Your search keyword '"Cristiano Giuffrida"' showing total 36 results

1. Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization

Author

Cristiano Giuffrida, Daniele Cono D'Elia, Leonardo Querzoni, Pietro Borrello, Computer Systems, Network Institute, and Systems and Network Security

Subjects

FOS: Computer and information sciences, data-flow linearization, Computer Science - Cryptography and Security, Computer science, 02 engineering and technology, computer.software_genre, 03 medical and health sciences, Software, Constant (computer programming), 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Transient (computer programming), control-flow linearization, Side channel attack, 030304 developmental biology, 0303 health sciences, Computer Science - Programming Languages, business.industry, compilers, constant-time programming, side channels, 020207 software engineering, D.4.6, Data flow diagram, Embedded system, Compiler, State (computer science), business, Cryptography and Security (cs.CR), computer, Programming Languages (cs.PL)

Abstract

In the era of microarchitectural side channels, vendors scramble to deploy mitigations for transient execution attacks, but leave traditional side-channel attacks against sensitive software (e.g., crypto programs) to be fixed by developers by means of constant-time programming (i.e., absence of secret-dependent code/data patterns). Unfortunately, writing constant-time code by hand is hard, as evidenced by the many flaws discovered in production side channel-resistant code. Prior efforts to automatically transform programs into constant-time equivalents offer limited security or compatibility guarantees, hindering their applicability to real-world software. In this paper, we present Constantine, a compiler-based system to automatically harden programs against microarchitectural side channels. Constantine pursues a radical design point where secret-dependent control and data flows are completely linearized (i.e., all involved code/data accesses are always executed). This strategy provides strong security and compatibility guarantees by construction, but its natural implementation leads to state explosion in real-world programs. To address this challenge, Constantine relies on carefully designed optimizations such as just-in-time loop linearization and aggressive function cloning for fully context-sensitive points-to analysis, which not only address state explosion, but also lead to an efficient and compatible solution. Constantine yields overheads as low as 16% on standard benchmarks and can handle a fully-fledged component from the production wolfSSL library., Proceedings of the ACM Conference on Computer and Communications Security (CCS) 2021. Code and BibTeX entry available at https://github.com/pietroborrello/constantine

Published

2021

2. CrossTalk: Speculative data leaks across cores are real

Author

Cristiano Giuffrida, Alyssa Milburn, Hany Ragab, Herbert Bos, Kaveh Razavi, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Multi-core processor, SDG 16 - Peace, Computer science, business.industry, SDG 16 - Peace, Justice and Strong Institutions, Side channels, Cryptography, Justice and Strong Institutions, Microarchitecture, Crosstalk, Embedded system, x86, business, CPUID, Transient execution attacks

Abstract

Recent transient execution attacks have demonstrated that attackers may leak sensitive information across security boundaries on a shared CPU core. Up until now, it seemed possible to prevent this by isolating potential victims and attackers on separate cores. In this paper, we show that the situation is more serious, as transient execution attacks can leak data across different cores on many modern Intel CPUs.We do so by investigating the behavior of x86 instructions, and in particular, we focus on complex microcoded instructions which perform offcore requests. Combined with transient execution vulnerabilities such as Micro-architectural Data Sampling (MDS), these operations can reveal internal CPU state. Using performance counters, we build a profiler, CrossTalk, to examine the number and nature of such operations for many x86 instructions, and find that some instructions read data from a staging buffer which is shared between all CPU cores.To demonstrate the security impact of this behavior, we present the first cross-core attack using transient execution, showing that even the seemingly-innocuous CPUID instruction can be used by attackers to sample the entire staging buffer containing sensitive data – most importantly, output from the hardware random number generator (RNG) – across cores. We show that this can be exploited in practice to attack SGX enclaves running on a completely different core, where an attacker can control leakage using practical performance degradation attacks, and demonstrate that we can successfully determine enclave private keys. Since existing mitigations which rely on spatial or temporal partitioning are largely ineffective to prevent our proposed attack, we also discuss potential new mitigation techniques.

Published

2021

3. FIRestarter: Practical Software Crash Recovery with Targeted Library-level Fault Injection

Author

Herbert Bos, Koustubha Bhat, Cristiano Giuffrida, Erik van der Kouwe, Computer Science, Network Institute, Computer Systems, and Systems and Network Security

Subjects

business.industry, Computer science, Survivability, Transactional memory, Crash Recovery, Crash, Persistent Fault Recovery, Fault injection, computer.software_genre, Reliability, Software, Recoverability, SDG 3 - Good Health and Well-being, Operating system, Persistent Faults, Software transactional memory, Transient (computer programming), Transactional Memory, Instrumentation (computer programming), business, computer, Adaptive Transactions, Rollback

Abstract

Despite advances in software testing, many bugs still plague deployed software, leading to crashes and thus service disruption in high-availability production applications. Existing crash recovery solutions are either limited to transient faults or require manual annotations to target predetermined persistent bugs. Moreover, existing solutions are generally inefficient, hindering practical deployment.In this paper, we present FIRestarter (Fault Injection-based Restarter), an efficient and automatic crash recovery solution for commodity user applications. To eliminate the need for manual annotations, FIRestarter injects targeted software faults at the library interface to automatically trigger error handling code for standard library calls already part of the application. In particular, when a crash occurs, we roll back the application state before the last recoverable library call, inject a fault, and restart execution forcing the call to immediately return a predetermined error code. This strategy allows the application to automatically bypass the crashing code upon such a restart and exploits existing error-handling code to recover from even persistent bugs. Moreover, since library calls lie pervasively throughout the code, our design provides a large recovery surface despite the automated approach. Finally, FIRestarter's recovery windows are small and frequent compared to traditional checkpoint-restart, which enables new optimizations such as the ability to support rollback by means of hybrid hardware/software transactional memory instrumentation and improve performance. We apply FIRestarter to a number of event-driven server applications and show our solution achieves near-instantaneous, state-preserving crash recovery in the face of even persistent crashes. On popular web servers, our evaluation results show a recovery surface of at least 77%, with low performance overhead of at most 17%.

