Defense Techniques Towards a Better Security ProtectionBetter Security Protection– A common characteristic of memory A common characteristic of memory

corruption attacks: corruption attacks: pointer taintednesspointer taintedness– A theorem proving based program analysisA theorem proving based program analysis– A runtime detection techniqueA runtime detection technique

Analyses

Solutions

55

Analyzing and Identifying Analyzing and Identifying Security Threats on Real-World Security Threats on Real-World SystemsSystems

66

Threat of Hardware Memory Threat of Hardware Memory ErrorsErrors

Attacker Target hostFirewall (IPChains and Netfilter)

Due to hardware memory errors, packets can penetrate firewalls

Attacker Network server (FTP and SSH)

Due to hardware memory errors, users can log in with arbitrary passwords

Emulate random hardware memory errorsEmulate random hardware memory errors A stochastic model to estimate such threats in real environmentsA stochastic model to estimate such threats in real environments Motivate other researchers to conduct physical fault injectionsMotivate other researchers to conduct physical fault injections

– Java type system subverted due to random hardware memory errors.Java type system subverted due to random hardware memory errors.

77

Threat of Software VulnerabilitiesThreat of Software Vulnerabilities

CERT Advisories: CERT Advisories: 66% vulnerabilities are low 66% vulnerabilities are low level memory errors in software.level memory errors in software.

Widely exploited by attackers, worms and viruses.Widely exploited by attackers, worms and viruses.

Format String 7%

Globbing2%

Heap Corruption

8%

Integer Overflow

6%

Buffer Overflow

44%

Other33%

88

Execute malicious code

Overwrite a return address

Embed malicious contents in input

State Machine Model: WU-FTP Server AttackState Machine Model: WU-FTP Server Attack

get an FTP command

Authentication;x = user ID

repeat

FTP_service()

seteuid(x)

SITE_EXEC(fn)

printf(fn,…)

seteuid(0) exec(“/bin/sh”)

99

Overwrite function pointer foo

Corrupt heap structure

Execute malicious code

State Machine Model: NULL-HTTP Server State Machine Model: NULL-HTTP Server AttackAttack

process HTTP headerp=malloc(…)

repeat

HTTP_service()

HTTP_POST()

recv(p,…)

seteuid(0) exec(“/bin/sh”)

free(p)

*foo()

1010

Control Data Attack: Well-Known, Control Data Attack: Well-Known, DominantDominant

Control data:Control data:– data used as targets of call, return and jump.data used as targets of call, return and jump.– widely understood as security critical widely understood as security critical

elementselements

Control data attack: the most dominant Control data attack: the most dominant form of memory corruption attacks form of memory corruption attacks [CERT and Microsoft Security Bulletin][CERT and Microsoft Security Bulletin]

Many current defense techniques: to Many current defense techniques: to enforce program control flow integrity to enforce program control flow integrity to provide security. provide security.

1111

Non-control-data attacksNon-control-data attacks

Currently very rare in reality.Currently very rare in reality.

One instance suggested by Young One instance suggested by Young and McHugh in 1987.and McHugh in 1987.

How applicable are such attacks How applicable are such attacks against many real-world against many real-world software? software? – Not studied yet, but important.Not studied yet, but important.

1212

An Important QuestionAn Important Question

Are attackers in general incapable to mount Are attackers in general incapable to mount non-control-data attacks against many real non-control-data attacks against many real systems?systems?

– PROBABLY NOT!PROBABLY NOT!

– Random hardware memory errors can subvert the Random hardware memory errors can subvert the security of real-world systems with a non-negligible security of real-world systems with a non-negligible probability.probability.

– Software vulnerabilities are more deterministic and Software vulnerabilities are more deterministic and more amenable to attacks.more amenable to attacks.

– Each attack exploiting software vulnerabilities is Each attack exploiting software vulnerabilities is composed by multiple primitive components. Allow composed by multiple primitive components. Allow potentially polymorphic attacks. Dangerous.potentially polymorphic attacks. Dangerous.

1313

Our Claim: General Applicability Our Claim: General Applicability of Non-control-data Attacksof Non-control-data Attacks

We claim:We claim:– Many real-world software applications are Many real-world software applications are

susceptible to non-control-data attacks. susceptible to non-control-data attacks. – The severity of the attack consequences is The severity of the attack consequences is

equivalent to that due to control data attacks. equivalent to that due to control data attacks.

