It’s 2007. Five miles from the Acropolis, in the city that has launched a thousand postcards of a tiny moon rising over the Parthenon, something else is being hoisted into the Athenian sky. Vasileios Kemerlis, who joins Brown CS as Assistant Professor this autumn, is attaching an antenna to the roof of a building. The boy who grew up hacking FM radios has finally convinced his university to allow a peer-to-peer wireless network that students will build themselves.
Looking back, he remembers feeling elated: “I love learning new things, the satisfaction at building them yourself. I could do whatever I wanted.”
Freedom! Yet despite his passion for “breaking systems” to look underneath the hood (the word “curious” reoccurs when talking with Vasileios), the anarchic hacker stereotype doesn’t fit. Instead of endlessly seeking the next exploit, what motivates him today is instantiated nicely in his early rooftop experiments: prototyping, testing a hypothesis, opening lines of communication, making connections. The goal is better security for all users. “We have to break the assumptions made by the bad guys,” Kemerlis explains.
When his family bought their first computer in the early 1990’s, the Internet had come to Athens, but it was far from omnipresent or entirely reliable.
“I taught myself programming at first,” he says. “It was hard to find places to learn, so I worked with translations of English-language books. In those days, you actually had to go to the store, place an order, then go back to pick it up! I didn’t have classmates doing what I did, but there was a hacking scene, an underground community. IRC was popular, and we had channels where we would come up with exploits. We were inspired by the big hacker groups, L0pht and Cult of the Dead Cow and so on. There were a lot of weak spots in systems at the time, so they weren’t hard to break or get around. We also played games, but I was more interested in finding ways to get to another level without playing or hacking a particular defense. Later, when I had a more concrete view of security, I fully understood what I’d been doing before, and why.”
His early work at the Athens University of Economics and Business was in wireless networking, not security as such. “Being able to communicate is very attractive,” Kemerlis says. “This was new, it was always on, not like a modem. To be on the Internet, or just to talk to people with no time limit, was amazing, exciting! I could test routing tricks immediately, not have to send in requests to the university.”
Finding academia a good proving ground for his evolving ideas about security, a stay at Columbia University for an MS, MPhil, and PhD in computer science was next: “I knew I wanted to go on. I liked the process of research: prototyping, making an argument, justifying an argument, sharing results.”
Vasileios is looking forward to similar collaboration at Brown CS. “I have a very good connection with the people here,” he explains. “I visited twice, and had friends here and knew some of the students. I was very impressed with the technical discussions we had and how motivated they were, with well-positioned projects. I had great chemistry with the department from the beginning.”
Of course, things have changed considerably since his early days of hacking. “Security, as a field, is not static,” Kemerlis says. “In the 90’s, hacking was mostly about curiosity and fame. Now, people don’t deface pages -- they would rather use someone’s server to make money. Malware enables millions of zombie computers that can be rented to steal credit card numbers or knock someone’s server off the Web for an hour, a day, or whatever, as long as they’re paid.”
Is the average computer user at greater risk today? “There are many more breaches, but that doesn’t mean that security experts aren’t getting better. It’s natural progress. But we’re not in a state of winning the war, certainly. Because of the way software is developed, people can naturally come up with exploits if they invest the time. That means that a software monoculture can be easily weaponized, as a single hack can affect millions.”
That notion of software monoculture leads to his current research, which Vasileios puts under the umbrella of software hardening: building secure systems by using techniques that make them more difficult to exploit.
“How do we get out of that monoculture state?” he asks. “The most effective way is to have tools that create diversified versions of code automatically. Think of a math problem: you can either add a positive number or subtract a negative and get the same result. We need to give developers modified compilers or other tools that are retrofitted for code diversification, but do it transparently, so we change the results but not how software if created. We end up with a diversified instance of the software stack on every phone or laptop. I’m also very interested in the OS and the kernel level because it’s so important to the security of a system as a whole. Protection begins there: if the OS goes down, the browser will, too.”
His interest in “offensive research” is perhaps a flashback to his early days of collaborating on exploit development via IRC: “We need to make new attacks proactively, break systems in order to be one step ahead and create robust countermeasures. Are we safe, or is it a false sense of security?”
But time has brought Kemerlis a wider perspective, the “concrete view” of the full security ecosystem that he spoke of earlier. “I don’t care about specific bug instances but design flaws. Systems have gotten more complex, and when separate pieces come together, the security flaws of one part can compromise the entire environment.”
And maybe one curious person, lifting an antenna to be connected with many others, can craft measures to help protect it. Welcome, Vasileios! We’re looking forward to breaking things with you.