Published

2021

4. Who's Debugging the Debuggers? Exposing Debug Information Bugs in Optimized Binaries

Author

Davide Italiano, Leonardo Querzoni, Cristiano Giuffrida, Giuseppe Antonio Di Luna, Sebastian Österlund, Luca Massarelli, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Computer science, media_common.quotation_subject, 02 engineering and technology, computer.software_genre, Toolchain, Consistency (database systems), Software, SDG 3 - Good Health and Well-being, Software_SOFTWAREENGINEERING, 020204 information systems, Debug Information, Optimized Binaries, Verification, 0202 electrical engineering, electronic engineering, information engineering, Argument of a function, computer.programming_language, Debugger, media_common, Programming language, business.industry, 020207 software engineering, Debugging, Compiler, business, computer, Rust (programming language)

Abstract

Despite the advancements in software testing, bugs still plague deployed software and result in crashes in production. When debugging issues-sometimes caused by "heisenbugs"-there is the need to interpret core dumps and reproduce the issue offline on the same binary deployed. This requires the entire toolchain (compiler, linker, debugger) to correctly generate and use debug information. Little attention has been devoted to checking that such information is correctly preserved by modern toolchains' optimization stages. This is particularly important as managing debug information in optimized production binaries is non-trivial, often leading to toolchain bugs that may hinder post-deployment debugging efforts. In this paper, we present Debug2, a framework to find debug information bugs in modern toolchains. Our framework feeds random source programs to the target toolchain and surgically compares the debugging behavior of their optimized/unoptimized binary variants. Such differential analysis allows Debug2 to check invariants at each debugging step and detect bugs from invariant violations. Our invariants are based on the (in)consistency of common debug entities, such as source lines, stack frames, and function arguments. We show that, while simple, this strategy yields powerful cross-toolchain and cross-language invariants, which can pinpoint several bugs in modern toolchains. We have used Debug2 to find 23 bugs in the LLVM toolchain (clang/lldb), 8 bugs in the GNU toolchain (GCC/gdb), and 3 in the Rust toolchain (rustc/lldb)-with 14 bugs already fixed by the developers.

Published

2021

5. CollabFuzz - A Framework for Collaborative Fuzzing

Author

Herbert Bos, Cristiano Giuffrida, Sebastian Österlund, Elia Geretto, Emre Güler, Thorsten Holz, Andrea Jemmett, Philipp Görz, Computer Systems, Network Institute, and Systems and Network Security

Subjects

0303 health sciences, automated bug finding, ensemble fuzzing, business.industry, Computer science, Control (management), 020207 software engineering, 02 engineering and technology, Fuzz testing, fuzzing, Scheduling (computing), Test (assessment), 03 medical and health sciences, parallel fuzzing, SDG 17 - Partnerships for the Goals, Test case, Work (electrical), 0202 electrical engineering, electronic engineering, information engineering, Orchestration (computing), collaborative fuzzing, Software engineering, business, 030304 developmental biology

Abstract

In the recent past, there has been lots of work on improving fuzz testing. In prior work, EnFuzz showed that by sharing progress among different fuzzers, they can perform better than the sum of their parts. In this paper, we continue this line of work and present CollabFuzz, a collaborative fuzzing framework allowing multiple different fuzzers to collaborate under an informed scheduling policy based on a number of central analyses. More specifically, CollabFuzz is a generic framework that allows a user to express different test case scheduling policies, such as the collaborative approach presented by EnFuzz. CollabFuzz can control which tests cases are handed out to what fuzzer and allows the orchestration of different fuzzers across the network. Furthermore, it allows the centralized analysis of the test cases generated by the various fuzzers under its control, allowing to implement scheduling policies based on the results of arbitrary program (e.g., data-flow) analysis.

Published

2021

6. NetCAT: Practical cache attacks from the network

Author

Kaveh Razavi, Cristiano Giuffrida, Michael Kurth, Herbert Bos, Dennis Andriesse, Ben Gras, Systems and Network Security, Network Institute, Computer Systems, and Computer Science

Subjects

010302 applied physics, Random access memory, SDG 16 - Peace, Computer science, business.industry, SDG 16 - Peace, Justice and Strong Institutions, 02 engineering and technology, 01 natural sciences, Justice and Strong Institutions, Microarchitecture, Network interface controller, Server, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Central processing unit, Cache, business, Direct memory access, Computer network

Abstract

Increased peripheral performance is causing strain on the memory subsystem of modern processors. For example, available DRAM throughput can no longer sustain the traffic of a modern network card. Scrambling to deliver the promised performance, instead of transferring peripheral data to and from DRAM, modern Intel processors perform I/O operations directly on the Last Level Cache (LLC). While Direct Cache Access (DCA) instead of Direct Memory Access (DMA) is a sensible performance optimization, it is unfortunately implemented without care for security, as the LLC is now shared between the CPU and all the attached devices, including the network card.In this paper, we reverse engineer the behavior of DCA, widely referred to as Data-Direct I/O (DDIO), on recent Intel processors and present its first security analysis. Based on our analysis, we present NetCAT, the first Network-based PRIME+PROBE Cache Attack on the processor's LLC of a remote machine. We show that NetCAT not only enables attacks in cooperative settings where an attacker can build a covert channel between a network client and a sandboxed server process (without network), but more worryingly, in general adversarial settings. In such settings, NetCAT can enable disclosure of network timing-based sensitive information. As an example, we show a keystroke timing attack on a victim SSH connection belonging to another client on the target server. Our results should caution processor vendors against unsupervised sharing of (additional) microarchitectural components with peripherals exposed to malicious input.

Published

2020

7. ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures

Author

Cristiano Giuffrida, Michael Kurth, Ben Gras, Kaveh Razavi, and Herbert Bos

Subjects

business.industry, Computer science, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, 020206 networking & telecommunications, 020201 artificial intelligence & image processing, 02 engineering and technology, Side channel attack, business, Commodity (Marxism)

Published

2020

8. VPS: Excavating high-level C++ constructs from low-level binaries to protect dynamic dispatching

Author

Dennis Andriesse, Thorsten Holz, Andre Pawlowski, Herbert Bos, Cristiano Giuffrida, Erik van der Kouwe, Victor van der Veen, Computer Systems, Network Institute, and Systems and Network Security

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Computer science, 0211 other engineering and technologies, Binary number, Spec#, 02 engineering and technology, computer.software_genre, Binary Analysis, Function pointer, Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, False positive paradox, Virtual function, computer.programming_language, 021110 strategic, defence & security studies, business.industry, Attack surface, Pointer (computer programming), Operating system, CFI, business, computer, Cryptography and Security (cs.CR)

Abstract

Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack and in practice, vtable hijacking is one of the most important attack vector for C++ binaries. In this paper, we present VTable Pointer Separation (VPS), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, VPS achieves a more accurate protection by restricting virtual callsites to validly created objects. More specifically, VPS ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, VPS explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of VPS on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8% of all virtual callsites in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ benchmarks), with a moderate performance overhead of 11% and 9% geomean, respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC., Comment: Published in Annual Computer Security Applications Conference (ACSAC'19)

Published

2019

9. RIDL: Rogue In-Flight Data Load

Author

Alyssa Milburn, Kaveh Razavi, Sebastian Österlund, Pietro Frigo, Stephan van Schaik, Herbert Bos, Giorgi Maisuradze, Cristiano Giuffrida, Systems and Network Security, Network Institute, and Computer Systems

Subjects

Speculative-execution-attacks, SDG 16 - Peace, Out-of-order execution, Exploit, Page fault, Network security, business.industry, Computer science, SDG 16 - Peace, Justice and Strong Institutions, Speculative execution, 02 engineering and technology, Side-channels, Computer security, computer.software_genre, Data structure, Justice and Strong Institutions, 020202 computer hardware & architecture, Virtual machine, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Central processing unit, business, computer