Validate the claim by constructing non-Validate the claim by constructing non-control-data attacks to get the root control-data attacks to get the root privilege on major network serversprivilege on major network servers– FTP, HTTP, SSH and Telnet servers FTP, HTTP, SSH and Telnet servers – Over 1/3 of vulnerabilities in CERT advisoriesOver 1/3 of vulnerabilities in CERT advisories

Non-control-data attacks are realistic Non-control-data attacks are realistic threats.threats.

1414

Non-control-data attack against Non-control-data attack against WU-WU-FTPFTP Server (via a format string bug) Server (via a format string bug)

int x;FTP_service(...) { authenticate(); x = user ID of the authenticated user; seteuid(x); while (1) { get_FTP_command(...); //vulnerable if (a data command?) getdatasock(...); }}getdatasock( ... ) { seteuid(0); setsockopt( ... ); seteuid(x);}

x=109, run as EUID 0

x uninitialized, run as EUID 0

x=109, run as EUID 109. Lose the root privilege!

Get a special SITE EXEC command. Exploit a format string vulnerability.x= 0, still run as EUID 109.

x=0, run as EUID 0

x=0, run as EUID 0

When return to service loop, still runs as EUID 0 (root). Allow me to upload /etc/passwdI can grant myself the root privilege!

Only corrupt an integer, not a control data attack.

Get a data command (e.g., PUT)

1515

Non-control-hijacking attack against Non-control-hijacking attack against NULL-HTTPNULL-HTTP Server (via a heap overflow Server (via a heap overflow bug)bug)

Attack the configuration string of CGI-BIN Attack the configuration string of CGI-BIN path.path.

Mechanism of CGIMechanism of CGI– suppose server name = www.foo.comsuppose server name = www.foo.com

CGI-BIN = /usr/local/httpd/exe CGI-BIN = /usr/local/httpd/exe – Requested URL = http://www.foo.com/cgi-bin/barRequested URL = http://www.foo.com/cgi-bin/bar– The server executesThe server executes

Our attackOur attack– Exploit the vulnerability to overwrite CGI-BIN to /binExploit the vulnerability to overwrite CGI-BIN to /bin– Request URL http://www.foo.com/cgi-bin/shRequest URL http://www.foo.com/cgi-bin/sh– The server executes The server executes

The server gives me a root shell!Only overwrite four characters in the CGI-BIN string.Not a control data attack.

//usr/local/httpd/exeusr/local/httpd/exe//barbar

/bin/bin/sh/sh

1616

Non-control-data attack againstNon-control-data attack against SSH SSH CommunicationsCommunications SSH Server (via an integer SSH Server (via an integer overflow bug)overflow bug)

void do_authentication(char *user, ...) { int auth = 0; ... while (!auth) { /* Get a packet from the client */ type = packet_read(); switch (type) { ... case SSH_CMSG_AUTH_PASSWORD: if (auth_password(user, password)) auth =1; case ... } if (auth) break; } /* Perform session preparation. */ do_authenticated(…);}

auth = 0

auth = 0

auth = 1

Password incorrect, but auth = 1

auth = 1

Logged in without correct password

1717

More non-control-hijacking More non-control-hijacking attacksattacks

Against Against NetKitNetKit Telnet server (default Telnet Telnet server (default Telnet server of server of Redhat LinuxRedhat Linux))– Exploit a heap overflow bugExploit a heap overflow bug– Overwrite two strings:Overwrite two strings:

/bin//bin/loginlogin –h –h foo.comfoo.com -p (normal scenario) -p (normal scenario) /bin//bin/shsh –h –h –p–p -p (attack scenario) -p (attack scenario)

– The server runs /bin/sh when it tries to The server runs /bin/sh when it tries to authenticate the user.authenticate the user.

Against Against GazTekGazTek HTTP server HTTP server– Exploit a stack buffer overflow bugExploit a stack buffer overflow bug

Send a legitimate URL http://www.foo.com/cgi-bin/barSend a legitimate URL http://www.foo.com/cgi-bin/bar The server checks that “/..” is not embedded in the URLThe server checks that “/..” is not embedded in the URL Exploit the bug to change the URL to Exploit the bug to change the URL to

http://www.foo.com/cgi-bin/http://www.foo.com/cgi-bin/../../../../bin/sh../../../../bin/sh The server executes /bin/shThe server executes /bin/sh

1818

Implications of Non-Control-Data Implications of Non-Control-Data AttacksAttacks

Control flow integrity is not a Control flow integrity is not a sufficiently accurate approximation sufficiently accurate approximation to software security.to software security.

Many types of non-control data Many types of non-control data critical to securitycritical to security

Once attackers have the incentive, Once attackers have the incentive, they are likely to succeed in non-they are likely to succeed in non-control-data attacks. control-data attacks.

