Your search keyword '"Cristiano Giuffrida"' showing total 47 results

1. Enviral: Fuzzing the Environment for Evasive Malware Analysis

Author

Floris Gorter, Cristiano Giuffrida, Erik Van Der Kouwe, Computer Systems, Network Institute, and Systems and Network Security

Subjects

evasive malware analysis, fuzzing, system call hooks

Abstract

Analyzing malicious behavior is vital to effectively safeguard computer systems against malware. However, contemporary malware frequently contains evasive behavior, which allows it to hide its malicious intent from analysis. More specifically, if the malware detects it is being executed in an analysis environment, it resorts to evasive routines that exhibit benign behavior. Manually deactivating evasive checks requires significant effort, and is therefore not a scalable technique with regards to the increasing amount of evasive malware. Unfortunately, the existing systems that automatically analyze evasive malware are impractical, computationally inefficient, or incomplete by design. In this paper, we introduce Enviral, an automatic evasive malware analysis framework that proposes a novel method to analyze evasive malware, combining the best elements of existing approaches. We achieve this by applying fuzzing techniques to repeatedly adapt the view of the execution environment, thereby iteratively defeating the evasive checks in the target application. We realize these adaptations by applying mutations to the outcomes of environment queries, which in turn leads to the exploration of multiple execution paths. Our experimental results demonstrate that Enviral can detect and overcome evasive behavior and thereby exposes previously hidden activity in malware. We evaluate our system against a similar framework, and conclude that Enviral can expose 39% more interesting hidden system call activity on average, and achieves productive explorations where previously unseen behavior is discovered in 67% more malware samples.

Published

2023

2. On the Effectiveness of Same-Domain Memory Deduplication

Author

Andreas Costi, Brian Johannesmeyer, Erik Bosman, Cristiano Giuffrida, Herbert Bos, Computer Systems, Network Institute, and Systems and Network Security

Subjects

side channel attacks, memory deduplication

Abstract

Memory deduplication, an OS memory optimization technique that merges identical pages into a single Copy-on-Write (CoW) page, has been shown to be susceptible to a variety of timing side channel attacks, all of which stem from the differences between write times to the CoW page and to the normal page. To mitigate this issue, operating systems only merge pages from the same security domain (e.g., from the same process); moreover, browsers can piggyback on this defense with the recent adoption of site isolation. This was all considered sufficient, because it thwarts existing attacks, which have all relied upon separate domain (e.g., cross-process) scenarios. In this paper, we examine the effectiveness of same-domain memory deduplication as a mitigation by presenting two case studies that show that an attacker can still leverage the deduplication side channel to leak secrets. Specifically, our case studies highlight one key flaw: That it is non-Trivial to separate programs into separate security domains. In the first case study, we examine a client-server scenario-A scenario that inherently requires a server to read data from an untrusted client-And demonstrate that the client can control the alignment of data in memory to disclose the server's secret data. In the second case study, we examine a recent version of Firefox-A browser that has undergone massive efforts to ensure that data from different origins are separated into different domains-And demonstrate that nonetheless, a malicious webpage can exploit the browser's partial implementation of site isolation to leak secret data across tabs. We conclude that same-domain memory deduplication as a defense is difficult to implement correctly, and hence, is insufficient.

Published

2022

3. TRRespass

Author

Cristiano Giuffrida, Emanuele Vannacc, Pietro Frigo, Kaveh Razavi, Hasan Hassan, Victor van der Veen, Herbert Bos, Onur Mutlu, Computer Systems, Network Institute, and Systems and Network Security

Subjects

FOS: Computer and information sciences, 010302 applied physics, Computer Science - Cryptography and Security, B.8.1, Computer science, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, 020202 computer hardware & architecture, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Cryptography and Security (cs.CR), computer, Dram

Abstract

After a plethora of high-profile RowHammer attacks, CPU and DRAM vendors scrambled to deliver what was meant to be the definitive hardware solution against the RowHammer problem: Target Row Refresh (TRR). A common belief among practitioners is that, for the latest generation of DDR4 systems that are protected by TRR, RowHammer is no longer an issue in practice. However, in reality, very little is known about TRR. In this paper, we demystify the inner workings of TRR and debunk its security guarantees. We show that what is advertised as a single mitigation mechanism is actually a series of different solutions coalesced under the umbrella term TRR. We inspect and disclose, via a deep analysis, different existing TRR solutions and demonstrate that modern implementations operate entirely inside DRAM chips. Despite the difficulties of analyzing in-DRAM mitigations, we describe novel techniques for gaining insights into the operation of these mitigation mechanisms. These insights allow us to build TRRespass, a scalable black-box RowHammer fuzzer. TRRespass shows that even the latest generation DDR4 chips with in-DRAM TRR, immune to all known RowHammer attacks, are often still vulnerable to new TRR-aware variants of RowHammer that we develop. In particular, TRRespass finds that, on modern DDR4 modules, RowHammer is still possible when many aggressor rows are used (as many as 19 in some cases), with a method we generally refer to as Many-sided RowHammer. Overall, our analysis shows that 13 out of the 42 modules from all three major DRAM vendors are vulnerable to our TRR-aware RowHammer access patterns, and thus one can still mount existing state-of-the-art RowHammer attacks. In addition to DDR4, we also experiment with LPDDR4 chips and show that they are susceptible to RowHammer bit flips too. Our results provide concrete evidence that the pursuit of better RowHammer mitigations must continue., 16 pages, 16 figures, in proceedings IEEE S&P 2020

Published

2020

4. Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization

Author

Cristiano Giuffrida, Daniele Cono D'Elia, Leonardo Querzoni, Pietro Borrello, Computer Systems, Network Institute, and Systems and Network Security

Subjects

FOS: Computer and information sciences, data-flow linearization, Computer Science - Cryptography and Security, Computer science, 02 engineering and technology, computer.software_genre, 03 medical and health sciences, Software, Constant (computer programming), 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Transient (computer programming), control-flow linearization, Side channel attack, 030304 developmental biology, 0303 health sciences, Computer Science - Programming Languages, business.industry, compilers, constant-time programming, side channels, 020207 software engineering, D.4.6, Data flow diagram, Embedded system, Compiler, State (computer science), business, Cryptography and Security (cs.CR), computer, Programming Languages (cs.PL)

Abstract

In the era of microarchitectural side channels, vendors scramble to deploy mitigations for transient execution attacks, but leave traditional side-channel attacks against sensitive software (e.g., crypto programs) to be fixed by developers by means of constant-time programming (i.e., absence of secret-dependent code/data patterns). Unfortunately, writing constant-time code by hand is hard, as evidenced by the many flaws discovered in production side channel-resistant code. Prior efforts to automatically transform programs into constant-time equivalents offer limited security or compatibility guarantees, hindering their applicability to real-world software. In this paper, we present Constantine, a compiler-based system to automatically harden programs against microarchitectural side channels. Constantine pursues a radical design point where secret-dependent control and data flows are completely linearized (i.e., all involved code/data accesses are always executed). This strategy provides strong security and compatibility guarantees by construction, but its natural implementation leads to state explosion in real-world programs. To address this challenge, Constantine relies on carefully designed optimizations such as just-in-time loop linearization and aggressive function cloning for fully context-sensitive points-to analysis, which not only address state explosion, but also lead to an efficient and compatible solution. Constantine yields overheads as low as 16% on standard benchmarks and can handle a fully-fledged component from the production wolfSSL library., Proceedings of the ACM Conference on Computer and Communications Security (CCS) 2021. Code and BibTeX entry available at https://github.com/pietroborrello/constantine

Published

2021

5. LeanSym: Efficient hybrid fuzzing through conservative constraint debloating

Author

Cristiano Giuffrida, Sanjay Rawat, Xianya Mi, Herbert Bos, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Speedup, concolic execution, Computer science, Code coverage, Process (computing), Parallel computing, Fuzz testing, Tracing, Taint checking, Test suite, Concolic testing, hybrid fuzzing, taint analysis

Abstract

To improve code coverage and flip complex program branches, hybrid fuzzers couple fuzzing with concolic execution. Despite its benefits, this strategy inherits the inherent slowness and memory bloat of concolic execution, due to path explosion and constraint solving. While path explosion has received much attention, constraint bloat (having to solve complex and unnecessary constraints) is much less studied. In this paper, we present LeanSym (LSym), an efficient hybrid fuzzer. LSym focuses on optimizing the core concolic component of hybrid fuzzing by conservatively eliminating constraint bloat without sacrificing concolic execution soundness. The key idea is to partially symbolize the input and the program in order to remove unnecessary constraints accumulated during execution and significantly speed up the fuzzing process. In particular, we use taint analysis to identify the bytes that may influence the branches that we want to flip and symbolize only those bytes to minimize the constraints to collect. Furthermore, we eliminate non-trivial constraints introduced by environment modelling for system I/O. This is done by targeting the concolic analysis solely to library function-level tracing. We show this simple approach is effective and can be implemented in a modular fashion on top of off-the-shelf binary analysis tools. In particular, with only 1k LOC to implement simple branch/seed selection policies for hybrid fuzzing on top of unmodified Triton, libdft, and AFL, LSym outperforms state-of-the-art hybrid fuzzers with much less memory bloat, including those with advanced branch/seed selection policies or heavily optimized concolic execution engines such as QSYM and derivatives. On average, LSym outperforms QSYM by 7.61% in coverage, while finding bugs 4.79x faster in 18 applications of Google Fuzzer Test Suite. In real-world application testing, LSym reported 17 new bugs in 5 applications.