Abstract

We present Rogue In-flight Data Load (RIDL), a new class of speculative unprivileged and constrained attacks to leak arbitrary data across address spaces and privilege boundaries (e.g., process, kernel, SGX, and even CPU-internal operations). Our reverse engineering efforts show such vulnerabilities originate from a variety of micro-optimizations pervasive in commodity (Intel) processors, which cause the CPU to speculatively serve loads using extraneous CPU-internal in-flight data (e.g., in the line fill buffers). Contrary to other state-of-the-art speculative execution attacks, such as Spectre, Meltdown and Foreshadow, RIDL can leak this arbitrary in-flight data with no assumptions on the state of the caches or translation data structures controlled by privileged software. The implications are worrisome. First, RIDL attacks can be implemented even from linear execution with no invalid page faults, eliminating the need for exception suppression mechanisms and enabling system-wide attacks from arbitrary unprivileged code (including JavaScript in the browser). To exemplify such attacks, we build a number of practical exploits that leak sensitive information from victim processes, virtual machines, kernel, SGX and CPU-internal components. Second, and perhaps more importantly, RIDL bypasses all existing 'spot' mitigations in software (e.g., KPTI, PTE inversion) and hardware (e.g., speculative store bypass disable) and cannot easily be mitigated even by more heavyweight defenses (e.g., L1D flushing or disabling SMT). RIDL questions the sustainability of a per-variant, spot mitigation strategy and suggests more fundamental mitigations are needed to contain ever-emerging speculative execution attacks.

Published

2019

10. Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks

Author

Kaveh Razavi, Lucian Cojocar, Herbert Bos, Cristiano Giuffrida, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Exploit, Computer science, Reliability (computer networking), 02 engineering and technology, 01 natural sciences, law.invention, ECC memory, Hardware, law, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Ecc, SDG 7 - Affordable and Clean Energy, Side channel attack, Hardware_ARITHMETICANDLOGICSTRUCTURES, Rowhammer, 010302 applied physics, Random access memory, Hardware_MEMORYSTRUCTURES, business.industry, Cold boot attack, Attack surface, 020202 computer hardware & architecture, Embedded system, Security, Key (cryptography), business

Abstract

Given the increasing impact of Rowhammer, and the dearth of adequate other hardware defenses, many in the security community have pinned their hopes on error-correcting code (ECC) memory as one of the few practical defenses against Rowhammer attacks. Specifically, the expectation is that the ECC algorithm will correct or detect any bits they manage to flip in memory in real-world settings. However, the extent to which ECC really protects against Rowhammer is an open research question, due to two key challenges. First, the details of the ECC implementations in commodity systems are not known. Second, existing Rowhammer exploitation techniques cannot yield reliable attacks in presence of ECC memory. In this paper, we address both challenges and provide concrete evidence of the susceptibility of ECC memory to Rowhammer attacks. To address the first challenge, we describe a novel approach that combines a custom-made hardware probe, Rowhammer bit flips, and a cold boot attack to reverse engineer ECC functions on commodity AMD and Intel processors. To address the second challenge, we present ECCploit, a new Rowhammer attack based on composable, data-controlled bit flips and a novel side channel in the ECC memory controller. We show that, while ECC memory does reduce the attack surface for Rowhammer, ECCploit still allows an attacker to mount reliable Rowhammer attacks against vulnerable ECC memory on a variety of systems and configurations. In addition, we show that, despite the non-trivial constraints imposed by ECC, ECCploit can still be powerful in practice and mimic the behavior of prior Rowhammer exploits.

Published

2019

11. On the effectiveness of code normalization for function identification

Author

Herbert Bos, Angelos Oikonomopoulos, Remco Vermeulen, Cristiano Giuffrida, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Normalization (statistics), Reverse engineering, Source code, Computer science, media_common.quotation_subject, 02 engineering and technology, computer.software_genre, Machine learning, Transfer function, 0202 electrical engineering, electronic engineering, information engineering, Binary rejuvenation, media_common, business.industry, 020207 software engineering, computer.file_format, Binary analysis, Problem domain, Task analysis, Malware, 020201 artificial intelligence & image processing, Artificial intelligence, Executable, business, computer, Program equivalence

Abstract

Information on the identity of functions is typically removed when translating source code to executable form. Yet being able to recognize specific functions opens up a number of applications. In this paper, we investigate normalization-based approaches for the purposes of aiding the reverse engineer and as an enabler for the rejuvenation of legacy binaries. We iteratively refine our methods and report on their effectiveness. Our results show that a naive approach can be surprisingly effective in both problem domains. Further, our evaluation looks into more advanced normalization techniques and finds that their practicality varies significantly with the problem domain.

Published

2019

12. Towards Automated Vulnerability Scanning of Network Servers

Author

Nathan Schagen, Herbert Bos, Cristiano Giuffrida, Koen Koning, Computer Systems, Network Institute, and Systems and Network Security

Subjects

021110 strategic, defence & security studies, SDG 16 - Peace, Process (engineering), business.industry, Network security, Computer science, Property (programming), Distributed computing, SDG 16 - Peace, Justice and Strong Institutions, 0211 other engineering and technologies, 020207 software engineering, 02 engineering and technology, Fuzz testing, Justice and Strong Institutions, Vulnerability fingerprinting, Software, Discriminative model, Server, 0202 electrical engineering, electronic engineering, information engineering, Internet-wide scanning, Heartbleed, business

Abstract

We explore a new technique for safe patch fingerprinting to automate vulnerability scanning of network servers. Our technique helps automate the discovery of inputs that safely discriminate vulnerable from patched servers for the latest vulnerabilities. This enables rapid updates to vulnerability scanning tools as new software vulnerabilities are discovered, allowing administrators to scan and secure their networks more quickly. To ensure such scans are safe and ethical, we need to reject inputs with malicious side effects. We have implemented a framework, based on delta execution, which tests the discriminative property of such inputs, as well as their safety. We use a fuzzer to find promising candidate inputs to further automate the process. To illustrate the potential of this approach, we present a Heartbleed case study.

Published

2018

13. Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU

Author

Herbert Bos, Cristiano Giuffrida, Kaveh Razavi, Pietro Frigo, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Mobile processor, Mobile security, Computer science, Microarchitectural attacks, 02 engineering and technology, 01 natural sciences, Rendering (computer graphics), 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Side channel attack, SDG 7 - Affordable and Clean Energy, Integrated GPUs, Shader, Rowhammer, 010302 applied physics, business.industry, Cache-only memory architecture, Side channels, Browser security, 020202 computer hardware & architecture, Microarchitecture, Embedded system, ARM, business

Abstract

Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs, already widely employed to accelerate a variety of benign applications such as image rendering, can also be used to 'accelerate' microarchitectural attacks (i.e., making them more effective) on commodity platforms. In particular, we show that an attacker can build all the necessary primitives for performing effective GPU-based microarchitectural attacks and that these primitives are all exposed to the web through standardized browser extensions, allowing side-channel and Rowhammer attacks from JavaScript. These attacks bypass state-of-the-art mitigations and advance existing CPU-based attacks: we show the first end-to-end microarchitectural compromise of a browser running on a mobile phone in under two minutes by orchestrating our GPU primitives. While powerful, these GPU primitives are not easy to implement due to undocumented hardware features. We describe novel reverse engineering techniques for peeking into the previously unknown cache architecture and replacement policy of the Adreno 330, an integrated GPU found in many common mobile platforms. This information is necessary when building shader programs implementing our GPU primitives. We conclude by discussing mitigations against GPU-enabled attackers.

