“I'm a researcher, I want to work on the next security challenge!”

“Do you know that Google Chrome and its ecosystem consist of around 100-million lines of code?” asks Mathias Payer, Head of EPFL’s HexHive Laboratory, part of the School of Computer and Communication Sciences, whose research focuses on improving software and systems security.

“If you print this source code you would end up with a stack of A4 paper that is 400 meters high. About 50 to 80 meters of this complex stack changes every year. Imagine, you're searching for a bug on one line of code on a single sheet of paper in this massive stack. That’s insane!”

Payer uses this example to demonstrate why security remains as important as ever. From the low-end attacks being carried out by hobbyists in their basements decades ago, he says attacks have become much more of an organized industry meaning there is a constant need to come up with technologies to protect our systems from large scale and targeted attacks by increasingly sophisticated adversaries.

At the beginning of Payer’s career his work focused on mitigations, extra integrity checks to detect the active exploitation of vulnerabilities that are added during code compilation. He describes these mitigations as like paying an insurance policy.

“You're paying a little bit of money for a policy and in general your system is roughly protected but it’s always a trade-off between how much you are willing to pay versus the risk that you're exposed to. Some of the mitigations that I've worked on are now common standard and widely deployed in industry. This has been a fun topic but we've now left it to the Googles, Apples and Microsofts of the world to deploy them in their software,” he explained.

His lab is now working on techniques that help developers find as many bugs in their code as possible before the program is shipped to a customer - tools that will automatically test code to find and fix the vulnerabilities in today’s massively complex systems. This research has been successful and, as with mitigations, Payer expects the research results to be taken over by industry to enable and empower developers.

Going forward, he is excited about research towards what is being called compartmentalization, which he thinks will be how developers find and protect systems from bugs ten years from now.

“Take Google Chrome, with its 100-million lines of code, and the question that we are asking right now is how can we break this large complex ecosystem into smaller components. Similar to Lego builds, complex code consists not just of lines of code but is made up of many components. Instead of securing the whole code, which is not possible, we would secure these individual parts and make sure that if there is a bug in one component it can’t compromise another. I think this is a super interesting research topic,” Payer explained.

He’s also extremely proud of EPFL’s large hacker community and its Capture the Flag team, the polygl0ts. Its members organize one of the newest additions to the global Capture the Flag circuit, Lake CTF, in which teams reverse engineer, decrypt, and hack into computer systems to capture flags (small tokens of data that prove that a team solved a challenge) to win points. This helps students to learn about all aspects of cyber security and gain practical skills ready to be used in the real world.

“We have an amazing team of undergraduates, master, and PhD students going to events like the “Hacker Olympics” at DEFCON in Las Vegas, working together on these fun challenges. I’m extremely proud of how well this team represents EPFL. I really look forward to the next ten years of exciting research and cyber security challenges.”

Mathias Payer joins eleven other IC faculty who have been named Fellows of the Association for Computing Machinery (ACM).