Published

2021

6. CrossTalk: Speculative data leaks across cores are real

Author

Cristiano Giuffrida, Alyssa Milburn, Hany Ragab, Herbert Bos, Kaveh Razavi, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Multi-core processor, SDG 16 - Peace, Computer science, business.industry, SDG 16 - Peace, Justice and Strong Institutions, Side channels, Cryptography, Justice and Strong Institutions, Microarchitecture, Crosstalk, Embedded system, x86, business, CPUID, Transient execution attacks

Abstract

Recent transient execution attacks have demonstrated that attackers may leak sensitive information across security boundaries on a shared CPU core. Up until now, it seemed possible to prevent this by isolating potential victims and attackers on separate cores. In this paper, we show that the situation is more serious, as transient execution attacks can leak data across different cores on many modern Intel CPUs.We do so by investigating the behavior of x86 instructions, and in particular, we focus on complex microcoded instructions which perform offcore requests. Combined with transient execution vulnerabilities such as Micro-architectural Data Sampling (MDS), these operations can reveal internal CPU state. Using performance counters, we build a profiler, CrossTalk, to examine the number and nature of such operations for many x86 instructions, and find that some instructions read data from a staging buffer which is shared between all CPU cores.To demonstrate the security impact of this behavior, we present the first cross-core attack using transient execution, showing that even the seemingly-innocuous CPUID instruction can be used by attackers to sample the entire staging buffer containing sensitive data – most importantly, output from the hardware random number generator (RNG) – across cores. We show that this can be exploited in practice to attack SGX enclaves running on a completely different core, where an attacker can control leakage using practical performance degradation attacks, and demonstrate that we can successfully determine enclave private keys. Since existing mitigations which rely on spatial or temporal partitioning are largely ineffective to prevent our proposed attack, we also discuss potential new mitigation techniques.

Published

2021

7. SMASH: Synchronized many-sided rowhammer attacks from JavaScript

Author

Finn de Ridder, Pietro Frigo, Emanuele Vannacci, Herbert Bos, Cristiano Giuffrida, Kaveh Razavi, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Hardware_MEMORYSTRUCTURES

Abstract

Despite their in-DRAM Target Row Refresh (TRR) mitigations, some of the most recent DDR4 modules are still vulnerable to many-sided Rowhammer bit flips. While these bit flips are exploitable from native code, triggering them in the browser from JavaScript faces three nontrivial challenges. First, given the lack of cache flushing instructions in JavaScript, existing eviction-based Rowhammer attacks are already slow for the older single- or double-sided variants and thus not always effective. With many-sided Rowhammer, mounting effective attacks is even more challenging, as it requires the eviction of many different aggressor addresses from the CPU caches. Second, the most effective many-sided variants, known as n-sided, require large physically-contiguous memory regions which are not available in JavaScript. Finally, as we show for the first time, eviction-based Rowhammer attacks require proper synchronization to bypass in-DRAM TRR mitigations. Using a number of novel insights, we overcome these challenges to build SMASH (Synchronized MAny-Sided Hammering), a technique to succesfully trigger Rowhammer bit flips from JavaScript on modern DDR4 systems. To mount effective attacks, SMASH exploits high-level knowledge of cache replacement policies to generate optimal access patterns for eviction-based many-sided Rowhammer. To lift the requirement for large physically-contiguous memory regions, SMASH decomposes n-sided Rowhammer into multiple double-sided pairs, which we can identify using slice coloring. Finally, to bypass the in-DRAM TRR mitigations, SMASH carefully schedules cache hits and misses to successfully trigger synchronized many-sided Rowhammer bit flips. We showcase SMASH with an end-to-end JavaScript exploit which can fully compromise the Firefox browser in 15 minutes on average.

Published

2021

8. D2.5 Platform Integration

Author

Gino Carrozzo, Gabriele Scivoletto, Felipe Huici, Costin Raiciu, Gaulthier Gain, Mike Rapoport, and Cristiano Giuffrida

Subjects

Smart Contracts, IoT, NFV, unikernels, micro-libs, libraries, VM, OS kernel, toolkit, Unikraft, toolchain, Serverless Computing

Abstract

One of the main goals of the UNICORE Consortium is to work on the integration of all the different libraries, components and tools developed within the Project in order to build and release consolidated prototypes of the UNIKRAFT/UNICORE toolstack. The main collectors of public artifacts from this process are: The UNIKRAFT GitHub page: https://github.com/unikraft The UNIKRAFT project webportal: https://unikraft.org/ The UNICORE project webpage: https://unicore-project.eu/ This deliverable reports on the integration activities executed in the UNICORE project. The document specifically provides insights on the toolkits adopted to manage the software configuration management aspects of the UNIKRAFT/UNICORE project, and also provides guidelines for building and deploying krafted functions. Mechanisms for submitting developed artifacts on UNIKRAFT as well as the available channels and policies for interactions with the UNIKRAFT core developer teams are described.

Published

2021

9. Who's Debugging the Debuggers? Exposing Debug Information Bugs in Optimized Binaries

Author

Davide Italiano, Leonardo Querzoni, Cristiano Giuffrida, Giuseppe Antonio Di Luna, Sebastian Österlund, Luca Massarelli, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Computer science, media_common.quotation_subject, 02 engineering and technology, computer.software_genre, Toolchain, Consistency (database systems), Software, SDG 3 - Good Health and Well-being, Software_SOFTWAREENGINEERING, 020204 information systems, Debug Information, Optimized Binaries, Verification, 0202 electrical engineering, electronic engineering, information engineering, Argument of a function, computer.programming_language, Debugger, media_common, Programming language, business.industry, 020207 software engineering, Debugging, Compiler, business, computer, Rust (programming language)

Abstract

Despite the advancements in software testing, bugs still plague deployed software and result in crashes in production. When debugging issues-sometimes caused by "heisenbugs"-there is the need to interpret core dumps and reproduce the issue offline on the same binary deployed. This requires the entire toolchain (compiler, linker, debugger) to correctly generate and use debug information. Little attention has been devoted to checking that such information is correctly preserved by modern toolchains' optimization stages. This is particularly important as managing debug information in optimized production binaries is non-trivial, often leading to toolchain bugs that may hinder post-deployment debugging efforts. In this paper, we present Debug2, a framework to find debug information bugs in modern toolchains. Our framework feeds random source programs to the target toolchain and surgically compares the debugging behavior of their optimized/unoptimized binary variants. Such differential analysis allows Debug2 to check invariants at each debugging step and detect bugs from invariant violations. Our invariants are based on the (in)consistency of common debug entities, such as source lines, stack frames, and function arguments. We show that, while simple, this strategy yields powerful cross-toolchain and cross-language invariants, which can pinpoint several bugs in modern toolchains. We have used Debug2 to find 23 bugs in the LLVM toolchain (clang/lldb), 8 bugs in the GNU toolchain (GCC/gdb), and 3 in the Rust toolchain (rustc/lldb)-with 14 bugs already fixed by the developers.

Published

2021

10. PIBE

Author

Victor Duta, Herbert Bos, Cristiano Giuffrida, Erik van der Kouwe, Computer Systems, Network Institute, and Systems and Network Security

Subjects

operating systems, 0303 health sciences, control-flow hijacking, Computer science, Distributed computing, Indirect branch, Linux kernel, computer.software_genre, 03 medical and health sciences, 0302 clinical medicine, Control flow, Software bug, 030220 oncology & carcinogenesis, transient execution, profile-guided optimizations, Overhead (computing), Transient (computer programming), Compiler, Instrumentation (computer programming), computer, 030304 developmental biology

Abstract

Control-flow hijacking, which allows an attacker to execute arbitrary code, remains a dangerous software vulnerability. Control-flow hijacking in speculated or transient execution is particularly insidious as it allows attackers to leak data from operating system kernels and other targets on commodity hardware, even in the absence of software bugs. Having made the jump from regular to transient execution in recent attacks, control-flow hijacking has become a top priority for developers. While powerful defenses against control-flow hijacking in regular execution are now sufficiently low-overhead to see wide-spread adoption, this is not the case for defenses in transient execution. Unfortunately, current techniques for mitigating attacks in transient execution exhibit high overheads-requiring a costly combination of defenses for every indirect branch. We show that the high overhead incurred by state-of-the-art mitigations is mostly due to the effect of hardening frequently executed branches. We propose PIBE, which offers comprehensive protection against control-flow hijacking at a fraction of the cost of existing solutions, by revisiting design choices in the compiler's optimization passes. For every indirect branch, it decides whether to harden it with instrumentation code or elide it altogether using code transformations. By specifically removing the heavy hitters among the indirect branches through tailored profile-guided optimization, PIBE aggressively reduces the number of vulnerable branches to allow the simultaneous application of multiple state-of-the-art defenses on the remaining branches with practical overhead. Demonstrating our solution on the Linux kernel, one of the largest, most complex and most security-critical code bases on modern systems, we show that PIBE reduces the overhead of comprehensive defenses against transient control flow hijacking by an order of magnitude, from 149% to 10.6% on microbenchmarks and from ~ 40% to around 6% on several application benchmarks.