Published

2018

14. RevAnC: A framework for reverse engineering hardware page table caches

Author

Herbert Bos, Kaveh Razavi, Cristiano Giuffrida, Ben Gras, Stephan van Schaik, Computer Systems, Network Institute, and Systems and Network Security

Subjects

010302 applied physics, 0301 basic medicine, Reverse engineering, Speedup, Hardware_MEMORYSTRUCTURES, business.industry, Computer science, Interface (computing), Process (computing), computer.software_genre, 01 natural sciences, 03 medical and health sciences, 030104 developmental biology, Memory management unit, 0103 physical sciences, Operating system, SDG 7 - Affordable and Clean Energy, Page attribute table, business, Page table, computer, Computer hardware, Cache coherence

Abstract

Recent hardware-based attacks that compromise systems with Rowhammer or bypass address-space layout random- ization rely on how the processor's memory management unit (MMU) interacts with page tables. These attacks often need to reload page tables repeatedly in order to observe changes in the target system's behavior. To speed up the MMU's page table lookups, modern processors make use of multiple levels of caches such as translation lookaside buffers (TLBs), special-purpose page table caches and even general data caches. A successful attack needs to ush these caches reliably before accessing page tables. To ush these caches from an unprivileged process, the attacker needs to create specialized memory access patterns based on the internal architecture and size of these caches as well as how they in- teract with each other. While information about TLBs and data caches are often reported in processor manuals released by the vendors, there is typically little or no information about the properties of page table caches on different pro- cessors. In this paper, we describe RevAnC, an open-source framework for reverse engineering internal architecture, size and the behavior these page table caches by retrofitting a recently proposed EVICT+TIME attack on the MMU. RevAnC can automatically reverse engineer page table caches on new architectures while providing a convenient interface for ush- ing these caches on 23 different microarchitectures that we evaluated from Intel, ARM and AMD.

Published

2017

15. No Need to Hide

Author

Cristiano Giuffrida, Koen Koning, Elias Athanasopoulos, Herbert Bos, Xi Chen, Computer Systems, Network Institute, and Systems and Network Security

Subjects

0301 basic medicine, Address space, Computer science, Commodity hardware, business.industry, Probabilistic logic, Information hiding, 020206 networking & telecommunications, Intel MPX, 02 engineering and technology, Computer security, computer.software_genre, Isolation, 03 medical and health sciences, 030104 developmental biology, Software, Bounds checking, 0202 electrical engineering, electronic engineering, information engineering, x86, Hardware features, Software fault isolation, business, computer

Abstract

As modern 64-bit x86 processors no longer support the segmentation capabilities of their 32-bit predecessors, most research projects assume that strong in-process memory isolation is no longer an affordable option. Instead of strong, deterministic isolation, new defense systems therefore rely on the probabilistic pseudo-isolation provided by randomization to "hide" sensitive (or safe) regions. However, recent attacks have shown that such protection is insufficient; attackers can leak these safe regions in a variety of ways. In this paper, we revisit isolation for x86-64 and argue that hardware features enabling efficient deterministic isolation do exist. We first present a comprehensive study on commodity hardware features that can be repurposed to isolate safe regions in the same address space (e.g., Intel MPX and MPK).We then introduce MemSentry, a framework to harden modern defense systems with commodity hardware features instead of information hiding. Our results show that some hardware features are more effective than others in hardening such defenses in each scenario and that features originally conceived for other purposes (e.g., Intel MPX for bounds checking) are surprisingly efficient at isolating safe regions compared to their software equivalent (i.e., SFI).

Published

2017

16. DangSan - Scalable Use-after-free Detection

Author

Cristiano Giuffrida, Erik van der Kouwe, Vinod Nigade, Computer Systems, Network Institute, and Systems and Network Security

Subjects

010302 applied physics, Dangling pointers, business.industry, Computer science, Hazard pointer, Distributed computing, Use-after-free, 020207 software engineering, Smart pointer, 02 engineering and technology, Parallel computing, 01 natural sciences, Software, Dangling pointer, LLVM, Pointer (computer programming), Escape analysis, 0103 physical sciences, Scalability, 0202 electrical engineering, electronic engineering, information engineering, Information system, business

Abstract

Use-after-free vulnerabilities due to dangling pointers are an important and growing threat to systems security. While various solutions exist to address this problem, none of them is sufficiently practical for real-world adoption. Some can be bypassed by attackers, others cannot support complex multithreaded applications prone to dangling pointers, and the remainder have prohibitively high overhead. One major source of overhead is the need to synchronize threads on every pointer write due to pointer tracking. In this paper, we present DangSan, a use-after-free detection system that scales efficiently to large numbers of pointer writes as well as to many concurrent threads. To significantly reduce the overhead of existing solutions, we observe that pointer tracking is write-intensive but requires very few reads. Moreover, there is no need for strong consistency guarantees as inconsistencies can be reconciled at read (i.e., object deallocation) time. Building on these intuitions, DangSan's design mimics that of log-structured file systems, which are ideally suited for similar workloads. Our results show that DangSan can run heavily multithreaded applications, while introducing only half the overhead of previous multithreaded use-after-free detectors.

Published

2017

17. Fast and Generic Metadata Management with Mid-Fat Pointers

Author

Koen Koning, Taddeus Kroes, Herbert Bos, Cristiano Giuffrida, Erik van der Kouwe, Computer Systems, Network Institute, and Systems and Network Security

Subjects

0301 basic medicine, Tagged pointer, Database, Computer science, business.industry, Distributed computing, 020207 software engineering, 02 engineering and technology, Static analysis, computer.software_genre, Metadata, 03 medical and health sciences, 030104 developmental biology, Software, restrict, Pointer (computer programming), Metadata management, 0202 electrical engineering, electronic engineering, information engineering, business, computer, Access time

Abstract

Object metadata management schemes are a fundamental building block in many modern defenses and significantly affect the overall run-time overhead of a software hardening solution. To support fast metadata lookup, many metadata management schemes embed metadata tags directly inside pointers. However, existing schemes using such tagged pointers either provide poor compatibility or restrict the generality of the solution.In this paper, we propose mid-fat pointers to implement fast and generic metadata management while retaining most of the compatibility benefits of existing schemes. The key idea is to use spare bits in a regular 64-bit pointer to encode arbitrary metadata and piggyback on software fault isolation (SFI) already employed by many modern defenses to efficiently decode regular pointers at memory access time. Our experimental results demonstrate that we cut overhead in half compared to a defense running on top of SFI, more than compensating for SFI overhead. Moreover, we demonstrate good compatibility, which may be further improved by static analysis.

