Computer Science graduate student Ben Kallus, Guarini, puts his research into practice by doubling as a hacker—an ethical, or white hat, hacker, who finds vulnerabilities in computer systems that could be exploited by bad actors.
In the last two years, he has earned more than $30,000 from Google's Vulnerability Reward Program that pays independent security researchers who help to keep Google products safe and secure.
For his PhD, Kallus investigates the security of web servers—the backend software that enables billions of websites to function every day. Vulnerabilities in these systems have wide-ranging impact, from leaking private data stored in servers without having direct login access to them, to sending messages to servers that would render them unusable (also known as a denial of service attack).
The web operates under the assumption that all software accessing it implements certain core specifications correctly---Kallus' core research focuses on identifying the software that does not comply with the specifications. The bugs that he primarily targets fall under the umbrella of "HTTP request smuggling."
When users visit most large websites, their browser does not directly request the site's data from its source. Instead, the browser's requests are passed through a sequence of servers before reaching their destinations, typically for reasons related to optimization.
"HTTP request smuggling is a technique that exploits parsing discrepancies between servers in that sequence. If attackers manage to properly line up these discrepancies (think a game of telephone), interesting stuff can happen," says Kallus.
In particular, attackers can use this technique to access restricted server resources, cause servers to deliver invalid or malicious HTTP responses to other people, and even steal responses HTTP intended for other people, he says.
It was during an internship at Narf Industries, where he worked with Prashant Anantharaman, Guarini '22 and Michael Locasto, a former Dartmouth CS postdoc, that Kallus began finding bugs.
"It takes a lot of people to build companies' infrastructure, but only one to break it," says Kallus. "In this way, a single person can have a large impact on the security of the web."
By discovering new families of vulnerabilities hidden in legacy code, Kallus is making it possible for future coders to avoid them.
He tremendously enjoys teaching students how to find bugs too. "Given the right resources," he says, "a good undergrad can go from the intro CS sequence to finding real bugs in a few weeks."