Published

2021

11. CollabFuzz - A Framework for Collaborative Fuzzing

Author

Herbert Bos, Cristiano Giuffrida, Sebastian Österlund, Elia Geretto, Emre Güler, Thorsten Holz, Andrea Jemmett, Philipp Görz, Computer Systems, Network Institute, and Systems and Network Security

Subjects

0303 health sciences, automated bug finding, ensemble fuzzing, business.industry, Computer science, Control (management), 020207 software engineering, 02 engineering and technology, Fuzz testing, fuzzing, Scheduling (computing), Test (assessment), 03 medical and health sciences, parallel fuzzing, SDG 17 - Partnerships for the Goals, Test case, Work (electrical), 0202 electrical engineering, electronic engineering, information engineering, Orchestration (computing), collaborative fuzzing, Software engineering, business, 030304 developmental biology

Abstract

In the recent past, there has been lots of work on improving fuzz testing. In prior work, EnFuzz showed that by sharing progress among different fuzzers, they can perform better than the sum of their parts. In this paper, we continue this line of work and present CollabFuzz, a collaborative fuzzing framework allowing multiple different fuzzers to collaborate under an informed scheduling policy based on a number of central analyses. More specifically, CollabFuzz is a generic framework that allows a user to express different test case scheduling policies, such as the collaborative approach presented by EnFuzz. CollabFuzz can control which tests cases are handed out to what fuzzer and allows the orchestration of different fuzzers across the network. Furthermore, it allows the centralized analysis of the test cases generated by the various fuzzers under its control, allowing to implement scheduling policies based on the results of arbitrary program (e.g., data-flow) analysis.

Published

2021

12. Speculative Probing:Hacking Blind in the Spectre Era

Author

Enes Goktas, Herbert Bos, Cristiano Giuffrida, Georgios Portokalidis, Kaveh Razavi, Computer Systems, Network Institute, and Systems and Network Security

Subjects

SDG 16 - Peace, code-reuse attacks, Address space, Computer science, 05 social sciences, Code reuse, SDG 16 - Peace, Justice and Strong Institutions, Speculative execution, 050301 education, Linux kernel, Memory corruption, 02 engineering and technology, Computer security, computer.software_genre, Justice and Strong Institutions, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0503 education, computer, speculative execution

Abstract

To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim's code. In the absence of such info-leak vulnerabilities, attackers can still hack blind and derandomize the address space by repeatedly probing the victim's memory while observing crash side effects, but doing so is only feasible for crash-resistant programs. However, high-value targets such as the Linux kernel are not crash-resistant. Moreover, the anomalously large number of crashes is often easily detectable. In this paper, we show that the Spectre era enables an attacker armed with a single memory corruption vulnerability to hack blind without triggering any crashes. Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects. Such primitives can repeatedly probe victim memory and break strong randomization schemes without crashes and bypass all deployed mitigations against Spectre-like attacks. The key idea behind speculative probing is to break Spectre mitigations using memory corruption and resurrect Spectre-style disclosure primitives to mount practical blind software exploits. To showcase speculative probing, we target the Linux kernel, a crash-sensitive victim that has so far been out of reach of blind attacks, mount end-to-end exploits that compromise the system with just-in-time code reuse and data-only attacks from a single memory write vulnerability, and bypass strong Spectre and strong randomization defenses. Our results show that it is crucial to consider synergies between different (Spectre vs. code reuse) threat models to fully comprehend the attack surface of modern systems.

Published

2020

13. D3.3 API, Library and Security Primitives Implementation - Initial

Author

Razvan Deaconescu, Costin Raiciu, Felipe Huici, Simon Kuenzer, Gaulthier Gain, Cyril Soldani, Cristiano Giuffrida, and Herbert Bos

Subjects

IoT, applications, VM, SQLite, toolkit, unikraft, Smart Contracts, NFV, unikernels, Redis, API, libraries, virtual machine, toolchain, nginx, Serverless Computing

Abstract

In the deliverable we provide the initial implementation of the UNICORE APIs, along with an initial set of libraries. This set supports multiple applications (nginx, Redis, SQLite) available for the project use cases. We recall the overall design of UNICORE APIs together with a list of external libraries and applications. External libraries and applications are linked to required UNICORE APIs to create specialized (small and fast) unikernel images. We also describe the initial implementation of security and safety primitives. The goal of the EU-funded UNICORE project is to develop a common code-base and toolchain that will enable software developers to rapidly create secure, portable, scalable, high-performance solutions starting from existing applications. The key to this is to compile an application into very light-weight virtual machines – known as unikernels – where there is no traditional operating system, only the specific bits of operating system functionality that the application needs. The resulting unikernels can then be deployed and run on standard high-volume servers or cloud computing infrastructure.

Published

2020

14. NetCAT: Practical cache attacks from the network

Author

Kaveh Razavi, Cristiano Giuffrida, Michael Kurth, Herbert Bos, Dennis Andriesse, Ben Gras, Systems and Network Security, Network Institute, Computer Systems, and Computer Science

Subjects

010302 applied physics, Random access memory, SDG 16 - Peace, Computer science, business.industry, SDG 16 - Peace, Justice and Strong Institutions, 02 engineering and technology, 01 natural sciences, Justice and Strong Institutions, Microarchitecture, Network interface controller, Server, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Central processing unit, Cache, business, Direct memory access, Computer network

Abstract

Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.In this paper, we reverse engineer the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and present its first security analysis. Based on our analysis, we present NetCAT, the first Network-based PRIME+PROBE Cache Attack on the processor's LLC of a remote machine. We show that NetCAT not only enables attacks in cooperative settings where an attacker can build a covert channel between a network client and a sandboxed server process (without network), but more worryingly, in general adversarial settings. In such settings, NetCAT can enable disclosure of network timing-based sensitive information. As an example, we show a keystroke timing attack on a victim SSH connection belonging to another client on the target server. Our results should caution processor vendors against unsupervised sharing of (additional) microarchitectural components with peripherals exposed to malicious input.

Published

2020

15. BinRec: dynamic binary lifting and recompilation

Author

Dixin Zhou, David Gens, Michael Franz, Stijn Volckaert, Prabhu Rajasekaran, Taddeus Kroes, Yeoul Na, Herbert Bos, Anil Altinay, Cristiano Giuffrida, Adrian Dabrowski, Joseph Nash, Computer Systems, Network Institute, Systems and Network Security, Bilas, Angelos, Magoutis, Kostas, Markatos, Evangelos P, Kostic, Dejan, and Seltzer, Margo I

Subjects

Semantics (computer science), Computer science, Spec#, Binary number, 020206 networking & telecommunications, 02 engineering and technology, Parallel computing, Range (mathematics), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Binary code, Heuristics, Representation (mathematics), computer, computer.programming_language

Abstract

Binary lifting and recompilation allow a wide range of install-Time program transformations, such as security hardening, deobfuscation, and reoptimization. Existing binary lifting tools are based on static disassembly and thus have to rely on heuristics to disassemble binaries. In this paper, we present BinRec, a new approach to heuristic-free binary recompilation which lifts dynamic traces of a binary to a compiler-level intermediate representation (IR) and lowers the IR back to a "recovered" binary. This enables BinRec to apply rich program transformations, such as compiler-based optimization passes, on top of the recovered representation. We identify and address a number of challenges in binary lifting, including unique challenges posed by our dynamic approach. In contrast to existing frameworks, our dynamic frontend can accurately disassemble and lift binaries without heuristics, and we can successfully recover obfuscated code and all SPEC INT 2006 benchmarks including C++ applications. We evaluate BinRec in three application domains: i) binary reoptimization, ii) deobfuscation (by recovering partial program semantics from virtualization-obfuscated code), and iii) binary hardening (by applying existing compiler-level passes such as AddressSanitizer and SafeStack on binary code).