Published

2017

18. Secure Hardware-Software Architectures for Robust Computing Systems - SHARCS

Author

Vassilis Prevelakis, Ioannis Sourdis, Dmitry Pidan, Sotiris Ioannidis, Cristiano Giuffrida, C. Strydis, John Thomson, and Martin Böhner

Subjects

business.industry, Computer science, Embedded system, business, Computing systems, Hardware software

Published

2017

19. A NEaT Design for reliable and scalable network stacks

Author

Tomas Hruby, Herbert Bos, Cristiano Giuffrida, Lionel Sambuc, Andrew S. Tanenbaum, Computer Systems, Systems and Network Security, and Network Institute

Subjects

010302 applied physics, business.industry, Computer science, Distributed computing, Reliability (computer networking), False sharing, 020206 networking & telecommunications, 02 engineering and technology, 01 natural sciences, Protocol stack, Embedded system, 0103 physical sciences, Synchronization (computer science), Scalability, 0202 electrical engineering, electronic engineering, information engineering, Dependability, Isolation (database systems), Microkernel, SDG 7 - Affordable and Clean Energy, business

Abstract

Operating systems provide a wide range of services, which are crucial for the increasingly high reliability and scalability demands of modern applications. Providing both reliability and scalability at the same time is hard. Commodity OS architectures simply lack the design abstractions to do so for demanding core OS services such as the network stack. For reliability and scalability guarantees, they rely almost exclusively on ensuring a high-quality implementation, rather than a reliable and scalable design. This results in complex error recovery paths and hard-to-maintain synchronization code. We demonstrate that a simple and structured design that strictly adheres to two principles, isolation and par- titioning, can yield reliable and scalable network stacks. We present NEaT, a system which partitions the stack across isolated process replicas handling independent requests. Our design principles intelligently partition the state to minimize the impact of failures (offering strong recovery guarantees) and to scale comparably to Linux without exposing the implementation to common pitfalls such as synchronization errors, poor locality, and false sharing.

Published

2016

20. VTPin

Author

Cristiano Giuffrida, Elias Athanasopoulos, Pawel Sarbinowski, Vasileios P. Kemerlis, Computer Systems, Systems and Network Security, and Network Institute

Subjects

0301 basic medicine, SDG 16 - Peace, Exploit, Computer science, Overhead (engineering), 02 engineering and technology, computer.software_genre, Computer security, 03 medical and health sciences, Software, VTable protection, 0202 electrical engineering, electronic engineering, information engineering, Control-flow hijacking, business.industry, SDG 16 - Peace, Justice and Strong Institutions, Process (computing), Use-after-free, 020207 software engineering, Object (computer science), Justice and Strong Institutions, Allocator, 030104 developmental biology, Dangling pointer, Pointer (computer programming), Operating system, business, computer

Abstract

VTable hijacking has lately been promoted to the de facto technique for exploiting C++ applications, and in particular web browsers. VTables, however, can be manipulated without necessarily corrupting memory, simply by leveraging use-after-free bugs. In fact, in the recent Pwn2Own competitions all major web browsers were compromised with exploits that employed (among others) use-afterfree vulnerabilities and VTable hijacking. In this paper, we propose VTPin: a system to protect against VTable hijacking, via use-after-free vulnerabilities, in large C++ binaries that cannot be re-compiled or re-written. The main idea behind VTPin is to pin all the freed VTable pointers on a safe VTable under VTPin's control. Specifically, for every object deallocation, VTPin deallocates all space allocated, but preserves and updates the VTable pointer with the address of the safe VTable. Hence, any dereferenced dangling pointer can only invoke a method provided by VTPin's safe object. Subsequently, all virtual-method calls due to dangling pointers are not simply neutralized, but they can be logged, tracked, and patched. Compared to other solutions that defend against VTable hijacking, VTPin exhibits certain characteristics that make it suitable for practical and instant deployment in production software. First, VTPin protects binaries, directly and transparently, without requiring source compilation or binary rewriting. Second, VTPin is not an allocator replacement, and thus it does not interfere with the allocation strategies and policies of the protected program; it intervenes in the deallocation process only when a virtual object is to be freed for preserving the VTable pointer. Third, VTPin is fast; Mozilla Firefox, protected with VTPin, experiences an average overhead of 1%-4.1% when running popular browser benchmarks.

Published

2016

21. A Tough Call

Author

Thorsten Holz, Sanjay Rawat, Andre Pawoloski, Xi Chen, Moritz Contag, Victor van der Veen, Cristiano Giuffrida, Elias Athanasopoulos, Enes Goktas, Herbert Bos, Computer Systems, Network Institute, and Systems and Network Security

Subjects

021110 strategic, defence & security studies, Object-oriented programming, Source code, Exploit, Computer science, business.industry, media_common.quotation_subject, Liveness, Code reuse, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, Software, Control flow, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), classarmor, Enhanced Data Rates for GSM Evolution, business, computer, media_common

Abstract

Current binary-level Control-Flow Integrity (CFI) techniques are weak in determining the set of valid targets for indirect control flow transfers on the forward edge. In particular, the lack of source code forces existing techniques to resort to a conservative address-taken policy that overapproximates this set. In contrast, source-level solutions can accurately infer the targets of indirect calls and thus detect malicious control-flow transfers more precisely. Given that source code is not always available, however, offering similar quality of protection at the binary level is important, but, unquestionably, more challenging than ever: recent work demonstrates powerful attacks such as Counterfeit Object-oriented Programming (COOP), which made the community believe that protecting software against control-flow diversion attacks at the binary level is rather impossible. In this paper, we propose binary-level analysis techniques to significantly reduce the number of possible targets for indirect branches. More specifically, we reconstruct a conservative approximation of target function prototypes by means of use-def analysis at possible callees. We then couple this with liveness analysis at each indirect callsite to derive a many-to-many relationship between callsites and target callees with a much higher precision compared to prior binary-level solutions. Experimental results on popular server programs and on SPEC CPU2006 show that TypeArmor, a prototype implementation of our approach, is efficient - with a runtime overhead of less than 3%. Furthermore, we evaluate to what extent TypeArmor can mitigate COOP and other advanced attacks and show that our approach can significantly reduce the number of targets on the forward edge. Moreover, we show that TypeArmor breaks published COOP exploits, providing concrete evidence that strict binary-level CFI can still mitigate advanced attacks, despite the absence of source information or C++ semantics.

Published

2016

22. Binary Rejuvenation: Applications and Challenges

Author

Herbert Bos, Cristiano Giuffrida, Sanjay Rawat, Angelos Oikonomopoulos, Computer Systems, Systems and Network Security, and Network Institute

Subjects

Source code, Computer Networks and Communications, Computer science, media_common.quotation_subject, Binary number, 0102 computer and information sciences, computer.software_genre, 01 natural sciences, 03 medical and health sciences, 0302 clinical medicine, Software, Electrical and Electronic Engineering, Equivalence (formal languages), Rejuvenation, media_common, Programming language, business.industry, 010201 computation theory & mathematics, 030220 oncology & carcinogenesis, Rewriting, business, SDG 4 - Quality Education, Law, computer

Abstract

Software engineers have long performed source code rejuvenation, or rewriting of obsolete or outdated programming idioms to modern counterparts. Inspired by this practice, the authors propose binary rejuvenation by updating selected binary files.

