WarGames in memory: what is the winning move?

Presented at 30C3 (2013), Dec. 29, 2013, 8:30 p.m. (60 minutes).

Memory corruption has been around forever but is still one of the most exploited problems on current systems. This talk looks at the past 30 years of memory corruption and systematizes the different existing exploit and defense techniques in a streamlined way. We evaluate (i) how the different attacks evolved, (ii) how researchers came up with defense mechanisms as an answer to new threats, and (iii) what we will have to expect in the future.

Memory corruption (e.g., buffer overflows, random writes, memory allocation bugs, or uncontrolled format strings) is one of the oldest and most exploited problems in computer science. These problems are here to stay as low-level languages like C or C++ continue to trade safety for potential performance. A small set of all proposed solutions (e.g., Address Space Layout Randomization, Data Execution Prevention, and stack canaries) is applied in practice but real exploits show that all currently deployed protections can be defeated.

In this talk we systematize the existing knowledge about (i) attack vectors and specific techniques to exploit running software and (ii) defense mechanisms that protect against the attack vectors. Many of these techniques have been developed hand in hand. We take a methodological approach and cover the complete design space for control-flow based and data-flow based attacks for low-level languages.

The problems of current protection mechanisms call for novel approaches to software protection that adhere to the three laws of software defenses: low overhead for high security guarantees, no changes to the original source code, and compatibility with existing libraries and binaries (including a partial migration strategy).


Presenters:

  • gannimo
    Mathias Payer is a security nerd and an assistant professor in computer science at Purdue University. His interests are related to system security, binary exploitation, user-space software-based fault isolation, binary translation/recompilation, and (application) virtualization. Before joining Purdue in 2014 he spent two years as a postdoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH with a Dr. sc. ETH in 2012. The topic of his thesis is related to low-level binary translation and security. After developing a fast binary translation system (fastBT) he started to analyze different exploit techniques and wondered how binary translation could be used to raise the guard of current systems (with TRuE and libdetox as a prototype implementation of the security framework).