Published

2020

16. ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures

Author

Cristiano Giuffrida, Michael Kurth, Ben Gras, Kaveh Razavi, and Herbert Bos

Subjects

business.industry, Computer science, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, 020206 networking & telecommunications, 020201 artificial intelligence & image processing, 02 engineering and technology, Side channel attack, business, Commodity (Marxism)

Published

2020

17. VPS: Excavating high-level C++ constructs from low-level binaries to protect dynamic dispatching

Author

Dennis Andriesse, Thorsten Holz, Andre Pawlowski, Herbert Bos, Cristiano Giuffrida, Erik van der Kouwe, Victor van der Veen, Computer Systems, Network Institute, and Systems and Network Security

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Computer science, 0211 other engineering and technologies, Binary number, Spec#, 02 engineering and technology, computer.software_genre, Binary Analysis, Function pointer, Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, False positive paradox, Virtual function, computer.programming_language, 021110 strategic, defence & security studies, business.industry, Attack surface, Pointer (computer programming), Operating system, CFI, business, computer, Cryptography and Security (cs.CR)

Abstract

Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack and in practice, vtable hijacking is one of the most important attack vector for C++ binaries. In this paper, we present VTable Pointer Separation (VPS), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, VPS achieves a more accurate protection by restricting virtual callsites to validly created objects. More specifically, VPS ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, VPS explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of VPS on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8% of all virtual callsites in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ benchmarks), with a moderate performance overhead of 11% and 9% geomean, respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC., Comment: Published in Annual Computer Security Applications Conference (ACSAC'19)

Published

2019

18. D3.2 Security, Safety and Validation Support Definition

Author

Cristiano Giuffrida, Herbert Bos, Kaveh Razavi, Emil Slusanschi, and Felipe Huici

Subjects

Smart Contracts, IoT, NFV, unikernels, applications, vm, H2020, virtual machine, toolkit, toolchain, Serverless Computing, unikraft

Abstract

This deliverabledescribes the definition of the UNICORE security and safety primitives, which allow UNICORE applications to minimize the attack and failure surface in production. This is done both proactively (using software verification techniques) and reactively (using software hardening techniques). In addition, this deliverablereports on deterministic execution support for smart contracts.

Published

2019

19. SoK: Benchmarking Flaws in Systems Security

Author

Herbert Bos, Gernot Heiser, Dennis Andriesse, Cristiano Giuffrida, Erik van der Kouwe, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Computer science, media_common.quotation_subject, Compromise, Comparability, 020207 software engineering, Mistake, Sample (statistics), security, 02 engineering and technology, Benchmarking, Safeguard, Risk analysis (engineering), 020204 information systems, Scale (social sciences), computer systems, 0202 electrical engineering, electronic engineering, information engineering, Quality (business), benchmarking, media_common

Abstract

Properly benchmarking a system is a difficult and intricate task. Even a seemingly innocuous mistake can compromise the guarantees provided by a systems security defense and threaten reproducibility and comparability. Moreover, as many modern defenses trade security for performance, the damage caused by benchmarking mistakes is increasingly worrying. To analyze the magnitude of the phenomenon, we identify 22 benchmarking flaws that threaten the validity of systems security evaluations, and survey 50 defense papers published in top venues. We show that benchmarking flaws are widespread even in papers published at tier-1 venues; tier-1 papers contain an average of five benchmarking flaws and we find only a single paper in our sample without any benchmarking flaws. Moreover, the scale of the problem appears constant over time, suggesting that the community is not yet taking sufficient countermeasures. This threatens the scientific process, which relies on reproducibility and comparability to ensure that published research advances the state of the art. We hope to raise awareness and provide recommendations for improving benchmarking quality and safeguard the scientific process in our community.

Published

2019

20. RIDL: Rogue In-Flight Data Load

Author

Alyssa Milburn, Kaveh Razavi, Sebastian Österlund, Pietro Frigo, Stephan van Schaik, Herbert Bos, Giorgi Maisuradze, Cristiano Giuffrida, Systems and Network Security, Network Institute, and Computer Systems

Subjects

Speculative-execution-attacks, SDG 16 - Peace, Out-of-order execution, Exploit, Page fault, Network security, business.industry, Computer science, SDG 16 - Peace, Justice and Strong Institutions, Speculative execution, 02 engineering and technology, Side-channels, Computer security, computer.software_genre, Data structure, Justice and Strong Institutions, 020202 computer hardware & architecture, Virtual machine, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Central processing unit, business, computer

Abstract

We present Rogue In-flight Data Load (RIDL), a new class of speculative unprivileged and constrained attacks to leak arbitrary data across address spaces and privilege boundaries (e.g., process, kernel, SGX, and even CPU-internal operations). Our reverse engineering efforts show such vulnerabilities originate from a variety of micro-optimizations pervasive in commodity (Intel) processors, which cause the CPU to speculatively serve loads using extraneous CPU-internal in-flight data (e.g., in the line fill buffers). Contrary to other state-of-the-art speculative execution attacks, such as Spectre, Meltdown and Foreshadow, RIDL can leak this arbitrary in-flight data with no assumptions on the state of the caches or translation data structures controlled by privileged software. The implications are worrisome. First, RIDL attacks can be implemented even from linear execution with no invalid page faults, eliminating the need for exception suppression mechanisms and enabling system-wide attacks from arbitrary unprivileged code (including JavaScript in the browser). To exemplify such attacks, we build a number of practical exploits that leak sensitive information from victim processes, virtual machines, kernel, SGX and CPU-internal components. Second, and perhaps more importantly, RIDL bypasses all existing 'spot' mitigations in software (e.g., KPTI, PTE inversion) and hardware (e.g., speculative store bypass disable) and cannot easily be mitigated even by more heavyweight defenses (e.g., L1D flushing or disabling SMT). RIDL questions the sustainability of a per-variant, spot mitigation strategy and suggests more fundamental mitigations are needed to contain ever-emerging speculative execution attacks.

Published

2019

21. Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks

Author

Kaveh Razavi, Lucian Cojocar, Herbert Bos, Cristiano Giuffrida, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Exploit, Computer science, Reliability (computer networking), 02 engineering and technology, 01 natural sciences, law.invention, ECC memory, Hardware, law, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Ecc, SDG 7 - Affordable and Clean Energy, Side channel attack, Hardware_ARITHMETICANDLOGICSTRUCTURES, Rowhammer, 010302 applied physics, Random access memory, Hardware_MEMORYSTRUCTURES, business.industry, Cold boot attack, Attack surface, 020202 computer hardware & architecture, Embedded system, Security, Key (cryptography), business

Abstract

Given the increasing impact of Rowhammer, and the dearth of adequate other hardware defenses, many in the security community have pinned their hopes on error-correcting code (ECC) memory as one of the few practical defenses against Rowhammer attacks. Specifically, the expectation is that the ECC algorithm will correct or detect any bits they manage to flip in memory in real-world settings. However, the extent to which ECC really protects against Rowhammer is an open research question, due to two key challenges. First, the details of the ECC implementations in commodity systems are not known. Second, existing Rowhammer exploitation techniques cannot yield reliable attacks in presence of ECC memory. In this paper, we address both challenges and provide concrete evidence of the susceptibility of ECC memory to Rowhammer attacks. To address the first challenge, we describe a novel approach that combines a custom-made hardware probe, Rowhammer bit flips, and a cold boot attack to reverse engineer ECC functions on commodity AMD and Intel processors. To address the second challenge, we present ECCploit, a new Rowhammer attack based on composable, data-controlled bit flips and a novel side channel in the ECC memory controller. We show that, while ECC memory does reduce the attack surface for Rowhammer, ECCploit still allows an attacker to mount reliable Rowhammer attacks against vulnerable ECC memory on a variety of systems and configurations. In addition, we show that, despite the non-trivial constraints imposed by ECC, ECCploit can still be powerful in practice and mimic the behavior of prior Rowhammer exploits.

Published

2019

22. ProbeGuard

Author

Cristiano Giuffrida, Erik van der Kouwe, Koustubha Bhat, Herbert Bos, Computer Science, Network Institute, Computer Systems, and Systems and Network Security

Subjects

program transformations, graceful performance degradation, reactive defenses, Computer science, processor trace, 02 engineering and technology, Computer security, computer.software_genre, Value of information, Memory address, software bugs, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Baseline (configuration management), Shadow (psychology), code reuse, Code reuse, 020206 networking & telecommunications, information hiding, hotpatching, Software bug, Software security assurance, Information hiding, security hardening, computer, performancesecurity tradeoff

Abstract

Many modern defenses against code reuse rely on hiding sensitive data such as shadow stacks in a huge memory address space. While much more efficient than traditional integritybased defenses, these solutions are vulnerable to probing attacks which quickly locate the hidden data and compromise security. This has led researchers to question the value of information hiding in real-world software security. Instead, we argue that such a limitation is not fundamental and that information hiding and integrity-based defenses are two extremes of a continuous spectrum of solutions. We propose a solution, ProbeGuard, that automatically balances performance and security by deploying an existing information hiding based baseline defense and then incrementally moving to more powerful integrity-based defenses by hotpatching when probing attacks occur. ProbeGuard is efficient, provides strong security, and gracefully trades off performance upon encountering more probing primitives.