Published

2016

23. Finding fault with fault injection: an empirical exploration of distortion in fault injection experiments

Author

Andrew S. Tanenbaum, Cristiano Giuffrida, Erik van der Kouwe, Computer Systems, Network Institute, Systems and Network Security, and Secure and Liable Computer Systems

Subjects

Engineering, business.industry, Reliability (computer networking), 020206 networking & telecommunications, 020207 software engineering, 02 engineering and technology, Fault injection, Hardware_PERFORMANCEANDRELIABILITY, Fault (power engineering), Reliability engineering, Fault indicator, Stuck-at fault, Software fault tolerance, Fault coverage, 0202 electrical engineering, electronic engineering, information engineering, Fault model, Safety, Risk, Reliability and Quality, business, Software

Abstract

It has become well established that software will never become bug free, which has spurred research in mechanisms to contain faults and recover from them. Since such mechanisms deal with faults, fault injection is necessary to evaluate their effectiveness. However, little thought has been put into the question whether fault injection experiments faithfully represent the fault model designed by the user. Correspondence with the fault model is crucial to be able to draw strong and general conclusions from experimental results. The aim of this paper is twofold: to make a case for carefully evaluating whether activated faults match the fault model and to gain a better understanding of which parameters affect the deviation of the activated faults from the fault model. To achieve the latter, we instrumented a number of programs with our LLVM-based fault injection framework. We investigated the biases introduced by limited coverage, parts of the program executed more often than others and the nature of the workload. We evaluated the key factors that cause activated faults to deviate from the model and from these results provide recommendations on how to reduce such deviations.

Published

2016

24. Automating Live Update for Generic Server Programs

Author

Andrew S. Tanenbaum, Cristiano Giuffrida, Clin Iorgulescu, Giordano Tamburrelli, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Computer science, Distributed computing, 02 engineering and technology, Thread (computing), computer.software_genre, Live update, Software, Quiescence detection, Record-Replay, Server, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), DSU, TRACE (psycholinguistics), 020203 distributed computing, business.industry, Checkpoint-Restart, 020207 software engineering, Data structure, Pointer (computer programming), Garbage collection, Operating system, State (computer science), business, computer

Abstract

The pressing demand to deploy software updates without stopping running programs has fostered much research on live update systems in the past decades. Prior solutions, however, either make strong assumptions on the nature of the update or require extensive and error-prone manual effort, factors which discourage the adoption of live update. This paper presents Mutable Checkpoint-Restart ( MCR ), a new live update solution for generic (multiprocess and multithreaded) server programs written in C. Compared to prior solutions, MCR can support arbitrary software updates and automate most of the common live update operations. The key idea is to allow the running version to safely reach a quiescent state and then allow the new version to restart as similarly to a fresh program initialization as possible, relying on existing code paths to automatically restore the old program threads and reinitialize a relevant portion of the program data structures. To transfer the remaining data structures, MCR relies on a combination of precise and conservative garbage collection techniques to trace all the global pointers and apply the required state transformations on the fly. Experimental results on popular server programs ( Apache httpd , nginx , OpenSSH and vsftpd ) confirm that our techniques can effectively automate problems previously deemed difficult at the cost of negligible performance overhead (2 percent on average) and moderate memory overhead (3.9 $\times$ on average, without optimizations).

Published

2016

25. OSIRIS: Efficient and Consistent Recovery of Compartmentalized Operating Systems

Author

Koustubha Bhat, Dirk Vogt, Ben Gras, Cristiano Giuffrida, Erik van der Kouwe, Lionel Sambuc, Herbert Bos, Andrew S. Tanenbaum, Computer Systems, Network Institute, and Systems and Network Security

Subjects

020203 distributed computing, business.industry, Computer science, Reliability (computer networking), Distributed computing, Fault tolerance, 020206 networking & telecommunications, Crash, 02 engineering and technology, Modular design, Static analysis, computer.software_genre, Reliability, Crash recovery, Software bug, Overhead (business), Embedded system, 0202 electrical engineering, electronic engineering, information engineering, Operating system, State (computer science), business, computer, Operating systems

Abstract

Much research has gone into making operating systems more amenable to recovery and more resilient to crashes. Traditional solutions rely on partitioning the operating system (OS) to contain the effects of crashes within compartments and facilitate modular recovery. However, state dependencies among the compartments hinder recovery that is globally consistent. Such recovery typically requires expensive runtime dependency tracking which results in high performance overhead, highcomplexity and a large Reliable Computing Base (RCB). We propose a lightweight strategy that limits recovery to cases where we can statically and conservatively prove that compartment recovery leads to a globally consistent state - trading recoverable surface for a simpler and smaller RCB with lower performance overhead and maintenance cost. We present OSIRIS, a research OS design prototype that demonstrates efficient and consistent crash recovery. Our evaluation shows that OSIRIS effectively recovers from important classes of real-world software bugs with a modest RCB and low overheads.

Published

2016

26. TypeSan - Practical Type Confusion Detection

Author

Yuseok Jeon, Istvan Haller, Mathias Payer, Hui Peng, Herbert Bos, Cristiano Giuffrida, Erik van der Kouwe, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Downcasting, Computer science, business.industry, Distributed computing, Type safety, Spec#, 020207 software engineering, Smart pointer, 02 engineering and technology, Type confusion, Placement syntax, Software, 020204 information systems, Pointer (computer programming), 0202 electrical engineering, electronic engineering, information engineering, Object type, Typecasting, business, computer, Heap (data structure), computer.programming_language

Abstract

The low-level C++ programming language is ubiquitously used for its modularity and performance. Typecasting is a fundamental concept in C++ (and object-oriented programming in general) to convert a pointer from one object type into another. However, downcasting (converting a base class pointer to a derived class pointer) has critical security implications due to potentially different object memory layouts. Due to missing type safety in C++, a downcasted pointer can violate a programmer's intended pointer semantics, allowing an attacker to corrupt the underlying memory in a type-unsafe fashion. This vulnerability class is receiving increasing attention and is known as type confusion (or badcasting). Several existing approaches detect different forms of type confusion, but these solutions are severely limited due to both high run-time performance overhead and low detection coverage. This paper presents TypeSan, a practical type-confusion detector which provides both low run-time overhead and high detection coverage. Despite improving the coverage of state-of-the-art techniques, TypeSan significantly reduces the type-confusion detection overhead compared to other solutions. TypeSan relies on an efficient per-object metadata storage service based on a compact memory shadowing scheme. Our scheme treats all the memory objects (i.e., globals, stack, heap) uniformly to eliminate extra checks on the fast path and relies on a variable compression ratio to minimize run-time performance and memory overhead. Our experimental results confirm that TypeSan is practical, even when explicitly checking almost all the relevant typecasts in a given C++ program. Compared to the state of the art, TypeSan yields orders of magnitude higher coverage at 4-10 times lower performance overhead on SPEC and 2 times on Firefox. As a result, our solution offers superior protection and is suitable for deployment in production software. Moreover, our highly efficient metadata storage back-end is potentially useful for other defenses that require memory object tracking.