1919

Re-Examining Current Defense Re-Examining Current Defense TechniquesTechniques

Many of them are based on control Many of them are based on control flow integrityflow integrity– Monitor system call sequences Monitor system call sequences – Protect control dataProtect control data– Non-executable stack and heapNon-executable stack and heap

Pointer encryption Pointer encryption PointGuardPointGuard Address space randomizationAddress space randomization StackGuardStackGuard, , LibsafeLibsafe and and FormatGuardFormatGuard Building a generic and secure defense Building a generic and secure defense

technique: still an open problem. technique: still an open problem.

2020

Pointer TaintednessPointer Taintedness Detection: Detection: Towards a Better Security Towards a Better Security Protection for Real-World Protection for Real-World SystemsSystems

2121

Pointer TaintednessPointer Taintedness

Pointer Taintedness: a pointer : a pointer value, including a return address, is value, including a return address, is derived from user input. derived from user input.

Most memory corruption attacks are Most memory corruption attacks are due to pointer taintedness. due to pointer taintedness.

Pointer taintedness: a unifying Pointer taintedness: a unifying perspective for reasoning about perspective for reasoning about many security attacks.many security attacks.

2222

Most Memory Corruption Attacks are Most Memory Corruption Attacks are Due to Pointer TaintednessDue to Pointer Taintedness

Format string attack Format string attack – Taint an argument pointer of functions such Taint an argument pointer of functions such

as as printf, sprintf printf, sprintf andand syslog. syslog. Stack buffer overflow (stack smashing)Stack buffer overflow (stack smashing)

– Taint a frame pointer or a return address.Taint a frame pointer or a return address. Heap corruption Heap corruption

– Taint the free-chunk doubly-linked list Taint the free-chunk doubly-linked list maintaining the heap structure.maintaining the heap structure.

globbingglobbing attack attack – User input resides in a location that is used User input resides in a location that is used

as a pointer by the parent function of as a pointer by the parent function of glob().glob().

2323

Internals of Stack Buffer Overflow Internals of Stack Buffer Overflow Attacks Attacks

Vulnerable code: char buf[100]; strcpy(buf,user_input);

Return addrReturn addr

Frame pointerFrame pointer

buf[99]buf[99]

……

buf[1]buf[1]

buf[0]buf[0]

High

Low

Sta

ck g

row

th

buf

user_input

Frame pointer or return address can be tainted.

2424

ap: argument pointer

fmt: format string pointer

Internals of Format String Internals of Format String AttacksAttacks

In vfprintf(), if (fmt points to “%n”) then **ap = (character count)

Vulnerable code: recv(buf); printf(buf); /* should be printf(“%s”,buf) */

\xdd \xcc \xbb \xaa %d %d %d %n

……

%n%n

%d%d

%d%d

%d%d

0xaabbccdd0xaabbccdd

fmt: format string pointer

ap: argument pointer

High

Low

Sta

ck g

row

th

*ap is a tainted value.

2525

Internals of Heap Corruption Internals of Heap Corruption AttacksAttacks

Free chunk A

Free chunk Bfd=Abk=C

Allocated buffer buf

Free chunk C

user

inpu

t

Vulnerable code:buf = malloc(1000);recv(sock,buf,1024);free(buf);

In free():B->fd->bk=B->bk; B->bk->fd=B->fd;

When B->fd and B->bk are tainted, the effect of free() is to write a user specified value to a user specified address.

2626

Building Defense Techniques Building Defense Techniques based on Pointer Taintednessbased on Pointer Taintedness

Static code analysis: analyze the Static code analysis: analyze the source code to extract the source code to extract the conditions under which the conditions under which the possibility of pointer taintedness possibility of pointer taintedness exists.exists.– To uncover potential vulnerabilitiesTo uncover potential vulnerabilities

Runtime detection: monitor at Runtime detection: monitor at runtime whether a tainted value is runtime whether a tainted value is dereferenced as a pointer.dereferenced as a pointer.– To defeat memory corruption attacksTo defeat memory corruption attacks

2727

Static Analysis about Pointer Static Analysis about Pointer Taintedness: Taintedness: To Extract Security Specifications of Library To Extract Security Specifications of Library FunctionsFunctions

IFIP International Information Security Conference 2004

2828

Library function specifications Library function specifications are crucial to secure are crucial to secure programmingprogramming

Library function specifications are specified Library function specifications are specified empirically empirically – printf(fmt,…), strcpy(d,s), free(p), glob(p), printf(fmt,…), strcpy(d,s), free(p), glob(p),

strtok(s,del), savestr(p),strtok(s,del), savestr(p), …. ….