Published

2019

23. kMVX: Detecting Kernel Information Leaks with Multi-variant Execution

Author

Koen Koning, Antonio Barbalace, Pierre Olivier, Cristiano Giuffrida, Herbert Bos, Sebastian Österlund, Computer Systems, Network Institute, and Systems and Network Security

Subjects

operating systems, 021110 strategic, defence & security studies, Exploit, Computer science, Distributed computing, 0211 other engineering and technologies, 020207 software engineering, 02 engineering and technology, security, Kernel (statistics), 0202 electrical engineering, electronic engineering, information engineering, multi-variant exection, Overhead (computing), Confidentiality, information leaks, Scope (computer science)

Abstract

Kernel information leak vulnerabilities are a major security threat to production systems. Attackers can exploit them to leak confidential information such as cryptographic keys or kernel pointers. Despite efforts by kernel developers and researchers, existing defenses for kernels such as Linux are limited in scope or incur a prohibitive performance overhead. In this paper, we present kMVX, a comprehensive defense against information leak vulnerabilities in the kernel by running multiple diversified kernel variants simultaneously on the same machine. By constructing these variants in a careful manner, we can ensure they only show divergences when an attacker tries to exploit bugs present in the kernel. By detecting these divergences we can prevent kernel information leaks. Our kMVX design is inspired by multi-variant execution (MVX). Traditional MVX designs cannot be applied to kernels because of their assumptions on the run-time environment. kMVX, on the other hand, can be applied even to commodity kernels. We show our Linux-based prototype provides powerful protection against information leaks at acceptable performance overhead (20-50% in the worst case for popular server applications).

Published

2019

24. Type-After-Type

Author

Taddeus Kroes, Cristiano Giuffrida, Erik van der Kouwe, Chris Ouwehand, Herbert Bos, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Memory errors, Computer science, Use-after-free, Spec#, 020207 software engineering, Uninitialized read, 02 engineering and technology, Parallel computing, Reuse, Static analysis, Computer systems, Allocator, Stack (abstract data type), LLVM, 020204 information systems, Type safety, Defense, 0202 electrical engineering, electronic engineering, information engineering, SDG 7 - Affordable and Clean Energy, computer, Heap (data structure), computer.programming_language

Abstract

Temporal memory errors, such as use-after-free bugs, are increasingly popular among attackers and their exploitation is hard to stop efficiently using current techniques. We present a new design, called Type-After-Type, which builds on abstractions in production allocators to provide complete temporal type safety for C/C++ programs-ensuring that memory reuse is always type safe-and efficiently hinder temporal memory attacks. Type-After-Type uses static analysis to determine the types of all heap and stack allocations, and replaces regular allocations with typed allocations that never reuse memory previously used by other types. On the heap, Type-After-Type splits available memory into separate pools for each type. For the stack, Type-After-Type efficiently implements type-safe memory reuse for the first time, pushing variables on separate stacks according to their types, unless they are provably safe (e.g., their address is not taken), in which case they are zero-initialized and kept on a special stack. In our evaluation, we show that Type-After-Type stops a variety of real-world temporal memory attacks and on SPEC CPU2006 incurs a performance overhead of 4.3% and a memory overhead of 17.4% (geomean).

Published

2018

25. Are all citations worth the same? Valuing citations by the value of the citing items

Author

Ciriaco Andrea D'Angelo, Cristiano Giuffrida, Giovanni Abramo, Systems and Network Security, Network Institute, and Computer Systems

Subjects

FOS: Computer and information sciences, Research evaluation, impact, citing-cited, bibliometrics, Library and Information Sciences, 050905 science studies, Bibliometrics, Citing-cited, Impact, Digital Libraries (cs.DL), Impact indicator, Operationalization, Actuarial science, 05 social sciences, Scientific production, Computer Science - Digital Libraries, Variety (linguistics), Settore ING-IND/35 - Ingegneria Economico-Gestionale, Computer Science Applications, Weighting, 0509 other social sciences, 050904 information & library sciences, Psychology, Citation, Value (mathematics)

Abstract

Bibliometricians have long recurred to citation counts to measure the impact of publications on the advancement of science. However, since the earliest days of the field, some scholars have questioned whether all citations should be worth the same, and have gone on to weight them by a variety of factors. However sophisticated the operationalization of the measures, the methodologies used in weighting citations still present limits in their underlying assumptions. This work takes an alternative approach to resolving the underlying problem: the proposal is to value citations by the impact of the citing articles, regardless of the length of their reference list. As well as conceptualizing a new indicator of impact, the work illustrates its application to the 2004-2012 Italian scientific production indexed in the WoS. The proposed impact indicator is highly correlated to the traditional citation count, however the shifts observed between the two measures are frequent and the number of outliers not negligible. Moreover, the new indicator shows greater "sensitivity" when used to identify the highly-cited papers.

Published

2018

26. Towards Automated Vulnerability Scanning of Network Servers

Author

Nathan Schagen, Herbert Bos, Cristiano Giuffrida, Koen Koning, Computer Systems, Network Institute, and Systems and Network Security

Subjects

021110 strategic, defence & security studies, SDG 16 - Peace, Process (engineering), business.industry, Network security, Computer science, Property (programming), Distributed computing, SDG 16 - Peace, Justice and Strong Institutions, 0211 other engineering and technologies, 020207 software engineering, 02 engineering and technology, Fuzz testing, Justice and Strong Institutions, Vulnerability fingerprinting, Software, Discriminative model, Server, 0202 electrical engineering, electronic engineering, information engineering, Internet-wide scanning, Heartbleed, business

Abstract

We explore a new technique for safe patch fingerprinting to automate vulnerability scanning of network servers. Our technique helps automate the discovery of inputs that safely discriminate vulnerable from patched servers for the latest vulnerabilities. This enables rapid updates to vulnerability scanning tools as new software vulnerabilities are discovered, allowing administrators to scan and secure their networks more quickly. To ensure such scans are safe and ethical, we need to reject inputs with malicious side effects. We have implemented a framework, based on delta execution, which tests the discriminative property of such inputs, as well as their safety. We use a fuzzer to find promising candidate inputs to further automate the process. To illustrate the potential of this approach, we present a Heartbleed case study.

Published

2018

27. Delta Pointers

Author

Taddeus Kroes, Herbert Bos, Cristiano Giuffrida, Koen Koning, Erik van der Kouwe, Computer Systems, Network Institute, and Systems and Network Security

Subjects

SDG 16 - Peace, Exploit, Computer science, Memory Safety, SDG 16 - Peace, Justice and Strong Institutions, Bounds Checking, Spec#, 020206 networking & telecommunications, 020207 software engineering, Memory corruption, 02 engineering and technology, computer.software_genre, Pointer Tagging, Justice and Strong Institutions, Bounds checking, Pointer (computer programming), LLVM, 0202 electrical engineering, electronic engineering, information engineering, Operating system, computer, Memory safety, computer.programming_language, Buffer overflow

Abstract

Despite decades of research, buffer overflows still rank among the most dangerous vulnerabilities in unsafe languages such as C and C++. Compared to other memory corruption vulnerabilities, buffer overflows are both common and typically easy to exploit. Yet, they have proven so challenging to detect in real-world programs that existing solutions either yield very poor performance, or introduce incompatibilities with the C/C++ language standard. We present Delta Pointers, a new solution for buffer overflow detection based on efficient pointer tagging. By carefully altering the pointer representation, without violating language specifications, Delta Pointers use existing hardware features to detect both contiguous and non-contiguous overflows on dereferences, without a single check incurring extra branch or memory access operations. By focusing on buffer overflows rather than other vulnerabilities (e.g., underflows), Delta Pointers offer a unique checkless design to provide high performance while still maintaining compatibility. We show that Delta Pointers are effective in detecting arbitrary buffer overflows and, at 35% overhead on SPEC, offer much better performance than competing solutions.