Published

2016

27. Lightweight Memory Checkpointing

Author

Cristiano Giuffrida, Dirk Vogt, Andrew S. Tanenbaum, Herbert Bos, Computer Systems, Systems and Network Security, and Network Institute

Subjects

Flat memory model, business.industry, Computer science, Registered memory, computer.software_genre, Memory map, Extended memory, Physical address, Memory management, Embedded system, Shadow memory, Interleaved memory, Operating system, SDG 7 - Affordable and Clean Energy, business, computer

Abstract

Memory check pointing is a pivotal technique in systems reliability, with applications ranging from crash recovery to replay debugging. Unfortunately, many traditional memory check pointing use-cases require high-frequency checkpoints, something for which existing application-level solutions are not well-suited. The problem is that they incur either substantial run-time performance overhead, or poor memory usage guarantees. As a result, their application in practice is hampered. This paper presents Lightweight Memory Check pointing (LMC), a new user-level memory check pointing technique that combines low performance overhead with strong memory usage guarantees for high check pointing frequencies. To this end, LMC relies on compiler-based instrumentation to shadow the entire memory address space of the running program and incrementally checkpoint modified memory bytes in a LMC-maintained shadow state. Our evaluation on popular server applications demonstrates the viability of our approach in practice, confirming that LMC imposes low performance overhead with strictly bounded memory usage at runtime.

Published

2015

28. Evaluating Distortion in Fault Injection Experiments

Author

Cristiano Giuffrida, Erik van der Kouwe, Andrew S. Tanenbaum, Computer Systems, Network Institute, and Secure and Liable Computer Systems

Subjects

Stuck-at fault, Engineering, business.industry, General protection fault, Software fault tolerance, Fault coverage, Fault injection, Hardware_PERFORMANCEANDRELIABILITY, Fault model, business, Fault (power engineering), Fault indicator, Reliability engineering

Abstract

It has become well-established that software will never become bug-free, which has spurred research in mechanisms to contain faults and recover from them. Since such mechanisms deal with faults, fault injection is necessary to evaluate their effectiveness. However, little thought has been put into the question whether fault injection experiments faithfully represent the fault model designed by the user. Correspondence with the fault model is crucial to be able to draw strong and general conclusions from experimental results. The aim of thispaper is twofold: to make a case for carefully evaluating whether activated faults match the fault model and to gain a better understanding of which parameters affect the deviation of theactivated faults from the fault model. To achieve the latter, we instrumented a number of programs with our LLVM-based fault injection framework. We investigated the biases introduced bylimited coverage, parts of the program executed more often than others and the nature of the workload. We evaluated the key factors that cause activated faults to deviate from the model and from these results provide recommendations on how to reduce such deviations.

Published

2014

29. Mutable Checkpoint-Restart: Automating Live Update for Generic Server Programs

Author

Calin Iorgulescu, Cristiano Giuffrida, Andrew S. Tanenbaum, Network Institute, Secure and Liable Computer Systems, and Computer Systems

Subjects

Computer science, business.industry, Distributed computing, Initialization, Data structure, computer.software_genre, Live update, Software, Record-Replay, Garbage collection, Key (cryptography), Operating system, Overhead (computing), DSU, State (computer science), business, computer, TRACE (psycholinguistics)

Abstract

The pressing demand to deploy software updates without stopping running programs has fostered much research on live update systems in the past decades. Prior solutions, however, either make strong assumptions on the nature of the update or require extensive and error-prone manual effort, factors which discourage live update adoption.This paper presents Mutable Checkpoint-Restart (MCR), a new live update solution for generic (multiprocess and multithreaded) server programs written in C. Compared to prior solutions, MCR can support arbitrary software updates and automate most of the common live update operations. The key idea is to allow the new version to restart as similarly to a fresh program initialization as possible, relying on existing code paths to automatically restore the old program threads and reinitialize a relevant portion of the program data structures. To transfer the remaining data structures, MCR relies on a combination of precise and conservative garbage collection techniques to trace all the global pointers and apply the required state transformations on the fly. Experimental results on popular server programs (Apache httpd, nginx, OpenSSH and vsftpd) confirm that our techniques can effectively automate problems previously deemed difficult at the cost of negligible run-time performance overhead (2% on average) and moderate memory overhead (3.9x on average).

Published

2014

30. EDFI: A Dependable Fault Injection Tool for Dependability Benchmarking Experiments

Author

Andrew S. Tanenbaum, Cristiano Giuffrida, Anton Kuijsten, Network Institute, Secure and Liable Computer Systems, and Computer Systems

Subjects

Engineering, business.industry, 020207 software engineering, 02 engineering and technology, Fault injection, Hardware_PERFORMANCEANDRELIABILITY, Fault (power engineering), 020202 computer hardware & architecture, Reliability engineering, Stuck-at fault, General protection fault, Embedded system, Software fault tolerance, Fault coverage, 0202 electrical engineering, electronic engineering, information engineering, Instrumentation (computer programming), business, Segmentation fault

Abstract

Fault injection is a pivotal technique in dependability benchmarking. Unfortunately, existing general-purpose fault injection tools either inject faults in predetermined memory locations or resort to random injection, approaches that generally result in poor fault coverage and controllability guarantees. This makes it difficult to reproduce or compare experiments across different systems or workloads. This paper presents EDFI, a new tool for dependable general-purpose fault injection experiments. EDFI combines static and dynamic program instrumentation to perform execution-driven fault injection, a technique which allows realistic software faults to be injected in a controlled way as the target system executes. Our instrumentation strategy guarantees a predetermined fault load distribution during the entirety of the experiment, independently of the particular system or workload considered. Our evaluation confirms that EDFI significantly improves the precision and controllability of prior tools, at the cost of only modest memory and performance overhead during fault-free execution.

Published

2013

31. Memoirs of a browser

Author

Cristiano Giuffrida, Bruno Crispo, Stefano Ortolani, Network Institute, Secure and Liable Computer Systems, and Computer Systems

Subjects

Service (systems architecture), SDG 16 - Peace, business.industry, Computer science, SDG 16 - Peace, Justice and Strong Institutions, Content Security Policy, Computer security, computer.software_genre, Justice and Strong Institutions, Browser security, World Wide Web, Cross-browser, Web Accessibility Initiative, Software, Web page, business, computer

Abstract

Web browsers are undoubtedly one of the most popular user applications. This is even more evident in recent times, with Google introducing a platform where the browser is the only application provided to the user. With their modular and extensible architecture, modern browsers are also an appealing platforms for third-party software developers, who can easily publish new extensions to extend any standard web browser functionality. Extendability is a crucial feature that makes web browsers a very attractive service platform. From a security perspective, however, extensions opened up new opportunities for attacks. Most extensions do not require any special privilege to be installed, despite their ability to access all the user private data. Delegating the decision about extension's security to trusted parties is not a conclusive solution, given that privacy-breaching behavior has been found even in store-approved extensions [1].