A unified reason why these specifications A unified reason why these specifications are requiredare required– Required to eliminate pointer taintedness.Required to eliminate pointer taintedness.

Extraction of security specifications of a Extraction of security specifications of a function is reduced to a theorem proving function is reduced to a theorem proving tasktask

Formal and complete specifications Formal and complete specifications required by compiler techniques to check required by compiler techniques to check application source code for security.application source code for security.

2929

Semantics of Pointer Semantics of Pointer TaintednessTaintedness Formal definition of program semantics is Formal definition of program semantics is

required for theorem proving.required for theorem proving.– Currently defined using an equational logic Currently defined using an equational logic

frameworkframework

Taintedness-aware memory modelTaintedness-aware memory model– The logic framework defines operations to fetch the The logic framework defines operations to fetch the

content and test the taintedness (true/false) of each content and test the taintedness (true/false) of each memory location.memory location.

Incorporate pointer taintedness into program Incorporate pointer taintedness into program semanticssemantics– Define program semantics at the assembly level to Define program semantics at the assembly level to

reason about memory layout.reason about memory layout.– Load/Store/ALU instructions: propagate taintedness Load/Store/ALU instructions: propagate taintedness

from source data to destination data.from source data to destination data.– Input functions (scanf, recv and recvfrom)Input functions (scanf, recv and recvfrom)

Axiom: The memory locations in the receiving buffer are Axiom: The memory locations in the receiving buffer are tainted immediately after these function calls.tainted immediately after these function calls.

3030

Extracting Function Extracting Function Specifications by Theorem Specifications by Theorem ProverProver

C source code of a library function

formal semantic representation

Automatically translated to formal semantic representation

Theorem generation

Theorem proving

A set of sufficient conditions that imply the validity of the theorems. They are the security specifications of the analyzed function.

For each pointer dereference in an assignment, generate a theorem stating that the pointer is not tainted

3131

Example: Example: vfprintf()vfprintf()

int vfprintf (FILE *s, const char *format, va_list ap){ char * p, *q; int done,data,n,state; char buf[10]; p=format; done=0; if (p==NULL) return 0; state=NO_PENDING; while (*p != 0) { if (state==NO_PENDING) {

if (*p=='%') state=PENDING; else outchar(s,*p); }

else { switch (*p) { case '%': outchar(s,'%')

break;case 'd': data=va_arg (ap, int);

if (data<0) { outchar(s,'-'); data=-data; }

n=0; while (data>0 && n<10) {

buf[n]=data%10+'0'; data/=10;

n++; } while (n>0) { n--; outchar(s,buf[n]); } break;case 's': q=va_arg (ap, char *); if (q==NULL) break; while (*q!=0) {

outchar(s,*q)q++; }

break;case 'n': q= va_arg(ap,void*) ;

*(int*) q = done;break;

default: outchar(s,*p)}state=NO_PENDING;

} p++; } return done; }

Theorem1: buf+n should not be a tainted value

Theorem2: q should not be a tainted value

3232

Extracting the Specifications of Extracting the Specifications of vfprintf()vfprintf()

Try to prove the two theoremsTry to prove the two theorems The theorem prover cannot complete the proof The theorem prover cannot complete the proof

initially initially – only valid under certain preconditions.only valid under certain preconditions.

Add these preconditions as axioms to the theorem Add these preconditions as axioms to the theorem prover.prover.

Repeat until both theorems are proved.Repeat until both theorems are proved.

Four preconditions are added: the specifications of Four preconditions are added: the specifications of vfprintf (FILE *s, const char *format, va_list ap)– apap never points to any location within the current function never points to any location within the current function

frame.frame.– *ap*ap never points to the location of variable ap, i.e., never points to the location of variable ap, i.e., *ap *ap

&ap&ap– Suppose the memory segment that Suppose the memory segment that apap sweeps over is sweeps over is

called called ap_activitiy_rangeap_activitiy_range, then , then *ap*ap never points to any never points to any location within location within ap_activitiy_rangeap_activitiy_range..

– No locations within No locations within ap_activitiy_rangeap_activitiy_range are tainted before are tainted before vfprintf()vfprintf() is called. is called.

Suggest the scenario of format string vulnerability

itera

te

3333

Other Studied ExamplesOther Studied Examples Function Function strcpy()strcpy()

– Four security specifications indicating buffer overflow, Four security specifications indicating buffer overflow, buffer overlapping and buffer underflow scenarios buffer overlapping and buffer underflow scenarios causing pointer taintedness.causing pointer taintedness.