Published

2018

28. BinRec

Author

Cristiano Giuffrida, Stijn Volckaert, Michael Franz, Yeoul Na, Herbert Bos, Anil Altinay, Joseph Nash, Taddeus Kroes, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Intermediate language, Symbolic execution, Correctness, Computer science, Attack surface reduction, Binary number, 020207 software engineering, 02 engineering and technology, Attack surface, Static analysis, Binary lifting, Feature (linguistics), LLVM, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, SDG 7 - Affordable and Clean Energy, Pruning (decision trees), Rewriting, Reduction (mathematics), Algorithm

Abstract

Compile-time specialization and feature pruning through static binary rewriting have been proposed repeatedly as techniques for reducing the attack surface of large programs, and for minimizing the trusted computing base. We propose a new approach to attack surface reduction: dynamic binary lifting and recompilation. We present BinRec, a binary recompilation framework that lifts binaries to a compiler-level intermediate representation (IR) to allow complex transformations on the captured code. After transformation, BinRec lowers the IR back to a "recovered" binary, which is semantically equivalent to the input binary, but has its unnecessary features removed. Unlike existing approaches, which are mostly based on static analysis and rewriting, our framework analyzes and lifts binaries dynamically. The crucial advantage is that we can not only observe the full program including all of its dependencies, but we can also determine which program features the end-user actually uses. We evaluate the correctness and performance of Bin-Rec, and show that our approach enables aggressive pruning of unwanted features in COTS binaries.

Published

2018

29. Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

Author

Herbert Bos, Cristiano Giuffrida, Kaveh Razavi, Pietro Frigo, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Mobile processor, Mobile security, Computer science, Microarchitectural attacks, 02 engineering and technology, 01 natural sciences, Rendering (computer graphics), 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Side channel attack, SDG 7 - Affordable and Clean Energy, Integrated GPUs, Shader, Rowhammer, 010302 applied physics, business.industry, Cache-only memory architecture, Side channels, Browser security, 020202 computer hardware & architecture, Microarchitecture, Embedded system, ARM, business

Abstract

Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to 'accelerate' microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to-end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers.

Published

2018

30. SafeInit: Comprehensive and Practical Mitigation of Uninitialized Read Vulnerabilities

Author

Herbert Bos, Cristiano Giuffrida, Alyssa Milburn, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Common error, Low overhead, Computer science, Initialization, Optimizing compiler, Spec#, 020207 software engineering, Linux kernel, 02 engineering and technology, computer.software_genre, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Information disclosure, Operating system, computer, Heap (data structure), computer.programming_language

Abstract

Usage of uninitialized values remains a common error in C/C++ code. This results not only in undefined and generally undesired behavior, but is also a cause of information disclosure and other security vulnerabilities. Existing solutions for mitigating such errors are not used in practice as they are either limited in scope (for example, only protecting the heap), or incur high runtime overhead. In this paper, we propose SafeInit, a practical protection system which hardens applications against such undefined be-havior by guaranteeing initialization of all values on the heap and stack, every time they are allocated or come into scope. Doing so provides comprehensive protection against this class of vulnerabilities in generic programs, including both information disclosure and re-use/logic vulnerabilities. We show that, with carefully designed compiler optimizations, our implementation achieves sufficiently low overhead (5% for typical server applications and SPEC CPU2006) to serve as a standard hardening protection in practical settings. Moreover, we show that we can effortlessly apply it to harden non-standard code, such as the Linux kernel, with low runtime overhead.

Published

2017

31. Drammer: Deterministic Rowhammer attacks on mobile platforms

Author

Cristiano Giuffrida, Yanick Fratantonio, Clémentine Maurice, Martina Lindorfer, Daniel Gruss, Herbert Bos, Kaveh Razavi, Victor van der Veen, Giovanni Vigna, Computer Systems, Network Institute, and Systems and Network Security

Subjects

010302 applied physics, SDG 16 - Peace, Exploit, Computer science, SDG 16 - Peace, Justice and Strong Institutions, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Justice and Strong Institutions, 020202 computer hardware & architecture, Allocator, Memory management, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, x86, classrowhammer, Android (operating system), computer, Privilege escalation, classmobile

Abstract

Recent work shows that the Rowhammer hardware bug can be used to craft powerful attacks and completely subvert a system. However, existing e orts either describe probabilistic (and thus unreliable) attacks or rely on special (and often unavailable) memory management features to place victim objects in vulnerable physical memory locations. Moreover, prior work only targets x86 and researchers have openly wondered whether Rowhammer attacks on other architectures, such as ARM, are even possible. We show that deterministic Rowhammer attacks are feasible on commodity mobile platforms and that they cannot be mitigated by current defenses. Rather than assuming special memory management features, our attack, Drammer, solely relies on the predictable memory reuse patterns of standard physical memory allocators. We implement Drammer on Android/ARM, demonstrating the practicability of our attack, but also discuss a generalization of our approach to other Linux-based platforms. Furthermore, we show that traditional x86-based Rowhammer exploitation techniques no longer work on mobile platforms and address the resulting challenges towards practical mobile Rowhammer attacks. To support our claims, we present the rst Rowhammer-based Android root exploit relying on no software vulnerability, and requiring no user permissions. In addition, we present an analysis of several popular smartphones and nd that many of them are susceptible to our Drammer attack. We conclude by discussing potential mitigation strategies and urging our community to address the concrete threat of faulty DRAM chips in widespread commodity platforms.

Published

2016

32. On the effectiveness of sensor-enhanced keystroke dynamics against statistical attacks

Author

Valeriu-Daniel Stanciu, Riccardo Spolaor, Cristiano Giuffrida, Mauro Conti, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Biometrics, statistical attacks, Computer science, Data_MISCELLANEOUS, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, classsidechannels, biometric authentication, 0202 electrical engineering, electronic engineering, information engineering, sensor dynamics, classmobile, Password, 021110 strategic, defence & security studies, Authentication, Focus (computing), Variety (cybernetics), Mobile security, Keystroke dynamics, mobile security, 020201 artificial intelligence & image processing, keystroke dynamics, Mobile device, computer

Abstract

In recent years, simple password-based authentication systems have increasingly proven ineffective for many classes of real-world devices. As a result, many researchers have concentrated their efforts on the design of new biometric authentication systems. This trend has been further accelerated by the advent of mobile devices, which offer numerous sensors and capabilities to implement a variety of mobile biometric authentication systems. Along with the advances in biometric authentication, however, attacks have also become much more sophisticated and many biometric techniques have ultimately proven inadequate in face of advanced attackers in practice. In this paper, we investigate the effectiveness of sensor enhanced keystroke dynamics, a recent mobile biometric authentication mechanism that combines a particularly rich set of features. In our analysis, we consider different types of attacks, with a focus on advanced attacks that draw from general population statistics. Such attacks have already been proven effective in drastically reducing the accuracy of many state-of-the-art biometric authentication systems. We implemented a statistical attack against sensor enhanced keystroke dynamics and evaluated its impact on detection accuracy. On one hand, our results show that sensor-enhanced keystroke dynamics are generally robust against statistical attacks with a marginal equal-error rate impact (

Published

2016

33. Automating Live Update for Generic Server Programs

Author

Andrew S. Tanenbaum, Cristiano Giuffrida, Clin Iorgulescu, Giordano Tamburrelli, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Computer science, Distributed computing, 02 engineering and technology, Thread (computing), computer.software_genre, Live update, Software, Quiescence detection, Record-Replay, Server, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), DSU, TRACE (psycholinguistics), 020203 distributed computing, business.industry, Checkpoint-Restart, 020207 software engineering, Data structure, Pointer (computer programming), Garbage collection, Operating system, State (computer science), business, computer

Abstract

The pressing demand to deploy software updates without stopping running programs has fostered much research on live update systems in the past decades. Prior solutions, however, either make strong assumptions on the nature of the update or require extensive and error-prone manual effort, factors which discourage the adoption of live update. This paper presents Mutable Checkpoint-Restart ( MCR ), a new live update solution for generic (multiprocess and multithreaded) server programs written in C. Compared to prior solutions, MCR can support arbitrary software updates and automate most of the common live update operations. The key idea is to allow the running version to safely reach a quiescent state and then allow the new version to restart as similarly to a fresh program initialization as possible, relying on existing code paths to automatically restore the old program threads and reinitialize a relevant portion of the program data structures. To transfer the remaining data structures, MCR relies on a combination of precise and conservative garbage collection techniques to trace all the global pointers and apply the required state transformations on the fly. Experimental results on popular server programs ( Apache httpd , nginx , OpenSSH and vsftpd ) confirm that our techniques can effectively automate problems previously deemed difficult at the cost of negligible performance overhead (2 percent on average) and moderate memory overhead (3.9 $\times$ on average, without optimizations).