Published

2012

32. Unprivileged Black-Box Detection of User-space Keyloggers

Author

Cristiano Giuffrida, Stefano Ortolani, Bruno Crispo, Computer Systems, Secure and Liable Computer Systems, and Network Institute

Subjects

Software, Software deployment, business.industry, Computer science, Robustness (computer science), False positives and false negatives, User space, Operating system, Electrical and Electronic Engineering, business, Keystroke logging, computer.software_genre, computer

Abstract

Software keyloggers are a fast growing class of invasive software often used to harvest confidential information. One of the main reasons for this rapid growth is the possibility for unprivileged programs running in user space to eavesdrop and record all the keystrokes typed by the users of a system. The ability to run in unprivileged mode facilitates their implementation and distribution, but, at the same time, allows one to understand and model their behavior in detail. Leveraging this characteristic, we propose a new detection technique that simulates carefully crafted keystroke sequences in input and observes the behavior of the keylogger in output to unambiguously identify it among all the running processes. We have prototyped our technique as an unprivileged application, hence matching the same ease of deployment of a keylogger executing in unprivileged mode. We have successfully evaluated the underlying technique against the most common free keyloggers. This confirms the viability of our approach in practical scenarios. We have also devised potential evasion techniques that may be adopted to circumvent our approach and proposed a heuristic to strengthen the effectiveness of our solution against more elaborated attacks. Extensive experimental results confirm that our technique is robust to both false positives and false negatives in realistic settings. © 2004-2012 IEEE.

Published

2012

33. Bait your Hook: a Novel Detection Technique for Keyloggers

Author

Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo, Computer Systems, Secure and Liable Computer Systems, and Network Institute

Subjects

Black box (phreaking), Class (computer programming), Property (programming), business.industry, Computer science, computer.software_genre, Computer security, Keystroke logging, Software, Mode (computer interface), Embedded system, User space, Malware, business, computer

Abstract

Software keyloggers are a fast growing class of malware often used to harvest confidential information. One of the main reasons for this rapid growth is the possibility for unprivileged programs running in user space to eavesdrop and record all the keystrokes of the users of the system. Such an ability to run in unprivileged mode facilitates their implementation and distribution, but, at the same time, allows to understand and model their behavior in detail. Leveraging this property, we propose a new detection technique that simulates carefully crafted keystroke sequences (the bait) in input and observes the behavior of the keylogger in output to univocally identify it among all the running processes. We have prototyped and evaluated this technique with some of the most common free keyloggers. Experimental results are encouraging and confirm the viability of our approach in practical scenarios.

Published

2010

34. Cooperative update

Author

Andrew S. Tanenbaum, Cristiano Giuffrida, Network Institute, Secure and Liable Computer Systems, and Computer Systems

Subjects

010302 applied physics, Downtime, Computer science, business.industry, Distributed computing, 020207 software engineering, 02 engineering and technology, 01 natural sciences, Backward compatibility, Scheduling (computing), SDG 17 - Partnerships for the Goals, Software, Trustworthiness, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Dependability, Software system, business

Abstract

Many real-world systems require continuous operation. Downtime is ill-affordable and scheduling maintenance for regular software updates is a tremendous challenge for system administrators. For this reason, live update is a potential solution as it allows running software to be replaced by a newer version without stopping the system. The vast majority of live update approaches proposed as a solution to this problem aims to support existing software systems, while striving to maintain a good level of safety and flexibility.In this paper, we consider the opposite direction. Our work aims to build dependable and trustworthy live updatable systems that do not attempt to be backward compatible but look forward to solving the update problem in future systems. To this end, we highlight possible issues and limitations in existing approaches and propose a new cooperative model for live update to provide better safety and flexibility guarantees.

Published

2009

35. Cupid : Automatic Fuzzer Selection for Collaborative Fuzzing

Author

Philipp Görz, Emre Güler, Andrea Jemmett, Thorsten Holz, Herbert Bos, Elia Geretto, Sebastian Österlund, Cristiano Giuffrida, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Empirical data, Computer science, ensemble fuzzing, 0211 other engineering and technologies, Code coverage, 02 engineering and technology, Machine learning, computer.software_genre, Set (abstract data type), Software, parallel fuzzing, SDG 17 - Partnerships for the Goals, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Selection (genetic algorithm), Complement (set theory), 021110 strategic, defence & security studies, business.industry, automated bug finding, Fuzz testing, fuzzing, Artificial intelligence, collaborative fuzzing, Heuristics, business, computer

Abstract

Combining the strengths of individual fuzzing methods is an appealing idea to find software faults more efficiently, especially when the computing budget is limited. In prior work, EnFuzz introduced the idea of ensemble fuzzing and devised three heuristics to classify properties of fuzzers in terms of diversity. Based on these heuristics, the authors manually picked a combination of different fuzzers that collaborate. In this paper, we generalize this idea by collecting and applying empirical data from single, isolated fuzzer runs to automatically identify a set of fuzzers that complement each other when executed collaboratively. To this end, we present Cupid, a collaborative fuzzing framework allowing automated, data-driven selection of multiple complementary fuzzers for parallelized and distributed fuzzing. We evaluate the automatically selected target-independent combination of fuzzers by Cupid on Google's fuzzer-test-suite, a collection of real-world binaries, as well as on the synthetic Lava-M dataset. We find that Cupid outperforms two expert-guided, target-specific and hand-picked combinations on Google's fuzzer-test-suite in terms of branch coverage, and improves bug finding on Lava-M by 10%. Most importantly, we improve the latency for obtaining 95% and 99% of the coverage by 90% and 64%, respectively. Furthermore, Cupid reduces the amount of CPU hours needed to find a high-performing combination of fuzzers by multiple orders of magnitude compared to an exhaustive evaluation.

36. StackArmor: Comprehensive Protection From Stack-based Memory Error Vulnerabilities for Binaries

Author

Asia Slowinska, Herbert Bos, Cristiano Giuffrida, Xi Chen, Dennis Andriesse, Computer Systems, Network Institute, and Systems and Network Security

Subjects

Source code, Memory errors, business.industry, Computer science, Call stack, media_common.quotation_subject, Real-time computing, Spec#, Stack (abstract data type), Embedded system, Overhead (computing), x86, Rewriting, business, computer, media_common, computer.programming_language

Abstract

StackArmor is a comprehensive protection technique for stack-based memory error vulnerabilities in binaries. It relies on binary analysis and rewriting strategies to drastically reduce the uniquely high spatial and temporal memory predictability of traditional call stack organizations. Unlike prior solutions, StackArmor can protect against arbitrary stack-based attacks, requires no access to the source code, and offers a policy-driven protection strategy that allows end users to tune the securityperformance tradeoff according to their needs. We present an implementation of StackArmor for x86 64 Linux and provide a detailed experimental analysis of our prototype on popular server programs and standard benchmarks (SPEC CPU2006). Our results demonstrate that StackArmor offers better security than prior binaryand source-level approaches, at the cost of only modest performance and memory overhead even with full protection.