Function Function free()free() of a heap management system of a heap management system– Seven security specifications are extracted, including Seven security specifications are extracted, including

several specifications indicating several specifications indicating heap corruption vulnerabilities.vulnerabilities.

Socket read functions of Apache HTTP Server and Socket read functions of Apache HTTP Server and NULL HTTP ServerNULL HTTP Server– Apache function is proven to be free of pointer Apache function is proven to be free of pointer

taintedness.taintedness.– Two (known) vulnerabilities are exposed in the theorem Two (known) vulnerabilities are exposed in the theorem

proving process of NULL HTTP Server function. proving process of NULL HTTP Server function.

3434

Runtime Pointer Taintedness Runtime Pointer Taintedness Detection: Detection: To Defeat Memory Corruption AttacksTo Defeat Memory Corruption Attacks

To appear in IEEE Conference on Dependable Systems and Networks, 2005.

3535

The TechniqueThe Technique

A processor architectural level A processor architectural level mechanism to detect pointer mechanism to detect pointer taintednesstaintedness– On SimpleScalar simulatorOn SimpleScalar simulator

Implemented a taintedness-aware memory Implemented a taintedness-aware memory system system

Extened instructions to track taintednessExtened instructions to track taintedness

– To show the validity of pointer To show the validity of pointer taintedness concept on whole programs taintedness concept on whole programs of real applicationsof real applications Network serversNetwork servers SPEC 2000 integer benchmarksSPEC 2000 integer benchmarks

3636

Evaluations on Real-World Evaluations on Real-World SoftwareSoftware Evaluation Evaluation

– Effectiveness of detectionEffectiveness of detection– No false alarm in any application evaluatedNo false alarm in any application evaluated– Transparent to applicationsTransparent to applications– A small number of potential attack scenarios A small number of potential attack scenarios

undetected. undetected.

Pointer taintedness detection can be Pointer taintedness detection can be applied to the whole program of real applied to the whole program of real software software – offers a substantial improvement on security offers a substantial improvement on security

protection. protection.

3737

ConclusionsConclusions

3838

ConclusionsConclusions

Many real-world software can be compromised Many real-world software can be compromised by corrupting non-control data. by corrupting non-control data. – It is insufficient to rely on control flow integrity for It is insufficient to rely on control flow integrity for

software security.software security.

Pointer taintedness is a unifying perspective to Pointer taintedness is a unifying perspective to reason about most memory corruption reason about most memory corruption vulnerabilities/attacks. vulnerabilities/attacks.

Reasoning about pointer taintedness is a Reasoning about pointer taintedness is a promising direction to enhance security on real-promising direction to enhance security on real-world systemsworld systems

– A theorem proving based code analysis approachA theorem proving based code analysis approach

– A runtime pointer taintedness detection mechanismA runtime pointer taintedness detection mechanism

3939

Future DirectionsFuture Directions

Short term goalsShort term goals– Provide a higher degree of automation for the Provide a higher degree of automation for the

theorem proving technique.theorem proving technique.– Reduce the intrusiveness of the runtime pointer Reduce the intrusiveness of the runtime pointer

taintedness detection techniquetaintedness detection technique Combine with the theorem proving technique. The Combine with the theorem proving technique. The

processor only checks function preconditions.processor only checks function preconditions.

Long term goalsLong term goals– Extract programming styles susceptible to security Extract programming styles susceptible to security

attacks. Can compilers detect bad programming attacks. Can compilers detect bad programming styles?styles?

– Identify a broader range of non-traditional security Identify a broader range of non-traditional security threats. threats.

– Study historical data about how security Study historical data about how security vulnerabilities were discovered, reported and vulnerabilities were discovered, reported and patched.patched.

– Decompose the behaviors of viruses, worms and Decompose the behaviors of viruses, worms and rootkits to a number of basic building blocks.rootkits to a number of basic building blocks.

4040

Summary of My Research Summary of My Research MethodologyMethodology Analysis-centric approachAnalysis-centric approach

– A significant amount of effort in my A significant amount of effort in my dissertation is on analysis. dissertation is on analysis.

– Starting from the reality (usually a mess) to Starting from the reality (usually a mess) to define problems!define problems!

I am a data analysis personI am a data analysis person– Excited to analyze real data and incidentsExcited to analyze real data and incidents– Tedious? Sometimes, but it is a step toward a Tedious? Sometimes, but it is a step toward a

lot of fun.lot of fun.– Rewarding? Definitely. Especially important Rewarding? Definitely. Especially important

for systems research.for systems research.– Goal: strongly motivate research topics that Goal: strongly motivate research topics that

solve problems in the reality. solve problems in the reality.