Published

2016

34. A heuristic approach to author name disambiguation in bibliometrics databases for large-scale research assessments

Author

Ciriaco Andrea D'Angelo, Giovanni Abramo, Cristiano Giuffrida, Computer Systems, Network Institute, and Secure and Liable Computer Systems

Subjects

FOS: Computer and information sciences, Computer Networks and Communications, Computer science, Heuristic, Computer Science - Digital Libraries, Bibliometrics, Settore ING-IND/35 - Ingegneria Economico-Gestionale, Data science, Human-Computer Interaction, SDG 17 - Partnerships for the Goals, Artificial Intelligence, Scale (social sciences), Scalability, Key (cryptography), Digital Libraries (cs.DL), Precision and recall, Author name, Software, University system, Information Systems

Abstract

National exercises for the evaluation of research activity by universities are becoming regular practice in ever more countries. These exercises have mainly been conducted through the application of peer-review methods. Bibliometrics has not been able to offer a valid large-scale alternative because of almost overwhelming difficulties in identifying the true author of each publication. We will address this problem by presenting a heuristic approach to author name disambiguation in bibliometric datasets for large-scale research assessments. The application proposed concerns the Italian university system, comprising 80 universities and a research staff of over 60,000 scientists. The key advantage of the proposed approach is the ease of implementation. The algorithms are of practical application and have considerably better scalability and expandability properties than state-of-the-art unsupervised approaches. Moreover, the performance in terms of precision and recall, which can be further improved, seems thoroughly adequate for the typical needs of large-scale bibliometric research assessments. © 2010 ASIS&T.

Published

2010

35. Lightweight Memory Checkpointing

Author

Cristiano Giuffrida, Dirk Vogt, Andrew S. Tanenbaum, Herbert Bos, Computer Systems, Systems and Network Security, and Network Institute

Subjects

Flat memory model, business.industry, Computer science, Registered memory, computer.software_genre, Memory map, Extended memory, Physical address, Memory management, Embedded system, Shadow memory, Interleaved memory, Operating system, SDG 7 - Affordable and Clean Energy, business, computer

Abstract

Memory check pointing is a pivotal technique in systems reliability, with applications ranging from crash recovery to replay debugging. Unfortunately, many traditional memory check pointing use-cases require high-frequency checkpoints, something for which existing application-level solutions are not well-suited. The problem is that they incur either substantial run-time performance overhead, or poor memory usage guarantees. As a result, their application in practice is hampered. This paper presents Lightweight Memory Check pointing (LMC), a new user-level memory check pointing technique that combines low performance overhead with strong memory usage guarantees for high check pointing frequencies. To this end, LMC relies on compiler-based instrumentation to shadow the entire memory address space of the running program and incrementally checkpoint modified memory bytes in a LMC-maintained shadow state. Our evaluation on popular server applications demonstrates the viability of our approach in practice, confirming that LMC imposes low performance overhead with strictly bounded memory usage at runtime.

Published

2015

36. Speculative Memory Checkpointing

Author

Cristiano Giuffrida, Georgios Portokalidis, Dirk Vogt, Andrew S. Tanenbaum, Herbert Bos, Armando Miraglia, Computer Systems, Systems and Network Security, and Network Institute

Subjects

010302 applied physics, 020203 distributed computing, Computer science, Backtracking, media_common.quotation_subject, Reliability (computer networking), Distributed computing, Working set, Workload, 02 engineering and technology, 01 natural sciences, Memory management, Debugging, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Overhead (computing), SDG 7 - Affordable and Clean Energy, media_common

Abstract

High-frequency memory checkpointing is an important technique in several application domains, such as automatic error recovery (where frequent checkpoints allow the system to transparently mask failures) and application debugging (where frequent checkpoints enable fast and accurate time-traveling support). Unfortunately, existing (typically incremental) checkpointing frameworks incur substantial performance overhead in high-frequency memory checkpointing applications, thus discouraging their adoption in practice.This paper presents Speculative Memory Checkpointing (SMC), a new low-overhead technique for high-frequency memory checkpointing. Our motivating analysis identifies key bottlenecks in existing frameworks and demonstrates that the performance of traditional incremental checkpointing strategies in high-frequency checkpointing scenarios is not optimal. To fill the gap, SMC relies on working set estimation algorithms to eagerly checkpoint the memory pages that belong to the writable working set of the running program and only lazily checkpoint the memory pages that do not. Our experimental results demonstrate that SMC is effective in reducing the performance overhead of prior solutions, is robust to variations in the workload, and incurs modest memory overhead compared to traditional incremental checkpointing.

Published

2015

37. Mutable Checkpoint-Restart: Automating Live Update for Generic Server Programs

Author

Calin Iorgulescu, Cristiano Giuffrida, Andrew S. Tanenbaum, Network Institute, Secure and Liable Computer Systems, and Computer Systems

Subjects

Computer science, business.industry, Distributed computing, Initialization, Data structure, computer.software_genre, Live update, Software, Record-Replay, Garbage collection, Key (cryptography), Operating system, Overhead (computing), DSU, State (computer science), business, computer, TRACE (psycholinguistics)

Abstract

The pressing demand to deploy software updates without stopping running programs has fostered much research on live update systems in the past decades. Prior solutions, however, either make strong assumptions on the nature of the update or require extensive and error-prone manual effort, factors which discourage live update adoption.This paper presents Mutable Checkpoint-Restart (MCR), a new live update solution for generic (multiprocess and multithreaded) server programs written in C. Compared to prior solutions, MCR can support arbitrary software updates and automate most of the common live update operations. The key idea is to allow the new version to restart as similarly to a fresh program initialization as possible, relying on existing code paths to automatically restore the old program threads and reinitialize a relevant portion of the program data structures. To transfer the remaining data structures, MCR relies on a combination of precise and conservative garbage collection techniques to trace all the global pointers and apply the required state transformations on the fly. Experimental results on popular server programs (Apache httpd, nginx, OpenSSH and vsftpd) confirm that our techniques can effectively automate problems previously deemed difficult at the cost of negligible run-time performance overhead (2% on average) and moderate memory overhead (3.9x on average).

Published

2014

38. I Sensed It Was You: Authenticating Mobile Users with Sensor-enhanced Keystroke Dynamics

Author

Kamil Majdanik, Cristiano Giuffrida, Herbert Bos, Mauro Conti, Network Institute, Computer Systems, and Systems and Network Security

Subjects

User information, Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Authentication, Identification (information), Keystroke dynamics, Biometrics, Computer science, Context (language use), Computer security, computer.software_genre, Mobile device, computer

Abstract

Mobile devices have become an important part of our everyday life, harvesting more and more confidential user information. Their portable nature and the great exposure to security attacks, however, call out for stronger authentication mechanisms than simple password-based identification. Biometric authentication techniques have shown potential in this context. Unfortunately, prior approaches are either excessively prone to forgery or have too low accuracy to foster widespread adoption. In this paper, we propose sensor-enhanced keystroke dynamics, a new biometric mechanism to authenticate users typing on mobile devices. The key idea is to characterize the typing behavior of the user via unique sensor features and rely on standard machine learning techniques to perform user authentication. To demonstrate the effectiveness of our approach, we implemented an Android prototype system termed Unagi. Our implementation supports several feature extraction and detection algorithms for evaluation and comparison purposes. Experimental results demonstrate that sensor-enhanced keystroke dynamics can improve the accuracy of recent gestured-based authentication mechanisms (i.e., EER>0.5%) by one order of magnitude, and the accuracy of traditional keystroke dynamics (i.e., EER>7%) by two orders of magnitude.

Published

2014

39. Practical Automated Vulnerability Monitoring Using Program State Invariants

Author

Cristiano Giuffrida, Andrew S. Tanenbaum, Lorenzo Cavallaro, Network Institute, Secure and Liable Computer Systems, and Computer Systems

Subjects

SDG 16 - Peace, Memory errors, Computer science, SDG 16 - Peace, Justice and Strong Institutions, 020207 software engineering, Memory corruption, 02 engineering and technology, Static analysis, Computer security, computer.software_genre, Justice and Strong Institutions, Memory management, SDG 3 - Good Health and Well-being, Vulnerability assessment, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, State (computer science), computer, Vulnerability (computing), Compile time

Abstract

Despite the growing attention to security concerns and advances in code verification tools, many memory errors still escape testing and plague production applications with security vulnerabilities. We present RCORE, an efficient dynamic program monitoring infrastructure to perform automated security vulnerability monitoring. Our approach is to perform extensive static analysis at compile time to automatically index program state invariants (PSIs). At runtime, our novel dynamic analysis continuously inspects the program state and produces a report when PSI violations are found. Our technique retrofits existing applications and is designed for both offline and production runs. To avoid slowing down production applications, we can perform our dynamic analysis on idle cores to detect suspicious behavior in the background. The alerts raised by our analysis are symptoms of memory corruption or other-potentially exploitable-dangerous behavior. Our experimental evaluation confirms that RCORE can report on several classes of vulnerabilities with very low overhead.

