Sergey's modest homepage

Sergey Bratus

My web page at https://www.cs.dartmouth.edu/~sergey/ now redirects here. Links may be broken for a while.

Classes

Current: I am teaching CS 60 Networking in Spring 2024. The course page is at https://cosc60.gitlab.io/.

Previous: [CS 69.16/169, Basics of Reverse Engineering] [CS 59, Programming Languages] [CS 258, Advanced OS] [CS 65, Smartphone Programing] [CS 60, Computer Networks]

I also teach a variety of low-level networking and systems security reading courses such as "netreads"; ask if interested.

Bio

I am the Dartmouth College Distinguished Professor in Cyber Security, Technology, and Society and an Associate Professor of Computer Science. In 2018-2024 I served as a Program Manager at DARPA's Information Innovation Office (I2O), where I created multiple fundamental research programs in cybersecurity, resilience, and sustainment of critical software. You can read about them here.

My primary focus is on studying exploitation of systems and networks, and any ways of inducing unexpected computation (a.k.a. weird machines, unexpected, unintended, or emergent programming models in software or hardware). In a word, I believe that state-of-the-art hacking is already a distinct discipline of computer science, even though not formally recognized as such; this is where my main interest is.

I am interested in all aspects of cyber security, including Unix and Linux kernel security, software verification and cyber hardening, malware detection and reverse engineering (especially at the kernel and boot-stage firmware levels), wireless networking, digital radio, and visualizations of security-related information. I am interested in identifying and eliminating the root causes of software vulnerabilities, and I believe that this requires connecting state-of-the-art hacking with fundamental concepts of computer science. I believe that edge-of-the-art hacking has developed into a distinct discipline of computer science, even though not formally recognized as such, and that studying it is indispensable for building future computing systems we could finally trust.

Before coming to Dartmouth, I worked on Natural Language Processing systems at BBN Technologies (see [1, 2]).

Projects & interests

Language-theoretic approach to security, invented by Len Sassaman and Meredith L. Patterson.
"Weird machines", unexpected and unusual (and mostly even Turing-complete) programming models via inputs ordinarily thought to be "metadata", "tables", or "descriptors". So far found in the ELF and DWARF formats, x86 MMU descriptors, and other unlikely places. Exploits are programs that run on weird machines made of bugs and features in their targets, and serve as proofs by construction of the weird machine's existence. Many weird machines are emergent, brought into being within the target by careful memory allocations ("heap feng-shui"), resource starvation, thread manipulation, etc.
DemystiPHY, hacking 802.15.4/ZigBee digital radio PHY using our APImote utility, with Travis Goodspeed and River Loop Security;
BabylonPHY, exploring digital radio polyglots and cross-PHY injection, with Travis Goodspeed & Debanjum S. Solanky ([WOOT'16])
BinderFilter, an Android Binder firewall & instrumentation framework, with David X. Wu.
USB Facedancer and FreeBSD firewall, with Travis Goodspeed & Peter C. Johnson.
Packet-in-packet attacks on digital radio protocols (follow the link to read about it in Travis Goodspeed's blog).
Battleaxe showed a new vector for introducing attack logic into modern GCC toolchain's exception handling mechanism based on DWARF. This is not a weakness of GCC, nor do we mean to criticize GCC, but rather a call to developers to more deeply understand the ELF and DWARF formats we all use daily.
Baffle -- active (behavioral) fingerprinting of 802.11 devices.
- A side-project tested the reliability of the timestamps clock skew in 802.11 beacon frames for AP fingerprinting ( [paper], [slides])
Kerf -- data organization and machine learning techniques for smarter log and packet capture browsing, analysis and sharing.
- An offshot of this work was the Backhoe log and packet trace visualization technique based on graphically representing the amounts of information and conditional information in log cross-sections.
- While working on Kerf, I developed several tools as side projects. A tool for visualizing and browsing Linux Snare and Solaris BSM system call traces is described here (and is freely available upon request).
LZfuzz -- a simple fuzzer for plain text proprietary protocols, such as those still found in SCADA systems.
Windsock -- networks monitoring sensors based on streaming estimation of information-theoretic measures.

In May 2009 I provided an expert witness report for the Franklin Pierce Law Center's legal team led by Prof. Ashlyn Lembree defending Mavis Roy in UMG Recordings et al. v. Roy civil action lawsuit. This led to a research paper with Prof. Lembree on the general issues and challenges of trust in computer-generated evidence, presented the TRUST 2010 conference in Berlin, Germany. [local copy], [slides], [discussion on Bruce Schneier's blog]. More information about the case can be found on [Ray Beckerman's blog] and [ArsTechnica].

Hacking

Being much indebted to the hacker community for many things I learned from its amazingly rich sources, I tried to describe some trends in the hacker learning experience (the so-called "hacker curriculum") that distinguish it from the typical experiences of traditionally trained developers and CS students. We use some (implicit) principles of this "hidden curriculum" and related experiences in our teaching of Computer Security at Dartmouth.

Offsite collection of relevant materials: www.hackercurriculum.org.

Publications:

What Hackers Learn that the Rest of Us Don't: Notes on Hacker Curriculum [DOI], [PDF]
I hope to use these observations a basis for larger work on the "hacker curriculum" and a bibliography of influential hacker work. You are welcome to send me comments on the [rough draft].
Hacker Curriculum: How Hackers Learn Networking
Hacker Curriculum: How We Can Use It in Teaching

Personal

I received my undergraduate education at the Moscow Institute of Physics and Technology (aka Moscow Phystech), and my Ph.D. at Northeastern University (1999). Before coming to Dartmouth I worked at BBN Technologies on statistical learning methods in Natural Language Processing (NLP) for information extraction from natural English text, "text understanding", and similar topics.

My old homepage is at http://www.ccs.neu.edu/home/sbratus/.

My GPG public key.

Please support the Free Software Foundation, the people who brought us the GPL and are fighting to protect our freedom to write and change software.

Don't care to have your research squashed by an unscrupulous vendor's bogus copyright claims or have all of your Internet traffic mined and monitored for undisclosed purposes? Please support the Electronic Frontier Foundation.

	Please support the Free Software Foundation, the people who brought us the GPL and are fighting to protect our freedom to write and change software.
	Don't care to have your research squashed by an unscrupulous vendor's bogus copyright claims or have all of your Internet traffic mined and monitored for undisclosed purposes? Please support the Electronic Frontier Foundation.