Published

2013

40. KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware

Author

Cristiano Giuffrida, Bruno Crispo, Stefano Ortolani, Computer Systems, Secure and Liable Computer Systems, and Network Institute

Subjects

User information, SDG 16 - Peace, Computer science, SDG 16 - Peace, Justice and Strong Institutions, Data harvesting, Computer security, computer.software_genre, Keystroke logging, Justice and Strong Institutions, Cryptovirology, Information sensitivity, Malware, Profiling (information science), Confidentiality, computer

Abstract

Privacy-breaching malware is an ever-growing class of malicious applications that attempt to steal confidential data and leak them to third parties. One of the most prominent activities to acquire private user information is to eavesdrop and harvest user-issued keystrokes. Despite the serious threat involved, keylogging activities are challenging to detect in the general case. From an operating system perspective, their general behavior is no different than that of legitimate applications used to implement common end-user features like custom shortcut handling and keyboard remapping. As a result, existing detection techniques that attempt to model malware behavior based on system or library calls are largely ineffective. To address these concerns, we introduce a novel detection technique based on fine-grained profiling of memory write patterns. The intuition behind our model lies in data harvesting being a good predictor for sensitive information leakage. To demonstrate the viability of our approach, we have designed and implemented KLIMAX: a Kernel-Level Infrastructure for Memory and eXecution profiling. Our system supports proactive and reactive detection and can be transparently deployed online on a running Windows platform. Experimental results with real-world malware confirm the effectiveness of our approach.

Published

2011

41. MINIX 3: Status Report and Current Research

Author

Andrew Tanenbaum, Appuswamy, R., Herbert Bos, Cavallaro, L., Cristiano Giuffrida, Hruby, T., Herder, J. N., Kouwe, E., Moolenbroek, D. C., Computer Systems, Network Institute, Systems and Network Security, High Performance Distributed Computing, and Secure and Liable Computer Systems

Published

2010

42. Bait your Hook: a Novel Detection Technique for Keyloggers

Author

Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo, Computer Systems, Secure and Liable Computer Systems, and Network Institute

Subjects

Black box (phreaking), Class (computer programming), Property (programming), business.industry, Computer science, computer.software_genre, Computer security, Keystroke logging, Software, Mode (computer interface), Embedded system, User space, Malware, business, computer

Abstract

Software keyloggers are a fast growing class of malware often used to harvest confidential information. One of the main reasons for this rapid growth is the possibility for unprivileged programs running in user space to eavesdrop and record all the keystrokes of the users of the system. Such an ability to run in unprivileged mode facilitates their implementation and distribution, but, at the same time, allows to understand and model their behavior in detail. Leveraging this property, we propose a new detection technique that simulates carefully crafted keystroke sequences (the bait) in input and observes the behavior of the keylogger in output to univocally identify it among all the running processes. We have prototyped and evaluated this technique with some of the most common free keyloggers. Experimental results are encouraging and confirm the viability of our approach in practical scenarios.

Published

2010

43. Cupid : Automatic Fuzzer Selection for Collaborative Fuzzing

Author

Philipp Görz, Emre Güler, Andrea Jemmett, Thorsten Holz, Herbert Bos, Elia Geretto, Sebastian Österlund, Cristiano Giuffrida, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Empirical data, Computer science, ensemble fuzzing, 0211 other engineering and technologies, Code coverage, 02 engineering and technology, Machine learning, computer.software_genre, Set (abstract data type), Software, parallel fuzzing, SDG 17 - Partnerships for the Goals, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Selection (genetic algorithm), Complement (set theory), 021110 strategic, defence & security studies, business.industry, automated bug finding, Fuzz testing, fuzzing, Artificial intelligence, collaborative fuzzing, Heuristics, business, computer

Abstract

Combining the strengths of individual fuzzing methods is an appealing idea to find software faults more efficiently, especially when the computing budget is limited. In prior work, EnFuzz introduced the idea of ensemble fuzzing and devised three heuristics to classify properties of fuzzers in terms of diversity. Based on these heuristics, the authors manually picked a combination of different fuzzers that collaborate. In this paper, we generalize this idea by collecting and applying empirical data from single, isolated fuzzer runs to automatically identify a set of fuzzers that complement each other when executed collaboratively. To this end, we present Cupid, a collaborative fuzzing framework allowing automated, data-driven selection of multiple complementary fuzzers for parallelized and distributed fuzzing. We evaluate the automatically selected target-independent combination of fuzzers by Cupid on Google's fuzzer-test-suite, a collection of real-world binaries, as well as on the synthetic Lava-M dataset. We find that Cupid outperforms two expert-guided, target-specific and hand-picked combinations on Google's fuzzer-test-suite in terms of branch coverage, and improves bug finding on Lava-M by 10%. Most importantly, we improve the latency for obtaining 95% and 99% of the coverage by 90% and 64%, respectively. Furthermore, Cupid reduces the amount of CPU hours needed to find a high-performing combination of fuzzers by multiple orders of magnitude compared to an exhaustive evaluation.

44. Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure

Author

Benjamin Kollenda, Erik Bosman, Cristiano Giuffrida, Georgios Portokalidis, Herbert Bos, Enes Goktas, Philipp Koppe, Thorsten Holz, Computer Systems, Network Institute, and Systems and Network Security

Subjects

021110 strategic, defence & security studies, SDG 16 - Peace, Exploit, Payload, Computer science, Code reuse, SDG 16 - Peace, Justice and Strong Institutions, vulnerability, 0211 other engineering and technologies, 02 engineering and technology, security, Computer security, computer.software_genre, Electronic mail, Justice and Strong Institutions, Memory management, 020204 information systems, Secrecy, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), computer, exploitation, Vulnerability (computing)

Abstract

Address-space layout randomization is a wellestablished defense against code-reuse attacks. However, it can be completely bypassed by just-in-time code-reuse attacks that rely on information disclosure of code addresses via memory or side-channel exposure. To address this fundamental weakness, much recent research has focused on detecting and mitigating information disclosure. The assumption being that if we perfect such techniques, we will not only maintain layout secrecy but also stop code reuse. In this paper, we demonstrate that an advanced attacker can mount practical code-reuse attacks even in the complete absence of information disclosure. To this end, we present Position-Independent Code-Reuse Attacks, a new class of codereuse attacks relying on the relative rather than absolute location of code gadgets in memory. By means of memory massaging, the attacker first makes the victim program generate a rudimentary ROP payload (for instance, containing code pointers that target instructions 'close' to relevant gadgets). Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. To establish the practicality of such attacks, we present multiple Position-Independent ROP exploits against real-world software. After showing that we can bypass ASLR in current systems without requiring information disclosures, we evaluate the impact of our technique on other defenses, such as fine-grained ASLR, multi-variant execution, execute-only memory and re-randomization. We conclude by discussing potential mitigations.

45. Practical Context-Sensitive CFI

Author

Ben Gras, Dennis Andriesse, Enes Goktas, Cristiano Giuffrida, Victor van der Veen, Lionel Sambuc, Herbert Bos, Asia Slowinska, Computer Systems, Systems and Network Security, and Network Institute

Subjects

Set (abstract data type), Computer science, Distributed computing, Context (language use), Enhanced Data Rates for GSM Evolution, State (computer science), Context-sensitive CFI, Control-flow integrity, Implementation

Abstract

Current Control-Flow Integrity (CFI) implementations track control edges individually, insensitive to the context of preceding edges. Recent work demonstrates that this leaves sufficient leeway for powerful ROP attacks. Context-sensitive CFI, which can provide enhanced security, is widely considered impractical for real-world adoption. Our work shows that Context-sensitive CFI (CCFI) for both the backward and forward edge can be implemented efficiently on commodity hardware. We present PathArmor, a binary-level CCFI implementation which tracks paths to sensitive program states, and defines the set of valid control edges within the state context to yield higher precision than existing CFI implementations. Even with simple context-sensitive policies, PathArmor yields significantly stronger CFI invariants than context-insensitive CFI, with similar performance.

46. StackArmor: Comprehensive Protection From Stack-based Memory Error Vulnerabilities for Binaries

Author

Asia Slowinska, Herbert Bos, Cristiano Giuffrida, Xi Chen, Dennis Andriesse, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Source code, Memory errors, business.industry, Computer science, Call stack, media_common.quotation_subject, Real-time computing, Spec#, Stack (abstract data type), Embedded system, Overhead (computing), x86, Rewriting, business, computer, media_common, computer.programming_language

Abstract

StackArmor is a comprehensive protection technique for stack-based memory error vulnerabilities in binaries. It relies on binary analysis and rewriting strategies to drastically reduce the uniquely high spatial and temporal memory predictability of traditional call stack organizations. Unlike prior solutions, StackArmor can protect against arbitrary stack-based attacks, requires no access to the source code, and offers a policy-driven protection strategy that allows end users to tune the securityperformance tradeoff according to their needs. We present an implementation of StackArmor for x86 64 Linux and provide a detailed experimental analysis of our prototype on popular server programs and standard benchmarks (SPEC CPU2006). Our results demonstrate that StackArmor offers better security than prior binaryand source-level approaches, at the cost of only modest performance and memory overhead even with full protection.

47. Safe and automatic live update

Author

Cristiano Giuffrida, Tanenbaum, Andrew, Computer Systems, and Network Institute